In addition to the standard O_CLOEXEC flag to open (POSIX.1-2008), all modern POSIX systems implement non-standard syscalls (accept4, dup3 and pipe2) along with the SOCK_CLOEXEC flag, that atomically create file descriptors with the FD_CLOEXEC flag.
A notable exception is Darwin that only implements O_CLOEXEC.
We thus have to support falling back to accept, dup2 and pipe that won't set FD_CLOEXEC or SOCK_CLOEXEC atomically, which creates a time window during which another thread may fork the process before FD_CLOEXEC is set, which will leak the file descriptor to a child process.
This patch introduces a RWLock to prevent fork/exec in such situations.
Follow up of #14672, #14673 and #14675.
Prior art: Go does exactly that.
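The fallback pattern described above, written out as an added C example (not the patch's own code; the lock and function names are hypothetical): the read side of the rwlock brackets the non-atomic pipe() + fcntl(FD_CLOEXEC) pair, fork() takes the write side so it cannot run inside that window, and a small exec probe reports whether a descriptor actually survives into an exec'd child, which is the leak the message describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical lock name; example code, not the patch's own API. */
static pthread_rwlock_t fork_lock = PTHREAD_RWLOCK_INITIALIZER;

/* Fallback for platforms without pipe2(): hold the read side of the lock
 * across pipe() + fcntl(FD_CLOEXEC) so no fork() can slip in between. */
int pipe_cloexec_fallback(int fds[2]) {
    int ret = -1;
    pthread_rwlock_rdlock(&fork_lock);
    if (pipe(fds) == 0) {
        if (fcntl(fds[0], F_SETFD, FD_CLOEXEC) == 0 &&
            fcntl(fds[1], F_SETFD, FD_CLOEXEC) == 0)
            ret = 0;
        else { close(fds[0]); close(fds[1]); }
    }
    pthread_rwlock_unlock(&fork_lock);
    return ret;
}

/* fork() takes the write side: it waits for every in-flight descriptor
 * creation to finish setting FD_CLOEXEC and holds off new ones meanwhile. */
pid_t guarded_fork(void) {
    pthread_rwlock_wrlock(&fork_lock);
    pid_t pid = fork();
    pthread_rwlock_unlock(&fork_lock); /* releases the copied lock in the child too */
    return pid;
}

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}
/* Probe: exec a shell that tries to write to wfd. Returns 1 if the descriptor
 * leaked across exec (the parent reads the child's bytes), 0 if exec closed it. */
int fd_survives_exec(int rfd, int wfd) {
    char cmd[64], buf[16];
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", wfd);
    pid_t pid = guarded_fork();
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)NULL); _exit(127); }
    close(wfd); /* drop the parent's copy so EOF means the child could not write */
    ssize_t n = read(rfd, buf, sizeof buf);
    waitpid(pid, NULL, 0);
    close(rfd);
    return n > 0;
}
```

The probe only checks the close-on-exec outcome; the fork-time race itself is timing dependent and is what the rwlock removes rather than something this snippet reproduces.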