mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-30 21:37:53 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: add missing O_CLOEXEC/SOCK_CLOEXEC flags

Browse source 
File and Resource Handling: Medium

Several file and socket operations were missing the close-on-exec flag,
which causes file descriptors to leak to child processes created via
fork+exec. This could allow child processes unintended access to
privileged resources.

- node-driver.c: SOCK_DGRAM socket for SIOCETHTOOL ioctl leaked to
  child processes
- pw-container.c: Unix domain listen socket leaked to spawned
  container processes
- compress-offload-api.c: ALSA compress-offload device fd leaked to
  child processes

Added O_CLOEXEC to open() calls and SOCK_CLOEXEC to socket() calls.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-27 17:06:40 +02:00
parent 32f969324b
commit 4d7c448150
3 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/tools/pw-container.c
View file

@ -242,7 +242,7 @@ int main(int argc, char *argv[])
close(res);
unlink(temp);
listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
listen_fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (listen_fd < 0) {
fprintf(stderr, "can't make unix socket: %m\n");
return -1;