Add SOCK_CLOEXEC to adbd's vsock socket Prevent selinux denials on exec. avc: denied { read write } for comm="sh" path="socket:[56571]" dev="sockfs" ino=56571 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=vsock_socket permissive=0 Bug: 179906815 Test: build/boot cuttlefish Change-Id: Ieab0de00de44d0f2e97915e207b47e68b0d2da4c

commit: 58a73ad7cbe0f1a304c96438b147a5b715bd340c [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Thu Sep 30 15:54:36 2021 +0200
committer: Jeff Vander Stoep <jeffv@google.com> Thu Sep 30 15:54:36 2021 +0200
tree: d106054fa225f7350cd133b3524f4ead28e0b530
parent: 867c71e5114e76b4f64e9f38e1be060fd9ba3a26 [diff] [blame]
diff --git a/socket_spec.cpp b/socket_spec.cpp
index c93b023..a71b2c9 100644
--- a/socket_spec.cpp
+++ b/socket_spec.cpp

@@ -264,7 +264,7 @@
             errno = EINVAL;
             return false;
         }
-        fd->reset(socket(AF_VSOCK, SOCK_STREAM, 0));
+        fd->reset(socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0));
         if (fd->get() == -1) {
             *error = "could not open vsock socket";
             return false;
@@ -374,7 +374,7 @@
             errno = EINVAL;
             return -1;
         }
-        unique_fd serverfd(socket(AF_VSOCK, SOCK_STREAM, 0));
+        unique_fd serverfd(socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0));
         if (serverfd == -1) {
             int error_num = errno;
             *error = android::base::StringPrintf("could not create vsock server: '%s'",
commit	58a73ad7cbe0f1a304c96438b147a5b715bd340c	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Thu Sep 30 15:54:36 2021 +0200
committer	Jeff Vander Stoep <jeffv@google.com>	Thu Sep 30 15:54:36 2021 +0200
tree	d106054fa225f7350cd133b3524f4ead28e0b530
parent	867c71e5114e76b4f64e9f38e1be060fd9ba3a26 [diff] [blame]