From 64afa1aff1cd610d2493f780e2a44b551f668b84 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Sun, 11 Dec 2016 09:30:16 -0800
Subject: libselinux: add O_CLOEXEC

Makes libselinux safer and less likely to leak file descriptors when used as part of a multithreaded program.

Signed-off-by: Nick Kralevich
---
 libselinux/src/deny_unknown.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'libselinux/src/deny_unknown.c')
diff --git a/libselinux/src/deny_unknown.c b/libselinux/src/deny_unknown.c
index c93998a0..77d04e37 100644
--- a/libselinux/src/deny_unknown.c
+++ b/libselinux/src/deny_unknown.c
@@ -21,7 +21,7 @@ int security_deny_unknown(void)
 }
 snprintf(path, sizeof(path), "%s/deny_unknown", selinux_mnt);
- fd = open(path, O_RDONLY);
+ fd = open(path, O_RDONLY | O_CLOEXEC);
 if (fd < 0) return -1;
-- 
cgit v1.2.3
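Review bot: The added `O_CLOEXEC` on the `open()` of `%s/deny_unknown` carries no comment saying why it is there, so a later cleanup could drop the flag without anyone noticing the regression; I would put `/* O_CLOEXEC: keep this selinuxfs fd out of any child another thread fork()+exec()s while it is open */` above the call. Setting the flag in the `open()` itself is the right form, since a separate `fcntl(fd, F_SETFD, FD_CLOEXEC)` would leave a window between the two calls. Unrelated to this change but on the context line just above, the `snprintf()` result is not compared against `sizeof(path)`, so a truncated path would be opened silently; a check such as `if (n < 0 || (size_t)n >= sizeof(path)) return -1;` would close that. The body of `security_deny_unknown` starts and ends outside the hunk, so whether `fd` is closed on every return path cannot be judged from here.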