From 5c7fa7c36acddda7b7cc392ec360116b03e09880 Mon Sep 17 00:00:00 2001
From: Jesse Wilson
Date: Fri, 6 Jan 2012 17:01:37 -0500
Subject: Refuse to write optimized dex files to a non-private directory.

It's infeasible to test if other applications can write to a given directory, particularly since directories like /sdcard/ are accessible to named groups like sdcard_rw. Instead we take a shortcut and just test that the optimized directory is owned by the current process. I tested this manually; the '/data/data/vogar.test.java.StatTest/' app directory could be successfully used but other directories ('/data', '/sdcard', '/') throw exceptions as expected.
Bug: http://b/4609061
Change-Id: Ia72b50aa3c73051b0c03c06c0bc7c0470f76b212
---
 dalvik/src/main/java/dalvik/system/DexFile.java | 16 ++++++++++++++++
 1 file changed, 16 insertions(+) (limited to 'dalvik')

diff --git a/dalvik/src/main/java/dalvik/system/DexFile.java b/dalvik/src/main/java/dalvik/system/DexFile.java
index dc3e063..8db3985 100644
--- a/dalvik/src/main/java/dalvik/system/DexFile.java
+++ b/dalvik/src/main/java/dalvik/system/DexFile.java
@@ -20,6 +20,9 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.Enumeration;
+import libcore.io.ErrnoException;
+import libcore.io.Libcore;
+import libcore.io.StructStat;

 /**
 * Manipulates DEX files. The class is similar in principle to
@@ -90,6 +93,19 @@ public final class DexFile {
 * Enable optional features.
 */
 private DexFile(String sourceName, String outputName, int flags) throws IOException {
+ if (outputName != null) {
+ try {
+ String parent = new File(outputName).getParent();
+ if (Libcore.os.getuid() != Libcore.os.stat(parent).st_uid) {
+ throw new IllegalArgumentException("Optimized data directory " + parent + " is not owned by the current user. Shared storage cannot protect" + " your application from code injection attacks.");
+ }
+ } catch (ErrnoException ignored) {
+ // assume we'll fail with a more contextual error later
+ }
+ }
+
 mCookie = openDexFile(sourceName, outputName, flags);
 mFileName = sourceName;
 guard.open("close");
-- 
cgit v1.1
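Review bot: The ownership check fails open: the `catch (ErrnoException ignored)` block at the end of the new guard swallows any `stat` failure, so an output directory that cannot be inspected is passed to `openDexFile` without the owner test ever having run. For a control meant to stop code injection, failing closed is safer, e.g. `} catch (ErrnoException e) { throw new IOException("Cannot verify owner of directory for " + outputName, e); }`. `new File(outputName).getParent()` returns null for a bare file name, and what `Libcore.os.stat(null)` does is not visible here, so an explicit null check on `parent` would be worth adding. Comparing `st_uid` alone also accepts a directory the app owns but has left group- or world-writable; testing the write bits in `st_mode` would cover that case. The constructor body continues past the end of the hunk.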