From 243fc987f15b4e280acb089b6f476de204cb7def Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Tue, 10 Jan 2017 20:06:08 +0100
Subject: [PATCH] Close /dev/{random,urandom} on exec

This prevents the descriptors to leak to programs that are executed.

Fixes https://gitlab.com/cryptsetup/cryptsetup/issues/313
---
 lib/random.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/random.c b/lib/random.c
index cb772f4..12040dc 100644
--- a/lib/random.c
+++ b/lib/random.c
@@ -152,13 +152,13 @@ int crypt_random_init(struct crypt_device *ctx)
 
 	/* Used for CRYPT_RND_NORMAL */
 	if(urandom_fd == -1)
-		urandom_fd = open(URANDOM_DEVICE, O_RDONLY);
+		urandom_fd = open(URANDOM_DEVICE, O_RDONLY | O_CLOEXEC);
 	if(urandom_fd == -1)
 		goto fail;
 
 	/* Used for CRYPT_RND_KEY */
 	if(random_fd == -1)
-		random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK);
+		random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
 	if(random_fd == -1)
 		goto fail;
 
-- 
2.11.0