Revert changes about libsafe_ownedfd
It actually was an unsafe abstraction over OwnedFd::from_raw_fd.
This change reverts the following changes:
Revert "Remove the use of from_raw_fd from fd_server/aidl.rs"
This reverts commit 105153e486d7d2dfded4d0c41b22fb2bc493a5ee.
Revert "Remove yet another use of from_raw_fd"
This reverts commit abdbd756f696a1c0d0035d1a80b3d6e827c635f0.
Revert "Don't use unsafe raw_from_fd"
This reverts commit 2867dd3e838fb4deb71f335a15e0c9dc2d617240.
Revert "Remove one more use of from_raw_fd"
This reverts commit 9ef2732fb3d55ee6b085e4a02cfbb1078b041ef8.
Revert "Use take_fd_ownership instead of the unsafe from_raw_fd"
This reverts commit ba3099ec10003d6bb2c84138bbb422997142466d.
Revert "Add libsafe_ownedfd crate"
This reverts commit 1743878cd20564e42fe41e4fbaefcb964bf83e02.
Bug: 243500154
Test: N/A
Change-Id: I4e12876518a337f1f14dc1301de909b8ace28282
diff --git a/guest/microdroid_manager/src/main.rs b/guest/microdroid_manager/src/main.rs
index d12bfd3..7352a2c 100644
--- a/guest/microdroid_manager/src/main.rs
+++ b/guest/microdroid_manager/src/main.rs
@@ -50,14 +50,13 @@
use rustutils::sockets::android_get_control_socket;
use rustutils::system_properties;
use rustutils::system_properties::PropertyWatcher;
-use safe_ownedfd::take_fd_ownership;
use secretkeeper_comm::data_types::ID_SIZE;
use std::borrow::Cow::{Borrowed, Owned};
use std::env;
use std::ffi::CString;
use std::fs::{self, create_dir, File, OpenOptions};
use std::io::{Read, Write};
-use std::os::unix::io::OwnedFd;
+use std::os::unix::io::{FromRawFd, OwnedFd};
use std::os::unix::process::CommandExt;
use std::os::unix::process::ExitStatusExt;
use std::path::Path;
@@ -200,7 +199,13 @@
);
info!("started.");
- let vm_payload_service_fd = prepare_vm_payload_service_socket()?;
+ // SAFETY: This is the only place we take the ownership of the fd of the vm payload service.
+ //
+ // To ensure that the CLOEXEC flag is set on the file descriptor as early as possible,
+ // it is necessary to fetch the socket corresponding to vm_payload_service at the
+ // very beginning, as android_get_control_socket() sets the CLOEXEC flag on the file
+ // descriptor.
+ let vm_payload_service_fd = unsafe { prepare_vm_payload_service_socket()? };
load_crashkernel_if_supported().context("Failed to load crashkernel")?;
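Review bot: The SAFETY comment on the `unsafe { prepare_vm_payload_service_socket()? }` call discharges only half of the callee's documented contract: it states this is the only place that takes ownership of the fd, but the callee's `# Safety` section also requires that it be called only once, and the comment does not say why that holds here. The enclosing function starts outside the hunk; if it is the process entry point that runs once, the comment should say so explicitly, e.g. `// SAFETY: This is the only place we take ownership of the vm payload service fd, and this function runs exactly once per process, so the fd is claimed exactly once.`. The second paragraph about CLOEXEC ordering is a useful rationale but not part of the safety argument, so it reads more clearly as a plain `//` comment placed after the `SAFETY:` block rather than inside it.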
@@ -482,9 +487,22 @@
}
/// Prepares a socket file descriptor for the vm payload service.
-fn prepare_vm_payload_service_socket() -> Result<OwnedFd> {
+///
+/// # Safety
+///
+/// The caller must ensure that this function is the only place that claims ownership
+/// of the file descriptor and it is called only once.
+unsafe fn prepare_vm_payload_service_socket() -> Result<OwnedFd> {
let raw_fd = android_get_control_socket(VM_PAYLOAD_SERVICE_SOCKET_NAME)?;
- Ok(take_fd_ownership(raw_fd)?)
+
+ // Creating OwnedFd for stdio FDs is not safe.
+ if [libc::STDIN_FILENO, libc::STDOUT_FILENO, libc::STDERR_FILENO].contains(&raw_fd) {
+ bail!("File descriptor {raw_fd} is standard I/O descriptor");
+ }
+ // SAFETY: Initializing OwnedFd for a RawFd created by the init.
+ // We checked that the integer value corresponds to a valid FD and that the caller
+ // ensures that this is the only place to claim its ownership.
+ Ok(unsafe { OwnedFd::from_raw_fd(raw_fd) })
}
fn is_strict_boot() -> bool {
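Review bot: The SAFETY comment before `OwnedFd::from_raw_fd(raw_fd)` overstates what was checked: the only check in this function is that `raw_fd` is not one of the three stdio descriptors, so "We checked that the integer value corresponds to a valid FD" is not established by the visible code. Validity of the descriptor rests on `android_get_control_socket` returning `Ok` only for a descriptor that init actually passed to this process, which is an assumption about that helper rather than something this function verifies. Suggested wording: `// SAFETY: raw_fd was returned by android_get_control_socket(), which we rely on to yield only a descriptor init handed to this process; the stdio descriptors are excluded above, and the caller guarantees (see # Safety) that ownership is claimed here exactly once.`. A further point of style: the stdio rejection message reads better as `bail!("File descriptor {raw_fd} is a standard I/O descriptor")`, and the comment above it could say why (wrapping a stdio fd in `OwnedFd` would close it on drop).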