Android vold Unsafe Mounting
Posted by deepcore on December 3, 2021 – 3:06 am
Android’s vold’s incremental-fs APIs trust paths from system_server for mounting. There is supposed to be privilege separation between vold (TCB) and system_server (privileged process). However, vold’s IPC handlers related to incremental-fs (mountIncFs, unmountIncFs, bindMount) allow system_server to specify semi-arbitrary paths, allowing system_server to trigger mounting on directories that shouldn’t be under system_server control.
Post a reply
You must be logged in to post a comment.