Set CLOEXEC on socket inherited from init
The control sockets a service inherits when spawned from init cannot
have O_CLOEXEC set, or they wouldn't be inherited.
But we don't want them to be further inherited when we are running an
RPC binder server on them, so set the flag.
This showed up in authfs_service, which inherits a socket and spawns
an authfs process, leading to a denial like this (since authfs doesn't
have the SELinux permission to access the socket):
avc: denied { read write } for pid=207 comm="authfs"
path="socket:[6436]" dev="sockfs" ino=6436 scontext=u:r:authfs:s0
tcontext=u:r:authfs_service:s0 tclass=unix_stream_socket permissive=0
The denial is harmless, but it can easily be interpreted as a sign of
a real problem.
Bug: 264496291
Test: composd_cmd --test-compile; denial no longer seen
Change-Id: I516eb07776eb78db046bc4155315cb8267cfe456
1 file changed