Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / a21e72b868be49026df917174e50987e4062b51a^! / . / debugd / src / main.cc
commita21e72b868be49026df917174e50987e4062b51a[log] [tgz]
authorNicole Anderson-Au <nvaa@google.com>Thu Mar 04 21:35:26 2021 +0000
committerNicole Anderson-Au <nvaa@google.com>Fri Mar 05 16:47:17 2021 +0000
treec824435cd451e74b1334c5bc39b2ada9d8472349
parent52f7d224416acd115a8d76bf0258d19bd5b0a1cd [diff] [blame]
Revert "debugd: Harden debugd mountns with change remount"

This reverts commit d2b9098118dd0a662422e9701fe332fdab59634f.

Reason for revert: New information indicates this will likely break
something. Review on https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2737615
has found that recursively remounting of everything as private disconnects
he mount from its original share group which negates the helpfulness of
remounting as slave afterwards.


Original change's description:
> debugd: Harden debugd mountns with change remount
>
> Change the remount mode for debugd to MS_PRIVATE and use the new
> individual remount mode to change just the daemonstore dir to MS_SLAVE.
>
> BUG=None
> TEST=tast run 127.0.0.1:9222 debugd.*
>
> Change-Id: I25cbf3b0d0dfe8f17fccd14436dc96368870062d
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2723096
> Tested-by: Nicole Anderson-Au <nvaa@google.com>
> Commit-Queue: Nicole Anderson-Au <nvaa@google.com>
> Reviewed-by: Mike Frysinger <vapier@chromium.org>

Bug: None
Change-Id: Ifa8289d96361bb9ca28eedb48b0d3bfdf142c6c7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2737559
Tested-by: Nicole Anderson-Au <nvaa@google.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Nicole Anderson-Au <nvaa@google.com>

diff --git a/debugd/src/main.cc b/debugd/src/main.cc
index aa55a5e..7fdaf9a 100644
--- a/debugd/src/main.cc
+++ b/debugd/src/main.cc

@@ -21,8 +21,6 @@
 
 // For TPM 1.2 only: Directory to mount for access to tcsd socket.
 constexpr char kTcsdDir[] = "/run/tcsd";
-// The directory of the daemonstore mount.
-constexpr char daemonstore[] = "/run/daemon-store/debugd";
 
 // @brief Enter a VFS namespace.
 //
@@ -54,18 +52,17 @@
   if (minijail_bind(j.get(), kVpdPath, kVpdPath, 1))
     LOG(FATAL) << "minijail_bind(\"" << kVpdPath << "\") failed";
 
-  minijail_remount_mode(j.get(), MS_PRIVATE);
+  minijail_remount_mode(j.get(), MS_SLAVE);
 
   if (minijail_mount_with_data(j.get(), "tmpfs", "/run", "tmpfs",
                                MS_NOSUID | MS_NOEXEC | MS_NODEV, nullptr)) {
     LOG(FATAL) << "minijail_mount_with_data(\"/run\") failed";
   }
 
-  minijail_add_remount(j.get(), daemonstore, MS_SLAVE);
-
-  if (minijail_mount(j.get(), daemonstore, daemonstore, "none",
+  if (minijail_mount(j.get(), "/run/daemon-store/debugd",
+                     "/run/daemon-store/debugd", "none",
                      MS_BIND | MS_REC) != 0) {
-    LOG(FATAL) << "minijail_mount(\"" << daemonstore << "\") failed";
+    LOG(FATAL) << "minijail_mount(\"/run/daemon-store/debugd\") failed";
   }
 
   // Mount /run/dbus to be able to communicate with D-Bus.