Google Git
Sign in
googlers / maze / iptables / c0aa38e22e8a09fcb1898ad0e042eaf6314d2d42
commitc0aa38e22e8a09fcb1898ad0e042eaf6314d2d42[log] [tgz]
authorMaciej Żenczykowski <maze@google.com>Wed Mar 21 00:52:00 2012 +0000
committerPablo Neira Ayuso <pablo@netfilter.org>Fri Mar 23 11:24:30 2012 +0100
tree6c4df30f78f66235cb610b018f4dbf8a5cee1621
parent61b8f7ecb64b3b6fe04d2a6ad9598f66e42ceea8 [diff]
src: mark newly opened fds as FD_CLOEXEC (close on exec)

By default, Unix-like systems leak file descriptors after fork/exec
call. I think this seem to result in SELinux spotting a strange AVC
log messages according to what I can find on the web.

Fedora 18 iptables source includes this change.

Maciej says:
"iptables does potentially fork/exec modprobe to load modules.
That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing.
You can do automated inspection of what gets carried across such
privilege changes and any unexpected open file descriptors flag
problems, patches like this cut down on the noise."

Signed-off-by: Maciej  enczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2 files changed
tree: 6c4df30f78f66235cb610b018f4dbf8a5cee1621
  1. extensions/
  2. include/
  3. iptables/
  4. libipq/
  5. libiptc/
  6. libxtables/
  7. m4/
  8. tests/
  9. utils/
  10. .gitignore
  11. autogen.sh
  12. COMMIT_NOTES
  13. configure.ac
  14. COPYING
  15. INCOMPATIBILITIES
  16. INSTALL
  17. Makefile.am
  18. release.sh