Avoid leaking file descriptors
Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.
Addresses the following SELinux denial:
audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket
and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.
Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 2fe249d..e5cf36c 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -786,7 +786,7 @@
return -1;
asprintf(&fname, "/proc/net/xt_quota/%s", costName);
- fp = fopen(fname, "r");
+ fp = fopen(fname, "re");
free(fname);
if (!fp) {
ALOGE("Reading quota %s failed (%s)", costName, strerror(errno));
@@ -843,7 +843,7 @@
}
asprintf(&fname, "/proc/net/xt_quota/%s", quotaName);
- fp = fopen(fname, "w");
+ fp = fopen(fname, "we");
free(fname);
if (!fp) {
ALOGE("Updating quota %s failed (%s)", quotaName, strerror(errno));