Revert changes about libsafe_ownedfd

It actually was an unsafe abstraction over OwnedFd::from_raw_fd.

This change reverts the following changes:

Revert "Remove the use of from_raw_fd from fd_server/aidl.rs"

This reverts commit 105153e486d7d2dfded4d0c41b22fb2bc493a5ee.

Revert "Remove yet another use of from_raw_fd"

This reverts commit abdbd756f696a1c0d0035d1a80b3d6e827c635f0.

Revert "Don't use unsafe raw_from_fd"

This reverts commit 2867dd3e838fb4deb71f335a15e0c9dc2d617240.

Revert "Remove one more use of from_raw_fd"

This reverts commit 9ef2732fb3d55ee6b085e4a02cfbb1078b041ef8.

Revert "Use take_fd_ownership instead of the unsafe from_raw_fd"

This reverts commit ba3099ec10003d6bb2c84138bbb422997142466d.

Revert "Add libsafe_ownedfd crate"

This reverts commit 1743878cd20564e42fe41e4fbaefcb964bf83e02.

Bug: 243500154
Test: N/A
Change-Id: I4e12876518a337f1f14dc1301de909b8ace28282
diff --git a/guest/authfs_service/Android.bp b/guest/authfs_service/Android.bp
index e508c17..2101a36 100644
--- a/guest/authfs_service/Android.bp
+++ b/guest/authfs_service/Android.bp
@@ -18,7 +18,6 @@
         "libnix",
         "librpcbinder_rs",
         "librustutils",
-        "libsafe_ownedfd",
         "libshared_child",
     ],
     prefer_rlib: true,
diff --git a/guest/authfs_service/src/main.rs b/guest/authfs_service/src/main.rs
index ff2f770..97e684d 100644
--- a/guest/authfs_service/src/main.rs
+++ b/guest/authfs_service/src/main.rs
@@ -26,10 +26,9 @@
 use log::*;
 use rpcbinder::RpcServer;
 use rustutils::sockets::android_get_control_socket;
-use safe_ownedfd::take_fd_ownership;
 use std::ffi::OsString;
 use std::fs::{create_dir, read_dir, remove_dir_all, remove_file};
-use std::os::unix::io::OwnedFd;
+use std::os::unix::io::{FromRawFd, OwnedFd};
 use std::sync::atomic::{AtomicUsize, Ordering};
 
 use authfs_aidl_interface::aidl::com::android::virt::fs::AuthFsConfig::AuthFsConfig;
@@ -110,9 +109,22 @@
 }
 
 /// Prepares a socket file descriptor for the authfs service.
-fn prepare_authfs_service_socket() -> Result<OwnedFd> {
+///
+/// # Safety requirement
+///
+/// The caller must ensure that this function is the only place that claims ownership
+/// of the file descriptor and it is called only once.
+unsafe fn prepare_authfs_service_socket() -> Result<OwnedFd> {
     let raw_fd = android_get_control_socket(AUTHFS_SERVICE_SOCKET_NAME)?;
-    Ok(take_fd_ownership(raw_fd)?)
+
+    // Creating OwnedFd for stdio FDs is not safe.
+    if [libc::STDIN_FILENO, libc::STDOUT_FILENO, libc::STDERR_FILENO].contains(&raw_fd) {
+        bail!("File descriptor {raw_fd} is standard I/O descriptor");
+    }
+    // SAFETY: Initializing OwnedFd for a RawFd created by the init.
+    // We checked that the integer value corresponds to a valid FD and that the caller
+    // ensures that this is the only place to claim its ownership.
+    Ok(unsafe { OwnedFd::from_raw_fd(raw_fd) })
 }
 
 #[allow(clippy::eq_op)]
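Review bot: The SAFETY comment on the `OwnedFd::from_raw_fd` call says the integer was checked to be a valid FD, but the only check visible in `prepare_authfs_service_socket` rejects the three stdio numbers; a negative or unopened value is not ruled out here. If `android_get_control_socket` already guarantees an open, non-negative descriptor on `Ok`, the comment should name it as the source of that guarantee; otherwise add a guard such as `if raw_fd < 0 { bail!("Invalid file descriptor {raw_fd}"); }` before the conversion. `OwnedFd` closes its descriptor on drop, so a wrong value would end up closing an unrelated fd in the process. The doc heading would also read more conventionally as `# Safety` instead of `# Safety requirement`.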
@@ -125,7 +137,8 @@
 
     clean_up_working_directory()?;
 
-    let socket_fd = prepare_authfs_service_socket()?;
+    // SAFETY: This is the only place we take the ownership of the fd of the authfs service.
+    let socket_fd = unsafe { prepare_authfs_service_socket()? };
     let service = AuthFsService::new_binder(debuggable).as_binder();
     debug!("{} is starting as a rpc service.", AUTHFS_SERVICE_SOCKET_NAME);
     let server = RpcServer::new_bound_socket(service, socket_fd)?;
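Review bot: The call-site SAFETY comment covers only half of the contract documented on `prepare_authfs_service_socket`: it states that this is the only place taking ownership of the fd, but not that the call happens only once. The enclosing function starts outside this hunk, so whether it can run more than once per process cannot be confirmed from here. If it is the startup path, the comment should say so, for example `// SAFETY: This is the only place that takes ownership of the authfs service socket fd, and it runs once at startup.`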