Set /system/xbin permissions to 750. This directory contains only the su binary which is executable only by root and shell uids, so need not be accessible to other users. Test: Device boots Test: adb shell ls -ld /system/xbin Change-Id: I4c9daab68b29832ef0ace2dec274687e4496da81

commit: 42a1a126e554a8bca31d0afc832848b7b0fa1f4e [log] [tgz]
author: Mathew Inwood <mathewi@google.com> Mon Jul 20 15:14:55 2020 +0000
committer: Mathew Inwood <mathewi@google.com> Tue Aug 18 14:48:38 2020 +0000
tree: 090e150c6862be5ba1cdd574b9c3717bb633bd07
parent: d7cb6e1fd098af49354ad242e5ac01b9d95e34dd [diff] [blame]
diff --git a/libcutils/fs_config.cpp b/libcutils/fs_config.cpp
index b9fc82e..a0fc039 100644
--- a/libcutils/fs_config.cpp
+++ b/libcutils/fs_config.cpp

@@ -85,7 +85,7 @@
     { 00751, AID_ROOT,         AID_SHELL,        0, "system/bin" },
     { 00755, AID_ROOT,         AID_ROOT,         0, "system/etc/ppp" },
     { 00755, AID_ROOT,         AID_SHELL,        0, "system/vendor" },
-    { 00751, AID_ROOT,         AID_SHELL,        0, "system/xbin" },
+    { 00750, AID_ROOT,         AID_SHELL,        0, "system/xbin" },
     { 00751, AID_ROOT,         AID_SHELL,        0, "system/apex/*/bin" },
     { 00751, AID_ROOT,         AID_SHELL,        0, "system_ext/bin" },
     { 00751, AID_ROOT,         AID_SHELL,        0, "system_ext/apex/*/bin" },
commit	42a1a126e554a8bca31d0afc832848b7b0fa1f4e	[log] [tgz]
author	Mathew Inwood <mathewi@google.com>	Mon Jul 20 15:14:55 2020 +0000
committer	Mathew Inwood <mathewi@google.com>	Tue Aug 18 14:48:38 2020 +0000
tree	090e150c6862be5ba1cdd574b9c3717bb633bd07
parent	d7cb6e1fd098af49354ad242e5ac01b9d95e34dd [diff] [blame]