From 57ef42991e64c547ffa94d7dc70ed41a65383114 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Mon, 6 Jan 2025 02:52:46 +0000
Subject: [PATCH] bunpen: dbus: fix to not keep the non-sandboxed file open
 after exec'ing into the user program

---
 pkgs/by-name/bunpen/restrict/restrict.ha | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/by-name/bunpen/restrict/restrict.ha b/pkgs/by-name/bunpen/restrict/restrict.ha
index 06494add0..7b19d2be6 100644
--- a/pkgs/by-name/bunpen/restrict/restrict.ha
+++ b/pkgs/by-name/bunpen/restrict/restrict.ha
@@ -31,7 +31,7 @@ export fn restrict(what: *resources::resources) void = {
         // on i can refer to it by path relative to that parent
         let session_parent = path::parent(&session)!;
         log::printfln("[restrict] attempting to open parent(DBUS_SESSION_BUS_ADDRESS={})={}", path::string(&session), session_parent);
-        yield match (rt::open(session_parent, rt::O_RDONLY, 0o700)) { //< TODO: correct mode?
+        yield match (rt::open(session_parent, rt::O_RDONLY | rt::O_CLOEXEC, 0o700)) { //< TODO: correct mode?
           case let outer_fd: int => yield dbus_details {
             outer_parent_fd = outer_fd,
             session_path = session,