mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-29 06:46:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: add missing O_CLOEXEC/SOCK_CLOEXEC flags

Browse source 
File and Resource Handling: Medium

Several file and socket operations were missing the close-on-exec flag,
which causes file descriptors to leak to child processes created via
fork+exec. This could allow child processes unintended access to
privileged resources.

- node-driver.c: SOCK_DGRAM socket for SIOCETHTOOL ioctl leaked to
  child processes
- pw-container.c: Unix domain listen socket leaked to spawned
  container processes
- compress-offload-api.c: ALSA compress-offload device fd leaked to
  child processes

Added O_CLOEXEC to open() calls and SOCK_CLOEXEC to socket() calls.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-27 17:06:40 +02:00
parent 3b7e9b0779
commit 7bfa93de05
3 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/tools/pw-container.c
View file

@ -243,7 +243,7 @@ int main(int argc, char *argv[])
close(res);
unlink(temp);
listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
listen_fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (listen_fd < 0) {
fprintf(stderr, "can't make unix socket: %m\n");
return -1;