Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / c7f7743f4feb8a0afea970b06d075de556a177e2^1..c7f7743f4feb8a0afea970b06d075de556a177e2 / .
commitc7f7743f4feb8a0afea970b06d075de556a177e2[log] [tgz]
authorEric Biggers <ebiggers@google.com>Tue Jun 20 17:54:45 2023 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Tue Jun 20 17:54:45 2023 +0000
tree3f230ebc374e2b9ec7b653c10b8b25331aafcc31
parent614857c7823a1befc1caa98b32974b5064b2a5fe [diff]
parent46477f1d820a0825c531ce4838288f6f8defe36d [diff]
Merge "Remove write permission from file mode of top-level user dirs" am: 46477f1d82

Original change: https://android-review.googlesource.com/c/platform/system/core/+/2620458

Change-Id: Idc00da3c1d5ce7f5ffc8a3f7942b947fe1b59833
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0ee85c7..5344368 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -919,15 +919,22 @@
     # encryption policies apply recursively.  These directories should never
     # contain any subdirectories other than the per-user ones.  /data/media/obb
     # is an exception that exists for legacy reasons.
-    mkdir /data/media 0770 media_rw media_rw encryption=None
-    mkdir /data/misc_ce 01771 system misc encryption=None
-    mkdir /data/misc_de 01771 system misc encryption=None
-    mkdir /data/system_ce 0770 system system encryption=None
-    mkdir /data/system_de 0770 system system encryption=None
-    mkdir /data/user 0711 system system encryption=None
-    mkdir /data/user_de 0711 system system encryption=None
-    mkdir /data/vendor_ce 0771 root root encryption=None
-    mkdir /data/vendor_de 0771 root root encryption=None
+    #
+    # Don't use any write mode bits (0222) for any of these directories, since
+    # the only process that should write to them directly is vold (since it
+    # needs to set up file-based encryption on the subdirectories), which runs
+    # as root with CAP_DAC_OVERRIDE.  This is also fully enforced via the
+    # SELinux policy.  But we also set the DAC file modes accordingly, to try to
+    # minimize differences in behavior if SELinux is set to permissive mode.
+    mkdir /data/media 0550 media_rw media_rw encryption=None
+    mkdir /data/misc_ce 0551 system misc encryption=None
+    mkdir /data/misc_de 0551 system misc encryption=None
+    mkdir /data/system_ce 0550 system system encryption=None
+    mkdir /data/system_de 0550 system system encryption=None
+    mkdir /data/user 0511 system system encryption=None
+    mkdir /data/user_de 0511 system system encryption=None
+    mkdir /data/vendor_ce 0551 root root encryption=None
+    mkdir /data/vendor_de 0551 root root encryption=None
 
     # Set the casefold flag on /data/media.  For upgrades, a restorecon can be
     # needed first to relabel the directory from media_rw_data_file.