From 0b218ec5fc7a1bce349dc319de6c5c904d9368e6 Mon Sep 17 00:00:00 2001
From: Dave Platt <dplatt@google.com>
Date: Wed, 5 Feb 2014 17:07:07 -0800
Subject: [PATCH] Finish fixing Zygote descriptor leakage problem

In order to prevent Zygote descriptors from leaking into the child
environment, they should be closed by the forked-off child process
before the child switches to the application UID.  These changes close
the descriptors via dup2(), substituting a descriptor open to
/dev/null in their place; this allows the Zygote Java code to close
the FileDescriptor objects cleanly.

This is a multi-project change: dalvik, art, libcore, frameworks/base,
and external/sepolicy are affected.  The CLs need to be approved
together, lest the build break or the software fail to boot.

Bug: 12114500
Change-Id: Ie45ddf6d661a1ea8570cd49dfea76421f2cadf72
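The commit message describes closing inherited descriptors by dup2()-ing /dev/null over them rather than plain close(), so the managed FileDescriptor objects still hold a valid descriptor to close later. The following is an added illustration of that pattern, not code from this change or from the dalvik/art/libcore projects: a pipe stands in for the inherited zygote socket, `neutralize_fd()` is a hypothetical helper, and the sample "secret" payload is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Point fd at /dev/null. dup2() atomically closes whatever fd referred
 * to before, so the original socket/pipe is no longer reachable through
 * this number, yet fd stays valid for a later close() by managed code.
 * Returns 0 on success, -1 on failure (errno set). */
int neutralize_fd(int fd) {
    int devnull = open("/dev/null", O_RDWR | O_CLOEXEC);
    if (devnull < 0) return -1;
    int rc = dup2(devnull, fd);
    int saved = errno;
    if (devnull != fd) close(devnull);   /* drop the temporary */
    errno = saved;
    return rc < 0 ? -1 : 0;
}

/* Constructed demonstration: data written into a pipe must become
 * unreachable through the read end once that end is neutralized.
 * Returns 1 if the neutralized fd reads EOF (as /dev/null does) and
 * still closes cleanly, 0 if not, -1 on setup error. */
int demo(void) {
    int p[2];
    if (pipe(p) < 0) return -1;
    if (write(p[1], "secret", 6) != 6) return -1;   /* constructed payload */
    if (neutralize_fd(p[0]) != 0) return -1;

    char buf[16];
    ssize_t n = read(p[0], buf, sizeof buf);   /* /dev/null: 0 bytes, EOF */
    int closed_ok = (close(p[0]) == 0);        /* still a valid descriptor */
    close(p[1]);
    return (n == 0 && closed_ok) ? 1 : 0;
}

int main(void) {
    printf("neutralized fd reads EOF and closes cleanly: %s\n",
           demo() == 1 ? "yes" : "no");
    return 0;
}
```

The check to carry over into a real review is the one `demo()` performs: after the swap, the child can neither read from nor obtain attributes of the original socket through that descriptor, which is exactly why the `getopt`/`getattr` allowance below becomes unnecessary.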
---
 app.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/app.te b/app.te
index a0672c78f..cb6ecbc4e 100644
--- a/app.te
+++ b/app.te
@@ -17,10 +17,6 @@ unix_socket_connect(appdomain, keystore, keystore)
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 
-# Needed to close the zygote socket, which involves getopt / getattr
-# This should be deleted after b/12061011 is fixed
-allow appdomain zygote:unix_stream_socket { getopt getattr };
-
 # gdbserver for ndk-gdb reads the zygote.
 allow appdomain zygote_exec:file r_file_perms;
 
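Review bot: the removed comment cites b/12061011 while the commit header cites Bug: 12114500; if these are the same issue, say so in the commit message (or reference both), otherwise state why the second bug closes out the first. Also, since this deletion only stays safe while the companion dalvik/art/libcore/frameworks CLs land in lockstep, consider following up with a neverallow for appdomain on zygote:unix_stream_socket so a future regression in the close path fails at policy build time rather than silently re-opening access.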
-- 
GitLab