diff --git a/ChangeLog b/ChangeLog
index b4bed7840135ea6e47ca48e626b36c840e54f14d..d263a5ec167ec92e6439c5f7eeaba25473182901 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Fri Feb 16 18:24:08 IST 2007 Mark McLoughlin
+
+ * qemud/qemud.c, qemud/bridge.c, qemud/iptables.c: fix
+ our FD_CLOEXEC usage so that all fds which should be
+ closed on exec are marked as such and that we leave
+ exec() to do the actual closing.
+
 Fri Feb 16 18:23:15 IST 2007 Mark McLoughlin
 * qemud/qemud.c: fix qemudEnableIpForwarding() to not leak
diff --git a/qemud/bridge.c b/qemud/bridge.c
index 743824106190be034ae0900c1fce8235903c025c..674d9d4fcd3e8d50919697cb7925f729cfe1fd28 100644
--- a/qemud/bridge.c
+++ b/qemud/bridge.c
@@ -54,6 +54,7 @@ int
 brInit(brControl **ctlp)
 {
 int fd;
+ int flags;
 if (!ctlp || *ctlp)
 return EINVAL;
@@ -62,6 +63,13 @@ brInit(brControl **ctlp)
 if (fd < 0)
 return errno;
+ if ((flags = fcntl(fd, F_GETFD)) < 0 ||
+ fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
+ int err = errno;
+ close(fd);
+ return err;
+ }
+
 *ctlp = (brControl *)malloc(sizeof(struct _brControl));
 if (!*ctlp)
 return ENOMEM;
diff --git a/qemud/iptables.c b/qemud/iptables.c
index 4863581bd77f2ff0aa9da108720ae1090f353b21..bd7c9cf6cc9399a9fdcad9a9ec91adb9ea33f930 100644
--- a/qemud/iptables.c
+++ b/qemud/iptables.c
@@ -317,15 +317,11 @@ iptablesSpawn(int errors, char * const *argv)
 }
 if (pid == 0) { /* child */
- int i, open_max = sysconf(_SC_OPEN_MAX);
-
- for (i = 0; i < open_max; i++) {
- if (i != STDOUT_FILENO &&
- i != STDERR_FILENO &&
- i != STDIN_FILENO)
- close(i);
- else if (errors == NO_ERRORS)
- dup2(null, i);
+ if (errors == NO_ERRORS) {
+ dup2(null, STDIN_FILENO);
+ dup2(null, STDOUT_FILENO);
+ dup2(null, STDERR_FILENO);
+ close(null);
 }
 execvp(argv[0], argv);
diff --git a/qemud/qemud.c b/qemud/qemud.c
index 4fb47fd30e85733a51f0f2ee010426460bc0e2fe..645969621b65c8da323cf09698af3b800dbb7e69 100644
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
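Review bot: In brInit() (qemud/bridge.c, second hunk), the new fcntl() failure path closes `fd` before returning, but the `if (!*ctlp) return ENOMEM;` that follows it in the context lines still returns with the descriptor open. Closing it there as well keeps the two error paths consistent: `if (!*ctlp) { close(fd); return ENOMEM; }`. The rest of brInit() lies outside the hunk, so any later error returns should be checked for the same leak.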
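Review bot: In the iptablesSpawn() child (qemud/iptables.c), the three `dup2(null, ...)` calls are unchecked, so a failure lets iptables run on the daemon's own stdio, which the `errors == NO_ERRORS` branch is evidently meant to prevent; qemudExec() in this same commit exits on that failure, and the same guard fits here: `if (dup2(null, STDIN_FILENO) < 0 || dup2(null, STDOUT_FILENO) < 0 || dup2(null, STDERR_FILENO) < 0) _exit(1);`. Dropping the close-everything loop also turns descriptor inheritance from closed-by-default into open-by-default: any descriptor not marked FD_CLOEXEC where it is opened now reaches the exec'd program, here and in the qemudExec() child, and qemudGoDaemon() no longer closes whatever the daemon itself inherited at start-up. A comment above `execvp()` stating that invariant, for example `/* nothing is closed here: every fd other than stdio must already be FD_CLOEXEC */`, would make the requirement visible to whoever adds the next open() or socket() call.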
@@ -85,7 +85,7 @@ static int qemudGoDaemon(void) {
 {
 int stdinfd = -1;
 int stdoutfd = -1;
- int i, open_max, nextpid;
+ int nextpid;
 if ((stdinfd = open(_PATH_DEVNULL, O_RDONLY)) < 0)
 goto cleanup;
@@ -104,13 +104,6 @@ static int qemudGoDaemon(void) {
 goto cleanup;
 stdoutfd = -1;
- open_max = sysconf (_SC_OPEN_MAX);
- for (i = 0; i < open_max; i++)
- if (i != STDIN_FILENO &&
- i != STDOUT_FILENO &&
- i != STDERR_FILENO)
- close(i);
-
 if (setsid() < 0)
 goto cleanup;
@@ -352,24 +345,9 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket
 }
-static int
-qemudLeaveFdOpen(int *openfds, int fd)
-{
- int i;
-
- if (!openfds)
- return 0;
-
- for (i = 0; openfds[i] != -1; i++)
- if (fd == openfds[i])
- return 1;
-
- return 0;
-}
-
 static int
 qemudExec(struct qemud_server *server, char **argv,
- int *retpid, int *outfd, int *errfd, int *openfds) {
+ int *retpid, int *outfd, int *errfd) {
 int pid, null;
 int pipeout[2] = {-1,-1};
 int pipeerr[2] = {-1,-1};
@@ -398,11 +376,13 @@ qemudExec(struct qemud_server *server, char **argv,
 if (outfd) {
 close(pipeout[1]);
 qemudSetNonBlock(pipeout[0]);
+ qemudSetCloseExec(pipeout[0]);
 *outfd = pipeout[0];
 }
 if (errfd) {
 close(pipeerr[1]);
 qemudSetNonBlock(pipeerr[0]);
+ qemudSetCloseExec(pipeerr[0]);
 *errfd = pipeerr[0];
 }
 *retpid = pid;
@@ -423,13 +403,11 @@ qemudExec(struct qemud_server *server, char **argv,
 if (dup2(pipeerr[1] > 0 ? pipeerr[1] : null, STDERR_FILENO) < 0)
 _exit(1);
- int i, open_max = sysconf (_SC_OPEN_MAX);
- for (i = 0; i < open_max; i++)
- if (i != STDOUT_FILENO &&
- i != STDERR_FILENO &&
- i != STDIN_FILENO &&
- !qemudLeaveFdOpen(openfds, i))
- close(i);
+ close(null);
+ if (pipeout[1] > 0)
+ close(pipeout[1]);
+ if (pipeerr[1] > 0)
+ close(pipeerr[1]);
 execvp(argv[0], argv);
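Review bot: The new `if (pipeout[1] > 0)` and `if (pipeerr[1] > 0)` tests in the qemudExec() child treat 0 as "not open", while both arrays are initialised to `{-1,-1}`, so a pipe end that landed on descriptor 0 would be skipped; `>= 0` matches the sentinel, and the same applies to the rewritten `cleanup:` block in the next hunk. The visible child lines close `null` and the two write ends but not the read ends `pipeout[0]`/`pipeerr[0]`, and the `qemudSetCloseExec()` calls added in the parent branch run after fork(), so they do not affect the child's copies. If the read ends are not closed earlier in the child, which is outside this hunk, the exec'd program inherits them; `if (pipeout[0] >= 0) close(pipeout[0]);` and the pipeerr equivalent before `execvp()` would cover that.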
@@ -439,13 +417,13 @@ qemudExec(struct qemud_server *server, char **argv,
 cleanup:
 if (pipeerr[0] > 0)
- close(pipeerr[0] > 0);
- if (pipeerr[1])
- close(pipeerr[1] > 0);
- if (pipeout[0])
- close(pipeout[0] > 0);
- if (pipeout[1])
- close(pipeout[1] > 0);
+ close(pipeerr[0]);
+ if (pipeerr[1] > 0)
+ close(pipeerr[1]);
+ if (pipeout[0] > 0)
+ close(pipeout[0]);
+ if (pipeout[1] > 0)
+ close(pipeout[1]);
 if (null > 0)
 close(null);
 return -1;
@@ -465,7 +443,7 @@ int qemudStartVMDaemon(struct qemud_server *server,
 if (qemudBuildCommandLine(server, vm, &argv) < 0)
 return -1;
- if (qemudExec(server, argv, &vm->pid, &vm->stdout, &vm->stderr, vm->tapfds) == 0) {
+ if (qemudExec(server, argv, &vm->pid, &vm->stdout, &vm->stderr) == 0) {
 vm->id = server->nextvmid++;
 ret = 0;
 }
@@ -861,7 +839,7 @@ dhcpStartDhcpDaemon(struct qemud_server *server,
 if (qemudBuildDnsmasqArgv(server, network, &argv) < 0)
 return -1;
- ret = qemudExec(server, argv, &network->dnsmasqPid, NULL, NULL, NULL);
+ ret = qemudExec(server, argv, &network->dnsmasqPid, NULL, NULL);
 for (i = 0; argv[i]; i++)
 free(argv[i]);
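Review bot: With `vm->tapfds` no longer passed to qemudExec() in qemudStartVMDaemon(), the descriptors in that array can reach qemu only by being left without FD_CLOEXEC, and that property is not specific to one child. Any other exec that happens while they are open in the daemon, such as the dnsmasq start in dhcpStartDhcpDaemon() in the last hunk or iptablesSpawn(), would inherit them too, whereas the old callers that passed `openfds == NULL` had them closed by the removed loop. Whether that window exists depends on how long the daemon keeps those descriptors open, which is not visible here. At minimum a comment at this call should record the contract, e.g. `/* tap fds are deliberately not FD_CLOEXEC so that qemu inherits them */`.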