add the CLOEXEC flag to all sockets and files (netdata#16881)

* add the CLOEXEC flag to all sockets and files

* add network-viewer to apps.plugin; min update frequency 5 seconds

aclk/mqtt_websockets/mqtt_wss_client.c

@@ -583,7 +583,7 @@ int mqtt_wss_connect(mqtt_wss_client client, char *host, int port, struct mqtt_c
 
     if (client->sockfd > 0)
         close(client->sockfd);
-    client->sockfd = socket(AF_INET, SOCK_STREAM, 0);
+    client->sockfd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if (client->sockfd < 0) {
         mws_error(client->log, "Couldn't create socket()");
         return -1;

aclk/mqtt_websockets/ws_client.c

@@ -72,7 +72,7 @@ ws_client *ws_client_new(size_t buf_size, char **host, mqtt_wss_log_ctx_t log)
     if (!client->buf_to_mqtt)
         goto cleanup_2;
 
-    client->entropy_fd = open(ENTROPY_SOURCE, O_RDONLY);
+    client->entropy_fd = open(ENTROPY_SOURCE, O_RDONLY | O_CLOEXEC);
     if (client->entropy_fd < 1) {
         ERROR("Error opening entropy source \"" ENTROPY_SOURCE "\". Reason: \"%s\"", strerror(errno));
         goto cleanup_3;
@@ -164,7 +164,7 @@ static int ws_client_get_nonce(ws_client *client, char *dest, unsigned int size)
     // we do not need crypto secure random here
     // it's just used for protocol negotiation
     int rd;
-    int f = open(RAND_SRC, O_RDONLY);
+    int f = open(RAND_SRC, O_RDONLY | O_CLOEXEC);
     if (f < 0) {
         ERROR("Error opening \"%s\". Err: \"%s\"", RAND_SRC, strerror(errno));
         return -2;

claim/claim.c

@@ -256,7 +256,7 @@ bool netdata_random_session_id_generate(void) {
     (void)unlink(filename);
 
     // save it
-    int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 640);
+    int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 640);
     if(fd == -1) {
         netdata_log_error("Cannot create random session id file '%s'.", filename);
         ret = false;

collectors/apps.plugin/apps_groups.conf

@@ -84,6 +84,7 @@ perf.plugin: perf.plugin
 charts.d.plugin: *charts.d.plugin*
 python.d.plugin: *python.d.plugin*
 systemd-journal.plugin:*systemd-journal.plugin*
+network-viewer.plugin:*network-viewer.plugin*
 tc-qos-helper: *tc-qos-helper.sh*
 fping: fping
 ioping: ioping

collectors/cgroups.plugin/cgroup-network.c

@@ -183,7 +183,7 @@ int proc_pid_fd(const char *prefix, const char *ns, pid_t pid) {
 
     char filename[FILENAME_MAX + 1];
     snprintfz(filename, FILENAME_MAX, "%s/proc/%d/%s", prefix, (int)pid, ns);
-    int fd = open(filename, O_RDONLY);
+    int fd = open(filename, O_RDONLY | O_CLOEXEC);
 
     if(fd == -1)
         collector_error("Cannot open proc_pid_fd() file '%s'", filename);

collectors/network-viewer.plugin/network-viewer.c

@@ -110,7 +110,7 @@ void network_viewer_function(const char *transaction, char *function __maybe_unu
 
     buffer_json_member_add_uint64(wb, "status", HTTP_RESP_OK);
     buffer_json_member_add_string(wb, "type", "table");
-    buffer_json_member_add_time_t(wb, "update_every", 1);
+    buffer_json_member_add_time_t(wb, "update_every", 5);
     buffer_json_member_add_string(wb, "help", NETWORK_VIEWER_HELP);
     buffer_json_member_add_array(wb, "data");
 

collectors/plugins.d/local-sockets.h

@@ -811,7 +811,7 @@ static inline bool local_sockets_get_namespace_sockets(LS_STATE *ls, struct pid_
     snprintfz(filename, sizeof(filename), "%s/proc/%d/ns/net", ls->config.host_prefix, ps->pid);
 
     // verify the pid is in the target namespace
-    int fd = open(filename, O_RDONLY);
+    int fd = open(filename, O_RDONLY | O_CLOEXEC);
     if (fd == -1) {
         local_sockets_log(ls, "cannot open file '%s'", filename);
         return false;

collectors/proc.plugin/proc_stat.c

@@ -68,7 +68,7 @@ static int read_per_core_files(struct cpu_chart *all_cpu_charts, size_t len, siz
             continue;
 
         if(unlikely(f->fd == -1)) {
-            f->fd = open(f->filename, O_RDONLY);
+            f->fd = open(f->filename, O_RDONLY | O_CLOEXEC);
             if (unlikely(f->fd == -1)) {
                 collector_error("Cannot open file '%s'", f->filename);
                 continue;
@@ -412,7 +412,7 @@ static int read_cpuidle_states(char *cpuidle_name_filename , char *cpuidle_time_
             char name_buf[50 + 1];
             snprintfz(filename, FILENAME_MAX, cpuidle_name_filename, core, state);
 
-            int fd = open(filename, O_RDONLY, 0666);
+            int fd = open(filename, O_RDONLY | O_CLOEXEC, 0666);
             if(unlikely(fd == -1)) {
                 collector_error("Cannot open file '%s'", filename);
                 cc->rescan_cpu_states = 1;
@@ -444,7 +444,7 @@ static int read_cpuidle_states(char *cpuidle_name_filename , char *cpuidle_time_
         struct cpuidle_state *cs = &cc->cpuidle_state[state];
 
         if(unlikely(cs->time_fd == -1)) {
-            cs->time_fd = open(cs->time_filename, O_RDONLY);
+            cs->time_fd = open(cs->time_filename, O_RDONLY | O_CLOEXEC);
             if (unlikely(cs->time_fd == -1)) {
                 collector_error("Cannot open file '%s'", cs->time_filename);
                 cc->rescan_cpu_states = 1;

collectors/proc.plugin/sys_class_power_supply.c

@@ -245,7 +245,7 @@ int do_sys_class_power_supply(int update_every, usec_t dt) {
                 char buffer[30 + 1];
 
                 if(unlikely(ps->capacity->fd == -1)) {
-                    ps->capacity->fd = open(ps->capacity->filename, O_RDONLY, 0666);
+                    ps->capacity->fd = open(ps->capacity->filename, O_RDONLY | O_CLOEXEC, 0666);
                     if(unlikely(ps->capacity->fd == -1)) {
                         collector_error("Cannot open file '%s'", ps->capacity->filename);
                         power_supply_free(ps);
@@ -290,7 +290,7 @@ int do_sys_class_power_supply(int update_every, usec_t dt) {
                             char buffer[30 + 1];
 
                             if(unlikely(pd->fd == -1)) {
-                                pd->fd = open(pd->filename, O_RDONLY, 0666);
+                                pd->fd = open(pd->filename, O_RDONLY | O_CLOEXEC, 0666);
                                 if(unlikely(pd->fd == -1)) {
                                     collector_error("Cannot open file '%s'", pd->filename);
                                     read_error = 1;

daemon/config/dyncfg-files.c

@@ -201,7 +201,7 @@ void dyncfg_load_all(void) {
 // schemas loading
 
 static bool dyncfg_read_file_to_buffer(const char *filename, BUFFER *dst) {
-    int fd = open(filename, O_RDONLY, 0666);
+    int fd = open(filename, O_RDONLY | O_CLOEXEC, 0666);
     if(unlikely(fd == -1))
         return false;
 

daemon/daemon.c

@@ -245,7 +245,7 @@ static void oom_score_adj(void) {
     }
 
     int written = 0;
-    int fd = open("/proc/self/oom_score_adj", O_WRONLY);
+    int fd = open("/proc/self/oom_score_adj", O_WRONLY | O_CLOEXEC);
     if(fd != -1) {
         snprintfz(buf, sizeof(buf) - 1, "%d", (int)wanted_score);
         ssize_t len = strlen(buf);
@@ -478,7 +478,7 @@ int become_daemon(int dont_fork, const char *user)
     // generate our pid file
     int pidfd = -1;
     if(pidfile[0]) {
-        pidfd = open(pidfile, O_WRONLY | O_CREAT, 0644);
+        pidfd = open(pidfile, O_WRONLY | O_CREAT | O_CLOEXEC, 0644);
         if(pidfd >= 0) {
             if(ftruncate(pidfd, 0) != 0)
                 netdata_log_error("Cannot truncate pidfile '%s'.", pidfile);

daemon/main.c

@@ -2174,7 +2174,7 @@ int main(int argc, char **argv) {
     int incomplete_shutdown_detected = (unlink(agent_incomplete_shutdown_file) == 0);
     snprintfz(agent_crash_file, FILENAME_MAX, "%s/.agent_crash", netdata_configured_varlib_dir);
     int crash_detected = (unlink(agent_crash_file) == 0);
-    int fd = open(agent_crash_file, O_WRONLY | O_CREAT | O_TRUNC, 444);
+    int fd = open(agent_crash_file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 444);
     if (fd >= 0)
         close(fd);
 

database/engine/journalfile.c

@@ -1045,7 +1045,7 @@ int journalfile_v2_load(struct rrdengine_instance *ctx, struct rrdengine_journal
         journal_v1_file_size = (uint32_t)statbuf.st_size;
 
     journalfile_v2_generate_path(datafile, path_v2, sizeof(path_v2));
-    fd = open(path_v2, O_RDONLY);
+    fd = open(path_v2, O_RDONLY | O_CLOEXEC);
     if (fd < 0) {
         if (errno == ENOENT)
             return 1;

database/sqlite/sqlite_functions.c

@@ -143,7 +143,7 @@ static bool mark_database_to_recover(sqlite3_stmt *res, sqlite3 *database)
     if (db_meta == database) {
         char recover_file[FILENAME_MAX + 1];
         snprintfz(recover_file, FILENAME_MAX, "%s/.netdata-meta.db.recover", netdata_configured_cache_dir);
-        int fd = open(recover_file, O_WRONLY | O_CREAT | O_TRUNC, 444);
+        int fd = open(recover_file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 444);
         if (fd >= 0) {
             close(fd);
             return true;

libnetdata/ebpf/ebpf.c

@@ -77,7 +77,7 @@ int ebpf_get_kernel_version()
     char ver[VERSION_STRING_LEN];
     char *version = ver;
 
-    int fd = open("/proc/sys/kernel/osrelease", O_RDONLY);
+    int fd = open("/proc/sys/kernel/osrelease", O_RDONLY | O_CLOEXEC);
     if (fd < 0)
         return -1;
 
@@ -1480,7 +1480,7 @@ void ebpf_histogram_dimension_cleanup(char **ptr, size_t length)
 static inline int ebpf_open_tracepoint_path(char *filename, size_t length, char *subsys, char *eventname, int flags)
 {
     snprintfz(filename, length, "%s/events/%s/%s/enable", NETDATA_DEBUGFS, subsys, eventname);
-    return open(filename, flags, 0);
+    return open(filename, flags | O_CLOEXEC, 0);
 }
 
 /**

libnetdata/inlined.h

@@ -472,7 +472,7 @@ static inline bool sanitize_command_argument_string(char *dst, const char *src,
 static inline int read_txt_file(const char *filename, char *buffer, size_t size) {
     if(unlikely(!size)) return 3;
 
-    int fd = open(filename, O_RDONLY, 0666);
+    int fd = open(filename, O_RDONLY | O_CLOEXEC, 0666);
     if(unlikely(fd == -1)) {
         buffer[0] = '\0';
         return 1;
@@ -493,7 +493,7 @@ static inline int read_txt_file(const char *filename, char *buffer, size_t size)
 static inline int read_proc_cmdline(const char *filename, char *buffer, size_t size) {
     if (unlikely(!size)) return 3;
 
-    int fd = open(filename, O_RDONLY, 0666);
+    int fd = open(filename, O_RDONLY | O_CLOEXEC, 0666);
     if (unlikely(fd == -1)) {
         buffer[0] = '\0';
         return 1;

libnetdata/libnetdata.c

@@ -1087,7 +1087,7 @@ void netdata_fix_chart_id(char *s) {
 static int memory_file_open(const char *filename, size_t size) {
     // netdata_log_info("memory_file_open('%s', %zu", filename, size);
 
-    int fd = open(filename, O_RDWR | O_CREAT | O_NOATIME, 0664);
+    int fd = open(filename, O_RDWR | O_CREAT | O_NOATIME | O_CLOEXEC, 0664);
     if (fd != -1) {
         if (lseek(fd, size, SEEK_SET) == (off_t) size) {
             if (write(fd, "", 1) == 1) {

libnetdata/log/journal.c

@@ -48,7 +48,7 @@ int journal_direct_fd(const char *path) {
     if(!is_path_unix_socket(path))
         return -1;
 
-    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
+    int fd = socket(AF_UNIX, SOCK_DGRAM| SOCK_CLOEXEC, 0);
     if (fd < 0) return -1;
 
     struct sockaddr_un addr;

libnetdata/procfile/procfile.c

@@ -8,7 +8,7 @@
 #define PFLINES_INCREASE_STEP 200
 #define PROCFILE_INCREMENT_BUFFER 4096
 
-int procfile_open_flags = O_RDONLY;
+int procfile_open_flags = O_RDONLY | O_CLOEXEC;
 
 int procfile_adaptive_initial_allocation = 0;
 

libnetdata/socket/socket.c

@@ -262,7 +262,7 @@ char *strdup_client_description(int family, const char *protocol, const char *ip
 int create_listen_socket_unix(const char *path, int listen_backlog) {
     int sock;
 
-    sock = socket(AF_UNIX, SOCK_STREAM, 0);
+    sock = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if(sock < 0) {
         nd_log(NDLS_DAEMON, NDLP_ERR,
                "LISTENER: UNIX socket() on path '%s' failed.",
@@ -316,7 +316,7 @@ int create_listen_socket_unix(const char *path, int listen_backlog) {
 int create_listen_socket4(int socktype, const char *ip, uint16_t port, int listen_backlog) {
     int sock;
 
-    sock = socket(AF_INET, socktype, 0);
+    sock = socket(AF_INET, socktype | SOCK_CLOEXEC, 0);
     if(sock < 0) {
         nd_log(NDLS_DAEMON, NDLP_ERR,
                "LISTENER: IPv4 socket() on ip '%s' port %d, socktype %d failed.",
@@ -374,7 +374,7 @@ int create_listen_socket6(int socktype, uint32_t scope_id, const char *ip, int p
     int sock;
     int ipv6only = 1;
 
-    sock = socket(AF_INET6, socktype, 0);
+    sock = socket(AF_INET6, socktype | SOCK_CLOEXEC, 0);
     if (sock < 0) {
         nd_log(NDLS_DAEMON, NDLP_ERR,
                "LISTENER: IPv6 socket() on ip '%s' port %d, socktype %d, failed.",
@@ -781,7 +781,7 @@ int listen_sockets_setup(LISTEN_SOCKETS *sockets) {
 // timeout     the timeout for establishing a connection
 
 static inline int connect_to_unix(const char *path, struct timeval *timeout) {
-    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if(fd == -1) {
         nd_log(NDLS_DAEMON, NDLP_ERR,
                "Failed to create UNIX socket() for '%s'",
@@ -894,7 +894,7 @@ int connect_to_this_ip46(int protocol, int socktype, const char *host, uint32_t
             }
         }
 
-        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+        fd = socket(ai->ai_family, ai->ai_socktype | SOCK_CLOEXEC, ai->ai_protocol);
         if(fd != -1) {
             if(timeout) {
                 if(setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, (char *) timeout, sizeof(struct timeval)) < 0)

registry/registry_internals.c

@@ -277,7 +277,7 @@ char *registry_get_this_machine_guid(void) {
         return guid;
 
     // read it from disk
-    int fd = open(registry.machine_guid_filename, O_RDONLY);
+    int fd = open(registry.machine_guid_filename, O_RDONLY | O_CLOEXEC);
     if(fd != -1) {
         char buf[GUID_LEN + 1];
         if(read(fd, buf, GUID_LEN) != GUID_LEN)
@@ -305,7 +305,7 @@ char *registry_get_this_machine_guid(void) {
         guid[GUID_LEN] = '\0';
 
         // save it
-        fd = open(registry.machine_guid_filename, O_WRONLY|O_CREAT|O_TRUNC, 444);
+        fd = open(registry.machine_guid_filename, O_WRONLY|O_CREAT|O_TRUNC | O_CLOEXEC, 444);
         if(fd == -1)
             fatal("Cannot create unique machine id file '%s'. Please fix this.", registry.machine_guid_filename);
 

web/api/web_api_v1.c

@@ -159,7 +159,7 @@ char *get_mgmt_api_key(void) {
         return guid;
 
     // read it from disk
-    int fd = open(api_key_filename, O_RDONLY);
+    int fd = open(api_key_filename, O_RDONLY | O_CLOEXEC);
     if(fd != -1) {
         char buf[GUID_LEN + 1];
         if(read(fd, buf, GUID_LEN) != GUID_LEN)
@@ -185,7 +185,7 @@ char *get_mgmt_api_key(void) {
         guid[GUID_LEN] = '\0';
 
         // save it
-        fd = open(api_key_filename, O_WRONLY|O_CREAT|O_TRUNC, 444);
+        fd = open(api_key_filename, O_WRONLY|O_CREAT|O_TRUNC | O_CLOEXEC, 444);
         if(fd == -1) {
             netdata_log_error("Cannot create unique management API key file '%s'. Please adjust config parameter 'netdata management api key file' to a proper path and file.", api_key_filename);
             goto temp_key;

web/server/web_client.c

@@ -512,7 +512,7 @@ static int mysendfile(struct web_client *w, char *filename) {
         return append_slash_to_url_and_redirect(w);
 
     // open the file
-    w->ifd = open(web_filename, O_NONBLOCK, O_RDONLY);
+    w->ifd = open(web_filename, O_NONBLOCK, O_RDONLY | O_CLOEXEC);
     if(w->ifd == -1) {
         w->ifd = w->ofd;