1 files changed, 45 insertions, 0 deletions
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
new file mode 100644
index 0000000..aaaa1e5
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
@@ -0,0 +1,45 @@
+From dca6a89058d818827d6f1c80c9b6abb46002b855 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Fri, 11 Oct 2013 09:55:43 -0400
+Subject: [PATCH 1/2] policycoreutils: make O_CLOEXEC optional
+Various commits in the selinux tree in the current release added O_CLOEXEC
+to open() calls in an attempt to address file descriptor leaks as
+described:
+   http://danwalsh.livejournal.com/53603.html
+However O_CLOEXEC isn't available on all platforms, so make it a
+compile-time option and generate a warning when it is not available.  The
+actual impact of leaking these file descriptors is minimal, though it does
+produce curious AVC Denied messages.
+Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ restorecond/user.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 00a646f..50f3ab6 100644
+--- a/restorecond/user.c
+++ b/restorecond/user.c
+@@ -201,7 +201,13 @@ static int local_server() {
+                        perror("asprintf");
+                return -1;
+        }
+-       int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
+       int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW 
+#ifdef O_CLOEXEC
+                 | O_CLOEXEC
+#else
+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
+#endif
+                 , S_IRUSR | S_IWUSR);
+        if (debug_mode)
+                g_warning ("Lock file: %s", ptr);
+ 
+-- 
+1.7.10.4

diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch new file mode 100644 index 0000000..aaaa1e5 --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
@@ -0,0 +1,45 @@
	1	From dca6a89058d818827d6f1c80c9b6abb46002b855 Mon Sep 17 00:00:00 2001
	2	From: Joe MacDonald <joe.macdonald@windriver.com>
	3	Date: Fri, 11 Oct 2013 09:55:43 -0400
	4	Subject: [PATCH 1/2] policycoreutils: make O_CLOEXEC optional
	5
	6	Various commits in the selinux tree in the current release added O_CLOEXEC
	7	to open() calls in an attempt to address file descriptor leaks as
	8	described:
	9
	10	http://danwalsh.livejournal.com/53603.html
	11
	12	However O_CLOEXEC isn't available on all platforms, so make it a
	13	compile-time option and generate a warning when it is not available. The
	14	actual impact of leaking these file descriptors is minimal, though it does
	15	produce curious AVC Denied messages.
	16
	17	Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
	18
	19	Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
	20	---
	21	restorecond/user.c \| 8 +++++++-
	22	1 file changed, 7 insertions(+), 1 deletion(-)
	23
	24	diff --git a/restorecond/user.c b/restorecond/user.c
	25	index 00a646f..50f3ab6 100644
	26	--- a/restorecond/user.c
	27	+++ b/restorecond/user.c
	28	@@ -201,7 +201,13 @@ static int local_server() {
	29	perror("asprintf");
	30	return -1;
	31	}
	32	- int fd = open(ptr, O_CREAT \| O_WRONLY \| O_NOFOLLOW \| O_CLOEXEC, S_IRUSR \| S_IWUSR);
	33	+ int fd = open(ptr, O_CREAT \| O_WRONLY \| O_NOFOLLOW
	34	+#ifdef O_CLOEXEC
	35	+ \| O_CLOEXEC
	36	+#else
	37	+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
	38	+#endif
	39	+ , S_IRUSR \| S_IWUSR);
	40	if (debug_mode)
	41	g_warning ("Lock file: %s", ptr);
	42
	43	--
	44	1.7.10.4
	45