bionic: prevent root processes from calling __system_property_add

If a root process other than init calls __system_property_add, which
it should never do, it will break the design assumption that there is
only one mutator.

Pass O_EXCL to open() in map_prop_region_rw to ensure that only one
process ever has the property pages open for write.

(cherry picked from commit fb9b7b436f3ef94385f1b0c55ab81f246f0d96b8)

Change-Id: I6df3afedbfb5d07891b095aa24b78278381a5aaf

libc/bionic/system_properties.c

@@ -128,11 +128,13 @@ static int map_prop_area_rw()
 {
     prop_area *pa;
     int fd;
+    int ret;
 
     /* dev is a tmpfs that we can use to carve a shared workspace
      * out of, so let's do that...
      */
-    fd = open(property_filename, O_RDWR | O_CREAT | O_NOFOLLOW, 0644);
+    fd = open(property_filename, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC |
+            O_EXCL, 0444);
     if (fd < 0) {
         if (errno == EACCES) {
             /* for consistency with the case where the process has already
@@ -143,6 +145,10 @@ static int map_prop_area_rw()
         return -1;
     }
 
+    ret = fcntl(fd, F_SETFD, FD_CLOEXEC);
+    if (ret < 0)
+        goto out;
+
     if (ftruncate(fd, PA_SIZE) < 0)
         goto out;
 
@@ -186,8 +192,16 @@ static int map_prop_area()
 {
     bool fromFile = true;
     int result = -1;
+    int fd;
+    int ret;
 
-    int fd = open(property_filename, O_RDONLY | O_NOFOLLOW);
+    fd = open(property_filename, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+    if (fd >= 0) {
+        /* For old kernels that don't support O_CLOEXEC */
+        ret = fcntl(fd, F_SETFD, FD_CLOEXEC);
+        if (ret < 0)
+            goto cleanup;
+    }
 
     if ((fd < 0) && (errno == ENOENT)) {
         /*