From 25889898006d17313fd56194282cf126a09c50b2 Mon Sep 17 00:00:00 2001
From: M66B
Date: Sat, 25 Jan 2014 20:49:46 +0100
Subject: [PATCH] Database file/folder permissions
---
 src/biz/bokhorst/xprivacy/PrivacyService.java | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/biz/bokhorst/xprivacy/PrivacyService.java b/src/biz/bokhorst/xprivacy/PrivacyService.java
index 2cef27581..bacc555b1 100644
--- a/src/biz/bokhorst/xprivacy/PrivacyService.java
+++ b/src/biz/bokhorst/xprivacy/PrivacyService.java
@@ -766,6 +766,7 @@ private static File getDbFile() {
 }
 public static void setupDatebase() {
+ // This is run from Zygote with root permissions
 try {
 // Move database from experimental location
 File folder = new File(Environment.getDataDirectory() + File.separator + "xprivacy");
@@ -780,11 +781,20 @@ public static void setupDatebase() {
 folder.delete();
 }
- // Set file permission
- Util.setPermission(getDbFile().getParentFile().getAbsolutePath(), 0771, -1, PrivacyManager.cAndroidUid);
- if (getDbFile().exists())
- Util.setPermission(getDbFile().getAbsolutePath(), 0770, -1, PrivacyManager.cAndroidUid);
- File journal = new File(getDbFile() + "-journal");
+ // Set application folder permission
+ // Owner: rwx (untouched)
+ // Group: rwx (set to system)
+ // World: --x
+ File dbFile = getDbFile();
+ Util.setPermission(dbFile.getParentFile().getAbsolutePath(), 0771, -1, PrivacyManager.cAndroidUid);
+
+ // Set database file permissions
+ // Owner: rwx (untouched)
+ // Group: rwx (set to system)
+ // World: ---
+ if (dbFile.exists())
+ Util.setPermission(dbFile.getAbsolutePath(), 0770, -1, PrivacyManager.cAndroidUid);
+ File journal = new File(dbFile + "-journal");
 if (journal.exists())
 Util.setPermission(journal.getAbsolutePath(), 0770, -1, PrivacyManager.cAndroidUid);
 } catch (Throwable ex) {
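Review bot: The database file and its journal are set to mode `0770` in the second hunk, which grants owner and group execute bits that a SQLite data file does not need; `Util.setPermission(dbFile.getAbsolutePath(), 0660, -1, PrivacyManager.cAndroidUid);` (and the same mode on the journal call) would keep read/write for owner and group and nothing else. The new comments say "Owner: rwx (untouched)", but the octal mode passed here presumably sets the owner bits as well, and what the `-1` argument appears to leave unchanged is the owner uid, so `// Owner: rwx (uid unchanged)` would be more accurate; Util.setPermission is not shown, so this needs confirming. Both file calls are guarded by `exists()`, and the last hunk removes the post-open `setPermission` call in getDatabase(), so a database or journal created after this Zygote-time setup seems to keep whatever mode and group its creating process applies; it is worth confirming that this default is no wider than the 0770 intended here. setupDatebase() begins and ends outside this hunk.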
@@ -831,9 +841,6 @@ private static SQLiteDatabase getDatabase() { } } - if (dbFile.exists()) - Util.setPermission(dbFile.getAbsolutePath(), 0775, -1, PrivacyManager.cAndroidUid); - Util.log(null, Log.WARN, "Database version=" + db.getVersion()); mDatabase = db; }