tree-wide: use FORK_REARRANGE_STDIO and FORK_CLOSE_ALL_FDS

3 files changed, 17 insertions, 39 deletions

diff --git a/src/import/import-common.c b/src/import/import-common.c
index 874d27d292..7227f885a8 100644
--- a/src/import/import-common.c
+++ b/src/import/import-common.c
@@ -36,7 +36,10 @@ int import_fork_tar_x(const char *path, pid_t *ret) {
 
         use_selinux = mac_selinux_use();
 
-        r = safe_fork("(tar)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid);
+        r = safe_fork_full("(tar)",
+                           (int[]) { pipefd[0], -EBADF, STDERR_FILENO },
+                           NULL, 0,
+                           FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_REARRANGE_STDIO|FORK_LOG, &pid);
         if (r < 0)
                 return r;
         if (r == 0) {
@@ -63,14 +66,6 @@ int import_fork_tar_x(const char *path, pid_t *ret) {
 
                 /* Child */
 
-                pipefd[1] = safe_close(pipefd[1]);
-
-                r = rearrange_stdio(TAKE_FD(pipefd[0]), -EBADF, STDERR_FILENO);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to rearrange stdin/stdout: %m");
-                        _exit(EXIT_FAILURE);
-                }
-
                 if (unshare(CLONE_NEWNET) < 0)
                         log_warning_errno(errno, "Failed to lock tar into network namespace, ignoring: %m");
 
@@ -110,7 +105,10 @@ int import_fork_tar_c(const char *path, pid_t *ret) {
 
         use_selinux = mac_selinux_use();
 
-        r = safe_fork("(tar)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid);
+        r = safe_fork_full("(tar)",
+                           (int[]) { -EBADF, pipefd[1], STDERR_FILENO },
+                           NULL, 0,
+                           FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_REARRANGE_STDIO|FORK_LOG, &pid);
         if (r < 0)
                 return r;
         if (r == 0) {
@@ -129,14 +127,6 @@ int import_fork_tar_c(const char *path, pid_t *ret) {
 
                 /* Child */
 
-                pipefd[0] = safe_close(pipefd[0]);
-
-                r = rearrange_stdio(-EBADF, TAKE_FD(pipefd[1]), STDERR_FILENO);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to rearrange stdin/stdout: %m");
-                        _exit(EXIT_FAILURE);
-                }
-
                 if (unshare(CLONE_NEWNET) < 0)
                         log_error_errno(errno, "Failed to lock tar into network namespace, ignoring: %m");
 
diff --git a/src/import/importd.c b/src/import/importd.c
index 65647a66a6..5f7b9c3163 100644
--- a/src/import/importd.c
+++ b/src/import/importd.c
@@ -365,7 +365,10 @@ static int transfer_start(Transfer *t) {
         if (pipe2(pipefd, O_CLOEXEC) < 0)
                 return -errno;
 
-        r = safe_fork("(sd-transfer)", FORK_RESET_SIGNALS|FORK_DEATHSIG, &t->pid);
+        r = safe_fork_full("(sd-transfer)",
+                           (int[]) { t->stdin_fd, t->stdout_fd < 0 ? pipefd[1] : t->stdout_fd, pipefd[1] },
+                           NULL, 0,
+                           FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_REARRANGE_STDIO, &t->pid);
         if (r < 0)
                 return r;
         if (r == 0) {
@@ -387,17 +390,6 @@ static int transfer_start(Transfer *t) {
 
                 /* Child */
 
-                pipefd[0] = safe_close(pipefd[0]);
-
-                r = rearrange_stdio(TAKE_FD(t->stdin_fd),
-                                    t->stdout_fd < 0 ? pipefd[1] : TAKE_FD(t->stdout_fd),
-                                    pipefd[1]);
-                TAKE_FD(pipefd[1]);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to set stdin/stdout/stderr: %m");
-                        _exit(EXIT_FAILURE);
-                }
-
                 if (setenv("SYSTEMD_LOG_TARGET", "console-prefixed", 1) < 0 ||
                     setenv("NOTIFY_SOCKET", "/run/systemd/import/notify", 1) < 0) {
                         log_error_errno(errno, "setenv() failed: %m");
diff --git a/src/import/pull-common.c b/src/import/pull-common.c
index c8a3bf370e..3b80e64b32 100644
--- a/src/import/pull-common.c
+++ b/src/import/pull-common.c
@@ -414,7 +414,11 @@ static int verify_gpg(
 
         gpg_home_created = true;
 
-        r = safe_fork("(gpg)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &pid);
+        r = safe_fork_full("(gpg)",
+                           (int[]) { gpg_pipe[0], -EBADF, STDERR_FILENO },
+                           NULL, 0,
+                           FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG|FORK_REARRANGE_STDIO|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE,
+                           &pid);
         if (r < 0)
                 return r;
         if (r == 0) {
@@ -437,14 +441,6 @@ static int verify_gpg(
 
                 /* Child */
 
-                gpg_pipe[1] = safe_close(gpg_pipe[1]);
-
-                r = rearrange_stdio(TAKE_FD(gpg_pipe[0]), -EBADF, STDERR_FILENO);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to rearrange stdin/stdout: %m");
-                        _exit(EXIT_FAILURE);
-                }
-
                 cmd[k++] = strjoina("--homedir=", gpg_home);
 
                 /* We add the user keyring only to the command line arguments, if it's around since gpg fails