Avoid leaking file descriptors Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs. Addresses the following SELinux denial: audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors. Change-Id: I9c180488ea1969d610e488f967a7276a672bb477

commit: 53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
committer: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
tree: f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent: aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index 56e3c28..cd5300d 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp

@@ -200,7 +200,7 @@
         nlmsgerr err;
     } response;
 
-    int sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
+    int sock = socket(AF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_ROUTE);
     if (sock != -1 &&
             connect(sock, reinterpret_cast<const sockaddr*>(&NETLINK_ADDRESS),
                     sizeof(NETLINK_ADDRESS)) != -1 &&
commit	53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
tree	f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent	aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]