Android's vold's incremental-fs APIs trust paths from system_server for mounting. There is supposed to be privilege separation between vold (TCB) and system_server (privileged process). However, vold's IPC handlers related to incremental-fs (mountIncFs, unmountIncFs, bindMount) allow system_server to specify semi-arbitrary paths, allowing system_server to trigger mounting on directories that shouldn't be under system_server control. Continue reading...
