authorNick Kralevich <nnk@google.com>2014-06-11 18:23:59 -0700
committerNick Kralevich <nnk@google.com>2014-06-12 14:54:43 -0700
commit0db0f97d87bae8118e135d5a30edf7f0146098c0 (patch)
treeb8671de6701d18ec5bd9b6440406f4c5ee754160
parent18c9394ce1a4869eb5cf91eece02a4e944e2eebc (diff)
downloadnative-0db0f97d87bae8118e135d5a30edf7f0146098c0.tar.gz
installd: change profile files to 0660
Profiling information leaks data about how people interact with apps, so we don't want the data to be available to other apps. Only the app and system_server need access. Don't create the /data/dalvik-cache/profiles directory. init.rc does it for us now. Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
-rw-r--r--cmds/installd/utils.c35
1 files changed, 6 insertions, 29 deletions
diff --git a/cmds/installd/utils.c b/cmds/installd/utils.c
index 420ad5ed3e..120fd62b09 100644
--- a/cmds/installd/utils.c
+++ b/cmds/installd/utils.c
@@ -1036,50 +1036,27 @@ int ensure_config_user_dirs(userid_t userid) {
int create_profile_file(const char *pkgname, gid_t gid) {
const char *profile_dir = DALVIK_CACHE_PREFIX "profiles";
- struct stat profileStat;
char profile_file[PKG_PATH_MAX];
- // If we don't have a profile directory under dalvik-cache we need to create one.
- if (stat(profile_dir, &profileStat) < 0) {
- // Create the profile directory under dalvik-cache.
- if (mkdir(profile_dir, 0711) < 0) {
- ALOGE("cannot make profile dir '%s': %s\n", profile_dir, strerror(errno));
- return -1;
- }
-
- // Make the profile directory write-only for group and other. Owner can rwx it.
- if (chmod(profile_dir, 0711) < 0) {
- ALOGE("cannot chown profile dir '%s': %s\n", profile_dir, strerror(errno));
- rmdir(profile_dir);
- return -1;
- }
-
- if (selinux_android_restorecon(profile_dir, 0) < 0) {
- ALOGE("cannot restorecon profile dir '%s': %s\n", profile_dir, strerror(errno));
- rmdir(profile_dir);
- return -1;
- }
- }
-
snprintf(profile_file, sizeof(profile_file), "%s/%s", profile_dir, pkgname);
// The 'system' user needs to be able to read the profile to determine if dex2oat
// needs to be run. This is done in dalvik.system.DexFile.isDexOptNeededInternal(). So
- // we make it world readable. Not a problem since the dalvik cache is world
- // readable anyway.
+ // we assign ownership to AID_SYSTEM and ensure it's not world-readable.
- int fd = open(profile_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0664);
+ int fd = open(profile_file, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0660);
- // Open will fail if the file already exists. We want to ignore that.
+ // Always set the uid/gid/permissions. The file could have been previously created
+ // with different permissions.
if (fd >= 0) {
- if (fchown(fd, -1, gid) < 0) {
+ if (fchown(fd, AID_SYSTEM, gid) < 0) {
ALOGE("cannot chown profile file '%s': %s\n", profile_file, strerror(errno));
close(fd);
unlink(profile_file);
return -1;
}
- if (fchmod(fd, 0664) < 0) {
+ if (fchmod(fd, 0660) < 0) {
ALOGE("cannot chmod profile file '%s': %s\n", profile_file, strerror(errno));
close(fd);
unlink(profile_file);