authorandroid-build-team Robot <android-build-team-robot@google.com>2017-09-06 07:34:02 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-09-06 07:34:02 +0000
commit862f9f4549787a4918eace8fc32d88cd3466e71e (patch)
tree502a0844276387be22e4c7a1862b677c3dcdb15c
parent47b77a3844963c0bc386af181c0877481134e845 (diff)
parent7b0ab7a59ad1f28b8985cb673beb551b42c07059 (diff)
downloadnetd-862f9f4549787a4918eace8fc32d88cd3466e71e.tar.gz
release-request-ee600ee1-fadc-4a92-9feb-e22548c84a75-for-git_oc-mr1-release-4318546 snap-temp-L23800000099760172
Change-Id: Iada703f8bccc97031624744de0300c1f2c7df8af
-rw-r--r--server/CommandListener.cpp3
-rw-r--r--server/CommandListener.h2
-rw-r--r--server/DnsProxyListener.cpp2
-rw-r--r--server/DnsProxyListener.h2
-rw-r--r--server/FwmarkServer.cpp2
-rw-r--r--server/FwmarkServer.h2
-rw-r--r--server/IptablesRestoreController.cpp16
-rw-r--r--server/MDnsSdListener.cpp3
-rw-r--r--server/MDnsSdListener.h2
-rw-r--r--server/NetdConstants.cpp14
-rw-r--r--server/NetdConstants.h1
-rw-r--r--server/main.cpp10
12 files changed, 40 insertions, 19 deletions
diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
index d191c05d..27954824 100644
--- a/server/CommandListener.cpp
+++ b/server/CommandListener.cpp
@@ -104,8 +104,7 @@ void CommandListener::registerLockingCmd(FrameworkCommand *cmd, android::RWLock&
registerCmd(new LockingFrameworkCommand(cmd, lock));
}
-CommandListener::CommandListener() :
- FrameworkListener("netd", true) {
+CommandListener::CommandListener() : FrameworkListener(SOCKET_NAME, true) {
registerLockingCmd(new InterfaceCmd());
registerLockingCmd(new IpFwdCmd());
registerLockingCmd(new TetherCmd());
diff --git a/server/CommandListener.h b/server/CommandListener.h
index 762ae7c9..d37e5b3c 100644
--- a/server/CommandListener.h
+++ b/server/CommandListener.h
@@ -42,6 +42,8 @@ public:
CommandListener();
virtual ~CommandListener() {}
+ static constexpr const char* SOCKET_NAME = "netd";
+
private:
void registerLockingCmd(FrameworkCommand *cmd, android::RWLock& lock);
void registerLockingCmd(FrameworkCommand *cmd) {
diff --git a/server/DnsProxyListener.cpp b/server/DnsProxyListener.cpp
index 8db1da85..8f8858d4 100644
--- a/server/DnsProxyListener.cpp
+++ b/server/DnsProxyListener.cpp
@@ -136,7 +136,7 @@ res_sendhookact qhook(sockaddr* const * nsap, const u_char** buf, int* buflen,
} // namespace
DnsProxyListener::DnsProxyListener(const NetworkController* netCtrl, EventReporter* eventReporter) :
- FrameworkListener("dnsproxyd"), mNetCtrl(netCtrl), mEventReporter(eventReporter) {
+ FrameworkListener(SOCKET_NAME), mNetCtrl(netCtrl), mEventReporter(eventReporter) {
registerCmd(new GetAddrInfoCmd(this));
registerCmd(new GetHostByAddrCmd(this));
registerCmd(new GetHostByNameCmd(this));
diff --git a/server/DnsProxyListener.h b/server/DnsProxyListener.h
index b08a1143..a215bb63 100644
--- a/server/DnsProxyListener.h
+++ b/server/DnsProxyListener.h
@@ -35,6 +35,8 @@ public:
explicit DnsProxyListener(const NetworkController* netCtrl, EventReporter* eventReporter);
virtual ~DnsProxyListener() {}
+ static constexpr const char* SOCKET_NAME = "dnsproxyd";
+
private:
const NetworkController *mNetCtrl;
EventReporter *mEventReporter;
diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index a9a18c53..48008649 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -34,7 +34,7 @@ namespace android {
namespace net {
FwmarkServer::FwmarkServer(NetworkController* networkController, EventReporter* eventReporter) :
- SocketListener("fwmarkd", true), mNetworkController(networkController),
+ SocketListener(SOCKET_NAME, true), mNetworkController(networkController),
mEventReporter(eventReporter) {
}
diff --git a/server/FwmarkServer.h b/server/FwmarkServer.h
index c9b19a5f..4d109c02 100644
--- a/server/FwmarkServer.h
+++ b/server/FwmarkServer.h
@@ -30,6 +30,8 @@ class FwmarkServer : public SocketListener {
public:
explicit FwmarkServer(NetworkController* networkController, EventReporter* eventReporter);
+ static constexpr const char* SOCKET_NAME = "fwmarkd";
+
private:
// Overridden from SocketListener:
bool onDataAvailable(SocketClient* client);
diff --git a/server/IptablesRestoreController.cpp b/server/IptablesRestoreController.cpp
index 37b94bf4..88d88f64 100644
--- a/server/IptablesRestoreController.cpp
+++ b/server/IptablesRestoreController.cpp
@@ -143,9 +143,9 @@ IptablesProcess* IptablesRestoreController::forkAndExec(const IptablesProcessTyp
int stdout_pipe[2];
int stderr_pipe[2];
- if (pipe2(stdin_pipe, 0) == -1 ||
- pipe2(stdout_pipe, O_NONBLOCK) == -1 ||
- pipe2(stderr_pipe, O_NONBLOCK) == -1) {
+ if (pipe2(stdin_pipe, O_CLOEXEC) == -1 ||
+ pipe2(stdout_pipe, O_NONBLOCK | O_CLOEXEC) == -1 ||
+ pipe2(stderr_pipe, O_NONBLOCK | O_CLOEXEC) == -1) {
ALOGE("pipe2() failed: %s", strerror(errno));
return nullptr;
@@ -161,16 +161,6 @@ IptablesProcess* IptablesRestoreController::forkAndExec(const IptablesProcessTyp
if (child_pid.value() == 0) {
// The child process. Reads from stdin, writes to stderr and stdout.
- // stdin_pipe[1] : The write end of the stdin pipe.
- // stdout_pipe[0] : The read end of the stdout pipe.
- // stderr_pipe[0] : The read end of the stderr pipe.
- if (close(stdin_pipe[1]) == -1 ||
- close(stdout_pipe[0]) == -1 ||
- close(stderr_pipe[0]) == -1) {
-
- ALOGW("close() failed: %s", strerror(errno));
- }
-
// stdin_pipe[0] : The read end of the stdin pipe.
// stdout_pipe[1] : The write end of the stdout pipe.
// stderr_pipe[1] : The write end of the stderr pipe.
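Review bot: With the explicit close() calls removed, nothing in the child branch explains why the parent's pipe ends (stdin_pipe[1], stdout_pipe[0], stderr_pipe[0]) are left open. A comment such as `// Parent-side ends are O_CLOEXEC (see pipe2() above) and are closed by exec.` would stop a later reader from re-adding the closes or dropping the flag. The same flag is now set on the child's own ends, so the code after this hunk (not visible here, presumably dup2() onto 0/1/2) has to produce new descriptors. dup2() clears FD_CLOEXEC on the copy but does nothing when source and target numbers are equal, which would leave that stream closed at exec. That can only happen if netd was started with a standard descriptor closed, so a short comment stating the assumption is enough.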
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index 9551d45c..b2a79df0 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -45,8 +45,7 @@
#define CEIL(x, y) (((x) + (y) - 1) / (y))
-MDnsSdListener::MDnsSdListener() :
- FrameworkListener("mdns", true) {
+MDnsSdListener::MDnsSdListener() : FrameworkListener(SOCKET_NAME, true) {
Monitor *m = new Monitor();
registerCmd(new Handler(m, this));
}
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
index 3833ad62..8cd596a0 100644
--- a/server/MDnsSdListener.h
+++ b/server/MDnsSdListener.h
@@ -51,6 +51,8 @@ public:
MDnsSdListener();
virtual ~MDnsSdListener() {}
+ static constexpr const char* SOCKET_NAME = "mdns";
+
class Context {
public:
MDnsSdListener *mListener;
diff --git a/server/NetdConstants.cpp b/server/NetdConstants.cpp
index 5abdacd5..82db842c 100644
--- a/server/NetdConstants.cpp
+++ b/server/NetdConstants.cpp
@@ -29,6 +29,7 @@
#include <android-base/stringprintf.h>
#include <cutils/log.h>
+#include <cutils/sockets.h>
#include <logwrap/logwrap.h>
#include "Controllers.h"
@@ -164,3 +165,16 @@ void blockSigpipe() {
if (sigprocmask(SIG_BLOCK, &mask, NULL) != 0)
ALOGW("WARNING: SIGPIPE not blocked\n");
}
+
+void setCloseOnExec(const char *sock) {
+ int fd = android_get_control_socket(sock);
+ int flags = fcntl(fd, F_GETFD, 0);
+ if (flags == -1) {
+ ALOGE("Can't get fd flags for control socket %s", sock);
+ flags = 0;
+ }
+ flags |= FD_CLOEXEC;
+ if (fcntl(fd, F_SETFD, flags) == -1) {
+ ALOGE("Can't set control socket %s to FD_CLOEXEC", sock);
+ }
+}
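Review bot: `setCloseOnExec` never checks the descriptor returned by `android_get_control_socket(sock)` before passing it to `fcntl`. If init did not hand that socket to the process, the lookup returns a negative value (to my knowledge -1), both `fcntl` calls fail, and the log shows two generic errors that hide the real cause. Add `if (fd < 0) { ALOGE("Control socket %s not found", sock); return; }` right after the lookup. Also append `strerror(errno)` to the two existing messages, as the `pipe2() failed: %s` log in IptablesRestoreController.cpp already does. The function returns void, so these log lines are the only evidence that a control socket stayed inheritable by forked children.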
diff --git a/server/NetdConstants.h b/server/NetdConstants.h
index b1117c43..5fbeae6f 100644
--- a/server/NetdConstants.h
+++ b/server/NetdConstants.h
@@ -48,6 +48,7 @@ int execIptablesRestoreCommand(IptablesTarget target, const std::string& table,
bool isIfaceName(const std::string& name);
int parsePrefix(const char *prefix, uint8_t *family, void *address, int size, uint8_t *prefixlen);
void blockSigpipe();
+void setCloseOnExec(const char *sock);
#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*(a)))
diff --git a/server/main.cpp b/server/main.cpp
index 176d3218..d3e0046e 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -79,6 +79,16 @@ int main() {
blockSigpipe();
+ // Before we do anything that could fork, mark CLOEXEC the UNIX sockets that we get from init.
+ // FrameworkListener does this on initialization as well, but we only initialize these
+ // components after having initialized other subsystems that can fork.
+ for (const auto& sock : { CommandListener::SOCKET_NAME,
+ DnsProxyListener::SOCKET_NAME,
+ FwmarkServer::SOCKET_NAME,
+ MDnsSdListener::SOCKET_NAME }) {
+ setCloseOnExec(sock);
+ }
+
NetlinkManager *nm = NetlinkManager::Instance();
if (nm == nullptr) {
ALOGE("Unable to create NetlinkManager");
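Review bot: The list of socket names in the loop is maintained by hand, so a listener added later that takes its socket from init will leak that descriptor into every child forked before its constructor runs, unless someone remembers to extend the list. Extend the comment with something like `// Every listener that takes a control socket from init must be listed here.` Note also that `setCloseOnExec` returns void, so main continues into the subsystems that can fork even when the flag could not be set. Whether that should abort startup depends on initialization code outside this hunk. main's body continues beyond the hunk.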