From b84e5aad59c2abe95442965603a5afcad17d6ea4 Mon Sep 17 00:00:00 2001
From: William Loh <wloh@google.com>
Date: Tue, 14 Feb 2023 04:45:54 +0000
Subject: Set app.metadata file permission to 640

This should prevent apps from circumventing the GET_APP_METADATA
permission by reading the file directly if they are aware of the file
path.

Bug: 267823160
Test: atest android.packageinstaller.install.cts.InstallAppMetadataTest
Change-Id: I4aab10b48e62234bc252535ab2e2c8b9c77a7ac3
---
 services/incremental/BinderIncrementalService.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'services/incremental/BinderIncrementalService.cpp')

diff --git a/services/incremental/BinderIncrementalService.cpp b/services/incremental/BinderIncrementalService.cpp
index 45ca5cd84e39..aff8e97257d4 100644
--- a/services/incremental/BinderIncrementalService.cpp
+++ b/services/incremental/BinderIncrementalService.cpp
@@ -223,7 +223,7 @@ static std::span<const uint8_t> toSpan(const ::std::optional<::std::vector<uint8
 }
 
 binder::Status BinderIncrementalService::makeFile(
-        int32_t storageId, const std::string& path,
+        int32_t storageId, const std::string& path, int32_t mode,
         const ::android::os::incremental::IncrementalNewFileParams& params,
         const ::std::optional<::std::vector<uint8_t>>& content, int32_t* _aidl_return) {
     auto [err, fileId, nfp] = toMakeFileParams(params);
@@ -232,7 +232,7 @@ binder::Status BinderIncrementalService::makeFile(
         return ok();
     }
 
-    *_aidl_return = mImpl.makeFile(storageId, path, 0777, fileId, nfp, toSpan(content));
+    *_aidl_return = mImpl.makeFile(storageId, path, mode, fileId, nfp, toSpan(content));
     return ok();
 }
 binder::Status BinderIncrementalService::makeFileFromRange(int32_t storageId,
-- 
cgit v1.2.3-59-g8ed1b