author | Christopher Tate <ctate@google.com> | 2012-09-26 15:25:59 -0700 |
committer | Christopher Tate <ctate@google.com> | 2012-09-27 12:54:37 -0700 |
commit | f6d6fa8cbc0251da1900e858bb0379cda5014b6f (patch) | |
tree | f0a25325b6a7534d3afa3b537ccde04d9bfc1e84 /core/java/android/app/backup | |
parent | dd78d462f6dceac71f9d1cbb723bb38a3b5bdc2e (diff) | |
Full (local) restore security changes
(1) Prevent full restore from creating files/directories that are
accessible by other applications
(2) Don't restore filesets from "system" packages; i.e. any that runs
as a special uid, unless they define their own agent for handling
the restore process.
Bug 7168284
Change-Id: Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3
Diffstat (limited to 'core/java/android/app/backup')
-rw-r--r-- | core/java/android/app/backup/FullBackup.java | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/core/java/android/app/backup/FullBackup.java b/core/java/android/app/backup/FullBackup.java
index d7f1c9f..f859599 100644
--- a/core/java/android/app/backup/FullBackup.java
+++ b/core/java/android/app/backup/FullBackup.java
@@ -64,7 +64,9 @@ public class FullBackup {
 /**
 * Copy data from a socket to the given File location on permanent storage. The
- * modification time and access mode of the resulting file will be set if desired.
+ * modification time and access mode of the resulting file will be set if desired,
+ * although group/all rwx modes will be stripped: the restored file will not be
+ * accessible from outside the target application even if the original file was.
 * If the {@code type} parameter indicates that the result should be a directory,
 * the socket parameter may be {@code null}; even if it is valid, no data will be
 * read from it in this case.
@@ -79,8 +81,9 @@ public class FullBackup {
 * @param type Must be either {@link BackupAgent#TYPE_FILE} for ordinary file data
 * or {@link BackupAgent#TYPE_DIRECTORY} for a directory.
 * @param mode Unix-style file mode (as used by the chmod(2) syscall) to be set on
- * the output file or directory. If this parameter is negative then neither
- * the mode nor the mtime parameters will be used.
+ * the output file or directory. group/all rwx modes are stripped even if set
+ * in this parameter. If this parameter is negative then neither
+ * the mode nor the mtime values will be applied to the restored file.
 * @param mtime A timestamp in the standard Unix epoch that will be imposed as the
 * last modification time of the output file. if the {@code mode} parameter is
 * negative then this parameter will be ignored.
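Review bot: The new Javadoc in both hunks describes the masking as stripping "group/all rwx modes", but the mask the commit actually applies later in this file is `mode &= 0700`, which also clears the setuid, setgid and sticky bits, so the `@param mode` text understates what is dropped. Suggest rewording the added lines in the second hunk to `* the output file or directory. Only the owner rwx bits (0700) are honoured; group/other` / `* permission bits and the setuid/setgid/sticky bits are cleared even if set in this` / `* parameter. If this parameter is negative then neither`, keeping the final sentence as written. The same precision would help the first hunk's "group/all rwx modes will be stripped" sentence. Both hunks sit inside the method's Javadoc; the method itself begins after the second hunk.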
@@ -105,8 +108,6 @@ public class FullBackup {
 if (!parent.exists()) {
 // in practice this will only be for the default semantic directories,
 // and using the default mode for those is appropriate.
- // TODO: support the edge case of apps that have adjusted the
- // permissions on these core directories
 parent.mkdirs();
 }
 out = new FileOutputStream(outFile);
@@ -146,6 +147,8 @@ public class FullBackup {
 // Now twiddle the state to match the backup, assuming all went well
 if (mode >= 0 && outFile != null) {
 try {
+ // explicitly prevent emplacement of files accessible by outside apps
+ mode &= 0700;
 Libcore.os.chmod(outFile.getPath(), (int)mode);
 } catch (ErrnoException e) {
 e.rethrowAsIOException(); |
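Review bot: The `mode &= 0700` mask in the second hunk only executes inside the `if (mode >= 0 && outFile != null)` guard, so a caller passing a negative mode skips chmod entirely and the restored file keeps whatever mode its creation gave it; the "not accessible from outside the target application" guarantee added to the Javadoc therefore does not hold on that path. Consider chmod-ing unconditionally when `outFile != null`, using `mode & 0700` when mode is non-negative and otherwise a conservative fallback chosen by the `type` parameter (0700 for `TYPE_DIRECTORY`, 0600 for files), and leaving only the mtime update behind the `mode >= 0` check. Separately, the file is opened with `new FileOutputStream(outFile)` (first hunk) before this chmod runs, so its mode is umask-derived until the mask is applied — presumably the app's private data directory already bounds exposure, but that is worth confirming. Reassigning the `mode` parameter in place also hides the caller's value from the rest of the method; a local such as `final int restoredMode = (int) (mode & 0700);` passed to `chmod` would read more clearly. The enclosing method begins before the first hunk and continues past the end of the second.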