
Commit b9f438ff authored by Jeff Sharkey's avatar Jeff Sharkey

Protect runtime storage mount points.

We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.

This series of changes just bumps the directory hierarchy one level
to give us /mnt/runtime, which we can mask off as 0700 to prevent
people from jumping to the exposed internals.

Also add CTS tests to verify that we're protecting access to
internal mount points like this.

Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
parent d57125af
+9 −8
@@ -69,16 +69,17 @@ on init

    # Storage views to support runtime permissions
    mkdir /storage 0755 root root
    mkdir /mnt/runtime_default 0755 root root
    mkdir /mnt/runtime_default/self 0755 root root
    mkdir /mnt/runtime_read 0755 root root
    mkdir /mnt/runtime_read/self 0755 root root
    mkdir /mnt/runtime_write 0755 root root
    mkdir /mnt/runtime_write/self 0755 root root
    mkdir /mnt/runtime 0700 root root
    mkdir /mnt/runtime/default 0755 root root
    mkdir /mnt/runtime/default/self 0755 root root
    mkdir /mnt/runtime/read 0755 root root
    mkdir /mnt/runtime/read/self 0755 root root
    mkdir /mnt/runtime/write 0755 root root
    mkdir /mnt/runtime/write/self 0755 root root

    # Symlink to keep legacy apps working in multi-user world
    symlink /storage/self/primary /sdcard
    symlink /mnt/user/0/primary /mnt/runtime_default/self/primary
    symlink /mnt/user/0/primary /mnt/runtime/default/self/primary

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
@@ -216,7 +217,7 @@ on post-fs
    # Mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec
    # Mount default storage into root namespace
    mount none /mnt/runtime_default /storage slave bind rec
    mount none /mnt/runtime/default /storage slave bind rec

    # We chown/chmod /cache again so because mount is run as root + defaults
    chown system cache /cache
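Review bot: The `mkdir /mnt/runtime 0700 root root` line is the security-relevant part of this section, but the block comment above it ("Storage views to support runtime permissions") does not say why the parent is 0700 while every child view below it stays 0755, so a later edit could loosen it without noticing. Suggest a comment directly above that line: `# /mnt/runtime must stay 0700: it holds the raw per-permission views that are bind-mounted into app namespaces, and a wider mode lets a process walk past its own view.` The post-fs hunk bind-mounts only the default view onto /storage, which is consistent with the old code; the read/write views are presumably attached elsewhere, outside these hunks. The on init section continues outside the hunk.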
+4 −4
@@ -1735,7 +1735,7 @@ static int usage() {
            "    -g: specify GID to run as\n"
            "    -U: specify user ID that owns device\n"
            "    -m: source_path is multi-user\n"
            "    -w: runtime_write mount has full write access\n"
            "    -w: runtime write mount has full write access\n"
            "\n");
    return 1;
}
@@ -1822,9 +1822,9 @@ static void run(const char* source_path, const char* label, uid_t uid,
    global.fuse_read = &fuse_read;
    global.fuse_write = &fuse_write;

    snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime_default/%s", label);
    snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime_read/%s", label);
    snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime_write/%s", label);
    snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label);
    snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime/read/%s", label);
    snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime/write/%s", label);

    handler_default.fuse = &fuse_default;
    handler_read.fuse = &fuse_read;
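Review bot: The three snprintf calls that build the new /mnt/runtime/… dest_path values still discard their return value, so a label long enough to exceed PATH_MAX yields a silently truncated path and the view would be mounted somewhere other than the intended directory under the now-protected /mnt/runtime. As far as the signature shows, label arrives from the caller (presumably command-line parsing, outside the hunk), so it should not be trusted to be short. Each call should be checked, e.g. `if (snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label) >= PATH_MAX) { /* fail: truncated mount target */ }` and likewise for the read and write paths; passing `sizeof fuse_default.dest_path` instead of PATH_MAX would also tie the bound to the buffer's actual declaration, which is not visible here. run()'s body continues outside the hunk.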