authorNatanael Copa <ncopa@alpinelinux.org>2017-01-11 15:07:10 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2017-01-11 15:08:30 +0100
commit9878b048b45f977e69527a88e7f4d205cabccc94 (patch)
tree2d8122c5a67d87aefd0f8069633a12a2a7f309e0 /main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch
parente00ed3a09fe384a24ae88db54fcb81612c95a223 (diff)
main/cryptsetup: fix fd leak to child processes
Diffstat (limited to 'main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch')
-rw-r--r--main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch b/main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch
new file mode 100644
index 0000000000..b250fd332b
--- /dev/null
+++ b/main/cryptsetup/0001-Close-dev-random-urandom-on-exec.patch
@@ -0,0 +1,35 @@
+From 243fc987f15b4e280acb089b6f476de204cb7def Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Tue, 10 Jan 2017 20:06:08 +0100
+Subject: [PATCH] Close /dev/{random,urandom} on exec
+
+This prevents the descriptors to leak to programs that are executed.
+
+Fixes https://gitlab.com/cryptsetup/cryptsetup/issues/313
+---
+ lib/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/random.c b/lib/random.c
+index cb772f4..12040dc 100644
+--- a/lib/random.c
++++ b/lib/random.c
+@@ -152,13 +152,13 @@ int crypt_random_init(struct crypt_device *ctx)
+
+ /* Used for CRYPT_RND_NORMAL */
+ if(urandom_fd == -1)
+- urandom_fd = open(URANDOM_DEVICE, O_RDONLY);
++ urandom_fd = open(URANDOM_DEVICE, O_RDONLY | O_CLOEXEC);
+ if(urandom_fd == -1)
+ goto fail;
+
+ /* Used for CRYPT_RND_KEY */
+ if(random_fd == -1)
+- random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK);
++ random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
+ if(random_fd == -1)
+ goto fail;
+
+--
+2.11.0
+
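Review bot: The patch description states that the descriptors leak to executed programs but does not record why the flag is set in `open()` rather than with `fcntl(fd, F_SETFD, FD_CLOEXEC)` afterwards; a one-line note in the patch body such as `O_CLOEXEC is applied atomically at open(), so a fork()+exec() racing in another thread cannot inherit the descriptor` would let future packagers judge the fix and decide when it can be dropped once upstream resolves the linked issue. Both `open()` calls in the hunk (lines for `URANDOM_DEVICE` and `RANDOM_DEVICE`) get the flag, so the change looks complete for `crypt_random_init` as far as the hunk shows; the function's body starts and ends outside the hunk. This commit only adds the patch file, so it presumably also has to be listed in the package's `source=` and checksum entries before it takes effect — that part is not visible on this page.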