store: Open daemon connections with SOCK_CLOEXEC.

Previously, 'guix shell', for example, would leak the socket connected to
the daemon into the child processes it spawns.

* guix/store.scm (open-unix-domain-socket, open-inet-socket): Pass
SOCK_CLOEXEC to 'socket'.
* tests/guix-shell.sh: Add test.
Ludovic Courtès 2022-09-04 16:04:31 +02:00
parent 2028419e30
commit 7a2acbdc5a
GPG key ID: 090B11993D9AEBB5
2 changed files with 12 additions and 2 deletions


@ -457,7 +457,7 @@ (define (open-unix-domain-socket file)
'&store-connection-error' upon error."
(let ((s (with-fluids ((%default-port-encoding #f))
;; This trick allows use of the `scm_c_read' optimization.
(socket PF_UNIX SOCK_STREAM 0)))
(socket PF_UNIX (logior SOCK_STREAM SOCK_CLOEXEC) 0)))
(a (make-socket-address PF_UNIX file)))
(system-error-to-connection-error file
@ -485,7 +485,7 @@ (define addresses
((ai rest ...)
(let ((s (socket (addrinfo:fam ai)
;; TCP/IP only
SOCK_STREAM IPPROTO_IP)))
(logior SOCK_STREAM SOCK_CLOEXEC) IPPROTO_IP)))
(catch 'system-error
(lambda ()
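Review bot: The new `(logior SOCK_STREAM SOCK_CLOEXEC)` calls in both hunks of guix/store.scm (open-unix-domain-socket and the addrinfo loop in open-inet-socket) carry no comment, so the next reader has to dig up this commit to learn why the flag is there, and the existing `;; TCP/IP only` remark in the second hunk now sits above a line that is mostly about close-on-exec. I would add, above each call, `;; SOCK_CLOEXEC keeps the daemon connection from being inherited by child processes, such as the shell spawned by 'guix shell'.` and move `;; TCP/IP only` next to IPPROTO_IP. Guile appears to define the SOCK_CLOEXEC binding only when the host headers provide it, so on a platform without it these calls would presumably fail with an unbound-variable error rather than silently fall back to a plain socket; probably acceptable for the platforms Guix targets, but worth a line in the commit message or comment if portability matters. Both enclosing definitions start before and continue past their hunks.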


@ -38,6 +38,16 @@ guix shell --bootstrap --pure guile-bootstrap -- guile --version
# Rejecting unsupported packages.
! guix shell -s armhf-linux intelmetool -n
# Test approximately that the child process does not inherit extra file
# descriptors. Ideally we'd check there's nothing more than 0, 1, and 2, but
# we cannot do that because (1) we might be inheriting additional FDs, for
# example due to <https://issues.guix.gnu.org/57567>, and (2) Bash itself
# opens a couple of extra FDs.
initial_fd_list="$(echo /proc/$$/fd/*)"
fd_list="$(guix shell --bootstrap guile-bootstrap -- \
"$SHELL" -c 'echo /proc/$$/fd/*')"
test "$(echo $fd_list | wc -w)" -le "$(echo $initial_fd_list | wc -w)"
# Ignoring unauthorized files.
cat > "$tmpdir/guix.scm" <<EOF
This is a broken guix.scm file.