From b9f438ff841f87c8ffbca85b13a533718a18e15f Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Thu, 6 Aug 2015 11:39:44 -0700
Subject: [PATCH] Protect runtime storage mount points.

We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.

This series of changes just bumps the directory hierarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.

Also add CTS tests to verify that we're protecting access to
internal mount points like this.

Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
---
 rootdir/init.rc | 17 +++++++++--------
 sdcard/sdcard.c |  8 ++++----
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 9019b1f7a5..b71908c0e2 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -69,16 +69,17 @@ on init
 
     # Storage views to support runtime permissions
     mkdir /storage 0755 root root
-    mkdir /mnt/runtime_default 0755 root root
-    mkdir /mnt/runtime_default/self 0755 root root
-    mkdir /mnt/runtime_read 0755 root root
-    mkdir /mnt/runtime_read/self 0755 root root
-    mkdir /mnt/runtime_write 0755 root root
-    mkdir /mnt/runtime_write/self 0755 root root
+    mkdir /mnt/runtime 0700 root root
+    mkdir /mnt/runtime/default 0755 root root
+    mkdir /mnt/runtime/default/self 0755 root root
+    mkdir /mnt/runtime/read 0755 root root
+    mkdir /mnt/runtime/read/self 0755 root root
+    mkdir /mnt/runtime/write 0755 root root
+    mkdir /mnt/runtime/write/self 0755 root root
 
     # Symlink to keep legacy apps working in multi-user world
     symlink /storage/self/primary /sdcard
-    symlink /mnt/user/0/primary /mnt/runtime_default/self/primary
+    symlink /mnt/user/0/primary /mnt/runtime/default/self/primary
 
     # memory control cgroup
     mkdir /dev/memcg 0700 root system
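Review bot: The 0700 mode on `/mnt/runtime` (the new mkdir at the top of this hunk) is a DAC-only barrier: it stops unprivileged UIDs from traversing into the default/read/write views, but a root-UID process or one holding CAP_DAC_READ_SEARCH/CAP_DAC_OVERRIDE walks through it unchanged, and nothing in this patch assigns the directory an SELinux file context. If the policy side lives in a sibling change that is fine, but the mode deserves an explanatory comment so it is not relaxed back to 0755 later: `# 0700: the raw FUSE views under /mnt/runtime must only be reached through the per-app bind mount on /storage, never by direct path`. The bind mount that re-exposes the default view is in the post-fs section, outside this hunk.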
@@ -216,7 +217,7 @@ on post-fs
     # Mount shared so changes propagate into child namespaces
     mount rootfs rootfs / shared rec
     # Mount default storage into root namespace
-    mount none /mnt/runtime_default /storage slave bind rec
+    mount none /mnt/runtime/default /storage slave bind rec
 
     # We chown/chmod /cache again so because mount is run as root + defaults
     chown system cache /cache
diff --git a/sdcard/sdcard.c b/sdcard/sdcard.c
index 41bf0454f9..a79e2ddce5 100644
--- a/sdcard/sdcard.c
+++ b/sdcard/sdcard.c
@@ -1735,7 +1735,7 @@ static int usage() {
             "    -g: specify GID to run as\n"
             "    -U: specify user ID that owns device\n"
             "    -m: source_path is multi-user\n"
-            "    -w: runtime_write mount has full write access\n"
+            "    -w: runtime write mount has full write access\n"
             "\n");
     return 1;
 }
@@ -1822,9 +1822,9 @@ static void run(const char* source_path, const char* label, uid_t uid,
     global.fuse_read = &fuse_read;
     global.fuse_write = &fuse_write;
 
-    snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime_default/%s", label);
-    snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime_read/%s", label);
-    snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime_write/%s", label);
+    snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label);
+    snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime/read/%s", label);
+    snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime/write/%s", label);
 
     handler_default.fuse = &fuse_default;
     handler_read.fuse = &fuse_read;
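Review bot: The three snprintf() calls on the new lines never check for truncation, so a `label` long enough to push the path past PATH_MAX silently yields a clipped dest_path and the FUSE view would be mounted at a path other than the one intended; label appears to arrive from the command line, which is not visible here. The bound should also be `sizeof(x.dest_path)` rather than the bare PATH_MAX so it tracks the field's declaration. I would reject an over-long label up front, using whatever error reporting run() already uses (ERROR() and exit(1) are assumed below and should be adjusted to match). run() starts and ends outside this hunk.

```c
    /* … unchanged: global.fuse_* wiring … */
    const char *const view_dirs[] = { "default", "read", "write" };
    char *const dest_paths[] = { fuse_default.dest_path, fuse_read.dest_path, fuse_write.dest_path };
    for (size_t i = 0; i < 3; i++) {
        int n = snprintf(dest_paths[i], sizeof(fuse_default.dest_path),
                         "/mnt/runtime/%s/%s", view_dirs[i], label);
        if (n < 0 || (size_t)n >= sizeof(fuse_default.dest_path)) {
            ERROR("label '%s' makes the /mnt/runtime/%s mount path too long\n", label, view_dirs[i]);
            exit(1);
        }
    }
    /* … unchanged: handler_*.fuse assignments … */
```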
-- 
GitLab