conn, device, tun: set CLOEXEC on fds
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
parent
6a08d81f6b
commit
c31a7b1ab4
@ -331,7 +331,7 @@ func create4(port uint16) (int, uint16, error) {
|
|||||||
|
|
||||||
fd, err := unix.Socket(
|
fd, err := unix.Socket(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM|unix.SOCK_CLOEXEC,
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
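Review bot: Neither this hunk nor the matching create6 hunk says why SOCK_CLOEXEC is now ORed into the socket type, and with the same flag appearing at twenty-odd call sites across conn, device and tun a single comment at the first one would anchor the intent. I would put `// SOCK_CLOEXEC: the tunnel's sockets must not be inherited by any child process the embedding program spawns.` above the `unix.Socket(` call here, and leave the other sites bare. On Linux the flag makes creation and FD_CLOEXEC one atomic step, which is the property the darwin helper later in this commit has to emulate with ForkLock. create4's body continues outside the hunk.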
@ -373,7 +373,7 @@ func create6(port uint16) (int, uint16, error) {
|
|||||||
|
|
||||||
fd, err := unix.Socket(
|
fd, err := unix.Socket(
|
||||||
unix.AF_INET6,
|
unix.AF_INET6,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM|unix.SOCK_CLOEXEC,
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -204,7 +204,7 @@ func (device *Device) routineRouteListener(bind conn.Bind, netlinkSock int, netl
|
|||||||
}
|
}
|
||||||
|
|
||||||
func createNetlinkRouteSocket() (int, error) {
|
func createNetlinkRouteSocket() (int, error) {
|
||||||
sock, err := unix.Socket(unix.AF_NETLINK, unix.SOCK_RAW, unix.NETLINK_ROUTE)
|
sock, err := unix.Socket(unix.AF_NETLINK, unix.SOCK_RAW|unix.SOCK_CLOEXEC, unix.NETLINK_ROUTE)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return -1, err
|
return -1, err
|
||||||
}
|
}
|
||||||
|
@ -107,7 +107,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fd, err := unix.Socket(unix.AF_SYSTEM, unix.SOCK_DGRAM, 2)
|
fd, err := socketCloexec(unix.AF_SYSTEM, unix.SOCK_DGRAM, 2)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -173,7 +173,7 @@ func CreateTUNFromFile(file *os.File, mtu int) (Device, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
tun.routeSocket, err = unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
|
tun.routeSocket, err = socketCloexec(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
tun.tunFile.Close()
|
tun.tunFile.Close()
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -276,7 +276,7 @@ func (tun *NativeTun) Close() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (tun *NativeTun) setMTU(n int) error {
|
func (tun *NativeTun) setMTU(n int) error {
|
||||||
fd, err := unix.Socket(
|
fd, err := socketCloexec(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM,
|
||||||
0,
|
0,
|
||||||
@ -299,7 +299,7 @@ func (tun *NativeTun) setMTU(n int) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (tun *NativeTun) MTU() (int, error) {
|
func (tun *NativeTun) MTU() (int, error) {
|
||||||
fd, err := unix.Socket(
|
fd, err := socketCloexec(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM,
|
||||||
0,
|
0,
|
||||||
@ -317,3 +317,15 @@ func (tun *NativeTun) MTU() (int, error) {
|
|||||||
|
|
||||||
return int(ifr.MTU), nil
|
return int(ifr.MTU), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func socketCloexec(family, sotype, proto int) (fd int, err error) {
|
||||||
|
// See go/src/net/sys_cloexec.go for background.
|
||||||
|
syscall.ForkLock.RLock()
|
||||||
|
defer syscall.ForkLock.RUnlock()
|
||||||
|
|
||||||
|
fd, err = unix.Socket(family, sotype, proto)
|
||||||
|
if err == nil {
|
||||||
|
unix.CloseOnExec(fd)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
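Review bot: `unix.CloseOnExec(fd)` has no error return, and as far as I recall it simply drops the fcntl result, so a failed F_SETFD leaves the new socket inheritable while socketCloexec still reports success; if that matters here, `_, err = unix.FcntlInt(uintptr(fd), unix.F_SETFD, unix.FD_CLOEXEC)` with the fd closed on error would make the failure visible. The `// See go/src/net/sys_cloexec.go` comment also leaves the locking unexplained; I would replace it with a doc comment saying that darwin has no SOCK_CLOEXEC, that the flag is therefore applied after creation, and that holding ForkLock for reading keeps a concurrent fork+exec (which takes the write lock) from running in the window between unix.Socket and the fcntl. The naked `return` with named results is a style nit; `return fd, nil` at the end reads more clearly. The earlier darwin hunks in this commit (CreateTUN, CreateTUNFromFile, setMTU, MTU) all route through this helper.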
|
@ -143,7 +143,7 @@ func tunName(fd uintptr) (string, error) {
|
|||||||
|
|
||||||
// Destroy a named system interface
|
// Destroy a named system interface
|
||||||
func tunDestroy(name string) error {
|
func tunDestroy(name string) error {
|
||||||
fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
|
fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM|unix.SOCK_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -170,7 +170,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
|
|||||||
return nil, fmt.Errorf("interface %s already exists", name)
|
return nil, fmt.Errorf("interface %s already exists", name)
|
||||||
}
|
}
|
||||||
|
|
||||||
tunFile, err := os.OpenFile("/dev/tun", unix.O_RDWR, 0)
|
tunFile, err := os.OpenFile("/dev/tun", unix.O_RDWR|unix.O_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
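Review bot: The `unix.O_CLOEXEC` added to `os.OpenFile("/dev/tun", ...)` is redundant, because the os package already ORs O_CLOEXEC into every open it performs on Unix; the same applies to the two `os.OpenFile(fmt.Sprintf("/dev/tun%d", ...))` lines in the later hunk. It is harmless, but without a note a future reader may conclude that every other os.OpenFile in the tree is unprotected, so I would add `// O_CLOEXEC is already implied by os.OpenFile; spelled out here to make the intent explicit.` above the call. By contrast the `unix.Open(cloneDevicePath, ...)` hunk bypasses the os package and genuinely needs the flag, which that hunk now supplies. CreateTUN continues outside this hunk.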
@ -213,7 +213,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
|
|||||||
// Disable link-local v6, not just because WireGuard doesn't do that anyway, but
|
// Disable link-local v6, not just because WireGuard doesn't do that anyway, but
|
||||||
// also because there are serious races with attaching and detaching LLv6 addresses
|
// also because there are serious races with attaching and detaching LLv6 addresses
|
||||||
// in relation to interface lifetime within the FreeBSD kernel.
|
// in relation to interface lifetime within the FreeBSD kernel.
|
||||||
confd6, err := unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM, 0)
|
confd6, err := unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM|unix.SOCK_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
tunFile.Close()
|
tunFile.Close()
|
||||||
tunDestroy(assignedName)
|
tunDestroy(assignedName)
|
||||||
@ -238,7 +238,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if name != "" {
|
if name != "" {
|
||||||
confd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
|
confd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM|unix.SOCK_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
tunFile.Close()
|
tunFile.Close()
|
||||||
tunDestroy(assignedName)
|
tunDestroy(assignedName)
|
||||||
@ -295,7 +295,7 @@ func CreateTUNFromFile(file *os.File, mtu int) (Device, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
tun.routeSocket, err = unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
|
tun.routeSocket, err = unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW|unix.SOCK_CLOEXEC, unix.AF_UNSPEC)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
tun.tunFile.Close()
|
tun.tunFile.Close()
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -397,7 +397,7 @@ func (tun *NativeTun) Close() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (tun *NativeTun) setMTU(n int) error {
|
func (tun *NativeTun) setMTU(n int) error {
|
||||||
fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
|
fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM|unix.SOCK_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -414,7 +414,7 @@ func (tun *NativeTun) setMTU(n int) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (tun *NativeTun) MTU() (int, error) {
|
func (tun *NativeTun) MTU() (int, error) {
|
||||||
fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
|
fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM|unix.SOCK_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return 0, err
|
return 0, err
|
||||||
}
|
}
|
||||||
|
@ -99,7 +99,7 @@ func (tun *NativeTun) routineHackListener() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func createNetlinkSocket() (int, error) {
|
func createNetlinkSocket() (int, error) {
|
||||||
sock, err := unix.Socket(unix.AF_NETLINK, unix.SOCK_RAW, unix.NETLINK_ROUTE)
|
sock, err := unix.Socket(unix.AF_NETLINK, unix.SOCK_RAW|unix.SOCK_CLOEXEC, unix.NETLINK_ROUTE)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return -1, err
|
return -1, err
|
||||||
}
|
}
|
||||||
@ -194,7 +194,7 @@ func (tun *NativeTun) routineNetlinkListener() {
|
|||||||
func getIFIndex(name string) (int32, error) {
|
func getIFIndex(name string) (int32, error) {
|
||||||
fd, err := unix.Socket(
|
fd, err := unix.Socket(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM|unix.SOCK_CLOEXEC,
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -228,7 +228,7 @@ func (tun *NativeTun) setMTU(n int) error {
|
|||||||
// open datagram socket
|
// open datagram socket
|
||||||
fd, err := unix.Socket(
|
fd, err := unix.Socket(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM|unix.SOCK_CLOEXEC,
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -264,7 +264,7 @@ func (tun *NativeTun) MTU() (int, error) {
|
|||||||
// open datagram socket
|
// open datagram socket
|
||||||
fd, err := unix.Socket(
|
fd, err := unix.Socket(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM|unix.SOCK_CLOEXEC,
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -400,7 +400,7 @@ func (tun *NativeTun) Close() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func CreateTUN(name string, mtu int) (Device, error) {
|
func CreateTUN(name string, mtu int) (Device, error) {
|
||||||
nfd, err := unix.Open(cloneDevicePath, os.O_RDWR, 0)
|
nfd, err := unix.Open(cloneDevicePath, unix.O_RDWR|unix.O_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if os.IsNotExist(err) {
|
if os.IsNotExist(err) {
|
||||||
return nil, fmt.Errorf("CreateTUN(%q) failed; %s does not exist", name, cloneDevicePath)
|
return nil, fmt.Errorf("CreateTUN(%q) failed; %s does not exist", name, cloneDevicePath)
|
||||||
|
@ -114,10 +114,10 @@ func CreateTUN(name string, mtu int) (Device, error) {
|
|||||||
var err error
|
var err error
|
||||||
|
|
||||||
if ifIndex != -1 {
|
if ifIndex != -1 {
|
||||||
tunfile, err = os.OpenFile(fmt.Sprintf("/dev/tun%d", ifIndex), unix.O_RDWR, 0)
|
tunfile, err = os.OpenFile(fmt.Sprintf("/dev/tun%d", ifIndex), unix.O_RDWR|unix.O_CLOEXEC, 0)
|
||||||
} else {
|
} else {
|
||||||
for ifIndex = 0; ifIndex < 256; ifIndex++ {
|
for ifIndex = 0; ifIndex < 256; ifIndex++ {
|
||||||
tunfile, err = os.OpenFile(fmt.Sprintf("/dev/tun%d", ifIndex), unix.O_RDWR, 0)
|
tunfile, err = os.OpenFile(fmt.Sprintf("/dev/tun%d", ifIndex), unix.O_RDWR|unix.O_CLOEXEC, 0)
|
||||||
if err == nil || !errors.Is(err, syscall.EBUSY) {
|
if err == nil || !errors.Is(err, syscall.EBUSY) {
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
@ -165,7 +165,7 @@ func CreateTUNFromFile(file *os.File, mtu int) (Device, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
tun.routeSocket, err = unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
|
tun.routeSocket, err = unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW|unix.SOCK_CLOEXEC, unix.AF_UNSPEC)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
tun.tunFile.Close()
|
tun.tunFile.Close()
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -270,7 +270,7 @@ func (tun *NativeTun) setMTU(n int) error {
|
|||||||
|
|
||||||
fd, err := unix.Socket(
|
fd, err := unix.Socket(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM|unix.SOCK_CLOEXEC,
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -304,7 +304,7 @@ func (tun *NativeTun) MTU() (int, error) {
|
|||||||
|
|
||||||
fd, err := unix.Socket(
|
fd, err := unix.Socket(
|
||||||
unix.AF_INET,
|
unix.AF_INET,
|
||||||
unix.SOCK_DGRAM,
|
unix.SOCK_DGRAM|unix.SOCK_CLOEXEC,
|
||||||
0,
|
0,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|