From d30027e387f6a201813da9ffea25be1fa93a430a Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Thu, 26 Mar 2026 08:18:44 +0000
Subject: [PATCH] fix(cc-eventlog): restrict runtime event log permissions
---
 cc-eventlog/src/runtime_events.rs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/cc-eventlog/src/runtime_events.rs b/cc-eventlog/src/runtime_events.rs
index ace6cd970..fa948f36c 100644
--- a/cc-eventlog/src/runtime_events.rs
+++ b/cc-eventlog/src/runtime_events.rs
@@ -64,9 +64,18 @@ impl RuntimeEvent {
 .context("failed to get event log directory")?;
 fs::create_dir_all(logfile_dir).context("failed to create event log directory")?;
- let mut logfile = fs::OpenOptions::new()
- .append(true)
- .create(true)
+ let mut options = fs::OpenOptions::new();
+ options.append(true).create(true);
+
+ // Restrict runtime event log visibility and writability to the owner (root).
+ // This avoids other processes in the CVM tampering with or reading the log.
+ #[cfg(unix)]
+ {
+ use fs_err::os::unix::fs::OpenOptionsExt;
+ options.mode(0o600);
+ }
+
+ let mut logfile = options
 .open(logfile_path)
 .context("failed to open event log file")?;
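Review bot: `options.mode(0o600)` only takes effect when `open` actually creates the file, so a log that already exists at `logfile_path` (for example one written before this change with the default umask-derived mode) keeps its old permissions and stays readable by other users. To make the restriction hold on every append, tighten the mode on the opened handle as well, under the same `#[cfg(unix)]`: `use std::os::unix::fs::PermissionsExt;` followed by `logfile.set_permissions(std::fs::Permissions::from_mode(0o600)).context("failed to restrict event log permissions")?;`. The directory made by `create_dir_all` just above still gets default permissions, and the comment's "owner (root)" holds only if the process runs as root and the file was not pre-created by another user; both are worth confirming where the path is chosen, which is outside this hunk. The enclosing function starts before the hunk and continues past it.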