Harden /mnt/{user,installer} permission bits
These paths previously had 0755 permission bits
(/mnt/installer got its bits from the /mnt/user bind mount).
With such permissive bits, an unauthorized app can access a file using
the /mnt/installer path for instance even if access via /storage
would have been restricted.
In init.rc we create /mnt/user with 0755 initially, this is to keep
/sdcard working without FUSE. When mounting a FUSE filesystem, we
enusure in vold that /mnt/user is changed to 0700
Bug: 135341433
Test: adb shell ls -d /mnt/{user, installer}
Change-Id: Id387e34c5fd257858861246ad51486892653fb3a
diff --git a/Utils.cpp b/Utils.cpp
index a66e33c..202b98d 100644
--- a/Utils.cpp
+++ b/Utils.cpp
@@ -1017,13 +1017,20 @@
std::string pass_through_path(
StringPrintf("%s/%s", pre_pass_through_path.c_str(), relative_upper_path.c_str()));
- // Create directories.
+ // Ensure that /mnt/user is 0700. With FUSE, apps don't need access to /mnt/user paths directly.
+ // Without FUSE however, apps need /mnt/user access so /mnt/user in init.rc is 0755 until here
+ auto result = PrepareDir("/mnt/user", 0700, AID_ROOT, AID_ROOT);
+ if (result != android::OK) {
+ PLOG(ERROR) << "Failed to prepare directory /mnt/user";
+ return -1;
+ }
+
// Shell is neither AID_ROOT nor AID_EVERYBODY. Since it equally needs 'execute' access to
// /mnt/user/0 to 'adb shell ls /sdcard' for instance, we set the uid bit of /mnt/user/0 to
// AID_SHELL. This gives shell access along with apps running as group everybody (user 0 apps)
// These bits should be consistent with what is set in zygote in
// com_android_internal_os_Zygote#MountEmulatedStorage on volume bind mount during app fork
- auto result = PrepareDir(pre_fuse_path, 0710, user_id ? AID_ROOT : AID_SHELL,
+ result = PrepareDir(pre_fuse_path, 0710, user_id ? AID_ROOT : AID_SHELL,
multiuser_get_uid(user_id, AID_EVERYBODY));
if (result != android::OK) {
PLOG(ERROR) << "Failed to prepare directory " << pre_fuse_path;