Close on exec pipes

src/runner.cpp

@@ -26,7 +26,7 @@ run_result runner::run_blocking(const program &program) {
     int in_pipe[2];
     int out_pipe[2];
     int err_pipe[2];
-    if (pipe(in_pipe) == -1 || pipe(out_pipe) == -1 || pipe(err_pipe) == -1) {
+    if (pipe2(in_pipe, O_CLOEXEC) == -1 || pipe2(out_pipe, O_CLOEXEC) == -1 || pipe2(err_pipe, O_CLOEXEC) == -1) {
         throw std::system_error{errno, std::generic_category()};
     }
 
@@ -47,16 +47,10 @@ run_result runner::run_blocking(const program &program) {
 
     posix_spawn_file_actions_t actions;
     posix_spawn_file_actions_init(&actions);
-    posix_spawn_file_actions_addclose(&actions, in_pipe[1]);
-    posix_spawn_file_actions_addclose(&actions, out_pipe[0]);
-    posix_spawn_file_actions_addclose(&actions, err_pipe[0]);
     posix_spawn_file_actions_addclose(&actions, timerfd);
     posix_spawn_file_actions_adddup2(&actions, in_pipe[0], STDIN_FILENO);
     posix_spawn_file_actions_adddup2(&actions, out_pipe[1], STDOUT_FILENO);
     posix_spawn_file_actions_adddup2(&actions, err_pipe[1], STDERR_FILENO);
-    posix_spawn_file_actions_addclose(&actions, in_pipe[0]);
-    posix_spawn_file_actions_addclose(&actions, out_pipe[1]);
-    posix_spawn_file_actions_addclose(&actions, err_pipe[1]);
     const char *const docker_args[] = {"docker", "run", "--rm", "-i", "--name", program.name.c_str(), "--pull=never", "--cap-drop=ALL", "--network=none", "--memory=64m", "--memory-swap=64m", "--pids-limit=128", program.image.c_str(), nullptr};
     const char *const bwrap_args[] = {"bwrap", "--ro-bind", "/usr", "/usr", "--dir", "/tmp", "--dir", "/var", "--proc", "/proc", "--dev", "/dev", "--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64", "--symlink", "usr/bin", "/bin", "--symlink", "usr/sbin", "/sbin", "--unshare-all", "--die-with-parent", "/bin/sh", nullptr};
     const char *const *args = docker_args;