Avoid leaking file descriptors
Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.
Addresses the following SELinux denial:
audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket
and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.
Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index 4e1c52f..a91c744 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -66,7 +66,7 @@
return 0;
}
- int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY);
+ int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY | O_CLOEXEC);
if (fd < 0) {
ALOGE("Failed to open ip_forward (%s)", strerror(errno));
return -1;
@@ -82,7 +82,7 @@
}
bool TetherController::getIpFwdEnabled() {
- int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY);
+ int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY | O_CLOEXEC);
if (fd < 0) {
ALOGE("Failed to open ip_forward (%s)", strerror(errno));