android/SukiSU-Ultra
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

ksud: magic_mount: make mount points read only

Browse Source 
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
This commit is contained in:
5ec1cff
2025-09-22 17:38:27 +07:00
committed by ShirkNeko
parent 7026c340b0
commit 3a8ecf1253
1 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
userspace/ksud/src/magic_mount.rs
View File

@@ -6,7 +6,7 @@ use anyhow::{Context, Result, bail};
use extattr::lgetxattr;
use rustix::fs::{
Gid, MetadataExt, Mode, MountFlags, MountPropagationFlags, Uid, UnmountFlags, bind_mount,
chmod, chown, mount, move_mount, unmount,
chmod, chown, mount, move_mount, remount, unmount,
};
use rustix::mount::mount_change;
use rustix::path::Arg;
@@ -254,7 +254,13 @@ fn do_magic_mount<P: AsRef<Path>, WP: AsRef<Path>>(
module_path.display(),
work_dir_path.display()
);
bind_mount(module_path, target_path)?;
bind_mount(module_path, target_path).with_context(|| {
format!("mount module file {module_path:?} -> {work_dir_path:?}")
})?;
// we should use MS_REMOUNT | MS_BIND | MS_xxx to change mount flags
if let Err(e) = remount(target_path, MountFlags::RDONLY | MountFlags::BIND, "") {
log::warn!("make file {target_path:?} ro: {e:#?}");
}
} else {
bail!("cannot mount root file {}!", path.display());
}
@@ -266,7 +272,9 @@ fn do_magic_mount<P: AsRef<Path>, WP: AsRef<Path>>(
module_path.display(),
work_dir_path.display()
);
clone_symlink(module_path, &work_dir_path)?;
clone_symlink(module_path, &work_dir_path).with_context(|| {
format!("create module symlink {module_path:?} -> {work_dir_path:?}")
})?;
} else {
bail!("cannot mount root symlink {}!", path.display());
}
@@ -339,7 +347,9 @@ fn do_magic_mount<P: AsRef<Path>, WP: AsRef<Path>>(
path.display(),
work_dir_path.display()
);
bind_mount(&work_dir_path, &work_dir_path).context("bind self")?;
bind_mount(&work_dir_path, &work_dir_path)
.context("bind self")
.with_context(|| format!("creating tmpfs for {path:?} at {work_dir_path:?}"))?;
}
if path.exists() && !current.replace {
@@ -362,7 +372,7 @@ fn do_magic_mount<P: AsRef<Path>, WP: AsRef<Path>>(
if has_tmpfs {
return Err(e);
} else {
log::error!("mount child {}/{name} failed: {}", path.display(), e);
log::error!("mount child {}/{name} failed: {e:#?}", path.display());
}
}
}
@@ -389,7 +399,7 @@ fn do_magic_mount<P: AsRef<Path>, WP: AsRef<Path>>(
if has_tmpfs {
return Err(e);
} else {
log::error!("mount child {}/{name} failed: {}", path.display(), e);
log::error!("mount child {}/{name} failed: {e:#?}", path.display());
}
}
}
@@ -400,8 +410,16 @@ fn do_magic_mount<P: AsRef<Path>, WP: AsRef<Path>>(
work_dir_path.display(),
path.display()
);
move_mount(&work_dir_path, &path).context("move self")?;
mount_change(&path, MountPropagationFlags::PRIVATE).context("make self private")?;
if let Err(e) = remount(&work_dir_path, MountFlags::RDONLY | MountFlags::BIND, "") {
log::warn!("make dir {path:?} ro: {e:#?}");
}
move_mount(&work_dir_path, &path)
.context("move self")
.with_context(|| format!("moving tmpfs {work_dir_path:?} -> {path:?}"))?;
// make private to reduce peer group count
if let Err(e) = mount_change(&path, MountPropagationFlags::PRIVATE) {
log::warn!("make dir {path:?} private: {e:#?}");
}
}
}
Whiteout => {