Diffstat (limited to '0010-tools-libxs-Open-dev-xen-xenbus-fds-as-O_CLOEXEC.patch')
-rw-r--r-- | 0010-tools-libxs-Open-dev-xen-xenbus-fds-as-O_CLOEXEC.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/0010-tools-libxs-Open-dev-xen-xenbus-fds-as-O_CLOEXEC.patch b/0010-tools-libxs-Open-dev-xen-xenbus-fds-as-O_CLOEXEC.patch
new file mode 100644
index 0000000..9f9cdd7
--- /dev/null
+++ b/0010-tools-libxs-Open-dev-xen-xenbus-fds-as-O_CLOEXEC.patch
@@ -0,0 +1,47 @@
+From 2bc52041cacb33a301ebf939d69a021597941186 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 21 May 2024 10:21:47 +0200
+Subject: [PATCH 10/56] tools/libxs: Open /dev/xen/xenbus fds as O_CLOEXEC
+
+The header description for xs_open() goes as far as to suggest that the fd is
+O_CLOEXEC, but it isn't actually.
+
+`xl devd` has been observed leaking /dev/xen/xenbus into children.
+
+Link: https://github.com/QubesOS/qubes-issues/issues/8292
+Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+master commit: f4f2f3402b2f4985d69ffc0d46f845d05fd0b60f
+master date: 2024-05-07 15:18:36 +0100
+---
+ tools/libs/store/xs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/libs/store/xs.c b/tools/libs/store/xs.c
+index 140b9a2839..1498515073 100644
+--- a/tools/libs/store/xs.c
++++ b/tools/libs/store/xs.c
+@@ -54,6 +54,10 @@ struct xs_stored_msg {
+ #include <dlfcn.h>
+ #endif
+
++#ifndef O_CLOEXEC
++#define O_CLOEXEC 0
++#endif
++
+ struct xs_handle {
+ /* Communications channel to xenstore daemon. */
+ int fd;
+@@ -227,7 +231,7 @@ error:
+ static int get_dev(const char *connect_to)
+ {
+ /* We cannot open read-only because requests are writes */
+- return open(connect_to, O_RDWR);
++ return open(connect_to, O_RDWR | O_CLOEXEC);
+ }
+
+ static int all_restrict_cb(Xentoolcore__Active_Handle *ah, domid_t domid) {
+--
+2.45.2
+ |
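Review bot: The `#ifndef O_CLOEXEC` / `#define O_CLOEXEC 0` fallback in the first inner hunk keeps the build working on platforms without close-on-exec support, but on such a platform it silently reverts get_dev() to exactly the fd-leaking behaviour the patch description reports, and nothing in the code says so; a one-line comment on the define would stop a later reader treating the flag as guaranteed, e.g. `/* No close-on-exec here: the xenbus fd can still leak into child processes. */`. Passing the flag to open() rather than following up with fcntl(F_SETFD, FD_CLOEXEC) is the right choice, since it leaves no window between open and fcntl in which another thread's fork/exec could inherit the descriptor. get_dev() is shown in full in the second inner hunk; any socket-based connection path xs_open() may also use lies outside these hunks, so whether it receives the same treatment cannot be confirmed from this patch.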