Use O_CLOEXEC instead of fcntl(FD_CLOEXEC)

O_CLOEXEC avoids a race condition and is less code. It was supported in Linux starting 2.6.23. https://bugs.python.org/issue26343#msg260151 says it's been available since macOS 10.7. Let's try using it instead of fcntl and see if anything breaks. It's even part of POSIX these days. Update-Note: BoringSSL's /dev/urandom code now assumes the platform supports O_CLOEXEC. Change-Id: I95313892b36539591685d4c83a387f77129ad3d1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/54125 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
2 years ago · 4ff604e98f
parent 779f7d0840
commit 4ff604e98f
1 changed files with 1 additions and 15 deletions
--- a/crypto/fipsmodule/rand/urandom.c
+++ b/crypto/fipsmodule/rand/urandom.c
@ -198,7 +198,7 @@ static void init_once(void) {

  int fd;
  do {
-    fd = open("/dev/urandom", O_RDONLY);
+    fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  } while (fd == -1 && errno == EINTR);

  if (fd < 0) {
@ -206,20 +206,6 @@ static void init_once(void) {
    abort();
  }

-  int flags = fcntl(fd, F_GETFD);
-  if (flags == -1) {
-    // Native Client doesn't implement |fcntl|.
-    if (errno != ENOSYS) {
-      perror("failed to get flags from urandom fd");
-      abort();
-    }
-  } else {
-    flags |= FD_CLOEXEC;
-    if (fcntl(fd, F_SETFD, flags) == -1) {
-      perror("failed to set FD_CLOEXEC on urandom fd");
-      abort();
-    }
-  }
  *urandom_fd_bss_get() = fd;
 }