FwMarkServer.cpp: Add O_CLOEXEC to received FDs

Add O_CLOEXEC to file descriptors received via the fwmark service. This
prevents netd's file descriptors from leaking across an exec() boundary,
and may address the following non-reproducible SELinux denials:

avc: denied { use } for comm="clatd" path="socket:[860297]" dev="sockfs"
ino=860297 scontext=u:r:clatd:s0 tcontext=u:r:untrusted_app:s0:c512,c768
tclass=fd permissive=0

avc: denied { read write } for comm="clatd" path="socket:[1414454]"
dev="sockfs" ino=1414454 scontext=u:r:clatd:s0
tcontext=u:r:system_server:s0 tclass=tcp_socket permissive=0

avc: denied { use } for comm="clatd" path="socket:[681600]" dev="sockfs"
ino=681600 scontext=u:r:clatd:s0 tcontext=u:r:priv_app:s0:c512,c768
tclass=fd permissive=0

Test: Device boots and no obvious problems
Test: /data/nativetest/netd_integration_test/netd_integration_test passed
Change-Id: I866b1ee0693516b46269c7106e7fc1f85b017639

1 files changed, 1 insertions, 1 deletions

diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index 0fabfc424..000ffef73 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -73,7 +73,7 @@ int FwmarkServer::processClient(SocketClient* client, int* socketFd) {
     message.msg_control = cmsgu.cmsg;
     message.msg_controllen = sizeof(cmsgu.cmsg);
 
-    int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0));
+    int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, MSG_CMSG_CLOEXEC));
     if (messageLength <= 0) {
         return -errno;
     }