file-systems: Open files with O_CLOEXEC.

Since this code is run from PID 1, this ensures file descriptors to sensitive files and devices are not accidentally leaked to sub-processes. * gnu/build/file-systems.scm (call-with-input-file): New procedure. (mount-file-system): Use 'close-fdes' + 'open-fdes'.
2025-01-12 14:16:55 -05:00 · 2022-09-08 14:30:19 +02:00 · 2022-09-08 14:30:19 +02:00 · e05f7c55d7
commit e05f7c55d7
parent 8f53630f2f
1 changed files with 14 additions and 1 deletions
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@ -98,6 +98,18 @@ (define (system*/tty program . args)
             system*/console)
         program args))

+(define (call-with-input-file file proc)
+  "Like 'call-with-input-file', but pass O_CLOEXEC."
+  (let ((port #f))
+    (dynamic-wind
+      (lambda ()
+        (set! port (open file (logior O_RDONLY O_CLOEXEC))))
+      (lambda ()
+        (proc port))
+      (lambda ()
+        (close-port port)
+        (set! port #f)))))
+
 (define (bind-mount source target)
  "Bind-mount SOURCE at TARGET."
  (mount source target "" MS_BIND))
@ -1183,7 +1195,8 @@ (define (mount-nfs source mount-point type flags options)
                 (not (file-is-directory? source)))
            (unless (file-exists? target)
              (mkdir-p (dirname target))
-              (call-with-output-file target (const #t)))
+              (close-fdes
+               (open-fdes target (logior O_WRONLY O_CREAT O_CLOEXEC))))
            (mkdir-p target))

        (cond