Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5e801e7b authored by Lorenzo Colitti's avatar Lorenzo Colitti
Browse files

Make the xtables lock readable only by AID_RADIO and root. 

Anyone who can read this file can call flock(..., LOCK_EX) on it,
thereby blocking any future iptables commands from running.
Restrict it to user AID_RADIO, which includes device-specific
network management daemons, and group root.

Bug: 36108349
Test: see https://android-review.googlesource.com/#/c/348939/
Change-Id: I4dae4b5a835fabdc1a61a330e0446b39651f8156
parent 2a54ae97

libcutils/fs_config.c

+1 −0
Original line number Diff line number Diff line
@@ -160,6 +160,7 @@ static const struct fs_path_config android_files[] = { 
    { 00555, AID_ROOT,      AID_ROOT,      0, "system/etc/ppp/*" },

    { 00555, AID_ROOT,      AID_ROOT,      0, "system/etc/rc.*" },

    { 00440, AID_ROOT,      AID_ROOT,      0, "system/etc/recovery.img" },

    { 00440, AID_RADIO,     AID_ROOT,      0, "system/etc/xtables.lock" },

    { 00600, AID_ROOT,      AID_ROOT,      0, "vendor/build.prop" },

    { 00600, AID_ROOT,      AID_ROOT,      0, "vendor/default.prop" },

    { 00444, AID_ROOT,      AID_ROOT,      0, ven_conf_dir + 1 },