[Toybox] toybox mount and Android

enh enh at google.com
Wed Apr 8 11:45:52 PDT 2015


the only difference i can find between toybox's mount and ours is that
we use BLKROSET. if we're mounting r/w, we need to make the block
device r/w because fs_mgr will have made it ro
(e18c0d508a6d8b4376c6f0b8c22600e5aca37f69).

the motivation is described in the original checkin comment:

Author: Nick Kralevich <nnk at google.com>
Date:   Tue Apr 16 16:41:32 2013 -0700

    fs_mgr: make block devices read-only

    When a filesystem is mounted read-only, make the underlying
    block device read-only too. This helps prevent an attacker
    who is able to change permissions on the files in /dev
    (for example, symlink attack) from modifying the block device.

    In particular, this change would have stopped the LG Thrill / Optimus
    3D rooting exploit
    (http://vulnfactory.org/blog/2012/02/26/rooting-the-lg-thrill-optimus-3d/)
    as that exploit modified the raw block device corresponding to /system.

    This change also makes UID=0 less powerful. Block devices cannot
    be made writable again without CAP_SYS_ADMIN, so an escalation
    to UID=0 by itself doesn't give full root access.

    adb/mount: Prior to mounting something read-write, remove the
    read-only restrictions on the underlying block device. This avoids
    messing up developer workflows.

    Change-Id: I135098a8fe06f327336f045aab0d48ed9de33807

adding this extra step to toybox's mount is easy enough, but i assume
you'd want this in an if (__ANDROID__)?
