Avoid leaking file descriptors

Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs. Addresses the following SELinux denial: audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors. Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
author: Nick Kralevich <nnk@google.com> 2015-01-31 13:54:00 -0800
committer: Nick Kralevich <nnk@google.com> 2015-01-31 13:54:00 -0800
commit: 53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 (patch)
tree: f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd /server/RouteController.cpp
parent: aea68fddd979bf6852b8aef9bc718567f9da935a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index 56e3c286..cd5300dc 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -200,7 +200,7 @@ WARN_UNUSED_RESULT int sendNetlinkRequest(uint16_t action, uint16_t flags, iovec
         nlmsgerr err;
     } response;
 
-    int sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
+    int sock = socket(AF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_ROUTE);
     if (sock != -1 &&
             connect(sock, reinterpret_cast<const sockaddr*>(&NETLINK_ADDRESS),
                     sizeof(NETLINK_ADDRESS)) != -1 &&
author	Nick Kralevich <nnk@google.com>	2015-01-31 13:54:00 -0800
committer	Nick Kralevich <nnk@google.com>	2015-01-31 13:54:00 -0800
commit	53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 (patch)
tree	f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd /server/RouteController.cpp
parent	aea68fddd979bf6852b8aef9bc718567f9da935a (diff)