From 7a2acbdc5a9eed7c5dc3fe947f54fbebd89c0892 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Sun, 4 Sep 2022 16:04:31 +0200
Subject: store: Open daemon connections with SOCK_CLOEXEC.

Previously, 'guix shell' for example would leak the socket that's connected to the daemon.

* guix/store.scm (open-unix-domain-socket, open-inet-socket): Pass SOCK_CLOEXEC to 'socket'.
* tests/guix-shell.sh: Add test.
---
 guix/store.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'guix')

diff --git a/guix/store.scm b/guix/store.scm
index e52aa420d9..4d21c5ff1a 100644
--- a/guix/store.scm
+++ b/guix/store.scm
@@ -457,7 +457,7 @@
 '&store-connection-error' upon error."
 (let ((s (with-fluids ((%default-port-encoding #f))
 ;; This trick allows use of the `scm_c_read' optimization.
- (socket PF_UNIX SOCK_STREAM 0)))
+ (socket PF_UNIX (logior SOCK_STREAM SOCK_CLOEXEC) 0)))
 (a (make-socket-address PF_UNIX file)))
 (system-error-to-connection-error file
@@ -485,7 +485,7 @@
 ((ai rest ...)
 (let ((s (socket (addrinfo:fam ai)
 ;; TCP/IP only
- SOCK_STREAM IPPROTO_IP)))
+ (logior SOCK_STREAM SOCK_CLOEXEC) IPPROTO_IP)))
 (catch 'system-error
 (lambda ()
-- 
cgit v1.2.3
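Review bot: The new `SOCK_CLOEXEC` flag has no comment explaining why it is there. In the first hunk (`open-unix-domain-socket`) it sits directly under the existing `scm_c_read` comment, which is about the `%default-port-encoding` binding and not the socket type. In the second hunk (`open-inet-socket`) it sits under `;; TCP/IP only`, which describes only `SOCK_STREAM`. I would add `;; SOCK_CLOEXEC: keep the daemon connection out of exec'd child processes.` above both `socket` calls, so a later edit to the type argument does not silently bring the descriptor leak back. Both procedure bodies start and end outside the hunks, and the test named in the commit message is not part of this view. The flag also covers only sockets created by these two procedures, so any other way of obtaining a daemon port would presumably need the same check.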