From 1bd078fa7b5ca613cb3e793d67ccd86d2602787d Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Thu, 6 Aug 2015 11:40:00 -0700
Subject: [PATCH] Protect runtime storage mount points.

We have a bunch of magic that mounts the correct view of storage access based on the runtime permissions of an app, but we forgot to protect the real underlying data sources; oops. This series of changes just bumps the directory heirarchy one level to give us /mnt/runtime which we can mask off as 0700 to prevent people from jumping to the exposed internals. Also add CTS tests to verify that we're protecting access to internal mount points like this.

Bug: 22964288
Change-Id: I83f09f0423f4993e766273c50389dd29b1c50589
---
 EmulatedVolume.cpp | 6 +++---
 PublicVolume.cpp | 6 +++---
 VolumeManager.cpp | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/EmulatedVolume.cpp b/EmulatedVolume.cpp
index f1ca97b..6e440cc 100644
--- a/EmulatedVolume.cpp
+++ b/EmulatedVolume.cpp
@@ -61,9 +61,9 @@ status_t EmulatedVolume::doMount() {
 label = "emulated";
 }
- mFuseDefault = StringPrintf("/mnt/runtime_default/%s", label.c_str());
- mFuseRead = StringPrintf("/mnt/runtime_read/%s", label.c_str());
- mFuseWrite = StringPrintf("/mnt/runtime_write/%s", label.c_str());
+ mFuseDefault = StringPrintf("/mnt/runtime/default/%s", label.c_str());
+ mFuseRead = StringPrintf("/mnt/runtime/read/%s", label.c_str());
+ mFuseWrite = StringPrintf("/mnt/runtime/write/%s", label.c_str());
 setInternalPath(mRawPath);
 setPath(StringPrintf("/storage/%s", label.c_str()));
diff --git a/PublicVolume.cpp b/PublicVolume.cpp
index 2a93213..eb550c3 100644
--- a/PublicVolume.cpp
+++ b/PublicVolume.cpp
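Review bot: The three view roots `/mnt/runtime/default`, `/mnt/runtime/read` and `/mnt/runtime/write` are written out as string literals in EmulatedVolume::doMount, and again in the PublicVolume::doMount and VolumeManager::remountUid hunks. The side that mounts the views and the side that bind-mounts from them therefore only agree while every copy is edited together. The protection described in the commit message depends on all of them sitting under the one masked parent, so I would define that parent once in a shared header, e.g. `static constexpr const char* kRuntimeRoot = "/mnt/runtime";` (the name is only a suggestion), and build the three paths from it. doMount's body starts and ends outside the hunk, so how the per-label directories are created is not visible here.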
@@ -112,9 +112,9 @@ status_t PublicVolume::doMount() {
 mRawPath = StringPrintf("/mnt/media_rw/%s", stableName.c_str());
- mFuseDefault = StringPrintf("/mnt/runtime_default/%s", stableName.c_str());
- mFuseRead = StringPrintf("/mnt/runtime_read/%s", stableName.c_str());
- mFuseWrite = StringPrintf("/mnt/runtime_write/%s", stableName.c_str());
+ mFuseDefault = StringPrintf("/mnt/runtime/default/%s", stableName.c_str());
+ mFuseRead = StringPrintf("/mnt/runtime/read/%s", stableName.c_str());
+ mFuseWrite = StringPrintf("/mnt/runtime/write/%s", stableName.c_str());
 setInternalPath(mRawPath);
 if (getMountFlags() & MountFlags::kVisible) {
diff --git a/VolumeManager.cpp b/VolumeManager.cpp
index ddb7517..ce355df 100755
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@@ -580,11 +580,11 @@ int VolumeManager::remountUid(uid_t uid, const std::string& mode) {
 std::string storageSource;
 if (mode == "default") {
- storageSource = "/mnt/runtime_default";
+ storageSource = "/mnt/runtime/default";
 } else if (mode == "read") {
- storageSource = "/mnt/runtime_read";
+ storageSource = "/mnt/runtime/read";
 } else if (mode == "write") {
- storageSource = "/mnt/runtime_write";
+ storageSource = "/mnt/runtime/write";
 } else {
 // Sane default of no storage visible
 _exit(0);
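Review bot: Nothing in remountUid, or in the two doMount hunks, creates `/mnt/runtime` or checks its mode. The 0700 mask the commit message relies on is presumably applied by another change in the series that is not visible in this patch. I would record that dependency above the `if (mode == "default")` chain with a comment such as `// Sources live under /mnt/runtime, which must stay 0700 so apps cannot traverse to the raw views directly.`. As defence in depth, a `stat()` of the parent that logs when any group/other permission bit is set would surface a regression in whatever creates the directory. remountUid's body starts and ends outside the hunk, so the mount call that consumes `storageSource` is not shown here.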