lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 11 May 2019 09:40:29 +0100
From:   David Howells <>
To:     Christian Brauner <>
Subject: Re: [PATCH v2 1/2] fs: make all new mount api fds cloexec by default

Christian Brauner <> wrote:

> This makes all file descriptors returned from new syscalls of the new mount
> api cloexec by default.
> From a userspace perspective it is rarely the case that fds are supposed to
> be inherited across exec. Having them not cloexec by default forces
> userspace to remember to pass the <SPECIFIC>_CLOEXEC flag along or to
> invoke fcntl() on the fd to prevent leaking it. And leaking the fd is a
> much bigger issue than forgetting to remove the cloexec flag and failing to
> inherit the fd.
> For old fd types we can't break userspace. But for new ones we should
> whenever reasonable make them cloexec by default (Examples of this policy
> are the new seccomp notify fds and also pidfds.). If userspace wants to
> inherit fds across exec they can remove the O_CLOEXEC flag and so opt in to
> inheritance explicitly.
> This patch also has the advantage that we can get rid of all the special
> flags per file descriptor type for the new mount api. In total this lets us
> remove 4 flags:
> Signed-off-by: Christian Brauner <>

Fine by me.

Reviewed-by: David Howells <>

Powered by blists - more mailing lists