The following patch for devfsd.c makes it close the .devfsd file on exec.
At the moment the only problem that the open file handle causes is that it's
against my security policy for the domain insmod_t to read devfs_t domain
character devices. But there could be more serious issues that I haven't
considered.
@@ -557,6 +561,8 @@
fprintf (stderr, "Error opening file: \".devfsd\"\t%s\n", ERRSTRING);
exit (1);
}
+ if(fcntl(fd, F_SETFD, FD_CLOEXEC))
+ fprintf(stderr, "Error setting close on exec for .devfsd\n");
if (ioctl (fd, DEVFSDIOC_GET_PROTO_REV, &proto_rev) != 0)
{
fprintf (stderr, "Error getting protocol revision\t%s\n", ERRSTRING);
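Review bot: the new `if(fcntl(fd, F_SETFD, FD_CLOEXEC))` branch only prints a warning and carries on, whereas every other error path in this function (the open failure just above, the ioctl failure just below) reports ERRSTRING and calls exit (1); since the whole point of the change is that the descriptor must not survive into exec'd children, a failure here leaves exactly the leak the patch is meant to close, so it should be fatal and should include the errno text, e.g. `fprintf (stderr, "Error setting close-on-exec on \".devfsd\"\t%s\n", ERRSTRING); exit (1);`. Two smaller points: the added lines use `if(fcntl(` while the surrounding code writes `if (ioctl (fd, ...)` with a space before each parenthesis, and F_SETFD replaces the descriptor flags outright rather than OR-ing FD_CLOEXEC into the result of F_GETFD; that is harmless on a freshly opened fd, but worth a comment so nobody later moves the call after other flags are set.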
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
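To make concrete what the one-line fcntl change buys, here is an added example (mine, not code from devfsd or from the patch above) that opens a scratch file, execs /bin/sh and has the shell try to write to the inherited descriptor number, first without and then with FD_CLOEXEC set. The assumed environment is a POSIX system with /bin/sh and a writable /tmp; the function names and the scratch-file path are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open an anonymous scratch file (created under /tmp and unlinked at once).
   mkstemp() does not set FD_CLOEXEC, so the fd starts out inheritable. */
int open_scratch(void)
{
    char path[] = "/tmp/cloexec-demo-XXXXXX";   /* assumed writable */
    int fd = mkstemp(path);
    if (fd >= 0)
        unlink(path);
    return fd;
}

/* Return 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC without clobbering any other descriptor flags.
   Returns 0 on success, -1 on failure (errno set by fcntl). */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh with a command that tries to write through the
   inherited descriptor number.  If the shell can do so its exit status is 0,
   meaning the fd leaked across exec; a closed fd makes the redirection fail.
   Returns 1 if leaked, 0 if closed across exec, -1 on fork/exec/wait error. */
int fd_leaks_across_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;                   /* could not run /bin/sh at all */
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Whole demonstration as one checkable result: 0 means the fd leaked before
   FD_CLOEXEC was set and was closed in the child afterwards; other values
   identify which step did not behave as expected. */
int demo_cloexec(void)
{
    int fd = open_scratch();
    if (fd < 0)
        return 1;
    if (is_cloexec(fd) != 0)
        return 2;
    if (fd_leaks_across_exec(fd) != 1)
        return 3;                    /* expected the leak before the fix */
    if (set_cloexec(fd) != 0)
        return 4;
    if (is_cloexec(fd) != 1)
        return 5;
    if (fd_leaks_across_exec(fd) != 0)
        return 6;                    /* expected the fd to be gone after exec */
    close(fd);
    return 0;
}

int main(void)
{
    int rc = demo_cloexec();
    printf("close-on-exec demo: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The child-side check is deliberately done by an exec'd shell rather than by inspecting flags in the parent: FD_CLOEXEC is a per-descriptor flag that only takes effect at execve(2), so a test that never execs would not distinguish the patched from the unpatched behaviour. The same leak applies to anything devfsd spawns, which is why the descriptor in the patch above is the right place to set the flag.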