authorLibravatar smitsohu <smitsohu@gmail.com>2021-05-16 15:48:14 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2021-05-16 15:48:14 +0200
commit825ac9cdc38c4285584e69d6f29102b149914dfe (patch)
treefd65f17f166a535f9a619c044022a3b933cc5f0c /src/firejail/fs_dev.c
parentUpdate disable-common.inc (diff)
open files O_CLOEXEC|O_EXCL
Dumb patch that adds O_CLOEXEC to all open/fopen calls, even where it is obviously pointless. While at it, also add O_EXCL where it might be considered useful, for example to clear Coverity warnings, or on files that subsequently are used to configure a join sandbox. Pure defense in depth, this patch should have no observable effects.
Diffstat (limited to 'src/firejail/fs_dev.c')
-rw-r--r--src/firejail/fs_dev.c6
1 files changed, 3 insertions, 3 deletions
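diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 2f0067c93..8c2870a4d 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -122,7 +122,7 @@ static void deventry_mount(void) {
 i++;
 continue;
 }
-FILE *fp = fopen(dev[i].dev_fname, "w");
+FILE *fp = fopen(dev[i].dev_fname, "we");
 if (fp) {
 fprintf(fp, "\n");
 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
@@ -218,7 +218,7 @@ void fs_private_dev(void){
 struct stat s;
 if (stat("/dev/log", &s) == 0) {
 have_devlog = 1;
-FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
+FILE *fp = fopen(RUN_DEVLOG_FILE, "we");
 if (!fp)
 have_devlog = 0;
 else {
@@ -239,7 +239,7 @@ void fs_private_dev(void){
 
 // bring back /dev/log
 if (have_devlog) {
-FILE *fp = fopen("/dev/log", "w");
+FILE *fp = fopen("/dev/log", "we");
 if (fp) {
 fprintf(fp, "\n");
 fclose(fp);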
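Review bot: The `e` mode letter added at lines 125, 221 and 242 is a glibc extension to fopen(3) (it sets O_CLOEXEC on the underlying open) that nothing in the hunks explains, so a reader who does not know the extension will not see why the three sites changed. A one-line comment at the first site, `// "e": O_CLOEXEC, so the stream is not inherited by programs the sandbox later executes`, would carry the commit message's intent into the code; the same applies to the other two sites. The commit message also says O_EXCL was added to files that later configure a join sandbox, so it may be worth noting in a comment whether RUN_DEVLOG_FILE at line 221 was deliberately left at "we" rather than "wxe"; I cannot tell from the hunk what reads that file. All three fopen calls sit inside functions whose bodies start and end outside the hunks.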