android-cloexec-epoll-create1¶
epoll_create1()
should include EPOLL_CLOEXEC
in its type argument to
avoid the file descriptor leakage. Without this flag, an opened sensitive file
would remain open across a fork+exec to a lower-privileged SELinux domain.
Examples:
epoll_create1(0);
// becomes
epoll_create1(EPOLL_CLOEXEC);