From 06b0cafb29d1b6b968534c19aeb0815b0beb7c48 Mon Sep 17 00:00:00 2001
From: Zim
Date: Sun, 5 Jan 2020 02:11:47 +0000
Subject: [PATCH] Fix /mnt/user/ permission bits

Previously, when mounting a FUSE volume, the permission bits for /mnt/user/ were very strict, 700 which was good, however this value was ignored because it was overriden in zygote to 755. In fact if it wasn't ignored, apps wouldn't have had access to /sdcard becase they would lack the directory 'execute' bit for /mnt/user/ needed while looking up /mnt/user//emulated Now we set it to a strict enough value, 710 that only allows apps running under the same user id to lookup /mnt/user/. This ensures that user 10 cannot access /mnt/user/0. A special case is added for /mnt/user/0 for shell since it is not in the 'everybody' group and would otherwise not be able to 'adb shell ls /sdcard'
Bug: 135341433
Test: atest -c android.appsecurity.cts.ExternalStorageHostTest#testSecondaryUsersInaccessible
Change-Id: Ia427d1b69c7140254ae3459b98e51531d8322f1a
---
 Utils.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Utils.cpp b/Utils.cpp
index 67c48ad..968f22f 100644
--- a/Utils.cpp
+++ b/Utils.cpp
@@ -1021,7 +1021,13 @@ status_t MountUserFuse(userid_t user_id, const std::string& absolute_lower_path,
 StringPrintf("/mnt/runtime/full/%s", relative_upper_path.c_str()));
 // Create directories.
- auto result = PrepareDir(pre_fuse_path, 0700, AID_ROOT, AID_ROOT);
+ // Shell is neither AID_ROOT nor AID_EVERYBODY. Since it equally needs 'execute' access to
+ // /mnt/user/0 to 'adb shell ls /sdcard' for instance, we set the uid bit of /mnt/user/0 to
+ // AID_SHELL. This gives shell access along with apps running as group everybody (user 0 apps)
+ // These bits should be consistent with what is set in zygote in
+ // com_android_internal_os_Zygote#MountEmulatedStorage on volume bind mount during app fork
+ auto result = PrepareDir(pre_fuse_path, 0710, user_id ? AID_ROOT : AID_SHELL,
+ multiuser_get_uid(user_id, AID_EVERYBODY));
 if (result != android::OK) {
 PLOG(ERROR) << "Failed to prepare directory " << pre_fuse_path;
 return -1;
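Review bot: Making AID_SHELL the owner of /mnt/user/0 with mode 0710 grants shell write permission on that directory, although the new comment only claims shell needs 'execute' (search) access to run `adb shell ls /sdcard`; if nothing running as shell has to create or rename entries under /mnt/user/0, `0510` for the user-0 case would match the stated need, while root, which owns the other users' directories and normally bypasses DAC bits, is unaffected. Whether that is safe depends on what is later created under pre_fuse_path and by whom, which is outside this hunk, so please confirm before tightening it. The comment's phrase 'the uid bit of /mnt/user/0' reads like a setuid bit; `// ... we make AID_SHELL the owner of /mnt/user/0` says what the code does. The 0710 value is also duplicated with the zygote side the comment points to; naming it (e.g. a `constexpr mode_t` near the top of the file) would make the 'should be consistent' requirement greppable. MountUserFuse starts before and continues after this hunk.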