From 7a2acbdc5a9eed7c5dc3fe947f54fbebd89c0892 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
Date: Sun, 4 Sep 2022 16:04:31 +0200
Subject: store: Open daemon connections with SOCK_CLOEXEC.

Previously, 'guix shell' for example would leak the socket that's
connected to the daemon.

* guix/store.scm (open-unix-domain-socket, open-inet-socket): Pass
SOCK_CLOEXEC to 'socket'.
* tests/guix-shell.sh: Add test.
---
 tests/guix-shell.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'tests')

diff --git a/tests/guix-shell.sh b/tests/guix-shell.sh
index 6340f90574..9a6b055264 100644
--- a/tests/guix-shell.sh
+++ b/tests/guix-shell.sh
@@ -38,6 +38,16 @@ guix shell --bootstrap --pure guile-bootstrap -- guile --version
 # Rejecting unsupported packages.
 ! guix shell -s armhf-linux intelmetool -n
 
+# Test approximately that the child process does not inherit extra file
+# descriptors.  Ideally we'd check there's nothing more than 0, 1, and 2, but
+# we cannot do that because (1) we might be inheriting additional FDs, for
+# example due to <https://issues.guix.gnu.org/57567>, and (2) Bash itself
+# opens a couple of extra FDs.
+initial_fd_list="$(echo /proc/$$/fd/*)"
+fd_list="$(guix shell --bootstrap guile-bootstrap -- \
+		 "$SHELL" -c 'echo /proc/$$/fd/*')"
+test "$(echo $fd_list | wc -w)" -le "$(echo $initial_fd_list | wc -w)"
+
 # Ignoring unauthorized files.
 cat > "$tmpdir/guix.scm" <<EOF
 This is a broken guix.scm file.
-- 
cgit v1.2.3