core: merge branch 'th/sysctl-ifname-race-bgo775613' (early part)

Backport some of the patches from "th/sysctl-ifname-race-bgo775613" branch. https://bugzilla.gnome.org/show_bug.cgi?id=775613
2026-05-07 10:48:12 +02:00 · 2016-12-15 19:38:19 +01:00 · 2016-12-15 19:38:19 +01:00 · ea944d5b4c
commit ea944d5b4c
parent 9afbaa86ce f0d20c945e
22 changed files with 180 additions and 54 deletions
--- a/shared/nm-utils/nm-macros-internal.h
+++ b/shared/nm-utils/nm-macros-internal.h
@ -22,7 +22,9 @@
 #ifndef __NM_MACROS_INTERNAL_H__
 #define __NM_MACROS_INTERNAL_H__
 #include <stdio.h>
 #include <stdlib.h>
 #include <errno.h>
 #include "nm-glib.h"
@ -59,7 +61,31 @@ _nm_auto_free_gstring_impl (GString **str)
 }
 #define nm_auto_free_gstring nm_auto(_nm_auto_free_gstring_impl)
-/********************************************************/
+static inline void
 _nm_auto_close_impl (int *pfd)
 {
 	if (*pfd >= 0) {
 		int errsv = errno;
 		(void) close (*pfd);
 		errno = errsv;
 	}
 }
 #define nm_auto_close nm_auto(_nm_auto_close_impl)
 static inline void
 _nm_auto_fclose_impl (FILE **pfd)
 {
 	if (*pfd) {
 		int errsv = errno;
 		(void) fclose (*pfd);
 		errno = errsv;
 	}
 }
 #define nm_auto_fclose nm_auto(_nm_auto_fclose_impl)
 /*****************************************************************************/
 /* http://stackoverflow.com/a/11172679 */
 #define  _NM_UTILS_MACRO_FIRST(...)                           __NM_UTILS_MACRO_FIRST_HELPER(__VA_ARGS__, throwaway)
--- a/src/devices/adsl/nm-device-adsl.c
+++ b/src/devices/adsl/nm-device-adsl.c
@ -154,7 +154,7 @@ br2684_assign_vcc (NMDeviceAdsl *self, NMSettingAdsl *s_adsl)
 	g_return_val_if_fail (priv->brfd == -1, FALSE);
 	g_return_val_if_fail (priv->nas_ifname != NULL, FALSE);
-	priv->brfd = socket (PF_ATMPVC, SOCK_DGRAM, ATM_AAL5);
+	priv->brfd = socket (PF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, ATM_AAL5);
 	if (priv->brfd < 0) {
 		errsv = errno;
 		_LOGE (LOGD_ADSL, "failed to open ATM control socket (%d)", errsv);
@ -338,7 +338,7 @@ br2684_create_iface (NMDeviceAdsl *self,
 		nm_clear_g_source (&priv->nas_update_id);
 	}
-	fd = socket (PF_ATMPVC, SOCK_DGRAM, ATM_AAL5);
+	fd = socket (PF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, ATM_AAL5);
 	if (fd < 0) {
 		errsv = errno;
 		_LOGE (LOGD_ADSL, "failed to open ATM control socket (%d)", errsv);
--- a/src/devices/bluetooth/nm-bluez5-dun.c
+++ b/src/devices/bluetooth/nm-bluez5-dun.c
@ -64,7 +64,7 @@ dun_connect (NMBluez5DunContext *context)
 		.channel = context->rfcomm_channel
 	};
-	context->rfcomm_fd = socket (AF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM);
+	context->rfcomm_fd = socket (AF_BLUETOOTH, SOCK_STREAM | SOCK_CLOEXEC, BTPROTO_RFCOMM);
 	if (context->rfcomm_fd < 0) {
 		int errsv = errno;
 		error = g_error_new (NM_BT_ERROR, NM_BT_ERROR_DUN_CONNECT_FAILED,
@ -112,7 +112,7 @@ dun_connect (NMBluez5DunContext *context)
 	context->rfcomm_id = devid;
 	snprintf (tty, ttylen, "/dev/rfcomm%d", devid);
-	while ((context->rfcomm_tty_fd = open (tty, O_RDONLY | O_NOCTTY)) < 0 && try--) {
+	while ((context->rfcomm_tty_fd = open (tty, O_RDONLY | O_NOCTTY | O_CLOEXEC)) < 0 && try--) {
 		if (try) {
 			g_usleep (100 * 1000);
 			continue;
--- a/src/devices/tests/test-lldp.c
+++ b/src/devices/tests/test-lldp.c
@ -352,7 +352,7 @@ _test_recv_fixture_setup (TestRecvFixture *fixture, gconstpointer user_data)
 	struct ifreq ifr = { };
 	int fd, s;
-	fd = open ("/dev/net/tun", O_RDWR);
+	fd = open ("/dev/net/tun", O_RDWR | O_CLOEXEC);
 	g_assert (fd >= 0);
 	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
@ -360,7 +360,7 @@ _test_recv_fixture_setup (TestRecvFixture *fixture, gconstpointer user_data)
 	g_assert (ioctl (fd, TUNSETIFF, &ifr) >= 0);
 	/* Bring the interface up */
-	s = socket (AF_INET, SOCK_DGRAM, 0);
+	s = socket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	g_assert (s >= 0);
 	ifr.ifr_flags |= IFF_UP;
 	g_assert (ioctl (s, SIOCSIFFLAGS, &ifr) >= 0);
--- a/src/devices/wwan/nm-modem.c
+++ b/src/devices/wwan/nm-modem.c
@ -496,18 +496,18 @@ ppp_stats (NMPPPManager *ppp_manager,
 static gboolean
 port_speed_is_zero (const char *port)
 {
-    struct termios options;
+	struct termios options;
-    gs_fd_close int fd = -1;
+	nm_auto_close int fd = -1;
-    fd = open (port, O_RDWR | O_NONBLOCK | O_NOCTTY);
+	fd = open (port, O_RDWR | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
-    if (fd < 0)
+	if (fd < 0)
 		return FALSE;
-    memset (&options, 0, sizeof (struct termios));
+	memset (&options, 0, sizeof (struct termios));
-    if (tcgetattr (fd, &options) != 0)
+	if (tcgetattr (fd, &options) != 0)
-        return FALSE;
+		return FALSE;
-    return cfgetospeed (&options) == B0;
+	return cfgetospeed (&options) == B0;
 }
 static NMActStageReturn
--- a/src/dns-manager/nm-dns-manager.c
+++ b/src/dns-manager/nm-dns-manager.c
@ -707,7 +707,7 @@ update_resolv_conf (NMDnsManager *self,
 		}
 	}
-	if ((f = fopen (MY_RESOLV_CONF_TMP, "w")) == NULL) {
+	if ((f = fopen (MY_RESOLV_CONF_TMP, "we")) == NULL) {
 		errsv = errno;
 		g_set_error (error,
 		             NM_MANAGER_ERROR,
@ -1576,7 +1576,7 @@ _check_resconf_immutable (NMDnsManagerResolvConfManager rc_manager)
 			}
 		}
-		fd = open (_PATH_RESCONF, O_RDONLY);
+		fd = open (_PATH_RESCONF, O_RDONLY | O_CLOEXEC);
 		if (fd != -1) {
 			if (ioctl (fd, FS_IOC_GETFLAGS, &flags) != -1)
 				immutable = NM_FLAGS_HAS (flags, FS_IMMUTABLE_FL);
--- a/src/main-utils.c
+++ b/src/main-utils.c
@ -94,7 +94,7 @@ nm_main_utils_write_pidfile (const char *pidfile)
 	int fd;
 	gboolean success = FALSE;
-	if ((fd = open (pidfile, O_CREAT|O_WRONLY|O_TRUNC, 00644)) < 0) {
+	if ((fd = open (pidfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, 00644)) < 0) {
 		fprintf (stderr, _("Opening %s failed: %s\n"), pidfile, strerror (errno));
 		return FALSE;
 	}
--- a/src/nm-core-utils.c
+++ b/src/nm-core-utils.c
@ -2810,7 +2810,7 @@ nm_utils_read_urandom (void *p, size_t nbytes)
 	int r;
 again:
-	fd = open ("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
+	fd = open ("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY);
 	if (fd < 0) {
 		r = errno;
 		if (r == EINTR)
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@ -5332,7 +5332,7 @@ rfkill_change (NMManager *self, const char *desc, RfKillType rtype, gboolean ena
 	g_return_if_fail (rtype == RFKILL_TYPE_WLAN || rtype == RFKILL_TYPE_WWAN);
 	errno = 0;
-	fd = open ("/dev/rfkill", O_RDWR);
+	fd = open ("/dev/rfkill", O_RDWR | O_CLOEXEC);
 	if (fd < 0) {
 		if (errno == EACCES)
 			_LOGW (LOGD_RFKILL, "(%s): failed to open killswitch device", desc);
--- a/src/platform/nm-linux-platform.c
+++ b/src/platform/nm-linux-platform.c
@ -721,7 +721,7 @@ _linktype_get_type (NMPlatform *platform,
 		}
 		/* Fallback for drivers that don't call SET_NETDEV_DEVTYPE() */
-		if (wifi_utils_is_wifi (ifname))
+		if (wifi_utils_is_wifi (ifindex, ifname))
 			return NM_LINK_TYPE_WIFI;
 		if (arptype == ARPHRD_ETHER) {
@ -5147,7 +5147,7 @@ tun_add (NMPlatform *platform, const char *name, gboolean tap,
 	_LOGD ("link: add %s '%s' owner %" G_GINT64_FORMAT " group %" G_GINT64_FORMAT,
 	       tap ? "tap" : "tun", name, owner, group);
-	fd = open ("/dev/net/tun", O_RDWR);
+	fd = open ("/dev/net/tun", O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return FALSE;
--- a/src/platform/nm-platform-utils.c
+++ b/src/platform/nm-platform-utils.c
@ -31,12 +31,15 @@
 #include <linux/mii.h>
 #include <linux/version.h>
 #include <linux/rtnetlink.h>
 #include <fcntl.h>
 #include "nm-utils.h"
 #include "nm-setting-wired.h"
 #include "nm-core-utils.h"
 extern char *if_indextoname (unsigned int __ifindex, char *__ifname);
 /******************************************************************
 * ethtool
 ******************************************************************/
@ -60,7 +63,7 @@ ethtool_get (const char *name, gpointer edata)
 	nm_utils_ifname_cpy (ifr.ifr_name, name);
 	ifr.ifr_data = edata;
-	fd = socket (PF_INET, SOCK_DGRAM, 0);
+	fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (fd < 0) {
 		nm_log_err (LOGD_PLATFORM, "ethtool: Could not open socket.");
 		return FALSE;
@ -342,7 +345,7 @@ nmp_utils_mii_supports_carrier_detect (const char *ifname)
 	if (!nmp_utils_device_exists (ifname))
 		return FALSE;
-	fd = socket (PF_INET, SOCK_DGRAM, 0);
+	fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (fd < 0) {
 		nm_log_err (LOGD_PLATFORM, "mii: couldn't open control socket (%s)", ifname);
 		return FALSE;
@ -558,3 +561,83 @@ nmp_utils_ip_config_source_to_string (NMIPConfigSource source, char *buf, gsize
 	return buf;
 }
 /**
 * nmp_utils_sysctl_open_netdir:
 * @ifindex: the ifindex for which to open "/sys/class/net/%s"
 * @ifname_guess: (allow-none): optional argument, if present used as initial
 *   guess as the current name for @ifindex. If guessed right,
 *   it saves an addtional if_indextoname() call.
 * @out_ifname: (allow-none): if present, must be at least IFNAMSIZ
 *   characters. On success, this will contain the actual ifname
 *   found while opening the directory.
 *
 * Returns: a negative value on failure, on success returns the open fd
 *   to the "/sys/class/net/%s" directory for @ifindex.
 */
 int
 nmp_utils_sysctl_open_netdir (int ifindex,
                              const char *ifname_guess,
                              char *out_ifname)
 {
 	#define SYS_CLASS_NET "/sys/class/net/"
 	const char *ifname = ifname_guess;
 	char ifname_buf_last_try[IFNAMSIZ];
 	char ifname_buf[IFNAMSIZ];
 	guint try_count = 0;
 	char sysdir[NM_STRLEN (SYS_CLASS_NET) + IFNAMSIZ] = SYS_CLASS_NET;
 	char fd_buf[256];
 	ssize_t nn;
 	g_return_val_if_fail (ifindex >= 0, -1);
 	ifname_buf_last_try[0] = '\0';
 	for (try_count = 0; try_count < 10; try_count++, ifname = NULL) {
 		nm_auto_close int fd_dir = -1;
 		nm_auto_close int fd_ifindex = -1;
 		int fd;
 		if (!ifname) {
 			ifname = if_indextoname (ifindex, ifname_buf);
 			if (!ifname)
 				return -1;
 		}
 		nm_assert (nm_utils_iface_valid_name (ifname));
 		if (g_strlcpy (&sysdir[NM_STRLEN (SYS_CLASS_NET)], ifname, IFNAMSIZ) >= IFNAMSIZ)
 			g_return_val_if_reached (-1);
 		/* we only retry, if the name changed since previous attempt.
 		 * Hence, it is extremely unlikely that this loop runes until the
 		 * end of the @try_count. */
 		if (nm_streq (ifname, ifname_buf_last_try))
 			return -1;
 		strcpy (ifname_buf_last_try, ifname);
 		fd_dir = open (sysdir, O_DIRECTORY | O_CLOEXEC);
 		if (fd_dir < 0)
 			continue;
 		fd_ifindex = openat (fd_dir, "ifindex", O_CLOEXEC);
 		if (fd_ifindex < 0)
 			continue;
 		nn = nm_utils_fd_read_loop (fd_ifindex, fd_buf, sizeof (fd_buf) - 2, FALSE);
 		if (nn <= 0)
 			continue;
 		fd_buf[nn] = '\0';
 		if (ifindex != _nm_utils_ascii_str_to_int64 (fd_buf, 10, 1, G_MAXINT, -1))
 			continue;
 		if (out_ifname)
 			strcpy (out_ifname, ifname);
 		fd = fd_dir;
 		fd_dir = -1;
 		return fd;
 	}
 	return -1;
 }
--- a/src/platform/nm-platform-utils.h
+++ b/src/platform/nm-platform-utils.h
@ -60,4 +60,8 @@ NMIPConfigSource nmp_utils_ip_config_source_coerce_from_rtprot (NMIPConfigSource
 NMIPConfigSource nmp_utils_ip_config_source_round_trip_rtprot  (NMIPConfigSource source) _nm_const;
 const char *     nmp_utils_ip_config_source_to_string (NMIPConfigSource source, char *buf, gsize len);
 int nmp_utils_sysctl_open_netdir (int ifindex,
                                  const char *ifname_guess,
                                  char *out_ifname);
 #endif /* __NM_PLATFORM_UTILS_H__ */
--- a/src/platform/nmp-netns.c
+++ b/src/platform/nmp-netns.c
@ -277,7 +277,7 @@ _netns_new (GError **error)
 	int fd_net, fd_mnt;
 	int errsv;
-	fd_net = open (PROC_SELF_NS_NET, O_RDONLY);
+	fd_net = open (PROC_SELF_NS_NET, O_RDONLY | O_CLOEXEC);
 	if (fd_net == -1) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@ -286,7 +286,7 @@ _netns_new (GError **error)
 		return NULL;
 	}
-	fd_mnt = open (PROC_SELF_NS_MNT, O_RDONLY);
+	fd_mnt = open (PROC_SELF_NS_MNT, O_RDONLY | O_CLOEXEC);
 	if (fd_mnt == -1) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@ -623,7 +623,7 @@ nmp_netns_bind_to_path (NMPNetns *self, const char *filename, int *out_fd)
 	}
 	if (out_fd) {
-		if ((fd = open (filename, O_RDONLY)) == -1) {
+		if ((fd = open (filename, O_RDONLY | O_CLOEXEC)) == -1) {
 			errsv = errno;
 			_LOGE (self, "bind: failed to open %s: %s", filename, g_strerror (errsv));
 			umount2 (filename, MNT_DETACH);
--- a/src/platform/tests/test-common.c
+++ b/src/platform/tests/test-common.c
@ -1398,7 +1398,7 @@ nmtstp_namespace_create (int unshare_flags, GError **error)
 	int pipefd_p2c[2];
 	ssize_t r;
-	e = pipe (pipefd_c2p);
+	e = pipe2 (pipefd_c2p, O_CLOEXEC);
 	if (e != 0) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@ -1406,7 +1406,7 @@ nmtstp_namespace_create (int unshare_flags, GError **error)
 		return FALSE;
 	}
-	e = pipe (pipefd_p2c);
+	e = pipe2 (pipefd_p2c, O_CLOEXEC);
 	if (e != 0) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@ -1540,7 +1540,7 @@ nmtstp_namespace_get_fd_for_process (pid_t pid, const char *ns_name)
 	nm_sprintf_buf (p, "/proc/%lu/ns/%s", (long unsigned) pid, ns_name);
-	return open(p, O_RDONLY);
+	return open(p, O_RDONLY | O_CLOEXEC);
 }
 /*****************************************************************************/
@ -1564,21 +1564,21 @@ unshare_user (void)
 	/* Since Linux 3.19 we have to disable setgroups() in order to map users.
 	 * Just proceed if the file is not there. */
-	f = fopen ("/proc/self/setgroups", "w");
+	f = fopen ("/proc/self/setgroups", "we");
 	if (f) {
 		fprintf (f, "deny");
 		fclose (f);
 	}
 	/* Map current UID to root in NS to be created. */
-	f = fopen ("/proc/self/uid_map", "w");
+	f = fopen ("/proc/self/uid_map", "we");
 	if (!f)
 		return FALSE;
 	fprintf (f, "0 %d 1", uid);
 	fclose (f);
 	/* Map current GID to root in NS to be created. */
-	f = fopen ("/proc/self/gid_map", "w");
+	f = fopen ("/proc/self/gid_map", "we");
 	if (!f)
 		return FALSE;
 	fprintf (f, "0 %d 1", gid);
--- a/src/platform/wifi/wifi-utils-wext.c
+++ b/src/platform/wifi/wifi-utils-wext.c
@ -577,7 +577,7 @@ wifi_wext_init (const char *iface, int ifindex, gboolean check_scan)
 	wext->parent.set_mesh_channel = wifi_wext_set_mesh_channel;
 	wext->parent.set_mesh_ssid = wifi_wext_set_mesh_ssid;
-	wext->fd = socket (PF_INET, SOCK_DGRAM, 0);
+	wext->fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (wext->fd < 0)
 		goto error;
@ -665,7 +665,7 @@ wifi_wext_is_wifi (const char *iface)
 	if (!nmp_utils_device_exists (iface))
 		return FALSE;
-	fd = socket (PF_INET, SOCK_DGRAM, 0);
+	fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (fd >= 0) {
 		nm_utils_ifname_cpy (iwr.ifr_ifrn.ifrn_name, iface);
 		if (ioctl (fd, SIOCGIWNAME, &iwr) == 0)
--- a/src/platform/wifi/wifi-utils.c
+++ b/src/platform/wifi/wifi-utils.c
@ -26,6 +26,7 @@
 #include <sys/stat.h>
 #include <stdio.h>
 #include <string.h>
 #include <fcntl.h>
 #include "wifi-utils-private.h"
 #include "wifi-utils-nl80211.h"
@ -34,6 +35,8 @@
 #endif
 #include "nm-core-utils.h"
 #include "platform/nm-platform-utils.h"
 gpointer
 wifi_data_new (const char *iface, int ifindex, gsize len)
 {
@ -180,23 +183,32 @@ wifi_utils_deinit (WifiData *data)
 }
 gboolean
-wifi_utils_is_wifi (const char *iface)
+wifi_utils_is_wifi (int ifindex, const char *ifname)
 {
-	char phy80211_path[NM_STRLEN ("/sys/class/net/123456789012345/phy80211\0") + 100 /*safety*/];
+	int fd_sysnet;
-	struct stat s;
+	int fd_phy80211;
 	char ifname_verified[IFNAMSIZ];
-	g_return_val_if_fail (iface != NULL, FALSE);
+	g_return_val_if_fail (ifindex > 0, FALSE);
-	nm_sprintf_buf (phy80211_path,
+	fd_sysnet = nmp_utils_sysctl_open_netdir (ifindex, ifname, ifname_verified);
-	                "/sys/class/net/%s/phy80211",
+	if (fd_sysnet < 0)
-	                NM_ASSERT_VALID_PATH_COMPONENT (iface));
+		return FALSE;
 	nm_assert (strlen (phy80211_path) < sizeof (phy80211_path) - 1);
-	if ((stat (phy80211_path, &s) == 0 && (s.st_mode & S_IFDIR)))
+	/* there might have been a race and ifname might be wrong. Below for checking
 	 * wext, use the possibly improved name that we just verified. */
 	ifname = ifname_verified;
 	fd_phy80211 = openat (fd_sysnet, "phy80211", O_CLOEXEC);
 	close (fd_sysnet);
 	if (fd_phy80211 >= 0) {
 		close (fd_phy80211);
 		return TRUE;
 	}
 #if HAVE_WEXT
-	if (wifi_wext_is_wifi (iface))
+	if (wifi_wext_is_wifi (ifname))
 		return TRUE;
 #endif
--- a/src/platform/wifi/wifi-utils.h
+++ b/src/platform/wifi/wifi-utils.h
@ -28,7 +28,7 @@
 typedef struct WifiData WifiData;
-gboolean wifi_utils_is_wifi (const char *iface);
+gboolean wifi_utils_is_wifi (int ifindex, const char *ifname);
 WifiData *wifi_utils_init (const char *iface, int ifindex, gboolean check_scan);
--- a/src/ppp-manager/nm-ppp-manager.c
+++ b/src/ppp-manager/nm-ppp-manager.c
@ -197,7 +197,7 @@ monitor_cb (gpointer user_data)
 		if (errno != ENODEV)
 			_LOGW ("could not read ppp stats: %s", strerror (errno));
 	} else {
-		g_signal_emit (manager, signals[STATS], 0, 
+		g_signal_emit (manager, signals[STATS], 0,
 		               stats.p.ppp_ibytes,
 		               stats.p.ppp_obytes);
 	}
@ -214,7 +214,7 @@ monitor_stats (NMPPPManager *manager)
 	if (priv->monitor_fd >= 0)
 		return;
-	priv->monitor_fd = socket (AF_INET, SOCK_DGRAM, 0);
+	priv->monitor_fd = socket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (priv->monitor_fd >= 0) {
 		g_warn_if_fail (priv->monitor_id == 0);
 		if (priv->monitor_id)
--- a/src/settings/nm-inotify-helper.c
+++ b/src/settings/nm-inotify-helper.c
@ -128,7 +128,7 @@ init_inotify (NMInotifyHelper *self)
 	GIOChannel *channel;
 	guint source_id;
-	priv->ifd = inotify_init ();
+	priv->ifd = inotify_init1 (IN_CLOEXEC);
 	if (priv->ifd == -1) {
 		int errsv = errno;
--- a/src/settings/plugins/ifcfg-rh/shvar.c
+++ b/src/settings/plugins/ifcfg-rh/shvar.c
@ -53,11 +53,11 @@ svOpenFileInternal (const char *name, gboolean create, GError **error)
 	s->fd = -1;
 	if (create)
-		s->fd = open (name, O_RDWR); /* NOT O_CREAT */
+		s->fd = open (name, O_RDWR | O_CLOEXEC); /* NOT O_CREAT */
 	if (!create || s->fd == -1) {
 		/* try read-only */
-		s->fd = open (name, O_RDONLY); /* NOT O_CREAT */
+		s->fd = open (name, O_RDONLY | O_CLOEXEC); /* NOT O_CREAT */
 		if (s->fd == -1)
 			errsv = errno;
 		else
@ -461,7 +461,7 @@ svWriteFile (shvarFile *s, int mode, GError **error)
 	if (s->modified) {
 		if (s->fd == -1)
-			s->fd = open (s->fileName, O_WRONLY | O_CREAT, mode);
+			s->fd = open (s->fileName, O_WRONLY | O_CREAT | O_CLOEXEC, mode);
 		if (s->fd == -1) {
 			int errsv = errno;
--- a/src/settings/plugins/ifupdown/interface_parser.c
+++ b/src/settings/plugins/ifupdown/interface_parser.c
@ -117,7 +117,7 @@ _recursive_ifparser (const char *eni_file, int quiet)
 			nm_log_warn (LOGD_SETTINGS, "interfaces file %s doesn't exist\n", eni_file);
 		return;
 	}
-	inp = fopen (eni_file, "r");
+	inp = fopen (eni_file, "re");
 	if (inp == NULL) {
 		if (!quiet)
 			nm_log_warn (LOGD_SETTINGS, "Can't open %s\n", eni_file);
--- a/src/tests/test-general-with-expect.c
+++ b/src/tests/test-general-with-expect.c
@ -26,6 +26,7 @@
 #include <netinet/ether.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <fcntl.h>
 #include "NetworkManagerUtils.h"
 #include "nm-multi-index.h"
@ -173,7 +174,7 @@ test_nm_utils_kill_child_create_and_join_pgroup (void)
 	int pipefd[2];
 	pid_t pgid;
-	err = pipe (pipefd);
+	err = pipe2 (pipefd, O_CLOEXEC);
 	g_assert (err == 0);
 	pgid = fork();