Merge "Harden /mnt/{user,installer} permission bits"
This commit is contained in:
commit
7ca3481d92
1 changed files with 9 additions and 2 deletions
11
Utils.cpp
11
Utils.cpp
|
@ -1017,13 +1017,20 @@ status_t MountUserFuse(userid_t user_id, const std::string& absolute_lower_path,
|
|||
std::string pass_through_path(
|
||||
StringPrintf("%s/%s", pre_pass_through_path.c_str(), relative_upper_path.c_str()));
|
||||
|
||||
// Create directories.
|
||||
// Ensure that /mnt/user is 0700. With FUSE, apps don't need access to /mnt/user paths directly.
|
||||
// Without FUSE however, apps need /mnt/user access so /mnt/user in init.rc is 0755 until here
|
||||
auto result = PrepareDir("/mnt/user", 0700, AID_ROOT, AID_ROOT);
|
||||
if (result != android::OK) {
|
||||
PLOG(ERROR) << "Failed to prepare directory /mnt/user";
|
||||
return -1;
|
||||
}
|
||||
|
||||
// Shell is neither AID_ROOT nor AID_EVERYBODY. Since it equally needs 'execute' access to
|
||||
// /mnt/user/0 to 'adb shell ls /sdcard' for instance, we set the uid bit of /mnt/user/0 to
|
||||
// AID_SHELL. This gives shell access along with apps running as group everybody (user 0 apps)
|
||||
// These bits should be consistent with what is set in zygote in
|
||||
// com_android_internal_os_Zygote#MountEmulatedStorage on volume bind mount during app fork
|
||||
auto result = PrepareDir(pre_fuse_path, 0710, user_id ? AID_ROOT : AID_SHELL,
|
||||
result = PrepareDir(pre_fuse_path, 0710, user_id ? AID_ROOT : AID_SHELL,
|
||||
multiuser_get_uid(user_id, AID_EVERYBODY));
|
||||
if (result != android::OK) {
|
||||
PLOG(ERROR) << "Failed to prepare directory " << pre_fuse_path;
|
||||
|
|
Loading…
Reference in a new issue