| author | Nick Kralevich <nnk@google.com> | 2015-01-31 13:54:00 -0800 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2015-01-31 13:54:00 -0800 |
| commit | 53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 (patch) | |
| tree | f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd /server/TetherController.cpp | |
| parent | aea68fddd979bf6852b8aef9bc718567f9da935a (diff) | |
Avoid leaking file descriptors

Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.

Addresses the following SELinux denial:

audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket

and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.

Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
Diffstat (limited to 'server/TetherController.cpp')
| -rw-r--r-- | server/TetherController.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/server/TetherController.cpp b/server/TetherController.cpp index 4e1c52f4..a91c7444 100644 --- a/server/TetherController.cpp +++ b/server/TetherController.cpp @@ -66,7 +66,7 @@ int TetherController::setIpFwdEnabled(bool enable) { return 0; } - int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY); + int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY | O_CLOEXEC); if (fd < 0) { ALOGE("Failed to open ip_forward (%s)", strerror(errno)); return -1; @@ -82,7 +82,7 @@ int TetherController::setIpFwdEnabled(bool enable) { } bool TetherController::getIpFwdEnabled() { - int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY); + int fd = open("/proc/sys/net/ipv4/ip_forward", O_RDONLY | O_CLOEXEC); if (fd < 0) { ALOGE("Failed to open ip_forward (%s)", strerror(errno)); |
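Review bot: In setIpFwdEnabled(), the O_WRONLY | O_CLOEXEC open is fine, but nothing changed in this file touches a socket, while the denial quoted in the commit message is on a netlink_socket. Since this view is limited to server/TetherController.cpp, the message would be easier to audit if it named the files that carry the SOCK_CLOEXEC changes, so a reader of this diff does not take the two /proc opens to be the fix for the clatd denial.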
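Review bot: getIpFwdEnabled() repeats both the "/proc/sys/net/ipv4/ip_forward" literal and the O_CLOEXEC flag already written out in setIpFwdEnabled(); a file-local constant for the path, or a small helper that always ORs in O_CLOEXEC, would keep the two call sites from drifting apart if one of them is edited later.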
