Ensure the sockets we inherit from init are FD_CLOEXEC.

Bug: 65104811
Test: bullhead builds, boots
Test: lsof of iptables-restore doesn't show /dev/socket/netd and friends
Change-Id: I64c7c30364662147ae1b010500635f8ce21b2d0a

1 files changed, 10 insertions, 0 deletions

diff --git a/server/main.cpp b/server/main.cpp
index 27596f7d0..40b549ea0 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -77,6 +77,16 @@ int main() {
 
     blockSigpipe();
 
+    // Before we do anything that could fork, mark CLOEXEC the UNIX sockets that we get from init.
+    // FrameworkListener does this on initialization as well, but we only initialize these
+    // components after having initialized other subsystems that can fork.
+    for (const auto& sock : { CommandListener::SOCKET_NAME,
+                              DnsProxyListener::SOCKET_NAME,
+                              FwmarkServer::SOCKET_NAME,
+                              MDnsSdListener::SOCKET_NAME }) {
+        setCloseOnExec(sock);
+    }
+
     NetlinkManager *nm = NetlinkManager::Instance();
     if (nm == nullptr) {
         ALOGE("Unable to create NetlinkManager");