
Commit 8fcb6313 authored by Nick Kralevich

adb: avoid leaking file descriptors

If an adb shell connection comes in while taking a screenshot,
an open pipe file descriptor will be leaked to the shell process.
This causes SELinux denials of the form:

  avc: denied { read } for path="pipe:[21838]" dev="pipefs" ino=21838 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=fifo_file permissive=0
  avc: denied { write } for path="pipe:[21838]" dev="pipefs" ino=21838 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=fifo_file permissive=0

Set O_CLOEXEC on the pipe connections, to avoid leaking them
across an exec boundary.

Bug: 15437785
Change-Id: Id2304b316bd7082d8baac246dce1f0e0e26e9197
parent 4ca26ce8
+1 −1
@@ -61,7 +61,7 @@ void framebuffer_service(int fd, void *cookie)
    int w, h, f;
    int fds[2];

    if (pipe(fds) < 0) goto pipefail;
    if (pipe2(fds, O_CLOEXEC) < 0) goto pipefail;

    pid_t pid = fork();
    if (pid < 0) goto done;
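
Review bot: pipe2(fds, O_CLOEXEC) directly before fork() marks both pipe ends close-on-exec, so the child branch must dup2() whichever end it hands to an exec'd program onto the target descriptor (dup2() does not carry FD_CLOEXEC to the new descriptor); passing fds[0] or fds[1] through unchanged would leave the exec'd program without the pipe. Please confirm that against the part of framebuffer_service() below this hunk. Since the change is a single line, also confirm that this file already includes <fcntl.h> for O_CLOEXEC and that pipe2() is declared on every target this file builds for, because pipe2() is Linux-specific.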