open files O_CLOEXEC|O_EXCL

Dumb patch that adds O_CLOEXEC to all open/fopen calls, even where it is obviously pointless. While at it, also add O_EXCL where it might be considered useful, for example to clear Coverity warnings, or on files that subsequently are used to configure a join sandbox. Pure defense in depth, this patch should have no observable effects.
author: smitsohu <smitsohu@gmail.com> 2021-05-16 15:48:14 +0200
committer: smitsohu <smitsohu@gmail.com> 2021-05-16 15:48:14 +0200
commit: 825ac9cdc38c4285584e69d6f29102b149914dfe (patch)
tree: fd65f17f166a535f9a619c044022a3b933cc5f0c /src/firejail/sandbox.c
parent: Update disable-common.inc (diff)
download: firejail-825ac9cdc38c4285584e69d6f29102b149914dfe.tar.gz
firejail-825ac9cdc38c4285584e69d6f29102b149914dfe.tar.zst
firejail-825ac9cdc38c4285584e69d6f29102b149914dfe.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3af828ede..2c751809e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -67,7 +67,7 @@ static void sandbox_handler(int sig){
                if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)
                        errExit("asprintf");
                while (monsec) {
-                        FILE *fp = fopen(monfile, "r");
+                        FILE *fp = fopen(monfile, "re");
                        if (!fp)
                                break;
@@ -162,7 +162,7 @@ static void save_nogroups(void) {
        if (arg_nogroups == 0)
                return;
-        FILE *fp = fopen(RUN_GROUPS_CFG, "w");
+        FILE *fp = fopen(RUN_GROUPS_CFG, "wxe");
        if (fp) {
                fprintf(fp, "\n");
                SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
author	smitsohu <smitsohu@gmail.com>	2021-05-16 15:48:14 +0200
committer	smitsohu <smitsohu@gmail.com>	2021-05-16 15:48:14 +0200
commit	825ac9cdc38c4285584e69d6f29102b149914dfe (patch)
tree	fd65f17f166a535f9a619c044022a3b933cc5f0c /src/firejail/sandbox.c
parent	Update disable-common.inc (diff)
download	firejail-825ac9cdc38c4285584e69d6f29102b149914dfe.tar.gz firejail-825ac9cdc38c4285584e69d6f29102b149914dfe.tar.zst firejail-825ac9cdc38c4285584e69d6f29102b149914dfe.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3af828ede..2c751809e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -67,7 +67,7 @@ static void sandbox_handler(int sig){
67	if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)	67	if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)
68	errExit("asprintf");	68	errExit("asprintf");
69	while (monsec) {	69	while (monsec) {
70	FILE *fp = fopen(monfile, "r");	70	FILE *fp = fopen(monfile, "re");
71	if (!fp)	71	if (!fp)
72	break;	72	break;
73		73
@@ -162,7 +162,7 @@ static void save_nogroups(void) {
162	if (arg_nogroups == 0)	162	if (arg_nogroups == 0)
163	return;	163	return;
164		164
165	FILE *fp = fopen(RUN_GROUPS_CFG, "w");	165	FILE *fp = fopen(RUN_GROUPS_CFG, "wxe");
166	if (fp) {	166	if (fp) {
167	fprintf(fp, "\n");	167	fprintf(fp, "\n");
168	SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644	168	SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644