mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-29 06:46:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: add missing O_CLOEXEC/SOCK_CLOEXEC flags

Browse source 
File and Resource Handling: Medium

Several file and socket operations were missing the close-on-exec flag,
which causes file descriptors to leak to child processes created via
fork+exec. This could allow child processes unintended access to
privileged resources.

- node-driver.c: SOCK_DGRAM socket for SIOCETHTOOL ioctl leaked to
  child processes
- pw-container.c: Unix domain listen socket leaked to spawned
  container processes
- compress-offload-api.c: ALSA compress-offload device fd leaked to
  child processes

Added O_CLOEXEC to open() calls and SOCK_CLOEXEC to socket() calls.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-27 17:06:40 +02:00
parent 3b7e9b0779
commit 7bfa93de05
3 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
spa/plugins/alsa/compress-offload-api.c
View file

@ -40,7 +40,7 @@ struct compress_offload_api_context* compress_offload_api_open(int card_nr, int
snprintf(fn, sizeof(fn), "/dev/snd/comprC%uD%u", card_nr, device_nr);
context->fd = open(fn, O_WRONLY);
context->fd = open(fn, O_WRONLY | O_CLOEXEC);
if (context->fd < 0) {
spa_log_error(context->log, "could not open device \"%s\": %s (%d)", fn, strerror(errno), errno);
goto error;