Set CLOEXEC on listened/accepted sockets in the FPM children

Author: Mikhail Galanin

main/fastcgi.c

@@ -1423,6 +1423,14 @@ int fcgi_accept_request(fcgi_request *req)
 					return -1;
 				}
 
+#ifdef F_SETFD
+# ifdef FD_CLOEXEC
+				if (0 > fcntl(req->fd, F_SETFD, fcntl(req->fd, F_GETFD) | FD_CLOEXEC)) {
+					fcgi_log(FCGI_WARNING, "failed to change attribute of error_log");
+				}
+# endif
+#endif
+
 #ifdef _WIN32
 				break;
 #else

sapi/fpm/fpm/fpm_children.c

@@ -167,6 +167,25 @@ struct fpm_child_s *fpm_child_find(pid_t pid) /* {{{ */
 }
 /* }}} */
 
+static int fpm_child_cloexec(void)
+{
+	/* If PHP code invokes pcntl_fork()/exec(), we don't want the external programm to inherit the descriptor.
+		If the external process accidentally uses the socket it will likely break the communication */
+	int attrs = fcntl(fpm_globals.listening_socket, F_GETFD);
+	if (0 > attrs) {
+		zlog(ZLOG_WARNING, "failed to get attributes of listening socket, errno: %d", errno);
+		return -1;
+	}
+
+	/* set CLOEXEC to prevent the descriptor leaking to child processes */
+	if (0 > fcntl(fpm_globals.listening_socket, F_SETFD, attrs | FD_CLOEXEC)) {
+		zlog(ZLOG_WARNING, "failed to change attribute of listening socket");
+		return -1;
+	}
+
+	return 0;
+}
+
 static void fpm_child_init(struct fpm_worker_pool_s *wp) /* {{{ */
 {
 	fpm_globals.max_requests = wp->config->pm_max_requests;
@@ -178,7 +197,8 @@ static void fpm_child_init(struct fpm_worker_pool_s *wp) /* {{{ */
 	    0 > fpm_unix_init_child(wp)   ||
 	    0 > fpm_signals_init_child()  ||
 	    0 > fpm_env_init_child(wp)    ||
-	    0 > fpm_php_init_child(wp)) {
+	    0 > fpm_php_init_child(wp)    ||
+	    0 > fpm_child_cloexec()) {
 
 		zlog(ZLOG_ERROR, "[pool %s] child failed to initialize", wp->config->name);
 		exit(FPM_EXIT_SOFTWARE);

sapi/fpm/tests/listen-socket-closed-on-exec.phpt

@@ -0,0 +1,82 @@
+--TEST--
+FPM: Set CLOEXEC on the listen socket
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+<?php
+if (!in_array(PHP_OS_FAMILY, ['Linux', 'Darwin'], true)) {
+    die("skip: only can work on Linux or macOS\n");
+}
+?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<'EOT'
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = static
+pm.max_children = 1
+pm.status_listen = {{ADDR[status]}}
+pm.status_path = /status
+env[PATH] = $PATH
+EOT;
+
+$code = <<<'EOT'
+<?php
+
+$fpmPort = $_GET['fpm_port'];
+
+echo "My sockets (expect to see 2 of them - one ESTABLISHED and one LISTEN):\n";
+
+$mypid = getmypid();
+$ph = popen("/bin/sh -c 'lsof -Pn -p$mypid' 2>&1 | grep TCP | grep '127.0.0.1:$fpmPort'", 'r');
+echo stream_get_contents($ph);
+pclose($ph);
+
+echo "\n\n";
+
+/*
+We expect that both LISTEN (inherited from the master process) and ACCEPTED (ESTABLISHED)
+have F_CLOEXEC and should not appear in the created process.
+
+We grep out sockets from non-FPM port, because they may appear in the environment,
+e.g. PHP-FPM can inherit them from the test-runner. We cannot control the runner
+but we test how the FPM behaves.
+*/
+
+echo "Sockets after exec(), expected to be empty:\n";
+$ph = popen("/bin/sh -c 'lsof -Pn -p\$\$' 2>&1 | grep TCP | grep '127.0.0.1:$fpmPort'", 'r');
+var_dump(stream_get_contents($ph));
+pclose($ph);
+
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$tester->request(query: 'fpm_port='.$tester->getPort())->printBody();
+usleep(100000);
+//$tester->status($expectedStatusData, '{{ADDR[status]}}');
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+?>
+Done
+--EXPECTF--
+My sockets (expect to see 2 of them - one ESTABLISHED and one LISTEN):
+%S 127.0.0.1:%d->127.0.0.1:%d (ESTABLISHED)
+%S 127.0.0.1:%d (LISTEN)
+
+
+Sockets after exec(), expected to be empty:
+string(0) ""
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>