core: merge branch 'th/sysctl-ifname-race-bgo775613' (early part)

Backport some of the patches from "th/sysctl-ifname-race-bgo775613"
branch.

https://bugzilla.gnome.org/show_bug.cgi?id=775613

22 files changed, 180 insertions, 54 deletions

diff --git a/shared/nm-utils/nm-macros-internal.h b/shared/nm-utils/nm-macros-internal.h
index b6b6bdee4..de90e3f58 100644
--- a/shared/nm-utils/nm-macros-internal.h
+++ b/shared/nm-utils/nm-macros-internal.h
@@ -22,7 +22,9 @@
 #ifndef __NM_MACROS_INTERNAL_H__
 #define __NM_MACROS_INTERNAL_H__
 
+#include <stdio.h>
 #include <stdlib.h>
+#include <errno.h>
 
 #include "nm-glib.h"
 
@@ -59,7 +61,31 @@ _nm_auto_free_gstring_impl (GString **str)
 }
 #define nm_auto_free_gstring nm_auto(_nm_auto_free_gstring_impl)
 
-/********************************************************/
+static inline void
+_nm_auto_close_impl (int *pfd)
+{
+	if (*pfd >= 0) {
+		int errsv = errno;
+
+		(void) close (*pfd);
+		errno = errsv;
+	}
+}
+#define nm_auto_close nm_auto(_nm_auto_close_impl)
+
+static inline void
+_nm_auto_fclose_impl (FILE **pfd)
+{
+	if (*pfd) {
+		int errsv = errno;
+
+		(void) fclose (*pfd);
+		errno = errsv;
+	}
+}
+#define nm_auto_fclose nm_auto(_nm_auto_fclose_impl)
+
+/*****************************************************************************/
 
 /* http://stackoverflow.com/a/11172679 */
 #define  _NM_UTILS_MACRO_FIRST(...)                           __NM_UTILS_MACRO_FIRST_HELPER(__VA_ARGS__, throwaway)
diff --git a/src/devices/adsl/nm-device-adsl.c b/src/devices/adsl/nm-device-adsl.c
index 2ab67c9a9..77c6e119b 100644
--- a/src/devices/adsl/nm-device-adsl.c
+++ b/src/devices/adsl/nm-device-adsl.c
@@ -154,7 +154,7 @@ br2684_assign_vcc (NMDeviceAdsl *self, NMSettingAdsl *s_adsl)
 	g_return_val_if_fail (priv->brfd == -1, FALSE);
 	g_return_val_if_fail (priv->nas_ifname != NULL, FALSE);
 
-	priv->brfd = socket (PF_ATMPVC, SOCK_DGRAM, ATM_AAL5);
+	priv->brfd = socket (PF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, ATM_AAL5);
 	if (priv->brfd < 0) {
 		errsv = errno;
 		_LOGE (LOGD_ADSL, "failed to open ATM control socket (%d)", errsv);
@@ -338,7 +338,7 @@ br2684_create_iface (NMDeviceAdsl *self,
 		nm_clear_g_source (&priv->nas_update_id);
 	}
 
-	fd = socket (PF_ATMPVC, SOCK_DGRAM, ATM_AAL5);
+	fd = socket (PF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, ATM_AAL5);
 	if (fd < 0) {
 		errsv = errno;
 		_LOGE (LOGD_ADSL, "failed to open ATM control socket (%d)", errsv);
diff --git a/src/devices/bluetooth/nm-bluez5-dun.c b/src/devices/bluetooth/nm-bluez5-dun.c
index 4c93feba6..aba3a0dd9 100644
--- a/src/devices/bluetooth/nm-bluez5-dun.c
+++ b/src/devices/bluetooth/nm-bluez5-dun.c
@@ -64,7 +64,7 @@ dun_connect (NMBluez5DunContext *context)
 		.channel = context->rfcomm_channel
 	};
 
-	context->rfcomm_fd = socket (AF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM);
+	context->rfcomm_fd = socket (AF_BLUETOOTH, SOCK_STREAM | SOCK_CLOEXEC, BTPROTO_RFCOMM);
 	if (context->rfcomm_fd < 0) {
 		int errsv = errno;
 		error = g_error_new (NM_BT_ERROR, NM_BT_ERROR_DUN_CONNECT_FAILED,
@@ -112,7 +112,7 @@ dun_connect (NMBluez5DunContext *context)
 	context->rfcomm_id = devid;
 
 	snprintf (tty, ttylen, "/dev/rfcomm%d", devid);
-	while ((context->rfcomm_tty_fd = open (tty, O_RDONLY | O_NOCTTY)) < 0 && try--) {
+	while ((context->rfcomm_tty_fd = open (tty, O_RDONLY | O_NOCTTY | O_CLOEXEC)) < 0 && try--) {
 		if (try) {
 			g_usleep (100 * 1000);
 			continue;
diff --git a/src/devices/tests/test-lldp.c b/src/devices/tests/test-lldp.c
index ff6f42a97..f6b6af90b 100644
--- a/src/devices/tests/test-lldp.c
+++ b/src/devices/tests/test-lldp.c
@@ -352,7 +352,7 @@ _test_recv_fixture_setup (TestRecvFixture *fixture, gconstpointer user_data)
 	struct ifreq ifr = { };
 	int fd, s;
 
-	fd = open ("/dev/net/tun", O_RDWR);
+	fd = open ("/dev/net/tun", O_RDWR | O_CLOEXEC);
 	g_assert (fd >= 0);
 
 	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
@@ -360,7 +360,7 @@ _test_recv_fixture_setup (TestRecvFixture *fixture, gconstpointer user_data)
 	g_assert (ioctl (fd, TUNSETIFF, &ifr) >= 0);
 
 	/* Bring the interface up */
-	s = socket (AF_INET, SOCK_DGRAM, 0);
+	s = socket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	g_assert (s >= 0);
 	ifr.ifr_flags |= IFF_UP;
 	g_assert (ioctl (s, SIOCSIFFLAGS, &ifr) >= 0);
diff --git a/src/devices/wwan/nm-modem.c b/src/devices/wwan/nm-modem.c
index bf3aa3b28..459d212aa 100644
--- a/src/devices/wwan/nm-modem.c
+++ b/src/devices/wwan/nm-modem.c
@@ -496,18 +496,18 @@ ppp_stats (NMPPPManager *ppp_manager,
 static gboolean
 port_speed_is_zero (const char *port)
 {
-    struct termios options;
-    gs_fd_close int fd = -1;
+	struct termios options;
+	nm_auto_close int fd = -1;
 
-    fd = open (port, O_RDWR | O_NONBLOCK | O_NOCTTY);
-    if (fd < 0)
+	fd = open (port, O_RDWR | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
+	if (fd < 0)
 		return FALSE;
 
-    memset (&options, 0, sizeof (struct termios));
-    if (tcgetattr (fd, &options) != 0)
-        return FALSE;
+	memset (&options, 0, sizeof (struct termios));
+	if (tcgetattr (fd, &options) != 0)
+		return FALSE;
 
-    return cfgetospeed (&options) == B0;
+	return cfgetospeed (&options) == B0;
 }
 
 static NMActStageReturn
diff --git a/src/dns-manager/nm-dns-manager.c b/src/dns-manager/nm-dns-manager.c
index ce8f4d931..5a758a9e7 100644
--- a/src/dns-manager/nm-dns-manager.c
+++ b/src/dns-manager/nm-dns-manager.c
@@ -707,7 +707,7 @@ update_resolv_conf (NMDnsManager *self,
 		}
 	}
 
-	if ((f = fopen (MY_RESOLV_CONF_TMP, "w")) == NULL) {
+	if ((f = fopen (MY_RESOLV_CONF_TMP, "we")) == NULL) {
 		errsv = errno;
 		g_set_error (error,
 		             NM_MANAGER_ERROR,
@@ -1576,7 +1576,7 @@ _check_resconf_immutable (NMDnsManagerResolvConfManager rc_manager)
 			}
 		}
 
-		fd = open (_PATH_RESCONF, O_RDONLY);
+		fd = open (_PATH_RESCONF, O_RDONLY | O_CLOEXEC);
 		if (fd != -1) {
 			if (ioctl (fd, FS_IOC_GETFLAGS, &flags) != -1)
 				immutable = NM_FLAGS_HAS (flags, FS_IMMUTABLE_FL);
diff --git a/src/main-utils.c b/src/main-utils.c
index c2ed9d1cb..6497ea25c 100644
--- a/src/main-utils.c
+++ b/src/main-utils.c
@@ -94,7 +94,7 @@ nm_main_utils_write_pidfile (const char *pidfile)
 	int fd;
 	gboolean success = FALSE;
 
-	if ((fd = open (pidfile, O_CREAT|O_WRONLY|O_TRUNC, 00644)) < 0) {
+	if ((fd = open (pidfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, 00644)) < 0) {
 		fprintf (stderr, _("Opening %s failed: %s\n"), pidfile, strerror (errno));
 		return FALSE;
 	}
diff --git a/src/nm-core-utils.c b/src/nm-core-utils.c
index 6988a1243..ed2a871e5 100644
--- a/src/nm-core-utils.c
+++ b/src/nm-core-utils.c
@@ -2810,7 +2810,7 @@ nm_utils_read_urandom (void *p, size_t nbytes)
 	int r;
 
 again:
-	fd = open ("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
+	fd = open ("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY);
 	if (fd < 0) {
 		r = errno;
 		if (r == EINTR)
diff --git a/src/nm-manager.c b/src/nm-manager.c
index bdc1c10f0..c3d65cd1e 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -5332,7 +5332,7 @@ rfkill_change (NMManager *self, const char *desc, RfKillType rtype, gboolean ena
 	g_return_if_fail (rtype == RFKILL_TYPE_WLAN || rtype == RFKILL_TYPE_WWAN);
 
 	errno = 0;
-	fd = open ("/dev/rfkill", O_RDWR);
+	fd = open ("/dev/rfkill", O_RDWR | O_CLOEXEC);
 	if (fd < 0) {
 		if (errno == EACCES)
 			_LOGW (LOGD_RFKILL, "(%s): failed to open killswitch device", desc);
diff --git a/src/platform/nm-linux-platform.c b/src/platform/nm-linux-platform.c
index d24dee241..f9f4b088d 100644
--- a/src/platform/nm-linux-platform.c
+++ b/src/platform/nm-linux-platform.c
@@ -721,7 +721,7 @@ _linktype_get_type (NMPlatform *platform,
 		}
 
 		/* Fallback for drivers that don't call SET_NETDEV_DEVTYPE() */
-		if (wifi_utils_is_wifi (ifname))
+		if (wifi_utils_is_wifi (ifindex, ifname))
 			return NM_LINK_TYPE_WIFI;
 
 		if (arptype == ARPHRD_ETHER) {
@@ -5147,7 +5147,7 @@ tun_add (NMPlatform *platform, const char *name, gboolean tap,
 	_LOGD ("link: add %s '%s' owner %" G_GINT64_FORMAT " group %" G_GINT64_FORMAT,
 	       tap ? "tap" : "tun", name, owner, group);
 
-	fd = open ("/dev/net/tun", O_RDWR);
+	fd = open ("/dev/net/tun", O_RDWR | O_CLOEXEC);
 	if (fd < 0)
 		return FALSE;
 
diff --git a/src/platform/nm-platform-utils.c b/src/platform/nm-platform-utils.c
index 068801ee6..b939e7836 100644
--- a/src/platform/nm-platform-utils.c
+++ b/src/platform/nm-platform-utils.c
@@ -31,12 +31,15 @@
 #include <linux/mii.h>
 #include <linux/version.h>
 #include <linux/rtnetlink.h>
+#include <fcntl.h>
 
 #include "nm-utils.h"
 #include "nm-setting-wired.h"
 
 #include "nm-core-utils.h"
 
+extern char *if_indextoname (unsigned int __ifindex, char *__ifname);
+
 /******************************************************************
  * ethtool
  ******************************************************************/
@@ -60,7 +63,7 @@ ethtool_get (const char *name, gpointer edata)
 	nm_utils_ifname_cpy (ifr.ifr_name, name);
 	ifr.ifr_data = edata;
 
-	fd = socket (PF_INET, SOCK_DGRAM, 0);
+	fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (fd < 0) {
 		nm_log_err (LOGD_PLATFORM, "ethtool: Could not open socket.");
 		return FALSE;
@@ -342,7 +345,7 @@ nmp_utils_mii_supports_carrier_detect (const char *ifname)
 	if (!nmp_utils_device_exists (ifname))
 		return FALSE;
 
-	fd = socket (PF_INET, SOCK_DGRAM, 0);
+	fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (fd < 0) {
 		nm_log_err (LOGD_PLATFORM, "mii: couldn't open control socket (%s)", ifname);
 		return FALSE;
@@ -558,3 +561,83 @@ nmp_utils_ip_config_source_to_string (NMIPConfigSource source, char *buf, gsize
 	return buf;
 }
 
+/**
+ * nmp_utils_sysctl_open_netdir:
+ * @ifindex: the ifindex for which to open "/sys/class/net/%s"
+ * @ifname_guess: (allow-none): optional argument, if present used as initial
+ *   guess as the current name for @ifindex. If guessed right,
+ *   it saves an addtional if_indextoname() call.
+ * @out_ifname: (allow-none): if present, must be at least IFNAMSIZ
+ *   characters. On success, this will contain the actual ifname
+ *   found while opening the directory.
+ *
+ * Returns: a negative value on failure, on success returns the open fd
+ *   to the "/sys/class/net/%s" directory for @ifindex.
+ */
+int
+nmp_utils_sysctl_open_netdir (int ifindex,
+                              const char *ifname_guess,
+                              char *out_ifname)
+{
+	#define SYS_CLASS_NET "/sys/class/net/"
+	const char *ifname = ifname_guess;
+	char ifname_buf_last_try[IFNAMSIZ];
+	char ifname_buf[IFNAMSIZ];
+	guint try_count = 0;
+	char sysdir[NM_STRLEN (SYS_CLASS_NET) + IFNAMSIZ] = SYS_CLASS_NET;
+	char fd_buf[256];
+	ssize_t nn;
+
+	g_return_val_if_fail (ifindex >= 0, -1);
+
+	ifname_buf_last_try[0] = '\0';
+
+	for (try_count = 0; try_count < 10; try_count++, ifname = NULL) {
+		nm_auto_close int fd_dir = -1;
+		nm_auto_close int fd_ifindex = -1;
+		int fd;
+
+		if (!ifname) {
+			ifname = if_indextoname (ifindex, ifname_buf);
+			if (!ifname)
+				return -1;
+		}
+
+		nm_assert (nm_utils_iface_valid_name (ifname));
+
+		if (g_strlcpy (&sysdir[NM_STRLEN (SYS_CLASS_NET)], ifname, IFNAMSIZ) >= IFNAMSIZ)
+			g_return_val_if_reached (-1);
+
+		/* we only retry, if the name changed since previous attempt.
+		 * Hence, it is extremely unlikely that this loop runes until the
+		 * end of the @try_count. */
+		if (nm_streq (ifname, ifname_buf_last_try))
+			return -1;
+		strcpy (ifname_buf_last_try, ifname);
+
+		fd_dir = open (sysdir, O_DIRECTORY | O_CLOEXEC);
+		if (fd_dir < 0)
+			continue;
+
+		fd_ifindex = openat (fd_dir, "ifindex", O_CLOEXEC);
+		if (fd_ifindex < 0)
+			continue;
+
+		nn = nm_utils_fd_read_loop (fd_ifindex, fd_buf, sizeof (fd_buf) - 2, FALSE);
+		if (nn <= 0)
+			continue;
+		fd_buf[nn] = '\0';
+
+		if (ifindex != _nm_utils_ascii_str_to_int64 (fd_buf, 10, 1, G_MAXINT, -1))
+			continue;
+
+		if (out_ifname)
+			strcpy (out_ifname, ifname);
+
+		fd = fd_dir;
+		fd_dir = -1;
+		return fd;
+	}
+
+	return -1;
+}
diff --git a/src/platform/nm-platform-utils.h b/src/platform/nm-platform-utils.h
index 456c08652..92a06fdfa 100644
--- a/src/platform/nm-platform-utils.h
+++ b/src/platform/nm-platform-utils.h
@@ -60,4 +60,8 @@ NMIPConfigSource nmp_utils_ip_config_source_coerce_from_rtprot (NMIPConfigSource
 NMIPConfigSource nmp_utils_ip_config_source_round_trip_rtprot  (NMIPConfigSource source) _nm_const;
 const char *     nmp_utils_ip_config_source_to_string (NMIPConfigSource source, char *buf, gsize len);
 
+int nmp_utils_sysctl_open_netdir (int ifindex,
+                                  const char *ifname_guess,
+                                  char *out_ifname);
+
 #endif /* __NM_PLATFORM_UTILS_H__ */
diff --git a/src/platform/nmp-netns.c b/src/platform/nmp-netns.c
index 26295855d..07e134c13 100644
--- a/src/platform/nmp-netns.c
+++ b/src/platform/nmp-netns.c
@@ -277,7 +277,7 @@ _netns_new (GError **error)
 	int fd_net, fd_mnt;
 	int errsv;
 
-	fd_net = open (PROC_SELF_NS_NET, O_RDONLY);
+	fd_net = open (PROC_SELF_NS_NET, O_RDONLY | O_CLOEXEC);
 	if (fd_net == -1) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@@ -286,7 +286,7 @@ _netns_new (GError **error)
 		return NULL;
 	}
 
-	fd_mnt = open (PROC_SELF_NS_MNT, O_RDONLY);
+	fd_mnt = open (PROC_SELF_NS_MNT, O_RDONLY | O_CLOEXEC);
 	if (fd_mnt == -1) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@@ -623,7 +623,7 @@ nmp_netns_bind_to_path (NMPNetns *self, const char *filename, int *out_fd)
 	}
 
 	if (out_fd) {
-		if ((fd = open (filename, O_RDONLY)) == -1) {
+		if ((fd = open (filename, O_RDONLY | O_CLOEXEC)) == -1) {
 			errsv = errno;
 			_LOGE (self, "bind: failed to open %s: %s", filename, g_strerror (errsv));
 			umount2 (filename, MNT_DETACH);
diff --git a/src/platform/tests/test-common.c b/src/platform/tests/test-common.c
index b1947a6d1..d636ebeb5 100644
--- a/src/platform/tests/test-common.c
+++ b/src/platform/tests/test-common.c
@@ -1398,7 +1398,7 @@ nmtstp_namespace_create (int unshare_flags, GError **error)
 	int pipefd_p2c[2];
 	ssize_t r;
 
-	e = pipe (pipefd_c2p);
+	e = pipe2 (pipefd_c2p, O_CLOEXEC);
 	if (e != 0) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@@ -1406,7 +1406,7 @@ nmtstp_namespace_create (int unshare_flags, GError **error)
 		return FALSE;
 	}
 
-	e = pipe (pipefd_p2c);
+	e = pipe2 (pipefd_p2c, O_CLOEXEC);
 	if (e != 0) {
 		errsv = errno;
 		g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@@ -1540,7 +1540,7 @@ nmtstp_namespace_get_fd_for_process (pid_t pid, const char *ns_name)
 
 	nm_sprintf_buf (p, "/proc/%lu/ns/%s", (long unsigned) pid, ns_name);
 
-	return open(p, O_RDONLY);
+	return open(p, O_RDONLY | O_CLOEXEC);
 }
 
 /*****************************************************************************/
@@ -1564,21 +1564,21 @@ unshare_user (void)
 
 	/* Since Linux 3.19 we have to disable setgroups() in order to map users.
 	 * Just proceed if the file is not there. */
-	f = fopen ("/proc/self/setgroups", "w");
+	f = fopen ("/proc/self/setgroups", "we");
 	if (f) {
 		fprintf (f, "deny");
 		fclose (f);
 	}
 
 	/* Map current UID to root in NS to be created. */
-	f = fopen ("/proc/self/uid_map", "w");
+	f = fopen ("/proc/self/uid_map", "we");
 	if (!f)
 		return FALSE;
 	fprintf (f, "0 %d 1", uid);
 	fclose (f);
 
 	/* Map current GID to root in NS to be created. */
-	f = fopen ("/proc/self/gid_map", "w");
+	f = fopen ("/proc/self/gid_map", "we");
 	if (!f)
 		return FALSE;
 	fprintf (f, "0 %d 1", gid);
diff --git a/src/platform/wifi/wifi-utils-wext.c b/src/platform/wifi/wifi-utils-wext.c
index 66c13764f..d4ed86ebf 100644
--- a/src/platform/wifi/wifi-utils-wext.c
+++ b/src/platform/wifi/wifi-utils-wext.c
@@ -577,7 +577,7 @@ wifi_wext_init (const char *iface, int ifindex, gboolean check_scan)
 	wext->parent.set_mesh_channel = wifi_wext_set_mesh_channel;
 	wext->parent.set_mesh_ssid = wifi_wext_set_mesh_ssid;
 
-	wext->fd = socket (PF_INET, SOCK_DGRAM, 0);
+	wext->fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (wext->fd < 0)
 		goto error;
 
@@ -665,7 +665,7 @@ wifi_wext_is_wifi (const char *iface)
 	if (!nmp_utils_device_exists (iface))
 		return FALSE;
 
-	fd = socket (PF_INET, SOCK_DGRAM, 0);
+	fd = socket (PF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (fd >= 0) {
 		nm_utils_ifname_cpy (iwr.ifr_ifrn.ifrn_name, iface);
 		if (ioctl (fd, SIOCGIWNAME, &iwr) == 0)
diff --git a/src/platform/wifi/wifi-utils.c b/src/platform/wifi/wifi-utils.c
index b7fe86bbe..2ce6eb778 100644
--- a/src/platform/wifi/wifi-utils.c
+++ b/src/platform/wifi/wifi-utils.c
@@ -26,6 +26,7 @@
 #include <sys/stat.h>
 #include <stdio.h>
 #include <string.h>
+#include <fcntl.h>
 
 #include "wifi-utils-private.h"
 #include "wifi-utils-nl80211.h"
@@ -34,6 +35,8 @@
 #endif
 #include "nm-core-utils.h"
 
+#include "platform/nm-platform-utils.h"
+
 gpointer
 wifi_data_new (const char *iface, int ifindex, gsize len)
 {
@@ -180,23 +183,32 @@ wifi_utils_deinit (WifiData *data)
 }
 
 gboolean
-wifi_utils_is_wifi (const char *iface)
+wifi_utils_is_wifi (int ifindex, const char *ifname)
 {
-	char phy80211_path[NM_STRLEN ("/sys/class/net/123456789012345/phy80211\0") + 100 /*safety*/];
-	struct stat s;
+	int fd_sysnet;
+	int fd_phy80211;
+	char ifname_verified[IFNAMSIZ];
+
+	g_return_val_if_fail (ifindex > 0, FALSE);
 
-	g_return_val_if_fail (iface != NULL, FALSE);
+	fd_sysnet = nmp_utils_sysctl_open_netdir (ifindex, ifname, ifname_verified);
+	if (fd_sysnet < 0)
+		return FALSE;
 
-	nm_sprintf_buf (phy80211_path,
-	                "/sys/class/net/%s/phy80211",
-	                NM_ASSERT_VALID_PATH_COMPONENT (iface));
-	nm_assert (strlen (phy80211_path) < sizeof (phy80211_path) - 1);
+	/* there might have been a race and ifname might be wrong. Below for checking
+	 * wext, use the possibly improved name that we just verified. */
+	ifname = ifname_verified;
 
-	if ((stat (phy80211_path, &s) == 0 && (s.st_mode & S_IFDIR)))
+	fd_phy80211 = openat (fd_sysnet, "phy80211", O_CLOEXEC);
+	close (fd_sysnet);
+
+	if (fd_phy80211 >= 0) {
+		close (fd_phy80211);
 		return TRUE;
+	}
 
 #if HAVE_WEXT
-	if (wifi_wext_is_wifi (iface))
+	if (wifi_wext_is_wifi (ifname))
 		return TRUE;
 #endif
 
diff --git a/src/platform/wifi/wifi-utils.h b/src/platform/wifi/wifi-utils.h
index 8e2b93f1f..3dca2ac1d 100644
--- a/src/platform/wifi/wifi-utils.h
+++ b/src/platform/wifi/wifi-utils.h
@@ -28,7 +28,7 @@
 
 typedef struct WifiData WifiData;
 
-gboolean wifi_utils_is_wifi (const char *iface);
+gboolean wifi_utils_is_wifi (int ifindex, const char *ifname);
 
 WifiData *wifi_utils_init (const char *iface, int ifindex, gboolean check_scan);
 
diff --git a/src/ppp-manager/nm-ppp-manager.c b/src/ppp-manager/nm-ppp-manager.c
index f6fcca5df..34c550fa1 100644
--- a/src/ppp-manager/nm-ppp-manager.c
+++ b/src/ppp-manager/nm-ppp-manager.c
@@ -197,7 +197,7 @@ monitor_cb (gpointer user_data)
 		if (errno != ENODEV)
 			_LOGW ("could not read ppp stats: %s", strerror (errno));
 	} else {
-		g_signal_emit (manager, signals[STATS], 0, 
+		g_signal_emit (manager, signals[STATS], 0,
 		               stats.p.ppp_ibytes,
 		               stats.p.ppp_obytes);
 	}
@@ -214,7 +214,7 @@ monitor_stats (NMPPPManager *manager)
 	if (priv->monitor_fd >= 0)
 		return;
 
-	priv->monitor_fd = socket (AF_INET, SOCK_DGRAM, 0);
+	priv->monitor_fd = socket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (priv->monitor_fd >= 0) {
 		g_warn_if_fail (priv->monitor_id == 0);
 		if (priv->monitor_id)
diff --git a/src/settings/nm-inotify-helper.c b/src/settings/nm-inotify-helper.c
index ce15246c5..46112648e 100644
--- a/src/settings/nm-inotify-helper.c
+++ b/src/settings/nm-inotify-helper.c
@@ -128,7 +128,7 @@ init_inotify (NMInotifyHelper *self)
 	GIOChannel *channel;
 	guint source_id;
 
-	priv->ifd = inotify_init ();
+	priv->ifd = inotify_init1 (IN_CLOEXEC);
 	if (priv->ifd == -1) {
 		int errsv = errno;
 
diff --git a/src/settings/plugins/ifcfg-rh/shvar.c b/src/settings/plugins/ifcfg-rh/shvar.c
index 75b19d538..a865c7df0 100644
--- a/src/settings/plugins/ifcfg-rh/shvar.c
+++ b/src/settings/plugins/ifcfg-rh/shvar.c
@@ -53,11 +53,11 @@ svOpenFileInternal (const char *name, gboolean create, GError **error)
 
 	s->fd = -1;
 	if (create)
-		s->fd = open (name, O_RDWR); /* NOT O_CREAT */
+		s->fd = open (name, O_RDWR | O_CLOEXEC); /* NOT O_CREAT */
 
 	if (!create || s->fd == -1) {
 		/* try read-only */
-		s->fd = open (name, O_RDONLY); /* NOT O_CREAT */
+		s->fd = open (name, O_RDONLY | O_CLOEXEC); /* NOT O_CREAT */
 		if (s->fd == -1)
 			errsv = errno;
 		else
@@ -461,7 +461,7 @@ svWriteFile (shvarFile *s, int mode, GError **error)
 
 	if (s->modified) {
 		if (s->fd == -1)
-			s->fd = open (s->fileName, O_WRONLY | O_CREAT, mode);
+			s->fd = open (s->fileName, O_WRONLY | O_CREAT | O_CLOEXEC, mode);
 		if (s->fd == -1) {
 			int errsv = errno;
 
diff --git a/src/settings/plugins/ifupdown/interface_parser.c b/src/settings/plugins/ifupdown/interface_parser.c
index 764ba5c93..3386a6ba4 100644
--- a/src/settings/plugins/ifupdown/interface_parser.c
+++ b/src/settings/plugins/ifupdown/interface_parser.c
@@ -117,7 +117,7 @@ _recursive_ifparser (const char *eni_file, int quiet)
 			nm_log_warn (LOGD_SETTINGS, "interfaces file %s doesn't exist\n", eni_file);
 		return;
 	}
-	inp = fopen (eni_file, "r");
+	inp = fopen (eni_file, "re");
 	if (inp == NULL) {
 		if (!quiet)
 			nm_log_warn (LOGD_SETTINGS, "Can't open %s\n", eni_file);
diff --git a/src/tests/test-general-with-expect.c b/src/tests/test-general-with-expect.c
index ab2b15b5f..f04c147fe 100644
--- a/src/tests/test-general-with-expect.c
+++ b/src/tests/test-general-with-expect.c
@@ -26,6 +26,7 @@
 #include <netinet/ether.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <fcntl.h>
 
 #include "NetworkManagerUtils.h"
 #include "nm-multi-index.h"
@@ -173,7 +174,7 @@ test_nm_utils_kill_child_create_and_join_pgroup (void)
 	int pipefd[2];
 	pid_t pgid;
 
-	err = pipe (pipefd);
+	err = pipe2 (pipefd, O_CLOEXEC);
 	g_assert (err == 0);
 
 	pgid = fork();