From 0db0f97d87bae8118e135d5a30edf7f0146098c0 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Wed, 11 Jun 2014 18:23:59 -0700
Subject: [PATCH] installd: change profile files to 0660

Profiling information leaks data about how people interact with apps, so we don't want the data to be available to other apps. Only the app and system_server need access. Don't create the /data/dalvik-cache/profiles directory. init.rc does it for us now.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
---
 cmds/installd/utils.c | 35 ++++++----------------------------------
 1 file changed, 6 insertions(+), 29 deletions(-)

diff --git a/cmds/installd/utils.c b/cmds/installd/utils.c
index 420ad5ed3..120fd62b0 100644
--- a/cmds/installd/utils.c
+++ b/cmds/installd/utils.c
@@ -1036,50 +1036,27 @@ int ensure_config_user_dirs(userid_t userid) {
 int create_profile_file(const char *pkgname, gid_t gid) {
     const char *profile_dir = DALVIK_CACHE_PREFIX "profiles";
-    struct stat profileStat;
     char profile_file[PKG_PATH_MAX];
-    // If we don't have a profile directory under dalvik-cache we need to create one.
-    if (stat(profile_dir, &profileStat) < 0) {
-        // Create the profile directory under dalvik-cache.
-        if (mkdir(profile_dir, 0711) < 0) {
-            ALOGE("cannot make profile dir '%s': %s\n", profile_dir, strerror(errno));
-            return -1;
-        }
-        // Make the profile directory write-only for group and other. Owner can rwx it.
-        if (chmod(profile_dir, 0711) < 0) {
-            ALOGE("cannot chown profile dir '%s': %s\n", profile_dir, strerror(errno));
-            rmdir(profile_dir);
-            return -1;
-        }
-        if (selinux_android_restorecon(profile_dir, 0) < 0) {
-            ALOGE("cannot restorecon profile dir '%s': %s\n", profile_dir, strerror(errno));
-            rmdir(profile_dir);
-            return -1;
-        }
-    }
     snprintf(profile_file, sizeof(profile_file), "%s/%s", profile_dir, pkgname);
     // The 'system' user needs to be able to read the profile to determine if dex2oat
     // needs to be run. This is done in dalvik.system.DexFile.isDexOptNeededInternal(). So
-    // we make it world readable. Not a problem since the dalvik cache is world
-    // readable anyway.
+    // we assign ownership to AID_SYSTEM and ensure it's not world-readable.
-    int fd = open(profile_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0664);
+    int fd = open(profile_file, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0660);
-    // Open will fail if the file already exists. We want to ignore that.
+    // Always set the uid/gid/permissions. The file could have been previously created
+    // with different permissions.
     if (fd >= 0) {
-        if (fchown(fd, -1, gid) < 0) {
+        if (fchown(fd, AID_SYSTEM, gid) < 0) {
             ALOGE("cannot chown profile file '%s': %s\n", profile_file, strerror(errno));
             close(fd);
             unlink(profile_file);
             return -1;
         }
-        if (fchmod(fd, 0664) < 0) {
+        if (fchmod(fd, 0660) < 0) {
             ALOGE("cannot chmod profile file '%s': %s\n", profile_file, strerror(errno));
             close(fd);
             unlink(profile_file);