Avoid leaking file descriptors Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs. Addresses the following SELinux denial: audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors. Change-Id: I9c180488ea1969d610e488f967a7276a672bb477

commit: 53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
committer: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
tree: f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent: aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]
diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
index 118a5bd..76af46f 100644
--- a/server/NetlinkManager.cpp
+++ b/server/NetlinkManager.cpp

@@ -76,7 +76,7 @@
     nladdr.nl_pid = getpid();
     nladdr.nl_groups = groups;
 
-    if ((*sock = socket(PF_NETLINK, SOCK_DGRAM, netlinkFamily)) < 0) {
+    if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {
         ALOGE("Unable to create netlink socket: %s", strerror(errno));
         return NULL;
     }
commit	53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
tree	f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent	aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]