From 607c0b795ceac7d73f9b8b1c3e14e88e9c237e43 Mon Sep 17 00:00:00 2001 From: Colin Cross Date: Wed, 31 Mar 2021 12:54:06 -0700 Subject: [PATCH] Fix multiple copies of read-only files in sbox Sbox preserves the permissions of input files when copying them into the sandbox. A read-only file copied into the sandbox multiple times causes a permission denied error on the second write. Building in Bazel results in more read-only files, which triggers the issue on existing sbox rules with duplicate input files. Remove the destination file when copying if it exists. Bug: 184113103 Test: m USE_BAZEL=true Change-Id: I7edf92d82b766100e3cbbd90d22428269d7d0167
---
 cmd/sbox/sbox.go | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/cmd/sbox/sbox.go b/cmd/sbox/sbox.go
index fcc80a94e..7bd086882 100644
--- a/cmd/sbox/sbox.go
+++ b/cmd/sbox/sbox.go
@@ -387,6 +387,14 @@ func copyOneFile(from string, to string, executable bool) error {
 }
 defer in.Close()
 
+ // Remove the target before copying. In most cases the file won't exist, but if there are
+ // duplicate copy rules for a file and the source file was read-only the second copy could
+ // fail.
+ err = os.Remove(to)
+ if err != nil && !os.IsNotExist(err) {
+ return err
+ }
+
 out, err := os.Create(to)
 if err != nil {
 return err
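Review bot: The added `os.Remove(to)` is followed by the unchanged `os.Create(to)`, which opens with O_TRUNC and follows symlinks, so the remove-then-create pair is only sound if nothing can recreate `to` between the two calls. Because the target is now expected to be absent, creating it exclusively would turn any reappearance into an error rather than a write into whatever is at that path: `out, err := os.OpenFile(to, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)`. That assumes copies into one sandbox run sequentially, which the hunk does not show; if they can run concurrently, the exclusive create would need a retry or the duplicates should be de-duplicated by the caller. `os.Remove` also deletes an empty directory at `to`, so the comment should say whether that is intended, e.g. `// Note: this also removes an empty directory at the destination.` copyOneFile starts and ends outside the hunk.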