Avoid leaking file descriptors Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs. Addresses the following SELinux denial: audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors. Change-Id: I9c180488ea1969d610e488f967a7276a672bb477

commit: 53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
committer: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
tree: f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent: aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]
diff --git a/client/FwmarkClient.cpp b/client/FwmarkClient.cpp
index 4e02d58..0ac1fbb 100644
--- a/client/FwmarkClient.cpp
+++ b/client/FwmarkClient.cpp

@@ -43,7 +43,7 @@
 }
 
 int FwmarkClient::send(void* data, size_t len, int fd) {
-    mChannel = socket(AF_UNIX, SOCK_STREAM, 0);
+    mChannel = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if (mChannel == -1) {
         return -errno;
     }
commit	53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
tree	f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent	aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]