authorZach Reizner <zachr@google.com>2018-01-02 13:36:57 -0800
committerchrome-bot <chrome-bot@chromium.org>2018-01-03 14:23:23 -0800
commitce4611cde2d51c49356a9599b3c647e2ce3ee488 (patch)
tree8ba1f1828a00c5d43800a4f49ea31d696f9ead54 /kvm/src/lib.rs
parentd44320488fd2db344b6b1fd156c22fdf90b82fe2 (diff)
kvm: open /dev/kvm with close on exec
Without this, the KVM FD may leak to child processes.

BUG=None
TEST=./build_test

Change-Id: Ic2f6db6c787d99865c2eefb40ad8993471ee82b2
Reviewed-on: https://chromium-review.googlesource.com/848015
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Diffstat (limited to 'kvm/src/lib.rs')
-rw-r--r--kvm/src/lib.rs4
1 files changed, 2 insertions, 2 deletions
diff --git a/kvm/src/lib.rs b/kvm/src/lib.rs
index 30dd499..18699d7 100644
--- a/kvm/src/lib.rs
+++ b/kvm/src/lib.rs
@@ -17,7 +17,7 @@ use std::collections::hash_map::Entry;
 use std::os::raw::*;
 use std::os::unix::io::{AsRawFd, FromRawFd, RawFd};
 
-use libc::{open, O_RDWR, EINVAL, ENOSPC, ENOENT};
+use libc::{open, O_RDWR, O_CLOEXEC, EINVAL, ENOSPC, ENOENT};
 
 use kvm_sys::*;
 
@@ -62,7 +62,7 @@ impl Kvm {
     pub fn new() -> Result<Kvm> {
         // Open calls are safe because we give a constant nul-terminated string and verify the
         // result.
-        let ret = unsafe { open("/dev/kvm\0".as_ptr() as *const c_char, O_RDWR) };
+        let ret = unsafe { open("/dev/kvm\0".as_ptr() as *const c_char, O_RDWR | O_CLOEXEC) };
         if ret < 0 {
             return errno_result();
         }
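Review bot: `O_CLOEXEC` on the `open` call in `Kvm::new` closes the descriptor only at `execve`, so a child that forks and keeps running without exec still inherits the `/dev/kvm` fd. Whether any child process here does that is not visible from this hunk, but if one does, it would need to close the fd explicitly. The safety comment above the call still covers only the nul-terminated string and the result check; I would add a line such as `// O_CLOEXEC keeps the KVM fd from being inherited across exec by child processes.` so the flag is not dropped in a later cleanup. A small test asserting `fcntl(fd, F_GETFD) & FD_CLOEXEC != 0` on the returned fd would pin the behaviour, if the test module does not already have one. The body of `new` continues past the end of the hunk.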