Flag APK permission changes
We added group as well as user read/execute permissions, unflagged
because it's fairly harmless. But it causes Android 14 CTS to break.
So put the change, and the corresponding test, behind a flag.
Bug: 308383728
Bug: 296393106
Test: atest MicrodroidTests, with all flags locally disabled, and enabled
Change-Id: I7127c4718d8f49698355a0da7cbe5efb67868980
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 40c5cae..d9d9cb9 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -2019,11 +2019,10 @@
| OsConstants.S_IROTH
| OsConstants.S_IWOTH
| OsConstants.S_IXOTH;
- int expectedPermissions =
- OsConstants.S_IRUSR
- | OsConstants.S_IXUSR
- | OsConstants.S_IRGRP
- | OsConstants.S_IXGRP;
+ int expectedPermissions = OsConstants.S_IRUSR | OsConstants.S_IXUSR;
+ if (isFeatureEnabled(VirtualMachineManager.FEATURE_MULTI_TENANT)) {
+ expectedPermissions |= OsConstants.S_IRGRP | OsConstants.S_IXGRP;
+ }
assertThat(testResults.mFileMode & allPermissionsMask).isEqualTo(expectedPermissions);
}
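Review bot: The new `if (isFeatureEnabled(VirtualMachineManager.FEATURE_MULTI_TENANT))` branch has no comment saying why group read/execute is expected only in that configuration. It also relies on a runtime feature query, while zipfuse selects the mode at build time with `#[cfg(multi_tenant)]`, so the two must stay in step. I would add `// zipfuse grants group r-x on the APK mount only when built with multi_tenant; otherwise owner-only.` above the `if`. Because the assertion masks with `allPermissionsMask`, it still checks in both configurations that no write or other-user bits are set, and that property should be kept. The enclosing test method starts outside the hunk.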
diff --git a/zipfuse/src/inode.rs b/zipfuse/src/inode.rs
index 3175a30..1f74f64 100644
--- a/zipfuse/src/inode.rs
+++ b/zipfuse/src/inode.rs
@@ -31,11 +31,21 @@
const INVALID: Inode = 0;
const ROOT: Inode = 1;
-const DEFAULT_DIR_MODE: u32 = libc::S_IRUSR | libc::S_IXUSR | libc::S_IRGRP | libc::S_IXGRP;
+#[cfg(multi_tenant)]
+const READ_MODE: u32 = libc::S_IRUSR | libc::S_IRGRP;
+#[cfg(multi_tenant)]
+const EXECUTE_MODE: u32 = libc::S_IXUSR | libc::S_IXGRP;
+
+#[cfg(not(multi_tenant))]
+const READ_MODE: u32 = libc::S_IRUSR;
+#[cfg(not(multi_tenant))]
+const EXECUTE_MODE: u32 = libc::S_IXUSR;
+
+const DEFAULT_DIR_MODE: u32 = READ_MODE | EXECUTE_MODE;
// b/264668376 some files in APK don't have unix permissions specified. Default to 400
// otherwise those files won't be readable even by the owner.
-const DEFAULT_FILE_MODE: u32 = libc::S_IRUSR | libc::S_IRGRP;
-const EXECUTABLE_FILE_MODE: u32 = DEFAULT_FILE_MODE | libc::S_IXUSR | libc::S_IXGRP;
+const DEFAULT_FILE_MODE: u32 = READ_MODE;
+const EXECUTABLE_FILE_MODE: u32 = DEFAULT_FILE_MODE | EXECUTE_MODE;
/// `InodeData` represents an inode which has metadata about a file or a directory
#[derive(Debug)]
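Review bot: The context comment `Default to 400` above `DEFAULT_FILE_MODE` is now accurate only for the `not(multi_tenant)` build, because with `multi_tenant` set `READ_MODE` includes `S_IRGRP` and the default becomes 0440. I would reword it to `// ... Default to READ_MODE (0400, or 0440 with multi_tenant), otherwise those files won't be readable even by the owner.` The cfg'd `READ_MODE` / `EXECUTE_MODE` pairs would also benefit from a one-line doc comment saying that group bits are granted only for multi-tenant. The hunk does not show where the `multi_tenant` cfg is set. If it is left unset the build falls back to the owner-only branch, which is the restrictive side, but it is worth confirming that the build file wires the flag.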