fix: File system permissions for prog_dir

Privacy Sandbox Team · copybara-github · commit 91189d55be76 · 2025-01-09T11:24:03.000-08:00
Bug: N/A
Change-Id: Icd095562f7ddee2a534459890ad92fe8eec85a9a
GitOrigin-RevId: 15f11b99e0094385af2c63cde7ce0b79737ade20
diff --git a/src/roma/byob/container/run_workers.cc b/src/roma/byob/container/run_workers.cc
@@ -428,6 +428,14 @@ class WorkerRunner final : public WorkerRunnerService::Service {
       return absl::InternalError(absl::StrCat(
           "Failed to create ", binary_dir.native(), ": ", ec.message()));
     }
+    std::error_code ec;
+    if (std::filesystem::permissions(binary_dir,
+                                     std::filesystem::perms::owner_all, ec);
+        ec) {
+      return absl::InternalError(
+          absl::StrCat("Failed to modify permissions for ", binary_dir.native(),
+                       ": ", ec.message()));
+    }
     std::filesystem::path binary_path = binary_dir / *kBinaryExe;
     if (request.has_binary_content()) {
       PS_RETURN_IF_ERROR(SaveNewBinary(binary_path, request.binary_content()));
@@ -561,6 +569,13 @@ int main(int argc, char** argv) {
     LOG(ERROR) << "Failed to create " << prog_dir << ": " << ec;
     return -1;
   }
+  std::error_code ec;
+  if (std::filesystem::permissions(prog_dir, std::filesystem::perms::owner_all,
+                                   ec);
+      ec) {
+    LOG(ERROR) << "Failed to modify permission for " << prog_dir << ": " << ec;
+    return -1;
+  }
   absl::Cleanup progdir_cleanup = [&prog_dir] {
     if (absl::Status status =
             ::privacy_sandbox::server_common::byob::RemoveDirectories(prog_dir);
