From 671638f00ee385dce6eee129d08a509cc7a1b702 Mon Sep 17 00:00:00 2001
From: vbot <vincent.botbol@nomadic-labs.com>
Date: Wed, 19 Jul 2023 13:12:50 +0200
Subject: [PATCH 1/2] Events: add cloexec flags to fdsinks

---
 src/lib_base/unix/file_descriptor_sink.ml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib_base/unix/file_descriptor_sink.ml b/src/lib_base/unix/file_descriptor_sink.ml
index 6cae731244b2..fcb63c38b4f1 100644
--- a/src/lib_base/unix/file_descriptor_sink.ml
+++ b/src/lib_base/unix/file_descriptor_sink.ml
@@ -480,7 +480,7 @@ end) : Internal_event.SINK with type t = t = struct
               Lwt_result.ok
               @@ Lwt_unix.(
                    let flags =
-                     [O_WRONLY; O_CREAT]
+                     [O_WRONLY; O_CREAT; O_CLOEXEC]
                      @ if fresh then [O_TRUNC] else [O_APPEND]
                    in
                    let*! fd = openfile fixed_path flags rights in
@@ -566,7 +566,7 @@ end) : Internal_event.SINK with type t = t = struct
                 protect (fun () ->
                     Lwt_result.ok
                     @@ Lwt_unix.(
-                         let flags = [O_WRONLY; O_CREAT; O_APPEND] in
+                         let flags = [O_WRONLY; O_CREAT; O_APPEND; O_CLOEXEC] in
                          openfile path flags rights))
               in
               current := {fd; day = today} ;
-- 
GitLab


From 87f0197f471ac10f86e39da339b08bce80609b8d Mon Sep 17 00:00:00 2001
From: vbot <vincent.botbol@nomadic-labs.com>
Date: Wed, 19 Jul 2023 13:58:53 +0200
Subject: [PATCH 2/2] Base: add cloexec flag in syslog

---
 src/lib_base/unix/syslog.ml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib_base/unix/syslog.ml b/src/lib_base/unix/syslog.ml
index 69c6aeffe187..94c70d0457bf 100644
--- a/src/lib_base/unix/syslog.ml
+++ b/src/lib_base/unix/syslog.ml
@@ -169,9 +169,9 @@ let open_fd path =
   | Unix.S_SOCK ->
       let logaddr = Unix.ADDR_UNIX path in
       let fd =
-        try Lwt_unix.socket Unix.PF_UNIX SOCK_DGRAM 0
+        try Lwt_unix.socket ~cloexec:true Unix.PF_UNIX SOCK_DGRAM 0
         with Unix.Unix_error (Unix.EPROTOTYPE, _, _) ->
-          Lwt_unix.socket Unix.PF_UNIX SOCK_STREAM 0
+          Lwt_unix.socket ~cloexec:true Unix.PF_UNIX SOCK_STREAM 0
       in
       let* () =
         Lwt.catch
@@ -188,7 +188,7 @@ let open_fd path =
             | exn -> raise exn)
       in
       Lwt.return fd
-  | Unix.S_FIFO -> Lwt_unix.openfile path [Unix.O_WRONLY] 0o666
+  | Unix.S_FIFO -> Lwt_unix.openfile path [Unix.O_WRONLY; O_CLOEXEC] 0o666
   | _ -> raise (Syslog_error "invalid log path, not a socket or pipe")
 
 (* Write the whole contents of a string on the given file
-- 
GitLab