From 45071fcaa03eafc27352987fa2277b2792725036 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 30 Oct 2014 16:23:34 +0100
Subject: [PATCH] memfd: always create our memfds with CLOEXEC set

We really shouldn't create fds ever that have the flag unset.
---
 src/libsystemd/sd-bus/bus-kernel.c | 2 +-
 src/shared/memfd.c | 2 +-
 src/shared/missing.h | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c
index 032761474..3f8b0ab65 100644
--- a/src/libsystemd/sd-bus/bus-kernel.c
+++ b/src/libsystemd/sd-bus/bus-kernel.c
@@ -1129,7 +1129,7 @@ int bus_kernel_pop_memfd(sd_bus *bus, void **address, size_t *mapped, size_t *al
 if (!g) return -ENOMEM;
- r = memfd_create(g, MFD_ALLOW_SEALING);
+ r = memfd_create(g, MFD_ALLOW_SEALING|MFD_CLOEXEC);
 if (r < 0) return -errno;
diff --git a/src/shared/memfd.c b/src/shared/memfd.c
index 162c12f7a..f3ce8f84d 100644
--- a/src/shared/memfd.c
+++ b/src/shared/memfd.c
@@ -65,7 +65,7 @@ int memfd_new(const char *name) {
 } }
- fd = memfd_create(name, MFD_ALLOW_SEALING);
+ fd = memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC);
 if (fd < 0) return -errno;
diff --git a/src/shared/missing.h b/src/shared/missing.h
index 7725e4729..0d7c55952 100644
--- a/src/shared/missing.h
+++ b/src/shared/missing.h
@@ -74,7 +74,11 @@
 #endif
 #ifndef MFD_ALLOW_SEALING
-#define MFD_ALLOW_SEALING 0x0002ULL
+#define MFD_ALLOW_SEALING 0x0002U
+#endif
+
+#ifndef MFD_CLOEXEC
+#define MFD_CLOEXEC 0x0001U
 #endif
 #ifndef IP_FREEBIND
--
2.30.2
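Review bot: In the `src/libsystemd/sd-bus/bus-kernel.c` hunk the flag expression is written `MFD_ALLOW_SEALING|MFD_CLOEXEC` without spaces, while the same change in `src/shared/memfd.c` uses `MFD_ALLOW_SEALING | MFD_CLOEXEC`. I would use the spaced form at both call sites, `r = memfd_create(g, MFD_ALLOW_SEALING | MFD_CLOEXEC);`, so that a text search for the flag combination finds every place a memfd is created. The body of bus_kernel_pop_memfd() starts and ends outside the hunk.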
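Review bot: memfd_new() in `src/shared/memfd.c` now returns a descriptor with close-on-exec set, and the hunk adds no comment recording that as part of the function's contract. A short comment above the call, such as `/* always CLOEXEC: a caller that hands the fd to an exec'd child must clear FD_CLOEXEC itself */`, would tell callers what to expect and make a later removal of the flag a visible decision. Whether any existing caller relies on inheritance across exec cannot be seen from here; the function starts before and ends after the hunk.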
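Review bot: The `src/shared/missing.h` hunk changes the existing `MFD_ALLOW_SEALING` fallback from `0x0002ULL` to `0x0002U`, which the commit message does not mention, and neither fallback says where its value comes from. These definitions only take effect when the system headers lack the macros, so a value that disagrees with the kernel's would pass the build and silently request the wrong flag at runtime. I would add `/* fallback values; must match <linux/memfd.h>, flags are unsigned int */` above the two `#ifndef` blocks and note the suffix change in the commit message. The surrounding `#ifndef` chain continues outside the hunk.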