Make the xtables lock readable only by AID_RADIO and root.

Anyone who can read this file can call flock(..., LOCK_EX) on it, thereby blocking any future iptables commands from running. Restrict it to user AID_RADIO, which includes device-specific network management daemons, and group root. Bug: 36108349 Test: see https://android-review.googlesource.com/#/c/348939/ Change-Id: I4dae4b5a835fabdc1a61a330e0446b39651f8156
2017-03-22 16:37:42 +09:00 · 2017-03-22 16:37:42 +09:00 · 5e801e7bd5
commit 5e801e7bd5
parent 2a54ae97eb
1 changed files with 1 additions and 0 deletions
--- a/libcutils/fs_config.c
+++ b/libcutils/fs_config.c
@ -160,6 +160,7 @@ static const struct fs_path_config android_files[] = {
    { 00555, AID_ROOT,      AID_ROOT,      0, "system/etc/ppp/*" },
    { 00555, AID_ROOT,      AID_ROOT,      0, "system/etc/rc.*" },
    { 00440, AID_ROOT,      AID_ROOT,      0, "system/etc/recovery.img" },
+    { 00440, AID_RADIO,     AID_ROOT,      0, "system/etc/xtables.lock" },
    { 00600, AID_ROOT,      AID_ROOT,      0, "vendor/build.prop" },
    { 00600, AID_ROOT,      AID_ROOT,      0, "vendor/default.prop" },
    { 00444, AID_ROOT,      AID_ROOT,      0, ven_conf_dir + 1 },