Set CLOEXEC on epoll FD

Georg Wicherski gw at oxff.net
Wed Oct 24 16:25:32 CEST 2012


Hi,

I'm heavily abusing CLOEXEC on a lot of file descriptors to fork &
execve into a sandboxed mode for handling connections (for security
reasons, as additional exploit mitigation of sorts).

Furthermore, I'm using vfork for performance reasons and therefore cannot
close the event loop by legitimate means (due to execve, I do not care
about the leaked heap memory etc.). However, this also means the epoll
FD (as an example) will remain open.

- Can you set CLOEXEC on the epoll FD, please?
- What is a hackish way to get that FD and do this myself until such a
patch is available in the major distributions? Iterating over all file
descriptors is not a solution. ;)


Thanks,
Georg
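
The leak described in the message above, as an added example that is not part of the original post and not libev code: it compares an epoll FD created without the flag, the same FD after an fcntl() retrofit, and one created with epoll_create1(EPOLL_CLOEXEC), then checks each across an exec. It assumes Linux with /bin/sh, and that the descriptor number is already known; the helper names are hypothetical.

```c
/* Added example: close-on-exec state of an epoll FD across fork + exec. */
#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Retrofit FD_CLOEXEC, preserving other descriptor flags. 0 on success. */
int fd_set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork + exec /bin/sh and let the new image try to dup fd onto its stdin.
 * 1: fd is still open after exec (leaked), 0: closed, -1: error.
 * fork() is used here; the flag behaves the same after vfork(). */
int fd_survives_exec(int fd) {
    char num[16];
    int status;
    snprintf(num, sizeof num, "%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; true <&$0", num, (char *)NULL);
        _exit(127);                            /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void) {
    int legacy = epoll_create(1);              /* flag not set */
    int atomic = epoll_create1(EPOLL_CLOEXEC); /* flag set at creation */
    if (legacy < 0 || atomic < 0) return 1;
    printf("epoll_create : cloexec=%d leaked=%d\n", fd_is_cloexec(legacy), fd_survives_exec(legacy));
    fd_set_cloexec(legacy);
    printf("after fcntl  : cloexec=%d leaked=%d\n", fd_is_cloexec(legacy), fd_survives_exec(legacy));
    printf("epoll_create1: cloexec=%d leaked=%d\n", fd_is_cloexec(atomic), fd_survives_exec(atomic));
    return 0;
}
```

The fcntl() retrofit leaves a window between creation and flag-setting in which another thread's fork + exec can still inherit the descriptor; setting the flag at creation time closes that window.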


