author | Nick Kralevich <nnk@google.com> | 2015-01-31 13:54:00 -0800 |
---|---|---|
committer | Alexander Martinz <eviscerationls@gmail.com> | 2015-01-31 23:18:24 +0100 |
commit | aca98064229c7188c3f3d02902dac07ba2a96579 (patch) | |
tree | 8d4469731f87d10431f4cfb17e5c59b9cd6918fb | |
parent | b52170c5e8d005bf035ccbb76d9bf94929443b68 (diff) | |
Avoid leaking file descriptorsstable/cm-12.0-YNG1TAstable/cm-12.0-YNG1Tstable/cm-12.0-YNG1I
Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.
Addresses the following SELinux denial:
audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket
and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.
Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
-rw-r--r-- | client/FwmarkClient.cpp | 2 | ||||
-rw-r--r-- | client/NetdClient.cpp | 4 | ||||
-rw-r--r-- | server/BandwidthController.cpp | 4 | ||||
-rw-r--r-- | server/NetdConstants.cpp | 4 | ||||
-rw-r--r-- | server/NetlinkManager.cpp | 2 | ||||
-rw-r--r-- | server/RouteController.cpp | 2 | ||||
-rwxr-xr-x | server/SoftapController.cpp | 2 | ||||
-rw-r--r-- | server/TetherController.cpp | 4 |
8 files changed, 12 insertions, 12 deletions
diff --git a/client/FwmarkClient.cpp b/client/FwmarkClient.cpp
index db2009ff..363a9051 100644
--- a/client/FwmarkClient.cpp
+++ b/client/FwmarkClient.cpp
@@ -41,7 +41,7 @@ FwmarkClient::~FwmarkClient() {
 }
 int FwmarkClient::send(void* data, size_t len, int fd) {
- mChannel = socket(AF_UNIX, SOCK_STREAM, 0);
+ mChannel = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
 if (mChannel == -1) {
 return -errno;
 }
diff --git a/client/NetdClient.cpp b/client/NetdClient.cpp
index c5e69298..77eae654 100644
--- a/client/NetdClient.cpp
+++ b/client/NetdClient.cpp
@@ -140,9 +140,9 @@ int setNetworkForTarget(unsigned netId, std::atomic_uint* target) {
 // might itself cause another check with the fwmark server, which would be wasteful.
 int socketFd;
 if (libcSocket) {
- socketFd = libcSocket(AF_INET6, SOCK_DGRAM, 0);
+ socketFd = libcSocket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 } else {
- socketFd = socket(AF_INET6, SOCK_DGRAM, 0);
+ socketFd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 }
 if (socketFd < 0) {
 return -errno;
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 023008e5..79139a81 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -787,7 +787,7 @@ int BandwidthController::getInterfaceQuota(const char *costName, int64_t *bytes)
 return -1;
 asprintf(&fname, "/proc/net/xt_quota/%s", costName);
- fp = fopen(fname, "r");
+ fp = fopen(fname, "re");
 free(fname);
 if (!fp) {
 ALOGE("Reading quota %s failed (%s)", costName, strerror(errno));
@@ -844,7 +844,7 @@ int BandwidthController::updateQuota(const char *quotaName, int64_t bytes) {
 }
 asprintf(&fname, "/proc/net/xt_quota/%s", quotaName);
- fp = fopen(fname, "w");
+ fp = fopen(fname, "we");
 free(fname);
 if (!fp) {
 ALOGE("Updating quota %s failed (%s)", quotaName, strerror(errno));
diff --git a/server/NetdConstants.cpp b/server/NetdConstants.cpp
index 4823c915..9723593e 100644
--- a/server/NetdConstants.cpp
+++ b/server/NetdConstants.cpp
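Review bot: In `BandwidthController::getInterfaceQuota` (server/BandwidthController.cpp, hunk at 787) the return value of `asprintf(&fname, "/proc/net/xt_quota/%s", costName)` is not checked, so on allocation failure the contents of `fname` are unspecified and it is still handed to `fopen(fname, "re")` and `free(fname)`. The call should be guarded, `if (asprintf(&fname, "/proc/net/xt_quota/%s", costName) == -1) return -1;`, before the open. The same unchecked pattern is visible in `updateQuota` (hunk at 844) and in `asprintf(&fbuf, "%s", wbuf)` in `SoftapController::setSoftap`. Because `costName` and `quotaName` are interpolated into a /proc path, it is also worth confirming that the validation ahead of these lines (outside the hunks; only a `return -1;` is visible) rejects names containing `/`. Both function bodies start and end outside the hunks.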
@@ -113,7 +113,7 @@ int execIptablesSilently(IptablesTarget target, ...) {
 }
 int writeFile(const char *path, const char *value, int size) {
- int fd = open(path, O_WRONLY);
+ int fd = open(path, O_WRONLY | O_CLOEXEC);
 if (fd < 0) {
 ALOGE("Failed to open %s: %s", path, strerror(errno));
 return -1;
@@ -130,7 +130,7 @@ int writeFile(const char *path, const char *value, int size) {
 int readFile(const char *path, char *buf, int *sizep) {
- int fd = open(path, O_RDONLY);
+ int fd = open(path, O_RDONLY | O_CLOEXEC);
 int size;
 if (fd < 0) {
diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
index 1d731acb..c4ef1337 100644
--- a/server/NetlinkManager.cpp
+++ b/server/NetlinkManager.cpp
@@ -62,7 +62,7 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily,
 nladdr.nl_pid = getpid();
 nladdr.nl_groups = groups;
- if ((*sock = socket(PF_NETLINK, SOCK_DGRAM, netlinkFamily)) < 0) {
+ if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {
 ALOGE("Unable to create netlink socket: %s", strerror(errno));
 return NULL;
 }
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index 140c0d37..68c65332 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -198,7 +198,7 @@ WARN_UNUSED_RESULT int sendNetlinkRequest(uint16_t action, uint16_t flags, iovec
 nlmsgerr err;
 } response;
- int sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
+ int sock = socket(AF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_ROUTE);
 if (sock != -1 && connect(sock, reinterpret_cast<const sockaddr*>(&NETLINK_ADDRESS), sizeof(NETLINK_ADDRESS)) != -1 &&
diff --git a/server/SoftapController.cpp b/server/SoftapController.cpp
index 79ce618b..fbd66e4e 100755
--- a/server/SoftapController.cpp
+++ b/server/SoftapController.cpp
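Review bot: The `socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)` call in `NetlinkManager::setupSocket` carries no comment saying why close-on-exec matters here, which makes the flag easy to drop in a later refactor. The commit message ties it to a netlink socket reaching clatd across an exec, so a one-line comment above the call would keep that reasoning next to the code: `// SOCK_CLOEXEC: netd execs helpers such as clatd; this socket must not be inherited into their SELinux domain.` The same comment fits `sendNetlinkRequest` in server/RouteController.cpp. The hunks on this page only cover descriptors created with socket(), open() and fopen(); whether descriptors obtained by other means (for example accept()) are also marked close-on-exec is not visible here. setupSocket starts and ends outside the hunk.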
@@ -257,7 +257,7 @@ int SoftapController::setSoftap(int argc, char *argv[]) {
 asprintf(&fbuf, "%s", wbuf);
 }
- fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0660);
+ fd = open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, 0660);
 if (fd < 0) {
 ALOGE("Cannot update \"%s\": %s", HOSTAPD_CONF_FILE, strerror(errno));
 free(wbuf);
diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index a5a91b4c..7b4c6a63 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -116,7 +116,7 @@ int TetherController::setIpFwdEnabled(bool enable) {
 return 0;
 }
- int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY);
+ int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY | O_CLOEXEC);
 if (fd < 0) {
 ALOGE("Failed to open ip_forward (%s)", strerror(errno));
 return -1;
@@ -143,7 +143,7 @@ int TetherController::setIpFwdEnabled(bool enable) {
 }
 bool TetherController::getIpFwdEnabled() {
- int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY);
+ int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY | O_CLOEXEC);
 if (fd < 0) {
 ALOGE("Failed to open ip_forward (%s)", strerror(errno)); |
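Review bot: The `0660` passed to `open(HOSTAPD_CONF_FILE, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, 0660)` in `SoftapController::setSoftap` only takes effect when the file is created, and is then reduced by the process umask; when the file already exists, O_TRUNC keeps whatever mode and owner it had. If the rest of the function (outside the hunk) does not already do so, setting the mode on the descriptor right after the open, `if (fchmod(fd, 0660) != 0) { /* log, close(fd), fail */ }`, makes the resulting permissions independent of both. This matters because the file presumably receives the access-point configuration built in `wbuf`, whose contents the hunk does not show.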