authorNick Kralevich <nnk@google.com>2015-01-31 13:54:00 -0800
committerNick Kralevich <nnk@google.com>2015-01-31 13:54:00 -0800
commit53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 (patch)
treef9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd /server/BandwidthController.cpp
parentaea68fddd979bf6852b8aef9bc718567f9da935a (diff)
Avoid leaking file descriptors
Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs. Addresses the following SELinux denial: audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors. Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
Diffstat (limited to 'server/BandwidthController.cpp')
-rw-r--r--server/BandwidthController.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 2fe249d0..e5cf36cc 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -786,7 +786,7 @@ int BandwidthController::getInterfaceQuota(const char *costName, int64_t *bytes)
return -1;
asprintf(&fname, "/proc/net/xt_quota/%s", costName);
- fp = fopen(fname, "r");
+ fp = fopen(fname, "re");
free(fname);
if (!fp) {
ALOGE("Reading quota %s failed (%s)", costName, strerror(errno));
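Review bot: The `asprintf(&fname, ...)` call directly above the changed `fopen` line is unchecked, so if allocation fails `fname` reaches `fopen` and `free` with contents that asprintf leaves undefined on some libcs. A guard such as `if (asprintf(&fname, "/proc/net/xt_quota/%s", costName) < 0) return -1;` would close that off. The same pattern appears in the updateQuota hunk with `quotaName`. Both function bodies start and end outside the hunks, so whether the name is validated before it is spliced into the /proc path cannot be confirmed from the lines shown.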
@@ -843,7 +843,7 @@ int BandwidthController::updateQuota(const char *quotaName, int64_t bytes) {
}
asprintf(&fname, "/proc/net/xt_quota/%s", quotaName);
- fp = fopen(fname, "w");
+ fp = fopen(fname, "we");
free(fname);
if (!fp) {
ALOGE("Updating quota %s failed (%s)", quotaName, strerror(errno));
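Review bot: The bare `"we"` mode string gives no hint of why the `e` is there, so a later cleanup could drop it and reintroduce the descriptor leak the commit message describes. A short comment on this line and on the `"re"` call in getInterfaceQuota would record the intent, for example `// 'e' = O_CLOEXEC: do not leak this fd into processes netd execs`. updateQuota's body continues outside the hunk.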