Clean fix for the chown race condition on new input devices.

Drop init's egid to AID_INPUT while creating the device node, so that it is created with the correct gid. This eliminates the possibility of system_server opening the device node before its permissions are set correctly. Using setegid() allows us to swap back to AID_ROOT immediately after mknod(). Bug: 2375632
2010-01-21 18:13:39 -08:00 · 2010-01-21 18:13:39 -08:00 · 6405c6953f
parent 25eab084c5
commit 6405c6953f
1 changed files with 8 additions and 1 deletions
--- a/init/devices.c
+++ b/init/devices.c
@ -306,8 +306,15 @@ static void make_device(const char *path, int block, int major, int minor)

    mode = get_device_perm(path, &uid, &gid) | (block ? S_IFBLK : S_IFCHR);
    dev = (major << 8) | minor;
+    /* Temporarily change egid to avoid race condition setting the gid of the
+     * device node. Unforunately changing the euid would prevent creation of
+     * some device nodes, so the uid has to be set with chown() and is still
+     * racy. Fixing the gid race at least fixed the issue with system_server
+     * opening dynamic input devices under the AID_INPUT gid. */
+    setegid(gid);
    mknod(path, mode, dev);
-    chown(path, uid, gid);
+    chown(path, uid, -1);
+    setegid(AID_ROOT);
 }

 #if LOG_UEVENTS