
Set CLOEXEC so tun file descriptor not leaked to network config command subprocesses

Rod Hynes 8 лет назад
Родитель
Сommit
846409852f

+ 7 - 3
psiphon/common/tun/tun_darwin.go

@@ -80,6 +80,10 @@ func makeDeviceOutboundBuffer(MTU int) []byte {
 
 func createTunDevice() (io.ReadWriteCloser, string, error) {
 
+	// Prevent fork between creating fd and setting CLOEXEC
+	syscall.ForkLock.RLock()
+	defer syscall.ForkLock.RUnlock()
+
 	// Darwin utun code based on:
 	// https://github.com/songgao/water/blob/70591d249921d075889cc49aaef072987e6b354a/syscalls_darwin.go
 
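Review bot: The deferred `syscall.ForkLock.RUnlock()` at the top of createTunDevice keeps the read lock held until the function returns, not just for the window between creating the descriptor and `syscall.CloseOnExec`. The standard library's fork/exec path takes the write side of ForkLock, so every subprocess start elsewhere in the process stalls while device setup runs, and a subprocess started from inside this function (or a helper it calls) would deadlock. I would unlock explicitly right after the CloseOnExec call, or at least record the constraint next to the lock: `// ForkLock is held until return: nothing called from here may start a subprocess.` The same pattern is added to createTunDevice in tun_linux.go; the function body continues outside this hunk, so whether it runs any command could not be checked here.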
@@ -103,6 +107,9 @@ func createTunDevice() (io.ReadWriteCloser, string, error) {
 		return nil, "", common.ContextError(err)
 	}
 
+	// Set CLOEXEC so file descriptor not leaked to network config command subprocesses
+	syscall.CloseOnExec(fd)
+
 	var tunControlName [96]byte
 	copy(tunControlName[:], TUN_CONTROL_NAME)
 
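Review bot: `syscall.CloseOnExec(fd)` has no return value, so if the underlying fcntl fails the descriptor stays inheritable and createTunDevice continues as if it were protected. Since keeping the tun fd out of the network config subprocesses is the purpose of this commit, the silent failure mode should at least be stated: `// CloseOnExec reports no error; if fcntl fails, fd remains inheritable by subprocesses.` A test that reads the descriptor flags back after createTunDevice and asserts FD_CLOEXEC is set would pin the behaviour. The same applies to the call added in tun_linux.go. The creation of fd and the rest of the function are outside this hunk.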
@@ -169,9 +176,6 @@ func createTunDevice() (io.ReadWriteCloser, string, error) {
 	deviceName := string(ifName.name[:ifNameSize-1])
 	file := os.NewFile(uintptr(fd), deviceName)
 
-	// TODO: set CLOEXEC on tun fds?
-	// https://github.com/OpenVPN/openvpn/blob/3e4e300d6c5ea9c320e62def79e5b70f8e255248/src/openvpn/tun.c#L3060
-
 	return file, deviceName, nil
 }
 

+ 7 - 3
psiphon/common/tun/tun_linux.go

@@ -48,6 +48,10 @@ func makeDeviceOutboundBuffer(MTU int) []byte {
 
 func createTunDevice() (io.ReadWriteCloser, string, error) {
 
+	// Prevent fork between creating fd and setting CLOEXEC
+	syscall.ForkLock.RLock()
+	defer syscall.ForkLock.RUnlock()
+
 	// Requires process to run as root or have CAP_NET_ADMIN.
 
 	// This code follows snippets in this thread:
@@ -58,6 +62,9 @@ func createTunDevice() (io.ReadWriteCloser, string, error) {
 		return nil, "", common.ContextError(err)
 	}
 
+	// Set CLOEXEC so file descriptor not leaked to network config command subprocesses
+	syscall.CloseOnExec(int(file.Fd()))
+
 	// Definitions from <linux/if.h>, <linux/if_tun.h>
 
 	// Note: using IFF_NO_PI, so packets have no size/flags header. This does mean
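Review bot: `syscall.CloseOnExec(int(file.Fd()))` is probably redundant if `file` comes from os.OpenFile (the open call is outside this hunk), because Go's os package already opens files with O_CLOEXEC on Linux. The `file.Fd()` call also has a side effect: in Go releases where *os.File uses the runtime poller, Fd() switches the descriptor to blocking mode, which can prevent Close from interrupting a pending Read on the tun device. If the call is kept as defence in depth, say so in the comment, e.g. `// os.OpenFile already sets O_CLOEXEC; repeated here as an explicit guarantee.` It is also worth confirming that later code already calls Fd() for the ioctl, in which case this line adds no new side effect.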
@@ -95,9 +102,6 @@ func createTunDevice() (io.ReadWriteCloser, string, error) {
 
 	deviceName := strings.Trim(string(ifReq.name[:]), "\x00")
 
-	// TODO: set CLOEXEC on tun fds?
-	// https://github.com/OpenVPN/openvpn/blob/3e4e300d6c5ea9c320e62def79e5b70f8e255248/src/openvpn/tun.c#L3060
-
 	return file, deviceName, nil
 }
 

+ 1 - 1
psiphon/common/tun/tun_unsupported.go

@@ -59,7 +59,7 @@ func (device *Device) writeTunPacket(_ []byte) error {
 	return common.ContextError(unsupportedError)
 }
 
-func configureSubprocessCapabilities() error {
+func configureNetworkConfigSubprocessCapabilities() error {
 	return common.ContextError(unsupportedError)
 }