diff --git a/configure b/configure
index dcb9f06..bdc7ba7 100755
--- a/configure
+++ b/configure
@@ -4753,7 +4753,7 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
-for ac_func in gettimeofday select socket strerror strtol uname
+for ac_func in gettimeofday select socket strerror strtol uname pipe2
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.in b/configure.in
index 8aba44a..808401c 100644
--- a/configure.in
+++ b/configure.in
@@ -303,7 +303,7 @@ dnl ----[ Checks for library functions ]----
AC_PROG_GCC_TRADITIONAL
AC_FUNC_MEMCMP
AC_TYPE_SIGNAL
-AC_CHECK_FUNCS(gettimeofday select socket strerror strtol uname)
+AC_CHECK_FUNCS(gettimeofday select socket strerror strtol uname pipe2)
dnl ----[ Process output target ]----
OUTPUT_TARGET="$OUTPUT_TARGET keepalived/Makefile lib/Makefile"
diff --git a/genhash/layer4.c b/genhash/layer4.c
index ba7b05b..bdf3580 100644
--- a/genhash/layer4.c
+++ b/genhash/layer4.c
@@ -231,18 +231,18 @@ tcp_connect_thread(thread_t * thread)
if(req->dst){
if(req->dst->ai_family == AF_INET6) {
- if ((sock_obj->fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ if ((sock_obj->fd = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
DBG("WEB connection fail to create socket.\n");
return 0;
}
} else {
- if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
DBG("WEB connection fail to create socket.\n");
return 0;
}
}
} else {
- if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
DBG("WEB connection fail to create socket.\n");
return 0;
}
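Review bot: `SOCK_CLOEXEC` is OR-ed into the socket type unconditionally in all three `socket()` calls here, while `pipe2` gets a configure probe in the same commit. On a libc that lacks the macro this will not compile, and on a kernel that predates the flag `socket()` fails with EINVAL, leaving only the generic "fail to create socket" debug line as a trace. A small wrapper that falls back to `fcntl(F_SETFD)` would keep the descriptors out of exec'd children either way. The same applies to the socket() hunks in check_http.c, check_smtp.c, check_tcp.c, core/smtp.c, libipvs.c, vrrp.c, vrrp_arp.c, vrrp_if.c, vrrp_ndisc.c and vrrp_netlink.c. tcp_connect_thread starts and ends outside the hunk.

```c
/* Create a socket that is closed on exec(); falls back to fcntl()
 * when SOCK_CLOEXEC is missing at build time or rejected at run time. */
static int
socket_cloexec(int family, int type, int proto)
{
	int fd, flags;

#ifdef SOCK_CLOEXEC
	fd = socket(family, type | SOCK_CLOEXEC, proto);
	if (fd != -1 || errno != EINVAL)
		return fd;
#endif
	fd = socket(family, type, proto);
	if (fd == -1)
		return -1;
	flags = fcntl(fd, F_GETFD);
	if (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) {
		close(fd);
		return -1;
	}
	return fd;
}

/* … unchanged: req->dst / ai_family branching in tcp_connect_thread … */
	if ((sock_obj->fd = socket_cloexec(AF_INET6, SOCK_STREAM, IPPROTO_TCP)) == -1) {
```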
diff --git a/keepalived/check/check_http.c b/keepalived/check/check_http.c
index 18431f9..830f05b 100644
--- a/keepalived/check/check_http.c
+++ b/keepalived/check/check_http.c
@@ -869,7 +869,7 @@ http_connect_thread(thread_t * thread)
}
/* Create the socket */
- if ((fd = socket(co->dst.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ if ((fd = socket(co->dst.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
log_message(LOG_INFO, "WEB connection fail to create socket. Rescheduling.");
thread_add_timer(thread->master, http_connect_thread, checker,
checker->vs->delay_loop);
diff --git a/keepalived/check/check_misc.c b/keepalived/check/check_misc.c
index 53e08e9..1f8ad19 100644
--- a/keepalived/check/check_misc.c
+++ b/keepalived/check/check_misc.c
@@ -150,7 +150,6 @@ misc_check_thread(thread_t * thread)
/* Child part */
signal_handler_destroy();
- closeall(0);
open("/dev/null", O_RDWR);
ret = dup(0);
diff --git a/keepalived/check/check_smtp.c b/keepalived/check/check_smtp.c
index a52b755..1baaacf 100644
--- a/keepalived/check/check_smtp.c
+++ b/keepalived/check/check_smtp.c
@@ -774,7 +774,7 @@ smtp_connect_thread(thread_t *thread)
smtp_host = smtp_checker->host_ptr;
/* Create the socket, failling here should be an oddity */
- if ((sd = socket(smtp_host->dst.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ if ((sd = socket(smtp_host->dst.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
log_message(LOG_INFO, "SMTP_CHECK connection failed to create socket. Rescheduling.");
thread_add_timer(thread->master, smtp_connect_thread, checker,
checker->vs->delay_loop);
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index aa19011..2035a67 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -199,8 +199,11 @@ ssl_connect(thread_t * thread, int new_req)
/* First round, create SSL context */
if (new_req) {
+ int bio_fd;
req->ssl = SSL_new(check_data->ssl->ctx);
req->bio = BIO_new_socket(thread->u.fd, BIO_NOCLOSE);
+ BIO_get_fd(req->bio, &bio_fd);
+ fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC);
SSL_set_bio(req->ssl, req->bio, req->bio);
}
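Review bot: `bio_fd` is passed to `fcntl()` without being initialised and without checking `BIO_new_socket()` or `BIO_get_fd()`, so if the BIO could not be created the flag is presumably applied to an arbitrary descriptor number. The inner `fcntl(bio_fd, F_GETFD)` can also return -1, which is then OR-ed straight into the flag word. Since the BIO is built from `thread->u.fd` one line earlier, the lookup is unnecessary: `int flags = fcntl(thread->u.fd, F_GETFD);` followed by `if (flags != -1) fcntl(thread->u.fd, F_SETFD, flags | FD_CLOEXEC);`. If that descriptor always comes from the `socket(... | SOCK_CLOEXEC ...)` call in http_connect_thread, the whole step may be redundant, which is worth confirming. ssl_connect continues outside the hunk.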
diff --git a/keepalived/check/check_tcp.c b/keepalived/check/check_tcp.c
index b941ab2..c595935 100644
--- a/keepalived/check/check_tcp.c
+++ b/keepalived/check/check_tcp.c
@@ -131,7 +131,7 @@ tcp_connect_thread(thread_t * thread)
return 0;
}
- if ((fd = socket(co->dst.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ if ((fd = socket(co->dst.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
log_message(LOG_INFO, "TCP connect fail to create socket. Rescheduling.");
thread_add_timer(thread->master, tcp_connect_thread, checker,
checker->vs->delay_loop);
diff --git a/keepalived/core/smtp.c b/keepalived/core/smtp.c
index 6b1cf7e..34bb126 100644
--- a/keepalived/core/smtp.c
+++ b/keepalived/core/smtp.c
@@ -560,7 +560,7 @@ smtp_connect(smtp_t * smtp)
{
enum connect_result status;
- if ((smtp->fd = socket(global_data->smtp_server.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ if ((smtp->fd = socket(global_data->smtp_server.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
DBG("SMTP connect fail to create socket.");
free_smtp_all(smtp);
return;
diff --git a/keepalived/libipvs-2.4/libipvs.c b/keepalived/libipvs-2.4/libipvs.c
index be0329e..ff95e8c 100644
--- a/keepalived/libipvs-2.4/libipvs.c
+++ b/keepalived/libipvs-2.4/libipvs.c
@@ -35,7 +35,7 @@ int ipvs_init(void)
socklen_t len;
len = sizeof(ipvs_info);
- if ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
+ if ((sockfd = socket(AF_INET, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW)) == -1)
return -1;
ipvs_cmd = GET_CMD(IP_VS_SO_GET_INFO);
diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c
index 2d41ae2..0133ff5 100644
--- a/keepalived/vrrp/vrrp.c
+++ b/keepalived/vrrp/vrrp.c
@@ -1073,7 +1073,7 @@ open_vrrp_send_socket(sa_family_t family, int proto, int idx, int unicast)
ifp = if_get_by_ifindex(idx);
/* Create and init socket descriptor */
- fd = socket(family, SOCK_RAW, proto);
+ fd = socket(family, SOCK_RAW | SOCK_CLOEXEC, proto);
if (fd < 0) {
log_message(LOG_INFO, "cant open raw socket. errno=%d", errno);
return -1;
@@ -1119,7 +1119,7 @@ open_vrrp_socket(sa_family_t family, int proto, int idx, int unicast)
ifp = if_get_by_ifindex(idx);
/* open the socket */
- fd = socket(family, SOCK_RAW, proto);
+ fd = socket(family, SOCK_RAW | SOCK_CLOEXEC, proto);
if (fd < 0) {
int err = errno;
log_message(LOG_INFO, "cant open raw socket. errno=%d", err);
diff --git a/keepalived/vrrp/vrrp_arp.c b/keepalived/vrrp/vrrp_arp.c
index e53b9d7..58116a9 100644
--- a/keepalived/vrrp/vrrp_arp.c
+++ b/keepalived/vrrp/vrrp_arp.c
@@ -98,7 +98,7 @@ void gratuitous_arp_init(void)
garp_buffer = (char *)MALLOC(sizeof(arphdr_t) + ETHER_HDR_LEN);
/* Create the socket descriptor */
- garp_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_RARP));
+ garp_fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, htons(ETH_P_RARP));
if (garp_fd > 0)
log_message(LOG_INFO, "Registering gratuitous ARP shared channel");
diff --git a/keepalived/vrrp/vrrp_if.c b/keepalived/vrrp/vrrp_if.c
index 4bb2356..3b3209d 100644
--- a/keepalived/vrrp/vrrp_if.c
+++ b/keepalived/vrrp/vrrp_if.c
@@ -190,7 +190,7 @@ if_mii_probe(const char *ifname)
{
uint16_t *data = (uint16_t *) (&ifr.ifr_data);
int phy_id;
- int fd = socket(AF_INET, SOCK_DGRAM, 0);
+ int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
int status = 0;
if (fd < 0)
@@ -239,7 +239,7 @@ if_ethtool_status(const int fd)
int
if_ethtool_probe(const char *ifname)
{
- int fd = socket(AF_INET, SOCK_DGRAM, 0);
+ int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
int status = 0;
if (fd < 0)
@@ -255,7 +255,7 @@ if_ethtool_probe(const char *ifname)
void
if_ioctl_flags(interface_t * ifp)
{
- int fd = socket(AF_INET, SOCK_DGRAM, 0);
+ int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (fd < 0)
return;
diff --git a/keepalived/vrrp/vrrp_ndisc.c b/keepalived/vrrp/vrrp_ndisc.c
index 1399095..84e77be 100644
--- a/keepalived/vrrp/vrrp_ndisc.c
+++ b/keepalived/vrrp/vrrp_ndisc.c
@@ -187,7 +187,7 @@ ndisc_init(void)
sizeof(struct ndhdr) + sizeof(struct nd_opt_hdr) + ETH_ALEN);
/* Create the socket descriptor */
- ndisc_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IPV6));
+ ndisc_fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, htons(ETH_P_IPV6));
}
void
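Review bot: The result of `socket()` is stored in `ndisc_fd` and the function ends on the next line without testing it, and the added `SOCK_CLOEXEC` flag gives the call one more way to fail (EINVAL on kernels that do not know the flag). A failure would then presumably only surface later, when something tries to send on the descriptor. Suggest `if (ndisc_fd < 0) log_message(LOG_INFO, "ndisc: cannot open raw socket. errno=%d", errno);` right after the call, in line with the logging in open_vrrp_socket. The start of ndisc_init is outside the hunk.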
diff --git a/keepalived/vrrp/vrrp_netlink.c b/keepalived/vrrp/vrrp_netlink.c
index d7adffa..f73810e 100644
--- a/keepalived/vrrp/vrrp_netlink.c
+++ b/keepalived/vrrp/vrrp_netlink.c
@@ -56,7 +56,7 @@ netlink_socket(nl_handle_t *nl, unsigned long groups)
memset(nl, 0, sizeof (*nl));
- nl->fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+ nl->fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
if (nl->fd < 0) {
log_message(LOG_INFO, "Netlink: Cannot open netlink socket : (%s)",
strerror(errno));
diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c
index 10d9539..05dd1d8 100644
--- a/keepalived/vrrp/vrrp_scheduler.c
+++ b/keepalived/vrrp/vrrp_scheduler.c
@@ -983,7 +983,6 @@ vrrp_script_thread(thread_t * thread)
/* Child part */
signal_handler_destroy();
- closeall(0);
open("/dev/null", O_RDWR);
ret = dup(0);
if (ret < 0) {
diff --git a/lib/notify.c b/lib/notify.c
index 80cc91e..188423d 100644
--- a/lib/notify.c
+++ b/lib/notify.c
@@ -48,15 +48,6 @@ system_call(char *cmdline)
return retval;
}
-/* Close all FDs >= a specified value */
-void
-closeall(int fd)
-{
- int fdlimit = sysconf(_SC_OPEN_MAX);
- while (fd < fdlimit)
- close(fd++);
-}
-
/* Execute external script/program */
int
notify_exec(char *cmd)
@@ -77,7 +68,6 @@ notify_exec(char *cmd)
return 0;
signal_handler_destroy();
- closeall(0);
open("/dev/null", O_RDWR);
diff --git a/lib/notify.h b/lib/notify.h
index a17cb75..9b81da1 100644
--- a/lib/notify.h
+++ b/lib/notify.h
@@ -25,7 +25,6 @@
/* system includes */
extern int system_call(char *cmdline);
-extern void closeall(int fd);
extern int notify_exec(char *cmd);
#endif
diff --git a/lib/signals.c b/lib/signals.c
index 983c71d..5eb1ee3 100644
--- a/lib/signals.c
+++ b/lib/signals.c
@@ -125,12 +125,21 @@ signal_ignore(int signo)
void
signal_handler_init(void)
{
- int n = pipe(signal_pipe);
- assert(!n);
+ int n;
+#ifdef HAVE_PIPE2
+ n = pipe2(signal_pipe, O_CLOEXEC | O_NONBLOCK);
+#else
+ n = pipe(signal_pipe);
+
fcntl(signal_pipe[0], F_SETFL, O_NONBLOCK | fcntl(signal_pipe[0], F_GETFL));
fcntl(signal_pipe[1], F_SETFL, O_NONBLOCK | fcntl(signal_pipe[1], F_GETFL));
-
+
+ fcntl(signal_pipe[0], F_SETFD, FD_CLOEXEC | fcntl(signal_pipe[0], F_GETFD));
+ fcntl(signal_pipe[1], F_SETFD, FD_CLOEXEC | fcntl(signal_pipe[1], F_GETFD));
+#endif
+ assert(!n);
+
signal_SIGHUP_handler = NULL;
signal_SIGINT_handler = NULL;
signal_SIGTERM_handler = NULL;
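Review bot: The `#else` fallback ignores the result of all four `fcntl()` calls, and `assert(!n)` is the only check on `pipe()`/`pipe2()`, which disappears in an NDEBUG build. Because this commit also drops `closeall(0)` from the fork paths in check_misc.c, vrrp_scheduler.c and notify.c, close-on-exec is now the only thing keeping the signal pipe out of check and notify scripts. A failure here should therefore be explicit, for example `if (n < 0) { log_message(LOG_INFO, "signal pipe: %s", strerror(errno)); exit(1); }` (assuming the logger is reachable from lib/signals.c). The same removal means any descriptor opened elsewhere without the flag is now inherited by those scripts, so the remaining open()/accept() call sites, which this diff does not show, are worth auditing. The later hunk also stops `signal_handler_destroy()` from closing the pipe, so a second `signal_handler_init()` in the same process would presumably leak the previous pair.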
@@ -172,10 +181,6 @@ void
signal_handler_destroy(void)
{
signal_wait_handlers();
- close(signal_pipe[1]);
- close(signal_pipe[0]);
- signal_pipe[1] = -1;
- signal_pipe[0] = -1;
}
int