treewide: make more file descriptors cloexec

Avoid file descriptor leakage into child processes by marking them `O_CLOEXEC`.
2026-05-05 06:46:28 -04:00 · 2025-10-28 20:03:13 +01:00 · 2025-10-28 20:03:13 +01:00 · ccfb61efa4
commit ccfb61efa4
parent 8344117e7b
9 changed files with 11 additions and 11 deletions
--- a/spa/plugins/avb/avb-pcm.c
+++ b/spa/plugins/avb/avb-pcm.c
@ -548,7 +548,7 @@ static int setup_socket(struct state *state)
 	struct ifreq req;
 	struct props *p = &state->props;

-	fd = socket(AF_PACKET, SOCK_DGRAM|SOCK_NONBLOCK, htons(ETH_P_TSN));
+	fd = socket(AF_PACKET, SOCK_DGRAM | SOCK_CLOEXEC | SOCK_NONBLOCK, htons(ETH_P_TSN));
 	if (fd < 0) {
 		spa_log_error(state->log, "socket() failed: %m");
 		return -errno;
--- a/spa/plugins/bluez5/backend-native.c
+++ b/spa/plugins/bluez5/backend-native.c
@ -2617,7 +2617,7 @@ static int sco_create_socket(struct impl *backend, struct spa_bt_adapter *adapte
 	socklen_t len;
 	bdaddr_t src;

-	spa_autoclose int sock = socket(PF_BLUETOOTH, SOCK_SEQPACKET | SOCK_NONBLOCK, BTPROTO_SCO);
+	spa_autoclose int sock = socket(PF_BLUETOOTH, SOCK_SEQPACKET | SOCK_CLOEXEC | SOCK_NONBLOCK, BTPROTO_SCO);
 	if (sock < 0) {
 		spa_log_error(backend->log, "socket(SEQPACKET, SCO) %s", strerror(errno));
 		return -1;
--- a/spa/plugins/support/node-driver.c
+++ b/spa/plugins/support/node-driver.c
@ -758,7 +758,7 @@ static bool parse_clock_id(struct impl *this, const char *s)

 static bool parse_clock_device(struct impl *this, const char *s)
 {
-	int fd = open(s, O_RDONLY);
+	int fd = open(s, O_RDONLY | O_CLOEXEC);
 	if (fd == -1) {
 		spa_log_info(this->log, "failed to open clock device '%s': %m", s);
 		return false;
--- a/spa/plugins/vulkan/vulkan-compute-utils.c
+++ b/spa/plugins/vulkan/vulkan-compute-utils.c
@ -165,7 +165,7 @@ static VkShaderModule createShaderModule(struct vulkan_compute_state *s, const c
 	int fd;
 	struct stat stat;

-	if ((fd = open(shaderFile, 0, O_RDONLY)) == -1) {
+	if ((fd = open(shaderFile, 0, O_RDONLY | O_CLOEXEC)) == -1) {
 		spa_log_error(s->log, "can't open %s: %m", shaderFile);
 		return VK_NULL_HANDLE;
 	}
--- a/src/modules/module-avb/avdecc.c
+++ b/src/modules/module-avb/avdecc.c
@ -153,7 +153,7 @@ static int raw_make_socket(struct server *server, uint16_t type, const uint8_t m
 	struct packet_mreq mreq;
 	struct sockaddr_ll sll;

-	fd = socket(AF_PACKET, SOCK_RAW|SOCK_NONBLOCK, htons(ETH_P_ALL));
+	fd = socket(AF_PACKET, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, htons(ETH_P_ALL));
 	if (fd < 0) {
 		pw_log_error("socket() failed: %m");
 		return -errno;
@ -267,7 +267,7 @@ static int raw_stream_setup_socket(struct server *server, struct stream *stream)
 	char buf[128];
 	struct ifreq req;

-	fd = socket(AF_PACKET, SOCK_RAW | SOCK_NONBLOCK, htons(ETH_P_ALL));
+	fd = socket(AF_PACKET, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, htons(ETH_P_ALL));
 	if (fd < 0) {
 		pw_log_error("socket() failed: %m");
 		return -errno;
--- a/src/modules/module-protocol-native/test-connection.c
+++ b/src/modules/module-protocol-native/test-connection.c
@ -263,7 +263,7 @@ int main(int argc, char *argv[])
 	spa_assert_se(loop != NULL);
 	context = pw_context_new(pw_main_loop_get_loop(loop), NULL, 0);

-	if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0) {
+	if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fds) < 0) {
 		spa_assert_not_reached();
 		return -1;
 	}
@ -286,7 +286,7 @@ int main(int argc, char *argv[])
 		int fds2[2];
 		struct pw_protocol_native_connection *in2, *out2;

-		if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds2) < 0)
+		if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fds2) < 0)
 			spa_assert_not_reached();

 		in2 = pw_protocol_native_connection_new(context, fds2[0]);
--- a/src/modules/module-rtp-sap.c
+++ b/src/modules/module-rtp-sap.c
@ -880,7 +880,7 @@ static int send_sap(struct impl *impl, struct session *sess, bool bye)

 		if ((str = pw_properties_get(sess->props, "source.ip")) == NULL) {
 			if (impl->ifname) {
-				int fd = socket(impl->sap_addr.ss_family, SOCK_DGRAM, 0);
+				int fd = socket(impl->sap_addr.ss_family, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 				if (fd >= 0) {
 					struct ifreq req;
 					spa_zero(req);
--- a/src/tests/test-security-context.c
+++ b/src/tests/test-security-context.c
@ -125,7 +125,7 @@ static void test_create(void)

 	unlink(temp);

-	listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	listen_fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
 	spa_assert_se(listen_fd >= 0);

 	sockaddr.sun_family = AF_UNIX;
--- a/test/test-logger.c
+++ b/test/test-logger.c
@ -344,7 +344,7 @@ PWTEST(logger_debug_env_invalid)
 	/* The error message during pw_init() will go to stderr because no
 	 * logger has been set up yet. Intercept that in our temp file */
 	pwtest_mkstemp(fname);
-	fd = open(fname, O_RDWR);
+	fd = open(fname, O_RDWR | O_CLOEXEC);
 	pwtest_errno_ok(fd);
 	rc = dup2(fd, STDERR_FILENO);
 	setlinebuf(stderr);