commit 548bbd4643841bbd058c31e832af5e9d213edf90
author Lorenzo Colitti <lorenzo@google.com> Mon Aug 28 23:05:12 2017 +0900
committer Lorenzo Colitti <lorenzo@google.com> Mon Aug 28 23:13:39 2017 +0900
tree af362ed6d0f01f30dca6ce77bbdcb7b1c4e2b13f
parent e2e18f0400f9b5ef5a1329cbdddfb447d72910f5

Ensure the sockets we inherit from init are FD_CLOEXEC.

Bug: 65104811
Test: bullhead builds, boots
Test: lsof of iptables-restore doesn't show /dev/socket/netd and friends
Change-Id: I64c7c30364662147ae1b010500635f8ce21b2d0a

server/main.cpp

diff --git a/server/main.cpp b/server/main.cpp
index 27596f7..40b549e 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -77,6 +77,16 @@
 
     blockSigpipe();
 
+    // Before we do anything that could fork, mark CLOEXEC the UNIX sockets that we get from init.
+    // FrameworkListener does this on initialization as well, but we only initialize these
+    // components after having initialized other subsystems that can fork.
+    for (const auto& sock : { CommandListener::SOCKET_NAME,
+                              DnsProxyListener::SOCKET_NAME,
+                              FwmarkServer::SOCKET_NAME,
+                              MDnsSdListener::SOCKET_NAME }) {
+        setCloseOnExec(sock);
+    }
+
     NetlinkManager *nm = NetlinkManager::Instance();
     if (nm == nullptr) {
         ALOGE("Unable to create NetlinkManager");