Harden /mnt/{user,installer} permission bits

These paths previously had 0755 permission bits (/mnt/installer got its bits from the /mnt/user bind mount). With such permissive bits, an unauthorized app can access a file using the /mnt/installer path for instance even if access via /storage would have been restricted. In init.rc we create /mnt/user with 0755 initially, this is to keep /sdcard working without FUSE. When mounting a FUSE filesystem, we enusure in vold that /mnt/user is changed to 0700 Bug: 135341433 Test: adb shell ls -d /mnt/{user, installer} Change-Id: Id387e34c5fd257858861246ad51486892653fb3a
5 years ago · 1242be866c
parent e3d2051668
commit 1242be866c
1 changed files with 9 additions and 2 deletions
--- a/Utils.cpp
+++ b/Utils.cpp
@ -1017,13 +1017,20 @@ status_t MountUserFuse(userid_t user_id, const std::string& absolute_lower_path,
    std::string pass_through_path(
            StringPrintf("%s/%s", pre_pass_through_path.c_str(), relative_upper_path.c_str()));

-    // Create directories.
+    // Ensure that /mnt/user is 0700. With FUSE, apps don't need access to /mnt/user paths directly.
+    // Without FUSE however, apps need /mnt/user access so /mnt/user in init.rc is 0755 until here
+    auto result = PrepareDir("/mnt/user", 0700, AID_ROOT, AID_ROOT);
+    if (result != android::OK) {
+        PLOG(ERROR) << "Failed to prepare directory /mnt/user";
+        return -1;
+    }
+
    // Shell is neither AID_ROOT nor AID_EVERYBODY. Since it equally needs 'execute' access to
    // /mnt/user/0 to 'adb shell ls /sdcard' for instance, we set the uid bit of /mnt/user/0 to
    // AID_SHELL. This gives shell access along with apps running as group everybody (user 0 apps)
    // These bits should be consistent with what is set in zygote in
    // com_android_internal_os_Zygote#MountEmulatedStorage on volume bind mount during app fork
-    auto result = PrepareDir(pre_fuse_path, 0710, user_id ? AID_ROOT : AID_SHELL,
+    result = PrepareDir(pre_fuse_path, 0710, user_id ? AID_ROOT : AID_SHELL,
                             multiuser_get_uid(user_id, AID_EVERYBODY));
    if (result != android::OK) {
        PLOG(ERROR) << "Failed to prepare directory " << pre_fuse_path;