Loading cmds/installd/InstalldNativeService.cpp +13 −4 Original line number Original line Diff line number Diff line Loading @@ -373,13 +373,22 @@ static bool prepare_app_profile_dir(const std::string& packageName, int32_t appI const std::string ref_profile_path = const std::string ref_profile_path = create_primary_reference_profile_package_dir_path(packageName); create_primary_reference_profile_package_dir_path(packageName); // dex2oat/profman runs under the shared app gid and it needs to read/write reference // profiles. // Prepare the reference profile directory. Note that we use the non strict version of if (fs_prepare_dir_strict( // fs_prepare_dir. This will fix the permission and the ownership to the correct values. ref_profile_path.c_str(), 0701, shared_app_gid, shared_app_gid) != 0) { // This is particularly important given that in O there were some fixes for how the // shared_app_gid is computed. // // Note that by the time we get here we know that we are using a correct uid (otherwise // prepare_app_dir and the above fs_prepare_file_strict which check the uid). So we // are sure that the gid being used belongs to the owning app and not someone else. // // dex2oat/profman runs under the shared app gid and it needs to read/write reference profiles. if (fs_prepare_dir(ref_profile_path.c_str(), 0770, AID_SYSTEM, shared_app_gid) != 0) { PLOG(ERROR) << "Failed to prepare " << ref_profile_path; PLOG(ERROR) << "Failed to prepare " << ref_profile_path; return false; return false; } } return true; return true; } } Loading cmds/installd/tests/installd_dexopt_test.cpp +33 −1 Original line number Original line Diff line number Diff line Loading @@ -574,7 +574,39 @@ TEST_F(ProfileTest, ProfileDirOk) { CheckFileAccess(cur_profile_dir, kTestAppUid, kTestAppUid, 0700 | S_IFDIR); CheckFileAccess(cur_profile_dir, kTestAppUid, kTestAppUid, 0700 | S_IFDIR); CheckFileAccess(cur_profile_file, kTestAppUid, kTestAppUid, 0600 | S_IFREG); CheckFileAccess(cur_profile_file, kTestAppUid, kTestAppUid, 0600 | S_IFREG); CheckFileAccess(ref_profile_dir, kTestAppGid, kTestAppGid, 0701 | S_IFDIR); CheckFileAccess(ref_profile_dir, kSystemUid, kTestAppGid, 0770 | S_IFDIR); } // Verify that the profile directories are fixed up during an upgrade. // (The reference profile directory is prepared lazily). TEST_F(ProfileTest, ProfileDirOkAfterFixup) { LOG(INFO) << "ProfileDirOkAfterFixup"; std::string cur_profile_dir = create_primary_current_profile_package_dir_path( kTestUserId, package_name_); std::string cur_profile_file = create_current_profile_path(kTestUserId, package_name_, /*is_secondary_dex*/false); std::string ref_profile_dir = create_primary_reference_profile_package_dir_path(package_name_); // Simulate a pre-P setup by changing the owner to kTestAppGid and permissions to 0700. ASSERT_EQ(0, chown(ref_profile_dir.c_str(), kTestAppGid, kTestAppGid)); ASSERT_EQ(0, chmod(ref_profile_dir.c_str(), 0700)); // Run createAppData again which will offer to fix-up the profile directories. ASSERT_TRUE(service_->createAppData( volume_uuid_, package_name_, kTestUserId, kAppDataFlags, kTestAppUid, se_info_, kOSdkVersion, &ce_data_inode_).isOk()); // Check the file access. CheckFileAccess(cur_profile_dir, kTestAppUid, kTestAppUid, 0700 | S_IFDIR); CheckFileAccess(cur_profile_file, kTestAppUid, kTestAppUid, 0600 | S_IFREG); CheckFileAccess(ref_profile_dir, kSystemUid, kTestAppGid, 0770 | S_IFDIR); } } } // namespace installd } // namespace installd Loading Loading
cmds/installd/InstalldNativeService.cpp +13 −4 Original line number Original line Diff line number Diff line Loading @@ -373,13 +373,22 @@ static bool prepare_app_profile_dir(const std::string& packageName, int32_t appI const std::string ref_profile_path = const std::string ref_profile_path = create_primary_reference_profile_package_dir_path(packageName); create_primary_reference_profile_package_dir_path(packageName); // dex2oat/profman runs under the shared app gid and it needs to read/write reference // profiles. // Prepare the reference profile directory. Note that we use the non strict version of if (fs_prepare_dir_strict( // fs_prepare_dir. This will fix the permission and the ownership to the correct values. ref_profile_path.c_str(), 0701, shared_app_gid, shared_app_gid) != 0) { // This is particularly important given that in O there were some fixes for how the // shared_app_gid is computed. // // Note that by the time we get here we know that we are using a correct uid (otherwise // prepare_app_dir and the above fs_prepare_file_strict which check the uid). So we // are sure that the gid being used belongs to the owning app and not someone else. // // dex2oat/profman runs under the shared app gid and it needs to read/write reference profiles. if (fs_prepare_dir(ref_profile_path.c_str(), 0770, AID_SYSTEM, shared_app_gid) != 0) { PLOG(ERROR) << "Failed to prepare " << ref_profile_path; PLOG(ERROR) << "Failed to prepare " << ref_profile_path; return false; return false; } } return true; return true; } } Loading
cmds/installd/tests/installd_dexopt_test.cpp +33 −1 Original line number Original line Diff line number Diff line Loading @@ -574,7 +574,39 @@ TEST_F(ProfileTest, ProfileDirOk) { CheckFileAccess(cur_profile_dir, kTestAppUid, kTestAppUid, 0700 | S_IFDIR); CheckFileAccess(cur_profile_dir, kTestAppUid, kTestAppUid, 0700 | S_IFDIR); CheckFileAccess(cur_profile_file, kTestAppUid, kTestAppUid, 0600 | S_IFREG); CheckFileAccess(cur_profile_file, kTestAppUid, kTestAppUid, 0600 | S_IFREG); CheckFileAccess(ref_profile_dir, kTestAppGid, kTestAppGid, 0701 | S_IFDIR); CheckFileAccess(ref_profile_dir, kSystemUid, kTestAppGid, 0770 | S_IFDIR); } // Verify that the profile directories are fixed up during an upgrade. // (The reference profile directory is prepared lazily). TEST_F(ProfileTest, ProfileDirOkAfterFixup) { LOG(INFO) << "ProfileDirOkAfterFixup"; std::string cur_profile_dir = create_primary_current_profile_package_dir_path( kTestUserId, package_name_); std::string cur_profile_file = create_current_profile_path(kTestUserId, package_name_, /*is_secondary_dex*/false); std::string ref_profile_dir = create_primary_reference_profile_package_dir_path(package_name_); // Simulate a pre-P setup by changing the owner to kTestAppGid and permissions to 0700. ASSERT_EQ(0, chown(ref_profile_dir.c_str(), kTestAppGid, kTestAppGid)); ASSERT_EQ(0, chmod(ref_profile_dir.c_str(), 0700)); // Run createAppData again which will offer to fix-up the profile directories. ASSERT_TRUE(service_->createAppData( volume_uuid_, package_name_, kTestUserId, kAppDataFlags, kTestAppUid, se_info_, kOSdkVersion, &ce_data_inode_).isOk()); // Check the file access. CheckFileAccess(cur_profile_dir, kTestAppUid, kTestAppUid, 0700 | S_IFDIR); CheckFileAccess(cur_profile_file, kTestAppUid, kTestAppUid, 0600 | S_IFREG); CheckFileAccess(ref_profile_dir, kSystemUid, kTestAppGid, 0770 | S_IFDIR); } } } // namespace installd } // namespace installd Loading
