Block symlinks in bind mount source paths.
Minijail is sometimes asked to bind mount directories owned by
less-privileged users. These less-privileged users can manufacture
a "mount-anything-anywhere" primitive by replacing bind mount paths
with symlinks.
Prevent this by checking whether the bind mount source path is a
canonical path. Because this happens at minijail_bind() time, there is
still the risk of TOCTOU issues. A follow-up patch will re-check things
closer to the mount() call. Unfortunately, mount() takes paths, so it is
not possible to fully eliminate this race.
Because some files that processes might want to bind mount (like files
in /sys or /dev) can be symlinks, allow users to specify a set of
prefixes exempt from these restrictions. This can also help with
rolling this restriction out (exclude some prefixes, fix the callers,
then remove the exclusions).
A follow-up to this change will add checks on the destination path,
which need to happen after the path is created. Ideally, these would
happen as close as possible to the mount() call.
Bug: 219093918
Test: New unit tests.
Change-Id: Ia747e4318ed4eabf27c64e04e0dd71723735bae2
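The source-path check the commit message describes (realpath() must resolve the path to itself, with an exempt-prefix escape hatch), as an added C example that is not Minijail's own code; the comma-separated prefix format, the function names and the temp-directory self-check are assumptions, and the TOCTOU caveat from the message applies unchanged:

```c
#define _GNU_SOURCE 1            /* realpath, mkdtemp, symlink, PATH_MAX */
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if |path| starts with one of the comma-separated |prefixes| (a format
 * assumed here; the patch does not show it). An empty list exempts nothing. */
static int path_has_allowed_prefix(const char *path, const char *prefixes)
{
	const char *p = prefixes;
	while (p && *p) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t)(end - p) : strlen(p);
		if (len > 0 && strncmp(path, p, len) == 0)
			return 1;
		p = end ? end + 1 : NULL;
	}
	return 0;
}

/* 1 if |src| is exempt or realpath() resolves it to exactly itself (no symlink
 * in any component), else 0. The TOCTOU from the commit message still applies. */
static int bind_source_is_canonical(const char *src, const char *prefixes)
{
	char resolved[PATH_MAX];
	if (path_has_allowed_prefix(src, prefixes))
		return 1;
	if (!realpath(src, resolved))
		return 0; /* missing or unresolvable: refuse */
	return strcmp(src, resolved) == 0;
}

/* Constructed self-check: a real directory versus a symlink that aliases it. */
static int demo(void)
{
	char tmpl[] = "/tmp/bindcheckXXXXXX", base[PATH_MAX], dir[PATH_MAX], alias[PATH_MAX];
	if (!mkdtemp(tmpl) || !realpath(tmpl, base))
		return -1;
	strcpy(dir, base); strcat(dir, "/real");
	strcpy(alias, base); strcat(alias, "/alias");
	if (mkdir(dir, 0700) != 0 || symlink(dir, alias) != 0)
		return -1;
	int ok = bind_source_is_canonical(dir, "") == 1 &&
		 bind_source_is_canonical(alias, "") == 0 &&
		 bind_source_is_canonical(alias, base) == 1;
	unlink(alias); rmdir(dir); rmdir(tmpl);
	return ok;
}
```

demo() returns 1 when the real directory passes, the symlink alias is refused, and the same alias passes once its parent is listed as an exempt prefix.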
diff --git a/Android.bp b/Android.bp
index 2b571ae..e771f95 100644
--- a/Android.bp
+++ b/Android.bp
@@ -75,6 +75,7 @@
"-DALLOW_DEBUG_LOGGING",
"-DALLOW_DUPLICATE_SYSCALLS",
"-DDEFAULT_PIVOT_ROOT=\"/var/empty\"",
+ "-DBINDMOUNT_ALLOWED_PREFIXES=\"\"",
"-Wall",
"-Werror",
],
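Review bot: the new `-DBINDMOUNT_ALLOWED_PREFIXES=\"\"` line gives the Android build an empty exemption list, so no prefix is exempt there even though the commit message says entries under /sys and /dev can legitimately be symlinks; either confirm that Android callers bind-mounting such paths have been audited, or seed the list with those prefixes for the staged rollout the message describes. A short comment next to the define stating the expected value format (separator, whether a trailing slash is required) would also help, since an empty string tells the reader nothing, and this hunk only covers Android.bp, so check that the other build files define the macro too or that the code compiles with a sane default when it is undefined.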