diff options
Diffstat (limited to 'debian/patches/close_socket_before_scripts.patch')
-rw-r--r-- | debian/patches/close_socket_before_scripts.patch | 112 |
1 files changed, 91 insertions, 21 deletions
diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch index 0b848a0..6e00c00 100644 --- a/debian/patches/close_socket_before_scripts.patch +++ b/debian/patches/close_socket_before_scripts.patch @@ -1,32 +1,102 @@ -Description: Set socket's FD_CLOEXEC flag before calling up script - Moving the set_cloexec() call from link_socket_init_phase2() to - link_socket_init_phase1(). -Author: Julien Cristau <jcristau@debian.org> -Bug-Debian: http://bugs.debian.org/367716 - -Index: openvpn/src/openvpn/socket.c -=================================================================== ---- openvpn.orig/src/openvpn/socket.c 2016-11-21 09:58:03.562096178 +0100 -+++ openvpn/src/openvpn/socket.c 2016-11-21 10:01:20.143091482 +0100 -@@ -1625,6 +1625,10 @@ - } - resolve_remote (sock, 1, NULL, NULL); +--- a/src/openvpn/manage.c ++++ b/src/openvpn/manage.c +@@ -1499,7 +1499,6 @@ man_new_connection_post (struct management *man, const char *description) + struct gc_arena gc = gc_new (); + + set_nonblock (man->connection.sd_cli); +- set_cloexec (man->connection.sd_cli); + + man_connection_settings_reset (man); + +@@ -1640,7 +1639,6 @@ man_listen (struct management *man) + * Set misc socket properties + */ + set_nonblock (man->connection.sd_top); +- set_cloexec (man->connection.sd_top); + + #if UNIX_SOCK_SUPPORT + if (man->settings.flags & MF_UNIX_SOCK) +--- a/src/openvpn/socket.c ++++ b/src/openvpn/socket.c +@@ -771,6 +771,10 @@ create_socket_tcp (struct addrinfo* addrinfo) + } + #endif + ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (sd); ++ + return sd; + } + +@@ -815,6 +819,11 @@ create_socket_udp (struct addrinfo* addrinfo, const unsigned int flags) + } } + #endif + + /* set socket file descriptor to not pass across execs, so that + scripts don't have access to it */ -+ set_cloexec (sock->sd); ++ set_cloexec (sd); ++ + return sd; + } + +@@ -968,6 +977,12 @@ socket_do_accept (socket_descriptor_t sd, + openvpn_close_socket (new_sd); + new_sd = SOCKET_UNDEFINED; + } ++ else ++ { ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (sd); ++ } + return new_sd; } - - static -@@ -1677,10 +1681,6 @@ + +@@ -1617,6 +1632,7 @@ link_socket_init_phase1 (struct link_socket *sock, + ASSERT (sock->info.proto != PROTO_TCP_CLIENT); + ASSERT (socket_defined (inetd_socket_descriptor)); + sock->sd = inetd_socket_descriptor; ++ set_cloexec (sock->sd); /* not created by create_socket*() */ + } + else if (mode != LS_MODE_TCP_ACCEPT_FROM) + { +@@ -1677,13 +1693,6 @@ phase2_set_socket_flags (struct link_socket* sock) /* set socket to non-blocking mode */ set_nonblock (sock->sd); - + - /* set socket file descriptor to not pass across execs, so that - scripts don't have access to it */ - set_cloexec (sock->sd); - - if (socket_defined (sock->ctrl_sd)) - set_cloexec (sock->ctrl_sd); - +- if (socket_defined (sock->ctrl_sd)) +- set_cloexec (sock->ctrl_sd); +- + /* set Path MTU discovery options on the socket */ + set_mtu_discover_type (sock->sd, sock->mtu_discover_type, sock->info.af); + +@@ -3476,6 +3485,11 @@ create_socket_unix (void) + + if ((sd = socket (PF_UNIX, SOCK_STREAM, 0)) < 0) + msg (M_ERR, "Cannot create unix domain socket"); ++ ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (sd); ++ + return sd; + } + +@@ -3516,6 +3530,12 @@ socket_accept_unix (socket_descriptor_t sd, + + CLEAR (*remote); + ret = accept (sd, (struct sockaddr *) remote, &remote_len); ++ if ( ret >= 0 ) ++ { ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (ret); ++ } + return ret; + } |