Zygote: remount /system nosuid/nodev
Android no longer has any setuid / setgid programs accessible
to zygote. Make sure /system is remounted nosuid and nodev
for zygote spawned processes.
We use mount namespaces to make sure these changes are
only visible to zygote spawned processes. We continue to need
/system mounted with suid to support /system/bin/run-as.
See also: b/8253345
Change-Id: Ib58a8d56b42e4b022b6b4e51932f0a415298c920
diff --git a/vm/Init.cpp b/vm/Init.cpp
index 11d884e..35c1085 100644
--- a/vm/Init.cpp
+++ b/vm/Init.cpp
@@ -1629,6 +1629,33 @@
return true;
}
+/*
+ * Copied and modified slightly from system/core/toolbox/mount.c
+ */
+static std::string getMountsDevDir(const char *arg)
+{
+ char mount_dev[256];
+ char mount_dir[256];
+ int match;
+
+ FILE *fp = fopen("/proc/self/mounts", "r");
+ if (fp == NULL) {
+ ALOGE("Could not open /proc/self/mounts: %s", strerror(errno));
+ return "";
+ }
+
+ while ((match = fscanf(fp, "%255s %255s %*s %*s %*d %*d\n", mount_dev, mount_dir)) != EOF) {
+ mount_dev[255] = 0;
+ mount_dir[255] = 0;
+ if (match == 2 && (strcmp(arg, mount_dir) == 0)) {
+ fclose(fp);
+ return mount_dev;
+ }
+ }
+
+ fclose(fp);
+ return "";
+}
/*
* Do zygote-mode-only initialization.
@@ -1664,6 +1691,26 @@
}
}
+ // Mark /system as NOSUID | NODEV
+ const char* android_root = getenv("ANDROID_ROOT");
+
+ if (android_root == NULL) {
+ SLOGE("environment variable ANDROID_ROOT does not exist?!?!");
+ return -1;
+ }
+
+ std::string mountDev(getMountsDevDir(android_root));
+ if (mountDev.empty()) {
+ SLOGE("Unable to find mount point for %s", android_root);
+ return -1;
+ }
+
+ if (mount(mountDev.c_str(), android_root, "none",
+ MS_REMOUNT | MS_NOSUID | MS_NODEV | MS_RDONLY | MS_BIND, NULL) == -1) {
+ SLOGE("Remount of %s failed: %s", android_root, strerror(errno));
+ return -1;
+ }
+
return true;
}
