memfd: always create our memfds with CLOEXEC set

We really shouldn't create fds ever that have the flag unset.

2 files changed, 6 insertions, 2 deletions

diff --git a/src/shared/memfd.c b/src/shared/memfd.c
index 162c12f7a7..f3ce8f84da 100644
--- a/src/shared/memfd.c
+++ b/src/shared/memfd.c
@@ -65,7 +65,7 @@ int memfd_new(const char *name) {
                 }
         }
 
-        fd = memfd_create(name, MFD_ALLOW_SEALING);
+        fd = memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC);
         if (fd < 0)
                 return -errno;
 
diff --git a/src/shared/missing.h b/src/shared/missing.h
index 7725e47298..0d7c55952e 100644
--- a/src/shared/missing.h
+++ b/src/shared/missing.h
@@ -74,7 +74,11 @@
 #endif
 
 #ifndef MFD_ALLOW_SEALING
-#define MFD_ALLOW_SEALING 0x0002ULL
+#define MFD_ALLOW_SEALING 0x0002U
+#endif
+
+#ifndef MFD_CLOEXEC
+#define MFD_CLOEXEC 0x0001U
 #endif
 
 #ifndef IP_FREEBIND