| author | Christopher Tate <ctate@google.com> | 2012-09-28 11:32:15 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2012-09-28 11:32:15 -0700 |
| commit | ad8bda219e9d9b18144ace7853997c536bb2f1fc (patch) | |
| tree | ddb3258752535875a784b2f289563589d9c6b250 /core/java/android | |
| parent | 46cc524a6c45d169750290f06672ee6343af51d7 (diff) | |
| parent | 64d1f3efd759b70462aecb6cf1d8c733872a8911 (diff) | |
am 64d1f3ef: DO NOT MERGE - Full (local) restore security changes
* commit '64d1f3efd759b70462aecb6cf1d8c733872a8911':
DO NOT MERGE - Full (local) restore security changes
Diffstat (limited to 'core/java/android')
| -rw-r--r-- | core/java/android/app/backup/FullBackup.java | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/core/java/android/app/backup/FullBackup.java b/core/java/android/app/backup/FullBackup.java
index d7f1c9f..f859599 100644
--- a/core/java/android/app/backup/FullBackup.java
+++ b/core/java/android/app/backup/FullBackup.java
@@ -64,7 +64,9 @@ public class FullBackup {
 
 /**
 * Copy data from a socket to the given File location on permanent storage. The
- * modification time and access mode of the resulting file will be set if desired.
+ * modification time and access mode of the resulting file will be set if desired,
+ * although group/all rwx modes will be stripped: the restored file will not be
+ * accessible from outside the target application even if the original file was.
 * If the {@code type} parameter indicates that the result should be a directory,
 * the socket parameter may be {@code null}; even if it is valid, no data will be
 * read from it in this case.
@@ -79,8 +81,9 @@ public class FullBackup {
 * @param type Must be either {@link BackupAgent#TYPE_FILE} for ordinary file data
 * or {@link BackupAgent#TYPE_DIRECTORY} for a directory.
 * @param mode Unix-style file mode (as used by the chmod(2) syscall) to be set on
- * the output file or directory. If this parameter is negative then neither
- * the mode nor the mtime parameters will be used.
+ * the output file or directory. group/all rwx modes are stripped even if set
+ * in this parameter. If this parameter is negative then neither
+ * the mode nor the mtime values will be applied to the restored file.
 * @param mtime A timestamp in the standard Unix epoch that will be imposed as the
 * last modification time of the output file. if the {@code mode} parameter is
 * negative then this parameter will be ignored.
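Review bot: The new Javadoc wording in both comment hunks ("group/all rwx modes") understates what the code does, because the mask added further down in this commit, `mode &= 0700;`, clears the setuid, setgid and sticky bits as well as the group and other permission bits. I would state that explicitly and use the chmod(2) term "other" rather than "all", for example `* the output file or directory. Only the owner rwx bits are honored; group, other, setuid, setgid and sticky bits are cleared.` The same wording would fit the method summary in the first hunk. The Javadoc block starts and ends outside both hunks.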
@@ -105,8 +108,6 @@ public class FullBackup {
 if (!parent.exists()) {
 // in practice this will only be for the default semantic directories,
 // and using the default mode for those is appropriate.
- // TODO: support the edge case of apps that have adjusted the
- // permissions on these core directories
 parent.mkdirs();
 }
 out = new FileOutputStream(outFile);
@@ -146,6 +147,8 @@ public class FullBackup {
 // Now twiddle the state to match the backup, assuming all went well
 if (mode >= 0 && outFile != null) {
 try {
+ // explicitly prevent emplacement of files accessible by outside apps
+ mode &= 0700;
 Libcore.os.chmod(outFile.getPath(), (int)mode);
 } catch (ErrnoException e) {
 e.rethrowAsIOException(); |
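Review bot: The owner-only mask in the last hunk is applied only inside `if (mode >= 0 && outFile != null)`, so a restore that passes a negative mode never reaches `chmod` and the file keeps whatever permissions `new FileOutputStream(outFile)` gave it at creation. Whether those are owner-only depends on the process umask, which is not visible here. The file also appears to be created and written before the chmod runs, so the same creation-time permissions would apply while data is being restored. If the guarantee stated in the Javadoc is meant to hold on every path, consider tightening permissions right after the file is created, or at least documenting the gap with a comment such as `// mode < 0: file keeps its creation-time permissions; not forced to owner-only here`. The method body starts and ends outside these hunks.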
