From 5e801e7bd52d890583f44dffc41116c2dbc2a770 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti
Date: Wed, 22 Mar 2017 16:37:42 +0900
Subject: [PATCH] Make the xtables lock readable only by AID_RADIO and root.
Anyone who can read this file can call flock(..., LOCK_EX) on it, thereby blocking any future iptables commands from running. Restrict it to user AID_RADIO, which includes device-specific network management daemons, and group root.
Bug: 36108349
Test: see https://android-review.googlesource.com/#/c/348939/
Change-Id: I4dae4b5a835fabdc1a61a330e0446b39651f8156
---
 libcutils/fs_config.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libcutils/fs_config.c b/libcutils/fs_config.c
index f99519aed..568f0c381 100644
--- a/libcutils/fs_config.c
+++ b/libcutils/fs_config.c
@@ -160,6 +160,7 @@ static const struct fs_path_config android_files[] = {
 { 00555, AID_ROOT, AID_ROOT, 0, "system/etc/ppp/*" },
 { 00555, AID_ROOT, AID_ROOT, 0, "system/etc/rc.*" },
 { 00440, AID_ROOT, AID_ROOT, 0, "system/etc/recovery.img" },
+ { 00440, AID_RADIO, AID_ROOT, 0, "system/etc/xtables.lock" },
 { 00600, AID_ROOT, AID_ROOT, 0, "vendor/build.prop" },
 { 00600, AID_ROOT, AID_ROOT, 0, "vendor/default.prop" },
 { 00444, AID_ROOT, AID_ROOT, 0, ven_conf_dir + 1 },
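Review bot: The new xtables.lock entry carries no in-file explanation of why it is 00440 with owner AID_RADIO while the surrounding system/etc entries are world-readable, and the reason (a caller needs only an open descriptor, not write access, to take flock(LOCK_EX) on it, so read permission alone is enough to block iptables) lives only in the commit message; a comment on the line, e.g. `/* readable only by radio and root: any reader can flock() it and starve iptables */`, would keep a later cleanup from relaxing it to 00444. The entry is placed in the alphabetical run after system/etc/recovery.img, consistent with its neighbours. This table is a DAC control only; whether the path also has an SELinux label in file_contexts is not visible here and would be the complementary check to confirm. The android_files[] initializer begins and ends outside the hunk.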