fs_mgr: make block devices read-only
When a filesystem is mounted read-only, make the underlying
block device read-only too. This helps prevent an attacker
who is able to change permissions on the files in /dev
(for example, symlink attack) from modifying the block device.
In particular, this change would have stopped the LG Thrill / Optimus
3D rooting exploit
(http://vulnfactory.org/blog/2012/02/26/rooting-the-lg-thrill-optimus-3d/)
as that exploit modified the raw block device corresponding to /system.
This change also makes UID=0 less powerful. Block devices cannot
be made writable again without CAP_SYS_ADMIN, so an escalation
to UID=0 by itself doesn't give full root access.
adb/mount: Prior to mounting something read-write, remove the
read-only restrictions on the underlying block device. This avoids
messing up developer workflows.
Change-Id: I135098a8fe06f327336f045aab0d48ed9de33807
diff --git a/remount_service.c b/remount_service.c
index 4cb41e7..ad61284 100644
--- a/remount_service.c
+++ b/remount_service.c
@@ -72,6 +72,8 @@
static int remount_system()
{
char *dev;
+ int fd;
+ int OFF = 0;
if (system_ro == 0) {
return 0;
@@ -82,6 +84,13 @@
if (!dev)
return -1;
+ fd = unix_open(dev, O_RDONLY);
+ if (fd < 0)
+ return -1;
+
+ ioctl(fd, BLKROSET, &OFF);
+ adb_close(fd);
+
system_ro = mount(dev, "/system", "none", MS_REMOUNT, NULL);
free(dev);