Fix multiple copies of read-only files in sbox

Sbox preserves the permissions of input files when copying them into the
sandbox. A read-only file copied into the sandbox multiple times causes
a permission denied error on the second write. Building in Bazel results
in more read-only files, which triggers the issue on existing sbox rules
with duplicate input files. Remove the destination file when copying if
it exists.

Bug: 184113103
Test: m USE_BAZEL=true
Change-Id: I7edf92d82b766100e3cbbd90d22428269d7d0167
diff --git a/cmd/sbox/sbox.go b/cmd/sbox/sbox.go
index fcc80a9..7bd0868 100644
--- a/cmd/sbox/sbox.go
+++ b/cmd/sbox/sbox.go
@@ -387,6 +387,14 @@
}
defer in.Close()
+ // Remove the target before copying. In most cases the file won't exist, but if there are
+ // duplicate copy rules for a file and the source file was read-only the second copy could
+ // fail.
+ err = os.Remove(to)
+ if err != nil && !os.IsNotExist(err) {
+ return err
+ }
+
out, err := os.Create(to)
if err != nil {
return err
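Review bot: The unconditional `os.Remove(to)` ahead of `os.Create(to)` lets any second copy onto the same destination succeed whatever its source was, so two copy rules that map different inputs to one sandbox path resolve as last-writer-wins with no diagnostic, and the permission error that used to surface this for read-only files is gone. If duplicates are only expected for the same source, consider deduplicating the copy list before this point, or comparing the source before removing and failing on a mismatch. Two smaller points: `os.Remove` also deletes an empty directory at `to`, which may not be intended here, and the bare `return err` after the remove is hard to tell apart from the `os.Create` failure just below; wrapping it, for example `fmt.Errorf("removing %q before copy: %w", to, err)`, would make the failing step clear.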