Avoid leaking file descriptorsstable/cm-12.0-YNG1TAstable/cm-12.0-YNG1Tstable/cm-12.0-YNG1I

Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.

Addresses the following SELinux denial:

  audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket

and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.

Change-Id: I9c180488ea1969d610e488f967a7276a672bb477

8 files changed, 12 insertions, 12 deletions

diff --git a/client/FwmarkClient.cpp b/client/FwmarkClient.cpp
index db2009ff..363a9051 100644
--- a/client/FwmarkClient.cpp
+++ b/client/FwmarkClient.cpp
@@ -41,7 +41,7 @@ FwmarkClient::~FwmarkClient() {
 }
 
 int FwmarkClient::send(void* data, size_t len, int fd) {
-    mChannel = socket(AF_UNIX, SOCK_STREAM, 0);
+    mChannel = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if (mChannel == -1) {
         return -errno;
     }
diff --git a/client/NetdClient.cpp b/client/NetdClient.cpp
index c5e69298..77eae654 100644
--- a/client/NetdClient.cpp
+++ b/client/NetdClient.cpp
@@ -140,9 +140,9 @@ int setNetworkForTarget(unsigned netId, std::atomic_uint* target) {
     // might itself cause another check with the fwmark server, which would be wasteful.
     int socketFd;
     if (libcSocket) {
-        socketFd = libcSocket(AF_INET6, SOCK_DGRAM, 0);
+        socketFd = libcSocket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
     } else {
-        socketFd = socket(AF_INET6, SOCK_DGRAM, 0);
+        socketFd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
     }
     if (socketFd < 0) {
         return -errno;
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 023008e5..79139a81 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -787,7 +787,7 @@ int BandwidthController::getInterfaceQuota(const char *costName, int64_t *bytes)
         return -1;
 
     asprintf(&fname, "/proc/net/xt_quota/%s", costName);
-    fp = fopen(fname, "r");
+    fp = fopen(fname, "re");
     free(fname);
     if (!fp) {
         ALOGE("Reading quota %s failed (%s)", costName, strerror(errno));
@@ -844,7 +844,7 @@ int BandwidthController::updateQuota(const char *quotaName, int64_t bytes) {
     }
 
     asprintf(&fname, "/proc/net/xt_quota/%s", quotaName);
-    fp = fopen(fname, "w");
+    fp = fopen(fname, "we");
     free(fname);
     if (!fp) {
         ALOGE("Updating quota %s failed (%s)", quotaName, strerror(errno));
diff --git a/server/NetdConstants.cpp b/server/NetdConstants.cpp
index 4823c915..9723593e 100644
--- a/server/NetdConstants.cpp
+++ b/server/NetdConstants.cpp
@@ -113,7 +113,7 @@ int execIptablesSilently(IptablesTarget target, ...) {
 }
 
 int writeFile(const char *path, const char *value, int size) {
-    int fd = open(path, O_WRONLY);
+    int fd = open(path, O_WRONLY | O_CLOEXEC);
     if (fd < 0) {
         ALOGE("Failed to open %s: %s", path, strerror(errno));
         return -1;
@@ -130,7 +130,7 @@ int writeFile(const char *path, const char *value, int size) {
 
 int readFile(const char *path, char *buf, int *sizep)
 {
-    int fd = open(path, O_RDONLY);
+    int fd = open(path, O_RDONLY | O_CLOEXEC);
     int size;
 
     if (fd < 0) {
diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
index 1d731acb..c4ef1337 100644
--- a/server/NetlinkManager.cpp
+++ b/server/NetlinkManager.cpp
@@ -62,7 +62,7 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily,
     nladdr.nl_pid = getpid();
     nladdr.nl_groups = groups;
 
-    if ((*sock = socket(PF_NETLINK, SOCK_DGRAM, netlinkFamily)) < 0) {
+    if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {
         ALOGE("Unable to create netlink socket: %s", strerror(errno));
         return NULL;
     }
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index 140c0d37..68c65332 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -198,7 +198,7 @@ WARN_UNUSED_RESULT int sendNetlinkRequest(uint16_t action, uint16_t flags, iovec
         nlmsgerr err;
     } response;
 
-    int sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
+    int sock = socket(AF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_ROUTE);
     if (sock != -1 &&
             connect(sock, reinterpret_cast<const sockaddr*>(&NETLINK_ADDRESS),
                     sizeof(NETLINK_ADDRESS)) != -1 &&
diff --git a/server/SoftapController.cpp b/server/SoftapController.cpp
index 79ce618b..fbd66e4e 100755
--- a/server/SoftapController.cpp
+++ b/server/SoftapController.cpp
@@ -257,7 +257,7 @@ int SoftapController::setSoftap(int argc, char *argv[]) {
         asprintf(&fbuf, "%s", wbuf);
     }
 
-    fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0660);
+    fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, 0660);
     if (fd < 0) {
         ALOGE("Cannot update \"%s\": %s", HOSTAPD_CONF_FILE, strerror(errno));
         free(wbuf);
diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index a5a91b4c..7b4c6a63 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -116,7 +116,7 @@ int TetherController::setIpFwdEnabled(bool enable) {
         return 0;
     }
 
-    int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY);
+    int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY | O_CLOEXEC);
     if (fd < 0) {
         ALOGE("Failed to open ip_forward (%s)", strerror(errno));
         return -1;
@@ -143,7 +143,7 @@ int TetherController::setIpFwdEnabled(bool enable) {
 }
 
 bool TetherController::getIpFwdEnabled() {
-    int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY);
+    int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY | O_CLOEXEC);
 
     if (fd < 0) {
         ALOGE("Failed to open ip_forward (%s)", strerror(errno));