diff options
| author | 2016-12-17 19:47:27 -0800 | |
|---|---|---|
| committer | 2016-12-17 19:55:46 -0800 | |
| commit | ec9ec7d55c63f791ab3ed9221e68d6215f7b928a (patch) | |
| tree | fca8c716c710c682fda737df3982a1cda995a525 /vulkan/libvulkan/api.cpp | |
| parent | c4c286f30a60ef9ebfc959ea4869d87ceeb831dc (diff) | |
libbinder: replace dup() with fcntl(F_DUPFD_CLOEXEC)
Replace calls to dup() with fcntl(F_DUPFD_CLOEXEC). The only difference
between the two is that O_CLOEXEC is set on the newly duped file
descriptor. This helps address file descriptor leaks crossing an exec()
boundary in multi-threaded processes, and potentially fixes the following
non-reproducible SELinux denials which may be occurring because of FD
leakage from netd to clatd/dnsmasq.
avc: denied { use } for comm="clatd" path="socket:[860297]" dev="sockfs"
ino=860297 scontext=u:r:clatd:s0 tcontext=u:r:untrusted_app:s0:c512,c768
tclass=fd permissive=0
avc: denied { read write } for comm="clatd" path="socket:[1414454]"
dev="sockfs" ino=1414454 scontext=u:r:clatd:s0
tcontext=u:r:system_server:s0 tclass=tcp_socket permissive=0
avc: denied { use } for comm="clatd" path="socket:[681600]" dev="sockfs"
ino=681600 scontext=u:r:clatd:s0 tcontext=u:r:priv_app:s0:c512,c768
tclass=fd permissive=0
Test: Device boots and no obvious problems
Change-Id: I9dcd9911a093f329c6f12e39d2c49ef3df651ae5
Diffstat (limited to 'vulkan/libvulkan/api.cpp')
0 files changed, 0 insertions, 0 deletions