From 3c272f5a65fa8ebabb22bd344ff65c14be47183c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Dec 2016 06:51:32 -0800
Subject: [PATCH] FwMarkServer.cpp: Add O_CLOEXEC to received FDs
Set FD_CLOEXEC (via MSG_CMSG_CLOEXEC) on file descriptors received via the fwmark service. This
prevents netd's file descriptors from leaking across an exec() boundary,
and may address the following non-reproducible SELinux denials:
avc: denied { use } for comm="clatd" path="socket:[860297]" dev="sockfs"
ino=860297 scontext=u:r:clatd:s0 tcontext=u:r:untrusted_app:s0:c512,c768
tclass=fd permissive=0
avc: denied { read write } for comm="clatd" path="socket:[1414454]"
dev="sockfs" ino=1414454 scontext=u:r:clatd:s0
tcontext=u:r:system_server:s0 tclass=tcp_socket permissive=0
avc: denied { use } for comm="clatd" path="socket:[681600]" dev="sockfs"
ino=681600 scontext=u:r:clatd:s0 tcontext=u:r:priv_app:s0:c512,c768
tclass=fd permissive=0
Test: Device boots and no obvious problems
Test: /data/nativetest/netd_integration_test/netd_integration_test passed
Change-Id: I866b1ee0693516b46269c7106e7fc1f85b017639
---
server/FwmarkServer.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index 80df03f4..38a116d6 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -74,7 +74,7 @@ int FwmarkServer::processClient(SocketClient* client, int* socketFd) {
message.msg_control = cmsgu.cmsg;
message.msg_controllen = sizeof(cmsgu.cmsg);
- int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0));
+ int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, MSG_CMSG_CLOEXEC));
if (messageLength <= 0) {
return -errno;
}
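Review bot: The new recvmsg() flag on the `+` line needs a why-comment, since `MSG_CMSG_CLOEXEC` reads like an ordinary receive flag and the commit title calls it O_CLOEXEC when the effect is the FD_CLOEXEC fd flag: `// MSG_CMSG_CLOEXEC: any SCM_RIGHTS fds are installed with FD_CLOEXEC already set, so there is no fcntl() window in which a concurrent fork/exec could inherit a client's socket.` The flag only covers descriptors delivered by this recvmsg(); it does nothing for fds netd opens itself, which presumably already use O_CLOEXEC or SOCK_CLOEXEC. A control message that did not fit (`message.msg_flags & MSG_CTRUNC`) means the kernel dropped some of what the client sent, and whether that is rejected is not visible in the hunk, so it is worth confirming the caller treats it as an error rather than proceeding with a partial fd set. processClient begins and continues outside the hunk.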