4 files changed, 7 insertions, 4 deletions

diff --git a/clatd.c b/clatd.c
index 94a0f06..06ca799 100644
--- a/clatd.c
+++ b/clatd.c
@@ -231,7 +231,7 @@ void drop_root_but_keep_caps() {
  *   mark - the socket mark to use for the sending raw socket
  */
 void open_sockets(struct tun_data *tunnel, uint32_t mark) {
-  int rawsock = socket(AF_INET6, SOCK_RAW | SOCK_NONBLOCK, IPPROTO_RAW);
+  int rawsock = socket(AF_INET6, SOCK_RAW | SOCK_NONBLOCK | SOCK_CLOEXEC, IPPROTO_RAW);
   if (rawsock < 0) {
     logmsg(ANDROID_LOG_FATAL, "raw socket failed: %s", strerror(errno));
     exit(1);
diff --git a/config.c b/config.c
index 5a9d599..f84a61f 100644
--- a/config.c
+++ b/config.c
@@ -227,7 +227,7 @@ void gen_random_iid(struct in6_addr *myaddr, struct in_addr *ipv4_local_subnet,
 
 // Factored out to a separate function for testability.
 int connect_is_ipv4_address_free(in_addr_t addr) {
-  int s = socket(AF_INET, SOCK_DGRAM, 0);
+  int s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
   if (s == -1) {
     return 0;
   }
diff --git a/mtu.c b/mtu.c
index 567d177..472bd4e 100644
--- a/mtu.c
+++ b/mtu.c
@@ -22,6 +22,7 @@
 #include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <sys/types.h>
+#include <unistd.h>
 
 #include "mtu.h"
 
@@ -33,14 +34,16 @@ int getifmtu(const char *ifname) {
   int fd;
   struct ifreq if_mtu;
 
-  fd = socket(AF_INET, SOCK_STREAM, 0);
+  fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
   if (fd < 0) {
     return -1;
   }
   strncpy(if_mtu.ifr_name, ifname, IFNAMSIZ);
   if_mtu.ifr_name[IFNAMSIZ - 1] = '\0';
   if (ioctl(fd, SIOCGIFMTU, &if_mtu) < 0) {
+    close(fd);
     return -1;
   }
+  close(fd);
   return if_mtu.ifr_mtu;
 }
diff --git a/ring.c b/ring.c
index 61d40d2..e836a55 100644
--- a/ring.c
+++ b/ring.c
@@ -30,7 +30,7 @@
 #include "tun.h"
 
 int ring_create(struct tun_data *tunnel) {
-  int packetsock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_IPV6));
+  int packetsock = socket(AF_PACKET, SOCK_DGRAM | SOCK_CLOEXEC, htons(ETH_P_IPV6));
   if (packetsock < 0) {
     logmsg(ANDROID_LOG_FATAL, "packet socket failed: %s", strerror(errno));
     return -1;