services: shepherd: Install O_CLOEXEC variant of 'call-with-input-file' & co.

Fixes a bug introduced with the Shepherd 0.9.2 upgrade in commit
1ba0e38267 whereby files opened by, say,
the 'start' method of 'urandom-seed', could leak into the execution
environment of some other service--e.g., 'term-tty4'.

* gnu/services/shepherd.scm (shepherd-configuration-file)[config]:
Override 'call-with-input-file' and 'call-with-output-file'.

gnu/services/shepherd.scm

@@ -344,6 +344,31 @@ (define config
           (use-modules (srfi srfi-34)
                        (system repl error-handling))
 
+          (define (call-with-file file flags proc)
+            (let ((port #f))
+              (dynamic-wind
+                (lambda ()
+                  (set! port (open file flags)))
+                (lambda ()
+                  (proc port))
+                (lambda ()
+                  (close-port port)
+                  (set! port #f)))))
+
+          ;; There's code run from shepherd that uses 'call-with-input-file' &
+          ;; co.--e.g., the 'urandom-seed' service.  Starting from Shepherd
+          ;; 0.9.2, users need to make sure not to leak non-close-on-exec file
+          ;; descriptors to child processes.  To address that, replace the
+          ;; standard bindings with O_CLOEXEC variants.
+          (set! call-with-input-file
+                (lambda (file proc)
+                  (call-with-file file (logior O_RDONLY O_CLOEXEC)
+                                  proc)))
+          (set! call-with-output-file
+                (lambda (file proc)
+                  (call-with-file file (logior O_WRONLY O_CREAT O_CLOEXEC)
+                                  proc)))
+
           ;; Specify the default environment visible to all the services.
           ;; Without this statement, all the environment variables of PID 1
           ;; are inherited by child services.