SockDiag.cpp: Add O_CLOEXEC to tcpdiag sockets
Add O_CLOEXEC to NETLINK_INET_DIAG sockets. This ensures that the file
descriptors associated with these sockets do not leak across an exec()
boundary. Please see "man 2 open" for a description of why this is
desirable.
Addresses the following SELinux denial:
avc: denied { read write } for comm="clatd" path="socket:[902062]"
dev="sockfs" ino=902062 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0
tclass=netlink_tcpdiag_socket permissive=0
which occurs when netd executes clatd and inadvertantly leaks the file
descriptors to that process.
Test: Android compiles and boots, and no obvious errors
Change-Id: Ic5662fa8df6884e7002a0ec89839fe90abe05574
diff --git a/server/SockDiag.cpp b/server/SockDiag.cpp
index d5150e2..c6a0a92 100644
--- a/server/SockDiag.cpp
+++ b/server/SockDiag.cpp
@@ -73,8 +73,8 @@
return false;
}
- mSock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG);
- mWriteSock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG);
+ mSock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_INET_DIAG);
+ mWriteSock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_INET_DIAG);
if (!hasSocks()) {
closeSocks();
return false;