libselinux: add O_CLOEXEC

Makes libselinux safer and less likely to leak file descriptors when
used as part of a multithreaded program.

Signed-off-by: Nick Kralevich <nnk@google.com>

libselinux/src/audit2why.c

@@ -201,7 +201,7 @@ static int __policy_init(const char *init_path)
 	path[PATH_MAX-1] = '\0';
 	if (init_path) {
 		strncpy(path, init_path, PATH_MAX-1);
-		fp = fopen(path, "r");
+		fp = fopen(path, "re");
 		if (!fp) {
 			snprintf(errormsg, sizeof(errormsg), 
 				 "unable to open %s:  %s\n",
@@ -218,7 +218,7 @@ static int __policy_init(const char *init_path)
 			PyErr_SetString( PyExc_ValueError, errormsg);
 			return 1;
 		}
-		fp = fopen(curpolicy, "r");
+		fp = fopen(curpolicy, "re");
 		if (!fp) {
 			snprintf(errormsg, sizeof(errormsg), 
 				 "unable to open %s:  %s\n",

libselinux/src/booleans.c

@@ -97,7 +97,7 @@ char *selinux_boolean_sub(const char *name)
 	if (!name)
 		return NULL;
 
-	cfg = fopen(selinux_booleans_subs_path(), "r");
+	cfg = fopen(selinux_booleans_subs_path(), "re");
 	if (!cfg)
 		goto out;
 
@@ -210,7 +210,7 @@ static int get_bool_value(const char *name, char **buf)
 
 	(*buf)[STRBUF_SIZE] = 0;
 
-	fd = bool_open(name, O_RDONLY);
+	fd = bool_open(name, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		goto out_err;
 
@@ -274,7 +274,7 @@ int security_set_boolean(const char *name, int value)
 		return -1;
 	}
 
-	fd = bool_open(name, O_WRONLY);
+	fd = bool_open(name, O_WRONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 
@@ -305,7 +305,7 @@ int security_commit_booleans(void)
 	}
 
 	snprintf(path, sizeof path, "%s/commit_pending_bools", selinux_mnt);
-	fd = open(path, O_WRONLY);
+	fd = open(path, O_WRONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 
@@ -411,7 +411,7 @@ static int save_booleans(size_t boolcnt, SELboolean * boollist)
 
 	snprintf(local_bool_file, sizeof(local_bool_file), "%s.local",
 		 bool_file);
-	boolf = fopen(local_bool_file, "r");
+	boolf = fopen(local_bool_file, "re");
 	if (boolf != NULL) {
 		ssize_t ret;
 		size_t size = 0;
@@ -530,7 +530,7 @@ int security_load_booleans(char *path)
 	int val;
 	char name[BUFSIZ];
 
-	boolf = fopen(path ? path : selinux_booleans_path(), "r");
+	boolf = fopen(path ? path : selinux_booleans_path(), "re");
 	if (boolf == NULL)
 		goto localbool;
 
@@ -548,7 +548,7 @@ int security_load_booleans(char *path)
       localbool:
 	snprintf(localbools, sizeof(localbools), "%s.local",
 		 (path ? path : selinux_booleans_path()));
-	boolf = fopen(localbools, "r");
+	boolf = fopen(localbools, "re");
 
 	if (boolf != NULL) {
 		int ret;

libselinux/src/canonicalize_context.c

@@ -23,7 +23,7 @@ int security_canonicalize_context_raw(const char * con,
 	}
 
 	snprintf(path, sizeof path, "%s/context", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/check_context.c

@@ -20,7 +20,7 @@ int security_check_context_raw(const char * con)
 	}
 
 	snprintf(path, sizeof path, "%s/context", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/compute_av.c

@@ -27,7 +27,7 @@ int security_compute_av_flags_raw(const char * scon,
 	}
 
 	snprintf(path, sizeof path, "%s/access", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/compute_create.c

@@ -65,7 +65,7 @@ int security_compute_create_name_raw(const char * scon,
 	}
 
 	snprintf(path, sizeof path, "%s/create", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/compute_member.c

@@ -26,7 +26,7 @@ int security_compute_member_raw(const char * scon,
 	}
 
 	snprintf(path, sizeof path, "%s/member", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/compute_relabel.c

@@ -26,7 +26,7 @@ int security_compute_relabel_raw(const char * scon,
 	}
 
 	snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/compute_user.c

@@ -25,7 +25,7 @@ int security_compute_user_raw(const char * scon,
 	}
 
 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/deny_unknown.c

@@ -21,7 +21,7 @@ int security_deny_unknown(void)
 	}
 
 	snprintf(path, sizeof(path), "%s/deny_unknown", selinux_mnt);
-	fd = open(path, O_RDONLY);
+	fd = open(path, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/disable.c

@@ -21,7 +21,7 @@ int security_disable(void)
 	}
 
 	snprintf(path, sizeof path, "%s/disable", selinux_mnt);
-	fd = open(path, O_WRONLY);
+	fd = open(path, O_WRONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/enabled.c

@@ -36,7 +36,7 @@ int is_selinux_mls_enabled(void)
 		return enabled;
 
 	snprintf(path, sizeof path, "%s/mls", selinux_mnt);
-	fd = open(path, O_RDONLY);
+	fd = open(path, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		return enabled;
 

libselinux/src/get_context_list.c

@@ -275,7 +275,7 @@ static int get_failsafe_context(const char *user, char ** newcon)
 	size_t plen, nlen;
 	int rc;
 
-	fp = fopen(selinux_failsafe_context_path(), "r");
+	fp = fopen(selinux_failsafe_context_path(), "re");
 	if (!fp)
 		return -1;
 
@@ -437,7 +437,7 @@ int get_ordered_context_list(const char *user,
 	if (!fname)
 		goto failsafe;
 	snprintf(fname, fname_len, "%s%s", user_contexts_path, user);
-	fp = fopen(fname, "r");
+	fp = fopen(fname, "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
 		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
@@ -451,7 +451,7 @@ int get_ordered_context_list(const char *user,
 		}
 	}
 	free(fname);
-	fp = fopen(selinux_default_context_path(), "r");
+	fp = fopen(selinux_default_context_path(), "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
 		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,

libselinux/src/get_default_type.c

@@ -11,7 +11,7 @@ int get_default_type(const char *role, char **type)
 {
 	FILE *fp = NULL;
 
-	fp = fopen(selinux_default_type_path(), "r");
+	fp = fopen(selinux_default_type_path(), "re");
 	if (!fp)
 		return -1;
 

libselinux/src/get_initial_context.c

@@ -25,7 +25,7 @@ int security_get_initial_context_raw(const char * name, char ** con)
 
 	snprintf(path, sizeof path, "%s%s%s", 
 		 selinux_mnt, SELINUX_INITCON_DIR, name);
-	fd = open(path, O_RDONLY);
+	fd = open(path, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/getenforce.c

@@ -21,7 +21,7 @@ int security_getenforce(void)
 	}
 
 	snprintf(path, sizeof path, "%s/enforce", selinux_mnt);
-	fd = open(path, O_RDONLY);
+	fd = open(path, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/init.c

@@ -61,7 +61,7 @@ int selinuxfs_exists(void)
 	size_t len;
 	ssize_t num;
 
-	fp = fopen("/proc/filesystems", "r");
+	fp = fopen("/proc/filesystems", "re");
 	if (!fp)
 		return 1; /* Fail as if it exists */
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
@@ -101,7 +101,7 @@ static void init_selinuxmnt(void)
 
 	/* At this point, the usual spot doesn't have an selinuxfs so
 	 * we look around for it */
-	fp = fopen("/proc/mounts", "r");
+	fp = fopen("/proc/mounts", "re");
 	if (!fp)
 		goto out;
 

libselinux/src/is_customizable_type.c

@@ -16,7 +16,7 @@ static int get_customizable_type_list(char *** retlist)
 	unsigned int ctr = 0, i;
 	char **list = NULL;
 
-	fp = fopen(selinux_customizable_types_path(), "r");
+	fp = fopen(selinux_customizable_types_path(), "re");
 	if (!fp)
 		return -1;
 

libselinux/src/label.c

@@ -96,7 +96,7 @@ struct selabel_sub *selabel_subs_init(const char *path,
 					    struct selabel_digest *digest)
 {
 	char buf[1024];
-	FILE *cfg = fopen(path, "r");
+	FILE *cfg = fopen(path, "re");
 	struct selabel_sub *sub = NULL;
 	struct stat sb;
 

libselinux/src/label_backends_android.c

@@ -159,7 +159,7 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 		return -1;
 
 	/* Open the specification file. */
-	if ((fp = fopen(path, "r")) == NULL)
+	if ((fp = fopen(path, "re")) == NULL)
 		return -1;
 
 	if (fstat(fileno(fp), &sb) < 0)

libselinux/src/label_file.c

@@ -520,7 +520,7 @@ static FILE *open_file(const char *path, const char *suffix,
 	}
 
 	memcpy(sb, &found->sb, sizeof(*sb));
-	return fopen(save_path, "r");
+	return fopen(save_path, "re");
 }
 
 static int process_file(const char *path, const char *suffix,

libselinux/src/label_media.c

@@ -90,7 +90,7 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 	/* Open the specification file. */
 	if (!path)
 		path = selinux_media_context_path();
-	if ((fp = fopen(path, "r")) == NULL)
+	if ((fp = fopen(path, "re")) == NULL)
 		return -1;
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
 

libselinux/src/label_x.c

@@ -117,7 +117,7 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 	/* Open the specification file. */
 	if (!path)
 		path = selinux_x_context_path();
-	if ((fp = fopen(path, "r")) == NULL)
+	if ((fp = fopen(path, "re")) == NULL)
 		return -1;
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
 

libselinux/src/load_policy.c

@@ -34,7 +34,7 @@ int security_load_policy(void *data, size_t len)
 	}
 
 	snprintf(path, sizeof path, "%s/load", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 
@@ -173,13 +173,13 @@ checkbool:
       search:
 	snprintf(path, sizeof(path), "%s.%d",
 		 selinux_binary_policy_path(), vers);
-	fd = open(path, O_RDONLY);
+	fd = open(path, O_RDONLY | O_CLOEXEC);
 	while (fd < 0 && errno == ENOENT
 	       && --vers >= minvers) {
 		/* Check prior versions to see if old policy is available */
 		snprintf(path, sizeof(path), "%s.%d",
 			 selinux_binary_policy_path(), vers);
-		fd = open(path, O_RDONLY);
+		fd = open(path, O_RDONLY | O_CLOEXEC);
 	}
 	if (fd < 0) {
 		fprintf(stderr,
@@ -334,7 +334,7 @@ int selinux_init_load_policy(int *enforce)
 
 	/* Check for an override of the mode via the kernel command line. */
 	rc = mount("proc", "/proc", "proc", 0, 0);
-	cfg = fopen("/proc/cmdline", "r");
+	cfg = fopen("/proc/cmdline", "re");
 	if (cfg) {
 		char *tmp;
 		buf = malloc(selinux_page_size);

libselinux/src/matchmediacon.c

@@ -18,7 +18,7 @@ int matchmediacon(const char *media, char ** con)
 	char *ptr, *ptr2 = NULL;
 	int found = 0;
 	char current_line[PATH_MAX];
-	if ((infile = fopen(path, "r")) == NULL)
+	if ((infile = fopen(path, "re")) == NULL)
 		return -1;
 	while (!feof_unlocked(infile)) {
 		if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {

libselinux/src/policyvers.c

@@ -23,7 +23,7 @@ int security_policyvers(void)
 	}
 
 	snprintf(path, sizeof path, "%s/policyvers", selinux_mnt);
-	fd = open(path, O_RDONLY);
+	fd = open(path, O_RDONLY | O_CLOEXEC);
 	if (fd < 0) {
 		if (errno == ENOENT)
 			return vers;

libselinux/src/procattr.c

@@ -143,7 +143,7 @@ static int getprocattrcon_raw(char ** context,
 		return 0;
 	}
 
-	fd = openattr(pid, attr, O_RDONLY);
+	fd = openattr(pid, attr, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 
@@ -235,7 +235,7 @@ static int setprocattrcon_raw(const char * context,
 	    && !strcmp(context, *prev_context))
 		return 0;
 
-	fd = openattr(pid, attr, O_RDWR);
+	fd = openattr(pid, attr, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 	if (context) {

libselinux/src/selinux_check_securetty_context.c

@@ -14,7 +14,7 @@ int selinux_check_securetty_context(const char * tty_context)
 	ssize_t len;
 	int found = -1;
 	FILE *fp;
-	fp = fopen(selinux_securetty_types_path(), "r");
+	fp = fopen(selinux_securetty_types_path(), "re");
 	if (fp) {
 		context_t con = context_new(tty_context);
 		if (con) {

libselinux/src/selinux_config.c

@@ -88,7 +88,7 @@ static const uint16_t file_path_suffixes_idx[NEL] = {
 int selinux_getenforcemode(int *enforce)
 {
 	int ret = -1;
-	FILE *cfg = fopen(SELINUXCONFIG, "r");
+	FILE *cfg = fopen(SELINUXCONFIG, "re");
 	if (cfg) {
 		char *buf;
 		int len = sizeof(SELINUXTAG) - 1;
@@ -163,7 +163,7 @@ static void init_selinux_config(void)
 	if (selinux_policyroot)
 		return;
 
-	fp = fopen(SELINUXCONFIG, "r");
+	fp = fopen(SELINUXCONFIG, "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
 		while ((len = getline(&line_buf, &line_len, fp)) > 0) {

libselinux/src/selinux_restorecon.c

@@ -242,7 +242,7 @@ static int exclude_non_seclabel_mounts(void)
 	if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
 		return 0;
 
-	fp = fopen("/proc/mounts", "r");
+	fp = fopen("/proc/mounts", "re");
 	if (!fp)
 		return 0;
 

libselinux/src/setenforce.c

@@ -21,7 +21,7 @@ int security_setenforce(int value)
 	}
 
 	snprintf(path, sizeof path, "%s/enforce", selinux_mnt);
-	fd = open(path, O_RDWR);
+	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return -1;
 

libselinux/src/seusers.c

@@ -185,7 +185,7 @@ int getseuserbyname(const char *name, char **r_seuser, char **r_level)
 
 	gid_t gid = get_default_gid(name);
 
-	cfg = fopen(selinux_usersconf_path(), "r");
+	cfg = fopen(selinux_usersconf_path(), "re");
 	if (!cfg)
 		goto nomatch;
 
@@ -278,7 +278,7 @@ int getseuser(const char *username, const char *service,
 	FILE *fp = NULL;
 	if (asprintf(&path,"%s/logins/%s", selinux_policy_root(), username) <  0)
 		goto err;
-	fp = fopen(path, "r");
+	fp = fopen(path, "re");
 	free(path);
 	if (fp == NULL) goto err;
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);

libselinux/src/stringrep.c

@@ -80,7 +80,7 @@ static struct discover_class_node * discover_class(const char *s)
 
 	/* load up class index */
 	snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s);
-	fd = open(path, O_RDONLY);
+	fd = open(path, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
 		goto err3;