netd: Enable clang-tidy and fix all warnings
Bug: 65246407
Test: m netd && system/netd/tests/runtests.sh
Change-Id: I1d22b2bc317fe7218ccde78859ed0623d6a1f8df
diff --git a/server/Android.bp b/server/Android.bp
index d06797d..e5e5eac 100644
--- a/server/Android.bp
+++ b/server/Android.bp
@@ -10,6 +10,18 @@
srcs: ["binder/android/net/metrics/INetdEventListener.aidl"],
}
+cc_defaults {
+ tidy: true,
+ tidy_checks: [
+ "android-*",
+ "cert-*",
+ "clang-analyzer-security*",
+ ],
+ tidy_flags: [
+ "-warnings-as-errors=android-*,clang-analyzer-security*,cert-*"
+ ],
+}
+
cc_library {
name: "libnetdaidl",
diff --git a/server/Android.mk b/server/Android.mk
index 1bc119e..da02788 100644
--- a/server/Android.mk
+++ b/server/Android.mk
@@ -14,11 +14,17 @@
LOCAL_PATH := $(call my-dir)
+common_local_tidy_flags := -warnings-as-errors=android-*,clang-analyzer-security*,cert-*
+common_local_tidy_checks := \
+ android-*,clang-analyzer-security*,cert-*,-cert-err34-c,-cert-err58-cpp,-google-runtime-int
+
###
### netd daemon.
###
include $(CLEAR_VARS)
+LOCAL_MODULE := netd
+
LOCAL_C_INCLUDES := \
$(call include-path-for, libhardware_legacy)/hardware_legacy \
bionic/libc/dns/include \
@@ -26,10 +32,12 @@
system/netd/include \
LOCAL_CPPFLAGS := -Wall -Werror -Wthread-safety -Wnullable-to-nonnull-conversion
-LOCAL_MODULE := netd
+LOCAL_TIDY := true
+LOCAL_TIDY_FLAGS := $(common_local_tidy_flags)
+LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
# Bug: http://b/29823425 Disable -Wvarargs for Clang update to r271374
-LOCAL_CPPFLAGS += -Wno-varargs \
+LOCAL_CPPFLAGS += -Wno-varargs
ifeq ($(TARGET_ARCH), x86)
ifneq ($(TARGET_PRODUCT), gce_x86_phone)
@@ -124,10 +132,13 @@
###
include $(CLEAR_VARS)
+LOCAL_MODULE := ndc
LOCAL_CFLAGS := -Wall -Werror -Wthread-safety
LOCAL_SANITIZE := unsigned-integer-overflow
-LOCAL_CLANG := true
-LOCAL_MODULE := ndc
+LOCAL_TIDY := true
+LOCAL_TIDY_FLAGS := $(common_local_tidy_flags)
+LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
+
LOCAL_SHARED_LIBRARIES := libcutils
LOCAL_SRC_FILES := ndc.cpp
@@ -137,12 +148,16 @@
### netd unit tests.
###
include $(CLEAR_VARS)
+
LOCAL_MODULE := netd_unit_test
LOCAL_COMPATIBILITY_SUITE := device-tests
LOCAL_SANITIZE := unsigned-integer-overflow
LOCAL_CFLAGS := -Wall -Werror -Wunused-parameter -Wthread-safety
# Bug: http://b/29823425 Disable -Wvarargs for Clang update to r271374
LOCAL_CFLAGS += -Wno-varargs
+LOCAL_TIDY := true
+LOCAL_TIDY_FLAGS := $(common_local_tidy_flags)
+LOCAL_TIDY_CHECKS := $(common_local_tidy_checks)
LOCAL_C_INCLUDES := \
bionic/libc/dns/include \
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 7cd1598..5006478 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -256,12 +256,8 @@
}
-std::vector<std::string> toStrVec(int num, char* strs[]) {
- std::vector<std::string> tmp;
- for (int i = 0; i < num; ++i) {
- tmp.emplace_back(strs[i]);
- }
- return tmp;
+std::vector<std::string> toStrVec(int num, const char* const strs[]) {
+ return std::vector<std::string>(strs, strs + num);
}
} // namespace
@@ -337,22 +333,22 @@
return ret;
}
-int BandwidthController::addNaughtyApps(int numUids, char *appUids[]) {
+int BandwidthController::addNaughtyApps(int numUids, const char* const appUids[]) {
return manipulateSpecialApps(toStrVec(numUids, appUids), NAUGHTY_CHAIN,
IptJumpReject, IptOpInsert);
}
-int BandwidthController::removeNaughtyApps(int numUids, char *appUids[]) {
+int BandwidthController::removeNaughtyApps(int numUids, const char* const appUids[]) {
return manipulateSpecialApps(toStrVec(numUids, appUids), NAUGHTY_CHAIN,
IptJumpReject, IptOpDelete);
}
-int BandwidthController::addNiceApps(int numUids, char *appUids[]) {
+int BandwidthController::addNiceApps(int numUids, const char* const appUids[]) {
return manipulateSpecialApps(toStrVec(numUids, appUids), NICE_CHAIN,
IptJumpReturn, IptOpInsert);
}
-int BandwidthController::removeNiceApps(int numUids, char *appUids[]) {
+int BandwidthController::removeNiceApps(int numUids, const char* const appUids[]) {
return manipulateSpecialApps(toStrVec(numUids, appUids), NICE_CHAIN,
IptJumpReturn, IptOpDelete);
}
diff --git a/server/BandwidthController.h b/server/BandwidthController.h
index efacdce..adf64c8 100644
--- a/server/BandwidthController.h
+++ b/server/BandwidthController.h
@@ -47,10 +47,10 @@
int getInterfaceQuota(const std::string& iface, int64_t* bytes);
int removeInterfaceQuota(const std::string& iface);
- int addNaughtyApps(int numUids, char *appUids[]);
- int removeNaughtyApps(int numUids, char *appUids[]);
- int addNiceApps(int numUids, char *appUids[]);
- int removeNiceApps(int numUids, char *appUids[]);
+ int addNaughtyApps(int numUids, const char* const appUids[]);
+ int removeNaughtyApps(int numUids, const char* const appUids[]);
+ int addNiceApps(int numUids, const char* const appUids[]);
+ int removeNiceApps(int numUids, const char* const appUids[]);
int setGlobalAlert(int64_t bytes);
int removeGlobalAlert();
diff --git a/server/DumpWriter.cpp b/server/DumpWriter.cpp
index 44e5e9e..ef3ffc8 100644
--- a/server/DumpWriter.cpp
+++ b/server/DumpWriter.cpp
@@ -59,6 +59,7 @@
::write(mFd, "\n", 1);
}
+// NOLINTNEXTLINE(cert-dcl50-cpp): Grandfathered C-style variadic function.
void DumpWriter::println(const char* fmt, ...) {
std::string line;
va_list ap;
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 3d51cb6..6e572af 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -247,7 +247,7 @@
}
std::string command = "*filter\n";
- for (std::string chainName : chainNames) {
+ for (const std::string& chainName : chainNames) {
StringAppendF(&command, "%s %s -m owner --uid-owner %d -j %s\n",
op, chainName.c_str(), uid, target);
}
diff --git a/server/InterfaceController.cpp b/server/InterfaceController.cpp
index 7258ee6..34b8004 100644
--- a/server/InterfaceController.cpp
+++ b/server/InterfaceController.cpp
@@ -107,8 +107,9 @@
}
// Run @fn on each interface as well as 'default' in the path @dirname.
-void forEachInterface(const std::string& dirname,
- std::function<void(const std::string& path, const std::string& iface)> fn) {
+void forEachInterface(
+ const std::string& dirname,
+ const std::function<void(const std::string& path, const std::string& iface)>& fn) {
// Run on default, which controls the behavior of any interfaces that are created in the future.
fn(dirname, "default");
DIR* dir = opendir(dirname.c_str());
@@ -190,7 +191,9 @@
} // namespace
android::netdutils::Status InterfaceController::enableStablePrivacyAddresses(
- const std::string& iface, GetPropertyFn getProperty, SetPropertyFn setProperty) {
+ const std::string& iface,
+ const GetPropertyFn& getProperty,
+ const SetPropertyFn& setProperty) {
const auto& sys = sSyscalls.get();
const std::string procTarget = std::string(ipv6_proc_path) + "/" + iface + "/stable_secret";
auto procFd = sys.open(procTarget, O_CLOEXEC | O_WRONLY);
diff --git a/server/InterfaceController.h b/server/InterfaceController.h
index f97547f..58505a6 100644
--- a/server/InterfaceController.h
+++ b/server/InterfaceController.h
@@ -66,9 +66,10 @@
std::function<android::netdutils::Status(const std::string& key, const std::string& val)>;
// Helper function exported from this compilation unit for testing.
- static android::netdutils::Status enableStablePrivacyAddresses(const std::string& iface,
- GetPropertyFn getProperty,
- SetPropertyFn setProperty);
+ static android::netdutils::Status enableStablePrivacyAddresses(
+ const std::string& iface,
+ const GetPropertyFn& getProperty,
+ const SetPropertyFn& setProperty);
static void setAcceptRA(const char* value);
static void setAcceptRARouteTable(int tableOrOffset);
diff --git a/server/IptablesBaseTest.cpp b/server/IptablesBaseTest.cpp
index bc56b49..c81773b 100644
--- a/server/IptablesBaseTest.cpp
+++ b/server/IptablesBaseTest.cpp
@@ -68,7 +68,7 @@
std::string realCmd = StringPrintf("echo '%s'", sPopenContents.front().c_str());
sPopenContents.pop_front();
- return popen(realCmd.c_str(), "r");
+ return popen(realCmd.c_str(), "r"); // NOLINT(cert-env33-c)
}
int IptablesBaseTest::fakeExecIptablesRestoreWithOutput(IptablesTarget target,
diff --git a/server/IptablesRestoreControllerTest.cpp b/server/IptablesRestoreControllerTest.cpp
index 45b05f0..7ccb1ce 100644
--- a/server/IptablesRestoreControllerTest.cpp
+++ b/server/IptablesRestoreControllerTest.cpp
@@ -81,7 +81,7 @@
// We can't readlink /proc/PID/exe, because zombie processes don't have it.
// Parse /proc/PID/stat instead.
std::string statPath = StringPrintf("/proc/%d/stat", pid);
- int fd = open(statPath.c_str(), O_RDONLY);
+ int fd = open(statPath.c_str(), O_RDONLY | O_CLOEXEC);
if (fd == -1) {
// ENOENT means the process is gone (expected).
ASSERT_EQ(errno, ENOENT)
@@ -131,7 +131,7 @@
}
int acquireIptablesLock() {
- mIptablesLock = open(XT_LOCK_NAME, O_CREAT, 0600);
+ mIptablesLock = open(XT_LOCK_NAME, O_CREAT | O_CLOEXEC, 0600);
if (mIptablesLock == -1) return mIptablesLock;
int attempts;
for (attempts = 0; attempts < XT_LOCK_ATTEMPTS; attempts++) {
diff --git a/server/NetdConstants.cpp b/server/NetdConstants.cpp
index cb0e905..2f0500f 100644
--- a/server/NetdConstants.cpp
+++ b/server/NetdConstants.cpp
@@ -38,7 +38,6 @@
const size_t SHA256_SIZE = EVP_MD_size(EVP_sha256());
-const char * const OEM_SCRIPT_PATH = "/system/bin/oem-iptables-init.sh";
const char * const ADD = "add";
const char * const DEL = "del";
diff --git a/server/NetdConstants.h b/server/NetdConstants.h
index f929219..4f7d923 100644
--- a/server/NetdConstants.h
+++ b/server/NetdConstants.h
@@ -34,7 +34,6 @@
extern const size_t SHA256_SIZE;
-extern const char * const OEM_SCRIPT_PATH;
extern const char * const ADD;
extern const char * const DEL;
diff --git a/server/NetlinkHandler.cpp b/server/NetlinkHandler.cpp
index d0aafde..928e329 100644
--- a/server/NetlinkHandler.cpp
+++ b/server/NetlinkHandler.cpp
@@ -162,6 +162,7 @@
}
}
+// NOLINTNEXTLINE(cert-dcl50-cpp): Grandfathered C-style variadic function.
void NetlinkHandler::notify(int code, const char *format, ...) {
char *msg;
va_list args;
diff --git a/server/SockDiag.cpp b/server/SockDiag.cpp
index cd66040..5caf347 100644
--- a/server/SockDiag.cpp
+++ b/server/SockDiag.cpp
@@ -329,7 +329,7 @@
return mSocketsDestroyed;
}
-int SockDiag::destroyLiveSockets(DestroyFilter destroyFilter, const char *what,
+int SockDiag::destroyLiveSockets(const DestroyFilter& destroyFilter, const char *what,
iovec *iov, int iovcnt) {
const int proto = IPPROTO_TCP;
const uint32_t states = (1 << TCP_ESTABLISHED) | (1 << TCP_SYN_SENT) | (1 << TCP_SYN_RECV);
@@ -423,16 +423,10 @@
return ret;
}
- std::vector<uid_t> skipUidStrings;
- for (uid_t uid : skipUids) {
- skipUidStrings.push_back(uid);
- }
- std::sort(skipUidStrings.begin(), skipUidStrings.end());
-
if (mSocketsDestroyed > 0) {
ALOGI("Destroyed %d sockets for %s skip={%s} in %.1f ms",
mSocketsDestroyed, uidRanges.toString().c_str(),
- android::base::Join(skipUidStrings, " ").c_str(), s.timeTaken());
+ android::base::Join(skipUids, " ").c_str(), s.timeTaken());
}
return 0;
diff --git a/server/SockDiag.h b/server/SockDiag.h
index a44c144..af96409 100644
--- a/server/SockDiag.h
+++ b/server/SockDiag.h
@@ -93,7 +93,7 @@
int sendDumpRequest(uint8_t proto, uint8_t family, uint8_t extensions, uint32_t states,
iovec *iov, int iovcnt);
int destroySockets(uint8_t proto, int family, const char *addrstr);
- int destroyLiveSockets(DestroyFilter destroy, const char *what, iovec *iov, int iovcnt);
+ int destroyLiveSockets(const DestroyFilter& destroy, const char *what, iovec *iov, int iovcnt);
bool hasSocks() { return mSock != -1 && mWriteSock != -1; }
void closeSocks() { close(mSock); close(mWriteSock); mSock = mWriteSock = -1; }
static bool isLoopbackSocket(const inet_diag_msg *msg);
diff --git a/server/SockDiagTest.cpp b/server/SockDiagTest.cpp
index a7b911d..a263fea 100644
--- a/server/SockDiagTest.cpp
+++ b/server/SockDiagTest.cpp
@@ -73,11 +73,11 @@
}
TEST_F(SockDiagTest, TestDump) {
- int v4socket = socket(AF_INET, SOCK_STREAM, 0);
+ int v4socket = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
ASSERT_NE(-1, v4socket) << "Failed to open IPv4 socket: " << strerror(errno);
- int v6socket = socket(AF_INET6, SOCK_STREAM, 0);
+ int v6socket = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
ASSERT_NE(-1, v6socket) << "Failed to open IPv6 socket: " << strerror(errno);
- int listensocket = socket(AF_INET6, SOCK_STREAM, 0);
+ int listensocket = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
ASSERT_NE(-1, listensocket) << "Failed to open listen socket: " << strerror(errno);
uint16_t port = bindAndListen(listensocket);
@@ -93,8 +93,10 @@
sockaddr_in6 client46, client6;
socklen_t clientlen = std::max(sizeof(client46), sizeof(client6));
- int accepted4 = accept(listensocket, (sockaddr *) &client46, &clientlen);
- int accepted6 = accept(listensocket, (sockaddr *) &client6, &clientlen);
+ int accepted4 = accept4(
+ listensocket, (sockaddr *) &client46, &clientlen, SOCK_CLOEXEC);
+ int accepted6 = accept4(
+ listensocket, (sockaddr *) &client6, &clientlen, SOCK_CLOEXEC);
ASSERT_NE(-1, accepted4);
ASSERT_NE(-1, accepted6);
@@ -457,7 +459,7 @@
fprintf(stderr, "Benchmarking closing %d sockets based on %s\n",
numSockets, testTypeName(mode));
- int listensocket = socket(AF_INET6, SOCK_STREAM, 0);
+ int listensocket = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
ASSERT_NE(-1, listensocket) << "Failed to open listen socket";
uint16_t port = bindAndListen(listensocket);
@@ -473,12 +475,13 @@
auto start = std::chrono::steady_clock::now();
for (int i = 0; i < numSockets; i++) {
- int s = socket(AF_INET6, SOCK_STREAM, 0);
+ int s = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
clientlen = sizeof(client);
ASSERT_EQ(0, connect(s, (sockaddr *) &server, sizeof(server)))
<< "Connecting socket " << i << " failed " << strerror(errno);
ASSERT_EQ(0, modifySocketForTest(s, i));
- serversockets[i] = accept(listensocket, (sockaddr *) &client, &clientlen);
+ serversockets[i] = accept4(
+ listensocket, (sockaddr *) &client, &clientlen, SOCK_CLOEXEC);
ASSERT_NE(-1, serversockets[i])
<< "Accepting socket " << i << " failed " << strerror(errno);
clientports[i] = client.sin6_port;
diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index 779426f..d134099 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -298,11 +298,13 @@
return (mDaemonPid == 0 ? false : true);
}
-#define MAX_CMD_SIZE 1024
+// dnsmasq can't parse commands larger than this due to the fixed-size buffer
+// in check_android_listeners(). The receiving buffer is 1024 bytes long, but
+// dnsmasq reads up to 1023 bytes.
+#define MAX_CMD_SIZE 1023
int TetherController::setDnsForwarders(unsigned netId, char **servers, int numServers) {
int i;
- char daemonCmd[MAX_CMD_SIZE] = {};
Fwmark fwmark;
fwmark.netId = netId;
@@ -310,8 +312,7 @@
fwmark.protectedFromVpn = true;
fwmark.permission = PERMISSION_SYSTEM;
- snprintf(daemonCmd, sizeof(daemonCmd), "update_dns%s0x%x", SEPARATOR, fwmark.intValue);
- int cmdLen = strlen(daemonCmd);
+ std::string daemonCmd = StringPrintf("update_dns%s0x%x", SEPARATOR, fwmark.intValue);
mDnsForwarders.clear();
for (i = 0; i < numServers; i++) {
@@ -327,19 +328,18 @@
return -1;
}
- cmdLen += (strlen(servers[i]) + 1);
- if (cmdLen + 1 >= MAX_CMD_SIZE) {
- ALOGD("Too many DNS servers listed");
+ if (daemonCmd.size() + 1 + strlen(servers[i]) >= MAX_CMD_SIZE) {
+ ALOGE("Too many DNS servers listed");
break;
}
- strcat(daemonCmd, SEPARATOR);
- strcat(daemonCmd, servers[i]);
+ daemonCmd += SEPARATOR;
+ daemonCmd += servers[i];
mDnsForwarders.push_back(servers[i]);
}
mDnsNetId = netId;
- mDnsmasqState.update_dns_cmd = std::string(daemonCmd);
+ mDnsmasqState.update_dns_cmd = std::move(daemonCmd);
if (mDaemonFd != -1) {
if (mDnsmasqState.sendAllState(mDaemonFd) != 0) {
mDnsForwarders.clear();
@@ -359,28 +359,24 @@
}
bool TetherController::applyDnsInterfaces() {
- char daemonCmd[MAX_CMD_SIZE] = {};
-
- strcpy(daemonCmd, "update_ifaces");
- int cmdLen = strlen(daemonCmd);
+ std::string daemonCmd = "update_ifaces";
bool haveInterfaces = false;
- for (const auto &ifname : mInterfaces) {
- cmdLen += (ifname.size() + 1);
- if (cmdLen + 1 >= MAX_CMD_SIZE) {
- ALOGD("Too many DNS ifaces listed");
+ for (const auto& ifname : mInterfaces) {
+ if (daemonCmd.size() + 1 + ifname.size() >= MAX_CMD_SIZE) {
+ ALOGE("Too many DNS servers listed");
break;
}
- strcat(daemonCmd, SEPARATOR);
- strcat(daemonCmd, ifname.c_str());
+ daemonCmd += SEPARATOR;
+ daemonCmd += ifname;
haveInterfaces = true;
}
if (!haveInterfaces) {
mDnsmasqState.update_ifaces_cmd.clear();
} else {
- mDnsmasqState.update_ifaces_cmd = std::string(daemonCmd);
+ mDnsmasqState.update_ifaces_cmd = std::move(daemonCmd);
if (mDaemonFd != -1) return (mDnsmasqState.sendAllState(mDaemonFd) == 0);
}
return true;
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index d6a6480..ff74ef6 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -580,7 +580,7 @@
return StringPrintf("OK");
}
-void dumpBpfMap(std::string mapName, DumpWriter& dw, const std::string& header) {
+void dumpBpfMap(const std::string& mapName, DumpWriter& dw, const std::string& header) {
dw.blankline();
dw.println("%s:", mapName.c_str());
if(!header.empty()) {
diff --git a/server/TrafficControllerTest.cpp b/server/TrafficControllerTest.cpp
index a354f83..43efc4e 100644
--- a/server/TrafficControllerTest.cpp
+++ b/server/TrafficControllerTest.cpp
@@ -128,7 +128,7 @@
}
int setUpSocketAndTag(int protocol, uint64_t* cookie, uint32_t tag, uid_t uid) {
- int sock = socket(protocol, SOCK_STREAM, 0);
+ int sock = socket(protocol, SOCK_STREAM | SOCK_CLOEXEC, 0);
EXPECT_LE(0, sock);
*cookie = getSocketCookie(sock);
EXPECT_NE(NONEXISTENT_COOKIE, *cookie);
@@ -293,7 +293,7 @@
int invalidSocket = -1;
ASSERT_GT(0, mTc.untagSocket(invalidSocket));
- int v4socket = socket(AF_INET, SOCK_STREAM, 0);
+ int v4socket = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
ASSERT_GT(0, mTc.untagSocket(v4socket));
expectTagMapEmpty();
}
diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp
index e229cf8..59500f9 100644
--- a/server/XfrmController.cpp
+++ b/server/XfrmController.cpp
@@ -182,7 +182,7 @@
}
// returns the address family, placing the string in the provided buffer
-StatusOr<uint16_t> convertStringAddress(std::string addr, uint8_t* buffer) {
+StatusOr<uint16_t> convertStringAddress(const std::string& addr, uint8_t* buffer) {
if (inet_pton(AF_INET, addr.c_str(), buffer) == 1) {
return AF_INET;
} else if (inet_pton(AF_INET6, addr.c_str(), buffer) == 1) {
diff --git a/server/XfrmControllerTest.cpp b/server/XfrmControllerTest.cpp
index 5715a6b..d868d9b 100644
--- a/server/XfrmControllerTest.cpp
+++ b/server/XfrmControllerTest.cpp
@@ -159,7 +159,7 @@
TEST_F(XfrmControllerTest, TestFchown) {
XfrmController ctrl;
- unique_fd sockFd(socket(AF_INET, SOCK_DGRAM, 0));
+ unique_fd sockFd(socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0));
EXPECT_CALL(mockSyscalls, getsockopt(Fd(sockFd), IPPROTO_UDP, UDP_ENCAP, _, _))
.WillOnce(DoAll(SetArg3IntValue(UDP_ENCAP_ESPINUDP), Return(netdutils::status::ok)));
@@ -181,7 +181,7 @@
TEST_F(XfrmControllerTest, TestFchownIncorrectCallerUid) {
XfrmController ctrl;
- unique_fd sockFd(socket(AF_INET, SOCK_DGRAM, 0));
+ unique_fd sockFd(socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0));
netdutils::Status res = ctrl.ipSecSetEncapSocketOwner(sockFd, 1001, 1001);
EXPECT_EQ(netdutils::statusFromErrno(EPERM, "fchown disabled for non-owner calls"), res);
@@ -189,7 +189,7 @@
TEST_F(XfrmControllerTest, TestFchownNonSocketFd) {
XfrmController ctrl;
- unique_fd fd(open("/dev/null", 0));
+ unique_fd fd(open("/dev/null", O_CLOEXEC));
netdutils::Status res = ctrl.ipSecSetEncapSocketOwner(fd, 1001, getuid());
EXPECT_EQ(netdutils::statusFromErrno(EINVAL, "File descriptor was not a socket"), res);
@@ -197,7 +197,7 @@
TEST_F(XfrmControllerTest, TestFchownNonUdp) {
XfrmController ctrl;
- unique_fd sockFd(socket(AF_INET, SOCK_STREAM, 0));
+ unique_fd sockFd(socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0));
EXPECT_CALL(mockSyscalls, getsockopt(Fd(sockFd), IPPROTO_UDP, UDP_ENCAP, _, _))
.WillOnce(DoAll(SetArg3IntValue(0), Return(netdutils::status::ok)));
@@ -208,7 +208,7 @@
TEST_F(XfrmControllerTest, TestFchownNonUdpEncap) {
XfrmController ctrl;
- unique_fd sockFd(socket(AF_INET, SOCK_DGRAM, 0));
+ unique_fd sockFd(socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0));
EXPECT_CALL(mockSyscalls, getsockopt(Fd(sockFd), IPPROTO_UDP, UDP_ENCAP, _, _))
.WillOnce(DoAll(SetArg3IntValue(0), Return(netdutils::status::ok)));
@@ -410,7 +410,7 @@
struct sockaddr socketaddr;
socketaddr.sa_family = AF_INET;
- unique_fd sock(socket(AF_INET, SOCK_STREAM, 0));
+ unique_fd sock(socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0));
EXPECT_CALL(mockSyscalls, getsockname(Fd(sock), _, _))
.WillOnce(DoAll(SetArgPointee<1>(socketaddr), Return(netdutils::status::ok)));
@@ -441,7 +441,7 @@
struct sockaddr socketaddr;
socketaddr.sa_family = sockFamily;
- unique_fd sock(socket(sockFamily, SOCK_STREAM, 0));
+ unique_fd sock(socket(sockFamily, SOCK_STREAM | SOCK_CLOEXEC, 0));
EXPECT_CALL(mockSyscalls, getsockname(_, _, _))
.WillOnce(DoAll(SetArgPointee<1>(socketaddr), Return(netdutils::status::ok)));
@@ -477,7 +477,7 @@
struct sockaddr socketaddr;
socketaddr.sa_family = family;
- unique_fd sock(socket(family, SOCK_STREAM, 0));
+ unique_fd sock(socket(family, SOCK_STREAM | SOCK_CLOEXEC, 0));
EXPECT_CALL(mockSyscalls, getsockname(_, _, _))
.WillOnce(DoAll(SetArgPointee<1>(socketaddr), Return(netdutils::status::ok)));
diff --git a/server/oem_iptables_hook.cpp b/server/oem_iptables_hook.cpp
index 1b8a6e4..057020b 100644
--- a/server/oem_iptables_hook.cpp
+++ b/server/oem_iptables_hook.cpp
@@ -22,12 +22,18 @@
#include <string.h>
#include <unistd.h>
+#include <string>
+
#define LOG_TAG "OemIptablesHook"
#include <log/log.h>
#include <logwrap/logwrap.h>
#include "NetdConstants.h"
-static bool oemCleanupHooks() {
+namespace {
+
+const char OEM_SCRIPT_PATH[] = "/system/bin/oem-iptables-init.sh";
+
+bool oemCleanupHooks() {
std::string cmd =
"*filter\n"
":oem_out -\n"
@@ -40,8 +46,8 @@
return (execIptablesRestore(V4V6, cmd) == 0);
}
-static bool oemInitChains() {
- int ret = system(OEM_SCRIPT_PATH);
+bool oemInitChains() {
+ int ret = system(OEM_SCRIPT_PATH); // NOLINT(cert-env33-c)
if ((-1 == ret) || (0 != WEXITSTATUS(ret))) {
ALOGE("%s failed: %s", OEM_SCRIPT_PATH, strerror(errno));
oemCleanupHooks();
@@ -50,6 +56,7 @@
return true;
}
+} // namespace
void setupOemIptablesHook() {
if (0 == access(OEM_SCRIPT_PATH, R_OK | X_OK)) {