From 26a93ec411098bf29fa8ebe9b84940f8c9455423 Mon Sep 17 00:00:00 2001
From: chenjiayi <chenjiayi22@huawei.com>
Date: Tue, 31 Oct 2023 20:24:30 +0800
Subject: [PATCH 014/103] fix(devmaster): adjust temporary file permissions

Adjust temporary file permissions.
---
 exts/devmaster/src/lib/rules/node.rs | 10 +++++++++-
 libs/device/src/device.rs            | 22 +++++++++++++++++++---
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/exts/devmaster/src/lib/rules/node.rs b/exts/devmaster/src/lib/rules/node.rs
index 45b8b36b..9fba906e 100644
--- a/exts/devmaster/src/lib/rules/node.rs
+++ b/exts/devmaster/src/lib/rules/node.rs
@@ -33,7 +33,7 @@
 //! directory, the directory will be removed.
 
 use crate::{error::*, log_dev, log_dev_option};
-use basic::fs_util::path_simplify;
+use basic::fs_util::{chmod, path_simplify};
 use basic::fs_util::{fchmod_and_chown, futimens_opath, symlink};
 use basic::{fd_util::xopendirat, fs_util::remove_dir_until};
 use cluFlock::ExclusiveFlock;
@@ -355,6 +355,14 @@ pub(crate) fn open_prior_dir(symlink: &str) -> Result<(Dir, File)> {
         })
         .log_error(&format!("failed to create directory all '{}'", dirname))?;
 
+    if let Err(e) = chmod(dirname.as_str(), 0o750) {
+        log::error!("Failed to set permission for {}: {}", &dirname, e);
+    }
+
+    if let Err(e) = chmod("/run/devmaster/links", 0o750) {
+        log::error!("Failed to set permission for /run/devmaster/links: {}", e);
+    }
+
     let dir = nix::dir::Dir::from_fd(
         nix::fcntl::open(
             dirname.as_str(),
diff --git a/libs/device/src/device.rs b/libs/device/src/device.rs
index 5b1eff1f..5a95e0f5 100644
--- a/libs/device/src/device.rs
+++ b/libs/device/src/device.rs
@@ -15,7 +15,7 @@
 use crate::err_wrapper;
 use crate::utils::readlink_value;
 use crate::{error::*, DeviceAction};
-use basic::fs_util::{open_temporary, touch_file};
+use basic::fs_util::{chmod, open_temporary, touch_file};
 use basic::parse::{device_path_parse_devnum, parse_devnum, parse_ifindex};
 use libc::{
     dev_t, faccessat, gid_t, mode_t, uid_t, F_OK, S_IFBLK, S_IFCHR, S_IFDIR, S_IFLNK, S_IFMT,
@@ -1532,6 +1532,10 @@ impl Device {
                 .map_or_else(|| nix::Error::EIO, nix::Error::from_i32),
         })?;
 
+        if let Err(e) = chmod(DB_BASE_DIR, 0o750) {
+            log::error!("Failed to set permission for /run/devmaster/data/: {}", e);
+        }
+
         let (mut file, tmp_file) = open_temporary(&db_path).map_err(|e| {
             let errno = match e {
                 basic::error::Error::Nix { source } => source,
@@ -1546,9 +1550,9 @@ impl Device {
         fchmod(
             file.as_raw_fd(),
             if *self.db_persist.borrow() {
-                Mode::from_bits(0o1644).unwrap()
+                Mode::from_bits(0o1640).unwrap()
             } else {
-                Mode::from_bits(0o644).unwrap()
+                Mode::from_bits(0o640).unwrap()
             },
         )
         .map_err(|e| {
@@ -1697,6 +1701,18 @@ impl Device {
                 source: nix::Error::EINVAL,
             })?;
 
+            if let Err(e) = chmod(TAGS_BASE_DIR, 0o750) {
+                log::error!("Failed to set permission for {}: {}", TAGS_BASE_DIR, e);
+            }
+
+            if let Err(e) = chmod(&format!("{}{}", TAGS_BASE_DIR, tag), 0o750) {
+                log::error!(
+                    "Failed to set permission for {}: {}",
+                    format!("{}{}", TAGS_BASE_DIR, tag),
+                    e
+                );
+            }
+
             return Ok(());
         }
 
-- 
2.33.0