On 3/15/19 4:26 AM, Richard Henderson wrote:
> Avoids leaking the /dev/urandom fd into any child processes.
>
> Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
> Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> ---
> crypto/random-platform.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/random-platform.c b/crypto/random-platform.c
> index 260b64564d..6df40744c7 100644
> --- a/crypto/random-platform.c
> +++ b/crypto/random-platform.c
> @@ -42,9 +42,9 @@ int qcrypto_random_init(Error **errp)
> #else
> /* TBD perhaps also add support for BSD getentropy / Linux
> * getrandom syscalls directly */
> - fd = open("/dev/urandom", O_RDONLY);
> + fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
> if (fd == -1 && errno == ENOENT) {
> - fd = open("/dev/random", O_RDONLY);
> + fd = open("/dev/random", O_RDONLY | O_CLOEXEC);
> }
>
> if (fd < 0) {
>
