installer: improve EFI system partition mount in postinst

The boot partition gets mounted on reven during postinst to install or
update the legacy and UEFI bootloaders. Update this code to set the
nodev, noexec, and nosuid flags to improve security. Also update the
code to use the mount and umount syscalls directly instead of invoking
/bin/mount and /bin/umount.

BUG=b:235873557
TEST=cros_workon_make --install --test chromeos-installer
TEST=build_image --board=reven
TEST=Run reven installer, verify it boots in both legacy and UEFI modes

Change-Id: Icd7c4e700999d02ba12faf79fd5eedf424d34ffc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3702667
Commit-Queue: Nicholas Bishop <nicholasbishop@google.com>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Nicholas Bishop <nicholasbishop@google.com>
(cherry picked from commit 9b117f88ca3c79e07ac52ea5dd730823b94775e6)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3721276
Auto-Submit: Nicholas Bishop <nicholasbishop@google.com>
diff --git a/installer/chromeos_postinst.cc b/installer/chromeos_postinst.cc
index a8eb4ff..ff08ab6 100644
--- a/installer/chromeos_postinst.cc
+++ b/installer/chromeos_postinst.cc
@@ -5,6 +5,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -512,8 +513,14 @@
     return false;
   }
 
-  if (RunCommand({"/bin/mount", install_config.boot.device(),
-                  install_config.boot.mount()}) != 0) {
+  // Mount the EFI system partition.
+  LOG(INFO) << "mount " << install_config.boot.device() << " to "
+            << install_config.boot.mount();
+  if (mount(install_config.boot.device().c_str(),
+            install_config.boot.mount().c_str(), "vfat",
+            MS_NODEV | MS_NOEXEC | MS_NOSUID, nullptr) != 0) {
+    PLOG(ERROR) << "Failed to mount " << install_config.boot.device() << " to "
+                << install_config.boot.mount();
     return false;
   }
 
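Review bot: The filesystem type passed to mount() is now fixed at "vfat", where /bin/mount would have probed the type, and the one-line comment above the call does not say this is intentional. Pinning the type looks like the safer behaviour for a partition whose contents the installer does not control, since the kernel is not asked to try other filesystem drivers on it. I would expand the comment to record both decisions: `// Mount the ESP as vfat only (no type probing), with nodev/noexec/nosuid so nothing on it is used as a device node, executed, or honored as setuid.` The enclosing function starts and ends outside this hunk.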
@@ -574,8 +581,12 @@
       break;
   }
 
-  if (RunCommand({"/bin/umount", install_config.boot.device()}) != 0)
+  // Unmount the EFI system partition.
+  LOG(INFO) << "umount " << install_config.boot.mount();
+  if (umount(install_config.boot.mount().c_str()) != 0) {
+    PLOG(ERROR) << "Failed to unmount " << install_config.boot.mount();
     success = false;
+  }
 
   return success;
 }
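Review bot: When umount() fails here the only effect is `success = false`, so the ESP stays mounted at install_config.boot.mount() after the function returns, and the comment does not say whether that is accepted. umount() on a mount point typically fails with EBUSY while something still holds a file open under it. The code between the mount and this call is outside the hunk, so whether that can happen cannot be confirmed from here. I would extend the comment to `// Unmount the ESP. On failure it stays mounted (still nodev/noexec/nosuid); log the errno and return failure rather than retrying.` The function's beginning is outside this hunk.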