Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / refs/heads/stabilize-13982.88.B^! / .
commitc2d16b592cf6bf28dea71bf9f2d1e4274668822f[log] [tgz]
authorAashay Shringarpure <aashay@google.com>Wed Jul 28 11:44:32 2021 -0700
committerCommit Bot <commit-bot@chromium.org>Wed Aug 04 10:32:04 2021 +0000
tree7819edcca4587a60dda45c65fc740ce2408446fe
parent738ec0208a29cd604818d792fa99f021a203587a [diff]
vm_tools: Disallow mount from following symlinks

Adds the --no-canonicalize flag to all mounts in vm_concierge init.
This prevents inadvertently clobbering symlink targets.

BUG=chromium:1232658, chromium:1233585

TEST=Fixes chromium:1232658, CQ

Change-Id: I639c52df3b63414801036f7d3cd0641be9ddb81f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3059380
Tested-by: Aashay Shringarpure <aashay@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Aashay Shringarpure <aashay@google.com>
(cherry picked from commit e86c716ca1b45422ef1acd1ba2e62a973330cd2f)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3069258

diff --git a/vm_tools/init/vm_concierge.conf b/vm_tools/init/vm_concierge.conf
index 82d3524..eb5dc68 100644
--- a/vm_tools/init/vm_concierge.conf
+++ b/vm_tools/init/vm_concierge.conf

@@ -70,19 +70,20 @@
   chown crosvm:crosvm /run/arcvm
 
   # Make /run/arcvm a shared mountpoint.
-  mount --bind /run/arcvm /run/arcvm
-  mount --make-shared /run/arcvm
+  mount --no-canonicalize --bind /run/arcvm /run/arcvm
+  mount --no-canonicalize --make-shared /run/arcvm
 
   # Create persistent mount namespace at /run/namespaces/mnt_concierge.
   touch /run/namespaces/mnt_concierge
   unshare --mount=/run/namespaces/mnt_concierge --propagation unchanged \
     -- /bin/true
   # Remount the bind-mount as 'noexec'.
-  mount /run/namespaces/mnt_concierge -o remount,noexec
+  mount --no-canonicalize /run/namespaces/mnt_concierge -o remount,noexec
 
   # Prevent mounts at /run/arcvm from propagating out of the namespace.
   nsenter --mount=/run/namespaces/mnt_concierge --no-fork \
-    -- bash -c "mount --make-slave /run/arcvm && mount --make-shared /run/arcvm"
+    -- bash -c "mount --no-canonicalize --make-slave /run/arcvm && \
+                mount --no-canonicalize --make-shared /run/arcvm"
 
   # Create the directory for mojo proxy.
   mkdir -p /run/arcvm/mojo
@@ -136,8 +137,8 @@
   fi
   mkdir -p /run/arcvm/apkcache
   nsenter --mount=/run/namespaces/mnt_concierge --no-fork \
-    -- mount --bind /mnt/stateful_partition/unencrypted/apkcache \
-    /run/arcvm/apkcache
+    -- mount --no-canonicalize --bind \
+    /mnt/stateful_partition/unencrypted/apkcache /run/arcvm/apkcache
 
   # Create the directory for various services that we need to mount in
   # concierge's namespace. Individual service scripts will adjust ownership
@@ -148,8 +149,9 @@
   # to 655360:656360, which corresponds to root:system on the Android side.
   mkdir -p /run/arcvm/media
   nsenter --mount=/run/namespaces/mnt_concierge --no-fork \
-    -- mount -o rw,nodev,noexec,nosuid,mode=0755,uid=655360,gid=656360 \
-             -t tmpfs tmpfs /run/arcvm/media
+    -- mount --no-canonicalize -o \
+             rw,nodev,noexec,nosuid,mode=0755,uid=655360,gid=656360 -t tmpfs \
+             tmpfs /run/arcvm/media
 
   if crossystem "cros_debug?1"; then
     touch /run/vm/dev_mode