If you're suggesting to set FDs CLOEXEC by default, I think it's neither possible nor reasonable:
- you have to take into account not only files, but also pipes, sockets, etc
- there's no portable way to e.g. open a file and set it CLOEXEC atomically
- first and foremost, it' going to break a lot of existing code, for example, pipe + fork, accept + fork, etc
As for the dedicated syscalls, there's already been some discussion about closefrom and friends, but Gregory did some research and it looked like those are not async-safe - which, if it's really the case, renders those calls mostly useless.