From e0b3e643e1b98d46a82a22d62c00e08fa16e10e8 Mon Sep 17 00:00:00 2001 From: Sangyoon Jang Date: Tue, 7 Aug 2018 20:29:27 +0900 Subject: [PATCH] Add app2sd-mount-helper tool When launching an application which is installed at external storage, app2sd-server mounts application's image at internal storage. Since process label of app2sd-server is "System", the directory which is mount point for application's image has same label as app2sd-server. This can cause smack denial in some cases. This app2sd-mount-helper tool does mount instead of app2sd-server, and its process label is "User::Home" which is same as other directories or files at package root. Using this tool, the smack denial will not happened. Change-Id: Ic89bc960372d0a2595cd21aa6d9372473aafc2c8 Signed-off-by: Sangyoon Jang --- packaging/app2sd-plugin.manifest | 1 + packaging/app2sd.spec | 1 + plugin/app2sd/CMakeLists.txt | 8 +++++++ plugin/app2sd/mount_helper/mount_helper.c | 39 +++++++++++++++++++++++++++++++ plugin/app2sd/server/app2sd_internals.c | 30 +++++++++++++++--------- 5 files changed, 68 insertions(+), 11 deletions(-) create mode 100644 plugin/app2sd/mount_helper/mount_helper.c diff --git a/packaging/app2sd-plugin.manifest b/packaging/app2sd-plugin.manifest index e5b4de8..46657d7 100644 --- a/packaging/app2sd-plugin.manifest +++ b/packaging/app2sd-plugin.manifest @@ -4,5 +4,6 @@ + diff --git a/packaging/app2sd.spec b/packaging/app2sd.spec index 6624de0..b0f4142 100644 --- a/packaging/app2sd.spec +++ b/packaging/app2sd.spec @@ -93,3 +93,4 @@ rm -rf %{buildroot} %{_unitdir}/app2sd-server.service %{_datadir}/dbus-1/system-services/org.tizen.app2sd.service %config %{_sysconfdir}/dbus-1/system.d/org.tizen.app2sd.conf +%{_bindir}/app2sd-mount-helper diff --git a/plugin/app2sd/CMakeLists.txt b/plugin/app2sd/CMakeLists.txt index 4ae4172..47c4de8 100644 --- a/plugin/app2sd/CMakeLists.txt +++ b/plugin/app2sd/CMakeLists.txt 
@@ -48,3 +48,11 @@ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tizen.app2sd.service DESTINATION INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tizen.app2sd.conf DESTINATION ${SYSCONF_INSTALL_DIR}/dbus-1/system.d/) INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/app2sd-server.service DESTINATION ${UNITDIR}) + +# build app2sd-mount-helper binary +SET(APP2SD_MOUNT_HELPER "app2sd-mount-helper") +AUX_SOURCE_DIRECTORY(${CMAKE_CURRENT_SOURCE_DIR}/mount_helper APP2SD_MOUNT_HELPER_SRCS) +ADD_EXECUTABLE(${APP2SD_MOUNT_HELPER} ${APP2SD_MOUNT_HELPER_SRCS}) +SET_TARGET_PROPERTIES(${APP2SD_MOUNT_HELPER} PROPERTIES COMPILE_FLAGS ${CFLAGS} "-fPIE -fstack-protector-strong") +SET_TARGET_PROPERTIES(${APP2SD_MOUNT_HELPER} PROPERTIES LINK_FLAGS "-pie -Wl,--as-needed,-z,relro") +INSTALL(TARGETS ${APP2SD_MOUNT_HELPER} DESTINATION bin) diff --git a/plugin/app2sd/mount_helper/mount_helper.c b/plugin/app2sd/mount_helper/mount_helper.c new file mode 100644 index 0000000..4b83525 --- /dev/null +++ b/plugin/app2sd/mount_helper/mount_helper.c 
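Review bot: The `COMPILE_FLAGS ${CFLAGS} "-fPIE -fstack-protector-strong"` line gives SET_TARGET_PROPERTIES two separate values for one property whenever `CFLAGS` expands to something non-empty, and CMake rejects an unpaired property/value list; it only works while `CFLAGS` is empty. Pass them as one quoted value, `COMPILE_FLAGS "${CFLAGS} -fPIE -fstack-protector-strong"`. This binary performs mounts on behalf of the server, so it presumably runs with mount privilege. For that reason the link line should request full RELRO rather than `-z,relro` alone: `LINK_FLAGS "-pie -Wl,--as-needed,-z,relro,-z,now"`.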
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[])
+{
+ char *source;
+ char *target;
+ char *filesystemtype;
+ unsigned long mountflags;
+
+ if (argc < 5)
+ return -EINVAL;
+
+ source = argv[1];
+ target = argv[2];
+ filesystemtype = argv[3];
+ mountflags = strtoul(argv[4], NULL, 0);
+
+ return mount(source, target, filesystemtype, mountflags, NULL);
+}
diff --git a/plugin/app2sd/server/app2sd_internals.c b/plugin/app2sd/server/app2sd_internals.c
index 4133c9f..81a2015 100644
--- a/plugin/app2sd/server/app2sd_internals.c
+++ b/plugin/app2sd/server/app2sd_internals.c
@@ -435,6 +435,9 @@ int _app2sd_mount_app_content(const char *application_path, const char *pkgid,
 .tv_sec = 0,
 .tv_nsec = 1000 * 1000 * 200
 };
+ char mountflags_str[BUF_SIZE];
+ const char *argv_mount[] = { "/bin/app2sd-mount-helper", dev,
+ app_mmc_path, FS_TYPE, mountflags_str, NULL };
 
 if (dev == NULL) {
 _E("input param is NULL (%s)", dev);
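Review bot: In mount_helper.c, `main` forwards argv[1..4] to mount(2) unchanged, so anything able to execute this binary with its mount privilege chooses the source, target, filesystem type and flags. This patch does not show how the helper gets that privilege or who may run it, so the helper should enforce the policy itself. At minimum it should require exactly four arguments, parse the flags with an end-pointer and range check (`strtoul(argv[4], NULL, 0)` silently turns garbage into 0), refuse any flag bit the server does not send today, and insist on `MS_NOSUID`. The device and mount-point paths should also be checked against the locations app2sd is expected to use, which this page does not show. Returning `-EINVAL` or mount()'s `-1` from `main` is lossy as well, since the exit status is truncated to 8 bits and errno never reaches the caller; a sketch of the stricter argument handling follows.

```c
/* Flag bits the server passes today; anything else is refused. */
#define HELPER_ALLOWED_FLAGS \
	(MS_MGC_VAL | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_REMOUNT)

int main(int argc, char *argv[])
{
	char *end = NULL;
	unsigned long mountflags;

	if (argc != 5)
		return EXIT_FAILURE;

	errno = 0;
	mountflags = strtoul(argv[4], &end, 0);
	if (errno != 0 || end == argv[4] || *end != '\0')
		return EXIT_FAILURE;
	if ((mountflags & ~(unsigned long)HELPER_ALLOWED_FLAGS) != 0 ||
	    (mountflags & MS_NOSUID) == 0)
		return EXIT_FAILURE;

	/* TODO(review): validate argv[1] (device) and argv[2] (mount point)
	 * against the expected app2sd locations before mounting. */

	if (mount(argv[1], argv[2], argv[3], mountflags, NULL) != 0)
		return EXIT_FAILURE;

	return EXIT_SUCCESS;
}
```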
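Review bot: In app2sd_internals.c, `argv_mount` hard-codes `"/bin/app2sd-mount-helper"`, while the spec file packages the binary as `%{_bindir}/app2sd-mount-helper` and CMake installs it to `bin` under the install prefix, so the exec only works if `/bin` resolves to that directory on the target image. Keeping an absolute path is right, because it avoids a PATH lookup from the server process, but it should come from one build-time definition shared with the install rule rather than a literal. The initializer also captures `dev` before the `dev == NULL` check that follows it. That is harmless only if nothing uses `argv_mount` before that check, which depends on the rest of `_app2sd_mount_app_content` outside this hunk.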
@@ -463,8 +466,9 @@ int _app2sd_mount_app_content(const char *application_path, const char *pkgid,
 
 switch (mount_type) {
 case MOUNT_TYPE_RD:
- ret = mount(dev, app_mmc_path, FS_TYPE,
- MS_MGC_VAL | MS_RDONLY | MS_NOSUID, NULL);
+ snprintf(mountflags_str, sizeof(mountflags_str), "%u",
+ MS_MGC_VAL | MS_RDONLY | MS_NOSUID);
+ ret = _xsystem(argv_mount);
 if (ret < 0) {
 _E("read only mount failed, errono is (%d), "
 "dev is (%s) path is (%s)",
@@ -473,33 +477,37 @@ int _app2sd_mount_app_content(const char *application_path, const char *pkgid,
 }
 break;
 case MOUNT_TYPE_RW:
- ret = mount(dev, app_mmc_path, FS_TYPE, MS_MGC_VAL | MS_NOSUID,
- NULL);
+ snprintf(mountflags_str, sizeof(mountflags_str), "%u",
+ MS_MGC_VAL | MS_NOSUID);
+ ret = _xsystem(argv_mount);
 if (ret < 0) {
 _E("read write mount failed, errono is (%d)", errno);
 ret = APP2EXT_ERROR_MOUNT;
 }
 break;
 case MOUNT_TYPE_RW_NOEXEC:
- ret = mount(dev, app_mmc_path, FS_TYPE,
- MS_MGC_VAL | MS_NOEXEC | MS_NOSUID, NULL);
+ snprintf(mountflags_str, sizeof(mountflags_str), "%u",
+ MS_MGC_VAL | MS_NOEXEC | MS_NOSUID);
+ ret = _xsystem(argv_mount);
 if (ret < 0) {
 _E("rwnx mount failed errono is (%d)", errno);
 ret = APP2EXT_ERROR_MOUNT;
 }
 break;
 case MOUNT_TYPE_RD_REMOUNT:
- ret = mount(dev, app_mmc_path, FS_TYPE,
- MS_MGC_VAL | MS_RDONLY | MS_REMOUNT | MS_NOSUID,
- NULL);
+ snprintf(mountflags_str, sizeof(mountflags_str), "%u",
+ MS_MGC_VAL | MS_RDONLY | MS_REMOUNT |
+ MS_NOSUID);
+ ret = _xsystem(argv_mount);
 if (ret < 0) {
 _E("read remount failed errono is (%d)", errno);
 ret = APP2EXT_ERROR_MOUNT;
 }
 break;
 case MOUNT_TYPE_RW_REMOUNT:
- ret = mount(dev, app_mmc_path, FS_TYPE,
- MS_MGC_VAL | MS_REMOUNT | MS_NOSUID, NULL);
+ snprintf(mountflags_str, sizeof(mountflags_str), "%u",
+ MS_MGC_VAL | MS_REMOUNT | MS_NOSUID);
+ ret = _xsystem(argv_mount);
 strerror_r(errno, err_buf, sizeof(err_buf));
 if (ret < 0) {
 _E("read write remount failed errono(%d), errstr(%s)",
-- 
2.7.4
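Review bot: The `if (ret < 0)` checks after each `_xsystem(argv_mount)` call still assume mount(2) semantics, but the mount now runs in the helper process. The helper exits with mount()'s `-1` or with `-EINVAL`, which a parent sees as exit status 255 or 234, and `errno` in this process is not set by the child's failure. `_xsystem` is defined outside this patch, so unless it maps every non-zero exit to a negative value, a failed mount would be treated as success and the code would continue as if the image were mounted. Test `if (ret != 0)` and log `ret` instead of `errno`, and drop the `strerror_r(errno, ...)` in the MOUNT_TYPE_RW_REMOUNT branch or feed it a status the helper actually reports. This applies to MOUNT_TYPE_RD in the first hunk here and to the four cases in the `@@ -473,33 +477,37 @@` hunk; the switch and the function continue outside both hunks.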