Skip to content

Mount tmpfs as private#864

Merged
Admirepowered merged 1 commit intobmax121:mainfrom
JingMatrix:mount
Dec 31, 2024
Merged

Mount tmpfs as private#864
Admirepowered merged 1 commit intobmax121:mainfrom
JingMatrix:mount

Conversation

@JingMatrix
Copy link
Contributor

A shared mount point will create a new mounting peer group. It results in a new detection point, because after unmounting these mount points, gaps will appear in peer group IDs. One can check these gaps by the command

cat /proc/self/mountinfo | grep -Eo "master:.." | cut -d':' -f2 | sort | uniq

In Holmes V1.5.1, the above detection point is named as Evil Modification (04).

A shared mount point will create a new mounting peer group.
It results in a new detection point, because after unmounting these mount points, gaps will appear in peer group IDs.
One can check these gaps by the command
```
cat /proc/self/mountinfo | grep -Eo "master:.." | cut -d':' -f2 | sort | uniq
```

In Holmes V1.5.1, the above detection point is named as Evil Modification (04).
@Admirepowered
Copy link
Collaborator

if it some modules want use tempfs,it will work proper or not?

@JingMatrix
Copy link
Contributor Author

Yes, it will work properly.

A mount point being shared or private only affects the behavior of its devried mounting namespace created by unshare or clone system calls with parameter CLONE_NEWNS.
The Linux doc has given nice examples to help people understand it: mount namespace.

In Android, the most known call of unshare happens at Zygote process, before app specialization. Most Zygisk implementation will choose to clean mounting namespaces at this point, see this paragraph as an example: https://github.com/JingMatrix/NeoZygisk/blob/3496703fdd46bedd260b10edc48b709600d19b2d/loader/src/injector/hook.cpp#L102-L118

In root implementations, including APatch, /debug_ramdisk only serves a working directory, no unshare or clone calls are involved. And no worries, a mounting point being private won't change its access permission for other processes.

Moreover, you can find in the codebase of APatch that almost all mounting points are set to be private, which is the correct way to avoid detections after unmount.

@Admirepowered Admirepowered merged commit b2f3477 into bmax121:main Dec 31, 2024
1 check passed
@aviraxp
Copy link
Contributor

aviraxp commented Jan 26, 2025

Won't this cause unmonting /debug_ramdisk in global namespace not propagated to other mountspaces? That is a behaviour change.

@JingMatrix

This comment was marked as outdated.

@JingMatrix
Copy link
Contributor Author

JingMatrix commented Jan 26, 2025

There might be an ambiguity in your question, hence I should make it clearer. By unmonting /debug_ramdisk, if you meant

  1. unmounting the very mount point /debug_ramdisk, then this mount point is unmounted for every namespace;
  2. unmounting mount points inside the directory /debug_ramdisk, then these unmounting events were propagated before this commit for namespace derived from it, and not now.

Regarding this problem, please keep in mind that there were not that many unshare calls in APatch or Zygote.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants