improve: use lsetxattr instead of chcon via system; fix: not closing socket_fd in error paths

ThePedroo · ThePedroo · commit 86f01a978947 · 2026-03-14T19:55:18.000-03:00
This commit makes ReZygisk use `lsetxattr` directly to set SELinux content instead of starting a shell for that. It also makes "socket_fd" be closed in the error paths, avoiding a fd leak in case it fails.
diff --git a/zygiskd/src/utils.c b/zygiskd/src/utils.c
@@ -10,6 +10,7 @@
 #include <sys/un.h>
 #include <sys/sysmacros.h>
 #include <sys/mount.h>
+#include <sys/xattr.h>
 
 #include <unistd.h>
 #include <linux/limits.h>
@@ -121,9 +122,9 @@ void unix_datagram_sendto(const char *restrict path, const void *restrict buf, s
 
   set_socket_create_context(current_attr);
 
-  struct sockaddr_un addr;
-  addr.sun_family = AF_UNIX;
-
+  struct sockaddr_un addr = {
+    .sun_family = AF_UNIX
+  };
   strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
 
   int socket_fd = socket(AF_UNIX, SOCK_DGRAM, 0);
@@ -136,12 +137,16 @@ void unix_datagram_sendto(const char *restrict path, const void *restrict buf, s
   if (connect(socket_fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
     LOGE("connect: %s\n", strerror(errno));
 
+    close(socket_fd);
+
     return;
   }
 
   if (sendto(socket_fd, buf, len, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
     LOGE("sendto: %s\n", strerror(errno));
 
+    close(socket_fd);
+
     return;
   }
 
@@ -151,10 +156,7 @@ void unix_datagram_sendto(const char *restrict path, const void *restrict buf, s
 }
 
 int chcon(const char *restrict path, const char *context) {
-  char command[PATH_MAX];
-  snprintf(command, PATH_MAX, "chcon %s %s", context, path);
-
-  return system(command);
+  return lsetxattr(path, "security.selinux", context, strlen(context) + 1, 0);
 }
 
 int unix_listener_from_path(const char *restrict path) {
@@ -179,20 +181,23 @@ int unix_listener_from_path(const char *restrict path) {
   if (bind(socket_fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) == -1) {
     LOGE("bind: %s\n", strerror(errno));
 
+    close(socket_fd);
+
     return -1;
   }
 
   if (listen(socket_fd, 2) == -1) {
     LOGE("listen: %s\n", strerror(errno));
 
+    close(socket_fd);
+
     return -1;
   }
 
-  if (chcon(path, "u:object_r:zygisk_file:s0") == -1) {
-    LOGE("chcon: %s\n", strerror(errno));
+  LOGI("socket listening on %s (fd=%d)", path, socket_fd);
 
-    return -1;
-  }
+  if (chcon(path, "u:object_r:zygisk_file:s0") == -1)
+    LOGW("chcon (non-fatal): %s\n", strerror(errno));
 
   return socket_fd;
 }
