-rw-r--r-- | fs_mgr/fs_mgr_roots.cpp | 50 | ||||
-rw-r--r-- | init/first_stage_init.cpp | 6 | ||||
-rw-r--r-- | init/security.cpp | 1 |
3 files changed, 39 insertions, 18 deletions
diff --git a/fs_mgr/fs_mgr_roots.cpp b/fs_mgr/fs_mgr_roots.cpp index a54cbb151..f84f91aaa 100644 --- a/fs_mgr/fs_mgr_roots.cpp +++ b/fs_mgr/fs_mgr_roots.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include "android-base/file.h" #include "fs_mgr/roots.h" #include <sys/mount.h> @@ -39,18 +40,26 @@ FstabEntry* GetEntryForPath(Fstab* fstab, const std::string& path) { while (true) { auto entry = GetEntryForMountPointTryDetectFs(fstab, str); if (entry != nullptr) return entry; - if (str == "/") break; - auto slash = str.find_last_of('/'); - if (slash == std::string::npos) break; - if (slash == 0) { - str = "/"; - } else { - str = str.substr(0, slash); - } + str = android::base::Dirname(str); + if (!str.compare(".") || !str.compare("/")) break; } return nullptr; } +std::vector<FstabEntry*> GetEntriesForPath(Fstab* fstab, const std::string& path) { + std::vector<FstabEntry*> entries; + if (path.empty()) return entries; + + std::string str(path); + while (true) { + entries = GetEntriesForMountPoint(fstab, str); + if (!entries.empty()) return entries; + str = android::base::Dirname(str); + if (!str.compare(".") || !str.compare("/")) break; + } + return entries; +} + enum class MountState { ERROR = -1, NOT_MOUNTED = 0, @@ -71,12 +80,7 @@ static MountState GetMountState(const std::string& mount_point) { return MountState::NOT_MOUNTED; } -bool EnsurePathMounted(Fstab* fstab, const std::string& path, const std::string& mount_pt) { - auto rec = GetEntryForPath(fstab, path); - if (rec == nullptr) { - LERROR << "unknown volume for path [" << path << "]"; - return false; - } +bool TryPathMount(FstabEntry* rec, const std::string& mount_pt) { if (rec->fs_type == "ramdisk") { // The ramdisk is always mounted. return true; 
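Review bot: The rewritten loop in GetEntryForPath (and the identical loop in the new GetEntriesForPath) breaks as soon as `Dirname` yields "/", so the root mount point is no longer looked up for any path other than "/" itself. The removed code set `str = "/"` and went round once more before stopping, so a path covered only by a "/" fstab entry used to resolve and now returns nullptr or an empty vector. To keep the old behaviour, test before stepping up: `if (str == "/" || str == ".") break;` followed by `str = android::base::Dirname(str);`. If dropping the root lookup is intended, a comment saying so would help. `str == "/"` also reads more directly than `!str.compare("/")`.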
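Review bot: TryPathMount dereferences `rec` on its first line (`rec->fs_type`), but the nullptr check that used to precede that access was removed together with the lookup. The function is also not declared `static` in this hunk, so it may be reachable from other callers. Either add `if (rec == nullptr) return false;` at the top or give it internal linkage with `static bool TryPathMount(...)`, so the non-null contract is enforced or at least local to this file. The body of the function continues outside the hunk.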
@@ -111,7 +115,8 @@ bool EnsurePathMounted(Fstab* fstab, const std::string& path, const std::string& return true; } - static const std::vector<std::string> supported_fs{"ext4", "squashfs", "vfat", "f2fs", "none"}; + static const std::vector<std::string> supported_fs{"ext4", "squashfs", "vfat", "f2fs", "erofs", + "none"}; if (std::find(supported_fs.begin(), supported_fs.end(), rec->fs_type) == supported_fs.end()) { LERROR << "unknown fs_type \"" << rec->fs_type << "\" for " << mount_point; return false; @@ -126,6 +131,21 @@ bool EnsurePathMounted(Fstab* fstab, const std::string& path, const std::string& return true; } +bool EnsurePathMounted(Fstab* fstab, const std::string& path, const std::string& mount_point) { + auto entries = GetEntriesForPath(fstab, path); + if (entries.empty()) { + LERROR << "unknown volume for path [" << path << "]"; + return false; + } + + for (auto entry : entries) { + if (TryPathMount(entry, mount_point)) return true; + } + + LERROR << "Failed to mount for path [" << path << "]"; + return false; +} + bool EnsurePathUnmounted(Fstab* fstab, const std::string& path) { auto rec = GetEntryForPath(fstab, path); if (rec == nullptr) { diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp index 021557697..ff16ff344 100644 --- a/init/first_stage_init.cpp +++ b/init/first_stage_init.cpp 
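Review bot: The fallback loop in the new EnsurePathMounted (fs_mgr/fs_mgr_roots.cpp) returns on the first entry for which TryPathMount succeeds but never records which entry that was. A failed attempt on the intended entry can therefore fall through to a later fstab entry with a different fs_type, and the log does not say so. Log the choice inside the loop, e.g. `if (TryPathMount(entry, mount_point)) { LINFO << "path [" << path << "] satisfied by fs_type " << entry->fs_type; return true; }`. A one-line comment that entries are tried in fstab order and the first success wins would also help.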
@@ -192,9 +192,9 @@ int FirstStageMain(int argc, char** argv) { CHECKCALL(mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755")); CHECKCALL(mkdir("/dev/pts", 0755)); CHECKCALL(mkdir("/dev/socket", 0755)); - CHECKCALL(mount("devpts", "/dev/pts", "devpts", 0, NULL)); + CHECKCALL(mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL)); #define MAKE_STR(x) __STRING(x) - CHECKCALL(mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC))); + CHECKCALL(mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC))); #undef MAKE_STR // Don't expose the raw commandline to unprivileged processes. CHECKCALL(chmod("/proc/cmdline", 0440)); @@ -202,7 +202,7 @@ int FirstStageMain(int argc, char** argv) { android::base::ReadFileToString("/proc/cmdline", &cmdline); gid_t groups[] = {AID_READPROC}; CHECKCALL(setgroups(arraysize(groups), groups)); - CHECKCALL(mount("sysfs", "/sys", "sysfs", 0, NULL)); + CHECKCALL(mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL)); CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL)); CHECKCALL(mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11))); diff --git a/init/security.cpp b/init/security.cpp index 6cbe642c0..82fc8ca64 100644 --- a/init/security.cpp +++ b/init/security.cpp @@ -78,6 +78,7 @@ Result<void> MixHwrngIntoLinuxRngAction(const BuiltinArguments&) { } chunk_size = TEMP_FAILURE_RETRY(write(urandom_fd, buf, chunk_size)); + explicit_bzero(buf, chunk_size); if (chunk_size == -1) { return ErrnoError() << "Failed to write to /dev/urandom"; } |
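Review bot: In FirstStageMain the devpts mount gets `MS_NOSUID|MS_NOEXEC` while proc and sysfs also get `MS_NODEV`, and nothing in the code explains the difference. Presumably MS_NODEV is left off because the pty device nodes live on devpts. A comment such as `// devpts carries the pty device nodes, so MS_NODEV must not be set here.` would stop a later cleanup from "completing" the flag set and breaking terminals. The proc line also grows well past the line length used by the neighbouring calls, so wrap it.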
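Review bot: The selinuxfs mount on the context line right after the hardened sysfs call in FirstStageMain is still `mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL)`, so the hardening is applied inconsistently across the pseudo-filesystems set up here. If nothing in first-stage init depends on exec or suid semantics there, the same treatment would apply: `CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", MS_NOSUID|MS_NOEXEC, NULL));`. If it is left at 0 on purpose, a short comment giving the reason would be useful.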
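Review bot: In MixHwrngIntoLinuxRngAction (init/security.cpp) the added `explicit_bzero(buf, chunk_size)` runs after `chunk_size` has been overwritten with the return value of write(). A failed write therefore passes -1 as the length, which converts to a huge size_t and clears memory far beyond the buffer before the `chunk_size == -1` check is reached. A short write also leaves the unwritten tail of the hardware entropy in memory. Clear by the buffer's own size instead, e.g. `explicit_bzero(buf, sizeof(buf));` if `buf` is a local array (its declaration is outside the hunk). The earlier return paths of the function are not visible in the hunk and may also leave the buffer uncleared.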