Dont leaks descriptors

stevegrubb · stevegrubb · commit 1ff90d2bf25a · 2025-07-14T10:35:51.000-04:00
diff --git a/audisp/plugins/ids/reactions.c b/audisp/plugins/ids/reactions.c
@@ -53,6 +53,12 @@ static int safe_exec(const char *exe, ...)
 	/* Child */
 	sigfillset (&sa.sa_mask);
 	sigprocmask (SIG_UNBLOCK, &sa.sa_mask, 0);
+#ifdef HAVE_CLOSE_RANGE
+	close_range(3, ~0U, 0); /* close all past stderr */
+#else
+	for (i=3; i<24; i++)     /* Arbitrary number */
+		close(i);
+#endif
 
 	va_start(ap, exe);
 	for (i = 1; va_arg(ap, char *) != NULL; i++);
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
@@ -275,6 +275,12 @@ static void safe_exec(const char *exe, const char *message)
 	/* Child */
 	sigfillset (&sa.sa_mask);
 	sigprocmask (SIG_UNBLOCK, &sa.sa_mask, 0);
+#ifdef HAVE_CLOSE_RANGE
+	close_range(3, ~0U, 0); /* close all past stderr */
+#else
+	for (i=3; i<24; i++)     /* Arbitrary number */
+		close(i);
+#endif
 
 	argv[0] = (char *)exe;
 	argv[1] = (char *)message;
diff --git a/src/auditd-event.c b/src/auditd-event.c
@@ -1523,6 +1523,12 @@ static pid_t safe_exec(const char *exe)
 	/* Child */
 	sigfillset(&sa.sa_mask);
 	sigprocmask(SIG_UNBLOCK, &sa.sa_mask, 0);
+#ifdef HAVE_CLOSE_RANGE
+	close_range(3, ~0U, 0); /* close all past stderr */
+#else
+	for (i=3; i<24; i++)     /* Arbitrary number */
+		close(i);
+#endif
 
 	argv[0] = (char *)exe;
 	argv[1] = NULL;
