Am.java: Use write-only file descriptors

Use write only file descriptors for am commands. Having read-write file descriptors isn't needed, and not all SELinux app domains have read access to /data/local/tmp file descriptors. Addresses the following denial: avc: denied { read } for path="/data/local/tmp/foo" dev="dm-2" ino=654084 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0 Steps to reproduce: adb shell ps | grep settings adb shell am dumpheap PID_FROM_ABOVE /data/local/tmp/settings.hat Expected: 1) command works Actual: 1) SELinux denial and no settings.hat output. Bug: 27472701 Change-Id: Id8df0c5a41046b405444e14c70075c986d9936c3
author: Nick Kralevich <nnk@google.com> 2016-03-03 15:20:39 -0800
committer: Nick Kralevich <nnk@google.com> 2016-03-03 15:24:29 -0800
commit: bb8b4814df6123b9a411ff7224a35761def9ece7 (patch)
tree: 87970320a545cd6e884a394f3759ef8b467fa4a1 /cmds/am
parent: 2e54da0d4af2decb2f9a9bd007132ae401e4b11d (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/cmds/am/src/com/android/commands/am/Am.java b/cmds/am/src/com/android/commands/am/Am.java
index df0e5fc6f1bb..fea6f0e18a32 100644
--- a/cmds/am/src/com/android/commands/am/Am.java
+++ b/cmds/am/src/com/android/commands/am/Am.java
@@ -606,7 +606,7 @@ public class Am extends BaseCommand {
                             new File(mProfileFile),
                             ParcelFileDescriptor.MODE_CREATE |
                             ParcelFileDescriptor.MODE_TRUNCATE |
-                            ParcelFileDescriptor.MODE_READ_WRITE);
+                            ParcelFileDescriptor.MODE_WRITE_ONLY);
                 } catch (FileNotFoundException e) {
                     System.err.println("Error: Unable to open file: " + mProfileFile);
                     System.err.println("Consider using a file under /data/local/tmp/");
@@ -903,7 +903,7 @@ public class Am extends BaseCommand {
             fd = openForSystemServer(file,
                     ParcelFileDescriptor.MODE_CREATE |
                             ParcelFileDescriptor.MODE_TRUNCATE |
-                            ParcelFileDescriptor.MODE_READ_WRITE);
+                            ParcelFileDescriptor.MODE_WRITE_ONLY);
         } catch (FileNotFoundException e) {
             System.err.println("Error: Unable to open file: " + filename);
             System.err.println("Consider using a file under /data/local/tmp/");
@@ -992,7 +992,7 @@ public class Am extends BaseCommand {
                         new File(profileFile),
                         ParcelFileDescriptor.MODE_CREATE |
                         ParcelFileDescriptor.MODE_TRUNCATE |
-                        ParcelFileDescriptor.MODE_READ_WRITE);
+                        ParcelFileDescriptor.MODE_WRITE_ONLY);
             } catch (FileNotFoundException e) {
                 System.err.println("Error: Unable to open file: " + profileFile);
                 System.err.println("Consider using a file under /data/local/tmp/");
@@ -1052,7 +1052,7 @@ public class Am extends BaseCommand {
             fd = openForSystemServer(file,
                     ParcelFileDescriptor.MODE_CREATE |
                     ParcelFileDescriptor.MODE_TRUNCATE |
-                    ParcelFileDescriptor.MODE_READ_WRITE);
+                    ParcelFileDescriptor.MODE_WRITE_ONLY);
         } catch (FileNotFoundException e) {
             System.err.println("Error: Unable to open file: " + heapFile);
             System.err.println("Consider using a file under /data/local/tmp/");
author	Nick Kralevich <nnk@google.com>	2016-03-03 15:20:39 -0800
committer	Nick Kralevich <nnk@google.com>	2016-03-03 15:24:29 -0800
commit	bb8b4814df6123b9a411ff7224a35761def9ece7 (patch)
tree	87970320a545cd6e884a394f3759ef8b467fa4a1 /cmds/am
parent	2e54da0d4af2decb2f9a9bd007132ae401e4b11d (diff)