Avoid leaking file descriptors Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs. Addresses the following SELinux denial: audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors. Change-Id: I9c180488ea1969d610e488f967a7276a672bb477

commit: 53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
committer: Nick Kralevich <nnk@google.com> Sat Jan 31 13:54:00 2015 -0800
tree: f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent: aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]
diff --git a/server/SoftapController.cpp b/server/SoftapController.cpp
index 07c77b0..17982d5 100644
--- a/server/SoftapController.cpp
+++ b/server/SoftapController.cpp

@@ -158,7 +158,7 @@
         asprintf(&fbuf, "%s", wbuf);
     }
 
-    fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0660);
+    fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, 0660);
     if (fd < 0) {
         ALOGE("Cannot update \"%s\": %s", HOSTAPD_CONF_FILE, strerror(errno));
         free(wbuf);
commit	53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Sat Jan 31 13:54:00 2015 -0800
tree	f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd
parent	aea68fddd979bf6852b8aef9bc718567f9da935a [diff] [blame]