commit 2a760959c48682245c1236219f2e0dbc1c0377a5
author Isaac J. Manjarres <isaacmanjarres@google.com> Thu Dec 26 18:14:24 2024 -0800
committer Isaac Manjarres <isaacmanjarres@google.com> Tue Jan 07 18:40:48 2025 -0800
tree 8b9d49473fc94a417b0ba6edfac7d9666ed13273
parent 0b62c771d67bae08659adb18b7fd0b9ef01d4abc

ashmem: Allow for restricting mapping permissions multiple times

The existing logic applies F_SEAL_SEAL when applying
F_SEAL_FUTURE_WRITE. This makes it so that no other seals can be applied
on a file.

This could be problematic in the future when executable mappings are
sealed through their own separate seal. For example, setting the buffer
to be mappable as RW would add the executable seal, and changing the
buffer to be mappable as RO would add the write seal. This would fail
if the first seal addition prevented any new seals from being added.

Therefore, only add seals when setting the protection mask for a buffer,
and do not prevent the addition of new seals.

Bug: 111903542
Change-Id: I1b765ba784991d5a3f4d1b866016cb17d3a33aaa
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>

libcutils/ashmem-dev.cpp

diff --git a/libcutils/ashmem-dev.cpp b/libcutils/ashmem-dev.cpp
index cebfa5d..6cb7986 100644
--- a/libcutils/ashmem-dev.cpp
+++ b/libcutils/ashmem-dev.cpp
@@ -390,8 +390,8 @@
     }
 
     /* We would only allow read-only for any future file operations */
-    if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE | F_SEAL_SEAL) == -1) {
-        ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE | F_SEAL_SEAL seal failed: %s\n",
+    if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE) == -1) {
+        ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE seal failed: %s\n",
               fd, prot, strerror(errno));
         return -1;
     }