Use AF_INET sockets when checking netIds in setNetworkFor{Process,Resolv}(). DO NOT...

AF_UNIX sockets don't need to be marked, so we don't give netd the permission to
operate on them (cf: netd.te). I.e., netd doesn't expect to receive them.

Make sure that the creation of the AF_INET socket doesn't trigger another
wasteful check with netd by calling the libc version directly.

Bug: 13885501
Change-Id: I6b549232e57cacd47501edcefa4c0b4b79df9da0
(cherry picked from commit 2756045bebaac342f7cb70dad11519f896d44833)

diff --git a/client/NetdClient.cpp b/client/NetdClient.cpp
index c0acdc0..714f110 100644 (file)
--- a/client/NetdClient.cpp
+++ b/client/NetdClient.cpp
@@ -111,9 +111,14 @@ bool setNetworkForTarget(unsigned netId, volatile sig_atomic_t* target) {
         return true;
     }
     // Verify that we are allowed to use |netId|, by creating a socket and trying to have it marked
-    // with the netId. Don't create an AF_INET socket, because then the creation itself might cause
-    // another check with the fwmark server (see netdClientSocket()), which would be wasteful.
-    int socketFd = socket(AF_UNIX, SOCK_DGRAM, 0);
+    // with the netId. Call libcSocket() directly; else the socket creation (via netdClientSocket())
+    // might itself cause another check with the fwmark server, which would be wasteful.
+    int socketFd;
+    if (libcSocket) {
+        socketFd = libcSocket(AF_INET6, SOCK_DGRAM, 0);
+    } else {
+        socketFd = socket(AF_INET6, SOCK_DGRAM, 0);
+    }
     if (socketFd < 0) {
         return false;
     }