!1268 限制dev/pids.的权限other 不可读

Merge pull request !1268 from 樊景乐/master
2024-11-23 07:00:17 +00:00 · 2024-07-12 10:10:54 +00:00 · 2024-07-12 10:10:54 +00:00 · 27ae29effd
commit 27ae29effd
parent c85d3faad3 f949b371cf
2 changed files with 4 additions and 4 deletions
--- a/appspawn.cfg
+++ b/appspawn.cfg
@ -17,9 +17,9 @@
                "chown root appspawn /dev/pids",
                "chown root appspawn /dev/pids/tasks",
                "chown root appspawn /dev/pids/cgroup.procs",
-                "chmod 0755 /dev/pids",
-                "chmod 0755 /dev/pids/tasks",
-                "chmod 0755 /dev/pids/cgroup.procs"
+                "chmod 0750 /dev/pids",
+                "chmod 0750 /dev/pids/tasks",
+                "chmod 0750 /dev/pids/cgroup.procs"
            ]
        }
    ],
--- a/modules/common/appspawn_cgroup.c
+++ b/modules/common/appspawn_cgroup.c
@ -194,7 +194,7 @@ static int ProcessMgrAddApp(const AppSpawnMgr *content, const AppSpawnedProcessI
    APPSPAWN_LOGV("ProcessMgrAddApp %{public}d %{public}d to cgroup ", appInfo->pid, appInfo->uid);
    int ret = GetCgroupPath(appInfo, path, sizeof(path));
    APPSPAWN_CHECK(ret == 0, return -1, "Failed to get real path errno: %{public}d", errno);
-    (void)CreateSandboxDir(path, 0755);  // 0755 default mode
+    (void)CreateSandboxDir(path, 0750);  // 0750 default mode
    uint32_t pathLen = strlen(path);
    ret = strcat_s(path, sizeof(path), "cgroup.procs");
    APPSPAWN_CHECK(ret == 0, return ret, "Failed to strcat_s errno: %{public}d", errno);