From 00690852b4a8a02bf76a3ab15555cda11c860493 Mon Sep 17 00:00:00 2001
From: Daisuke Okitsu
Date: Mon, 24 Nov 2014 09:37:55 +0100
Subject: [PATCH] sdcard: mount sdcard with the noexec option
Vold mounts the sdcard with noexec, but the fuse deamon mounts with exec, so it is still possible to execute binaries: /dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime, user_id=1023,group_id=1023,default_permissions,allow_other 0 0 /dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync, nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007, dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1, shortname=mixed,utf8,errors=remount-ro 0 0 With this change both vold and fuse mounts with noexec.
Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
---
 sdcard/sdcard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdcard/sdcard.c b/sdcard/sdcard.c
index 9ba81ff10..2318978b3 100644
--- a/sdcard/sdcard.c
+++ b/sdcard/sdcard.c
@@ -1834,7 +1834,7 @@ static int run(const char* source_path, const char* dest_path, uid_t uid,
 "fd=%i,rootmode=40000,default_permissions,allow_other,user_id=%d,group_id=%d",
 fd, uid, gid);
- res = mount("/dev/fuse", dest_path, "fuse", MS_NOSUID | MS_NODEV, opts);
+ res = mount("/dev/fuse", dest_path, "fuse", MS_NOSUID | MS_NODEV | MS_NOEXEC, opts);
 if (res < 0) {
 ERROR("cannot mount fuse filesystem: %s\n", strerror(errno));
 goto error;
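Review bot: The flag set on the `mount("/dev/fuse", ...)` call is now security-relevant but carries no comment saying why, so a later edit could drop `MS_NOEXEC` without noticing that it reopens the gap the commit message describes. I would add above the call `/* Must match vold's mount of the backing media (nosuid,nodev,noexec): the FUSE view must not be more permissive than the device it wraps. */`. Only this one mount call is visible, so whether another path mounts or remounts this view with different flags cannot be judged from the hunk; `run()` starts and ends outside it. Note also that noexec blocks direct execution and executable mappings from the mount but not an interpreter reading a script stored there, so it is one layer and not the whole control.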