memfd: always create our memfds with CLOEXEC set

We really shouldn't create fds ever that have the flag unset.

diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c
index 032761474234cfecee05408d66c0d20413148751..3f8b0ab65a5562896a310ae2ad8a37980b93e4fc 100644 (file)
--- a/src/libsystemd/sd-bus/bus-kernel.c
+++ b/src/libsystemd/sd-bus/bus-kernel.c
@@ -1129,7 +1129,7 @@ int bus_kernel_pop_memfd(sd_bus *bus, void **address, size_t *mapped, size_t *al
                 if (!g)
                         return -ENOMEM;
 
-                r = memfd_create(g, MFD_ALLOW_SEALING);
+                r = memfd_create(g, MFD_ALLOW_SEALING|MFD_CLOEXEC);
                 if (r < 0)
                         return -errno;
 

diff --git a/src/shared/memfd.c b/src/shared/memfd.c
index 162c12f7a77e035e472ca4d2bc470c7852e8551c..f3ce8f84da50a9eb0c3ce6c9727f1c2df8033677 100644 (file)
--- a/src/shared/memfd.c
+++ b/src/shared/memfd.c
@@ -65,7 +65,7 @@ int memfd_new(const char *name) {
                 }
         }
 
-        fd = memfd_create(name, MFD_ALLOW_SEALING);
+        fd = memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC);
         if (fd < 0)
                 return -errno;
 

diff --git a/src/shared/missing.h b/src/shared/missing.h
index 7725e4729803e9ed8c7c26561652f4bc918755a7..0d7c55952ee3f885ecf8c0cd3121c1dfd40ce374 100644 (file)
--- a/src/shared/missing.h
+++ b/src/shared/missing.h
@@ -74,7 +74,11 @@
 #endif
 
 #ifndef MFD_ALLOW_SEALING
-#define MFD_ALLOW_SEALING 0x0002ULL
+#define MFD_ALLOW_SEALING 0x0002U
+#endif
+
+#ifndef MFD_CLOEXEC
+#define MFD_CLOEXEC 0x0001U
 #endif
 
 #ifndef IP_FREEBIND