app: close payload_stream in qubesd_call

This is to prevent leaking file descriptors. QubesOS/qubes-issues#2622
QubesOS · May 26, 2017 · 0a556fa · 0a556fa
1 parent 2675d63
commit 0a556fa
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/qubesadmin/app.py b/qubesadmin/app.py
@@ -350,6 +350,8 @@ def qubesd_call(self, dest, method, arg=None, payload=None,
         :param payload: Payload send to the method
         :param payload_stream: file-like object to read payload from
         :return: Data returned by qubesd (string)
+
+        .. warning:: *payload_stream* will get closed by this function
         '''
         if payload and payload_stream:
             raise ValueError(
@@ -369,6 +371,7 @@ def qubesd_call(self, dest, method, arg=None, payload=None,
             qrexec_call_env['QREXEC_REQUESTED_TARGET'] = dest
             proc = subprocess.Popen([method_path, arg], stdin=payload_stream,
                 stdout=subprocess.PIPE, env=qrexec_call_env)
+            payload_stream.close()
             (return_data, _) = proc.communicate()
             return self._parse_qubesd_response(return_data)
 
@@ -455,6 +458,8 @@ def qubesd_call(self, dest, method, arg=None, payload=None,
         :param payload: Payload send to the method
         :param payload_stream: file-like object to read payload from
         :return: Data returned by qubesd (string)
+
+        .. warning:: *payload_stream* will get closed by this function
         '''
         if payload and payload_stream:
             raise ValueError(
@@ -467,6 +472,8 @@ def qubesd_call(self, dest, method, arg=None, payload=None,
             stdin=(payload_stream or subprocess.PIPE),
             stdout=subprocess.PIPE,
             stderr=subprocess.PIPE)
+        if payload_stream is not None:
+            payload_stream.close()
         (stdout, stderr) = p.communicate(payload)
         if p.returncode != 0:
             # TODO: use dedicated exception

diff --git a/qubesadmin/tools/qvm_template_postprocess.py b/qubesadmin/tools/qvm_template_postprocess.py
@@ -96,13 +96,12 @@ def import_root_img(vm, source_dir):
         tar = subprocess.Popen(['tar', 'xSOf', '-'],
             stdin=cat.stdout,
             stdout=subprocess.PIPE)
+        cat.stdout.close()
         vm.volumes['root'].import_data(stream=tar.stdout)
         if tar.wait() != 0:
             raise qubesadmin.exc.QubesException('root.img extraction failed')
         if cat.wait() != 0:
             raise qubesadmin.exc.QubesException('root.img extraction failed')
-        cat.stdout.close()
-        tar.stdout.close()
     elif os.path.exists(root_path):
         if vm.app.qubesd_connection_type == 'socket':
             # check if root.img was already overwritten, i.e. if the source