commit 6405c6953fa02d41d9f6377f4cdb947604f481c4
author Nick Pelly <npelly@google.com> Thu Jan 21 18:13:39 2010 -0800
committer Nick Pelly <npelly@google.com> Fri Jan 22 11:50:49 2010 -0800
tree d0d1fa9a7c0bafbbdb74d5882e77b554bc544f3a
parent 25eab084c5bc6b6ed68001b4f67ca405fc541fcb

Clean fix for the chown race condition on new input devices.

Drop init's egid to AID_INPUT while creating the device node, so that it is
created with the correct gid. This eliminates the
possibility of system_server opening the device node before its permissions
are set correctly.

Using setegid() allows us to swap back to AID_ROOT immediately after mknod().

Bug: 2375632

init/devices.c

diff --git a/init/devices.c b/init/devices.c
index 55c5ee4..11328f6 100644
--- a/init/devices.c
+++ b/init/devices.c
@@ -306,8 +306,15 @@
 
     mode = get_device_perm(path, &uid, &gid) | (block ? S_IFBLK : S_IFCHR);
     dev = (major << 8) | minor;
+    /* Temporarily change egid to avoid race condition setting the gid of the
+     * device node. Unforunately changing the euid would prevent creation of
+     * some device nodes, so the uid has to be set with chown() and is still
+     * racy. Fixing the gid race at least fixed the issue with system_server
+     * opening dynamic input devices under the AID_INPUT gid. */
+    setegid(gid);
     mknod(path, mode, dev);
-    chown(path, uid, gid);
+    chown(path, uid, -1);
+    setegid(AID_ROOT);
 }
 
 #if LOG_UEVENTS