Commit graph

169 commits

Author SHA1 Message Date
Treehugger Robot
a17427cb1e Merge "Convert fuse.c to C++." 2016-07-14 19:42:32 +00:00
Jorge Lucangeli Obes
c9e1710acc Use C++ logging in sdcard.cpp.
This gets rid of a bunch of "strerror(errno)" bits.
Will convert fuse.cpp after
https://android-review.googlesource.com/#/c/247780 lands.

Bug: 30110940

Change-Id: Iacefe5b6519b217ed687c709763fe5827b3b0b59
2016-07-14 10:06:34 -04:00
Jorge Lucangeli Obes
f08ba05581 Convert fuse.c to C++.
Fix string literals and cast void* appropriately. Alternatively, we
could switch some of the allocations to new/delete, but we would need
to make sure that none of those end up passed to other code that will
call free(3) on them.

Bug: 30110940
Change-Id: I6f39df65cd960930530e5a1f8420a28d50adc25d
2016-07-14 10:03:22 -04:00
Jorge Lucangeli Obes
dba909bd9e resolve merge conflicts of 1b9b273 to stage-aosp-master
Change-Id: I12a541cb698d1df866b8be4dc1e35cb99e6f1e64
2016-07-13 15:23:45 -04:00
Jorge Lucangeli Obes
c255f25ccb Extract the FUSE implementation from the main sdcard.c file.
sdcard.c is a *really* big file. This makes it hard to do things like
improving priv dropping or adding more sandboxing. Extract all
FUSE-related code to a separate unit, fuse.{h|c}, which exports only
two functions. Convert the rest of sdcard.c to C++ as sdcard.cpp.
fuse.c is kept as C (at least for now) since interacting with the FUSE
API is realistically easier from C.

Bug: 30110940

Change-Id: I188bfdc21c184742117e07539adb09090d4d747c
2016-07-13 10:57:29 -04:00
Nick Kralevich
478c557145 Merge "enable integer sanitizer for sdcard service" am: 532ab82e10
am: 2f67f4687b

* commit '2f67f4687b94bcead719d504ea4f77571ae84b3b':
  enable integer sanitizer for sdcard service

Change-Id: Ib54476445c01a1f5bd6234aec66c7019939a3858
2016-05-06 17:10:38 +00:00
Daniel Micay
83c0c7b2ab enable integer sanitizer for sdcard service
The previous false positive fix (df9c4a01) is enough to pass tests, and
it doesn't appear that there are any remaining issues.

Change-Id: Ib9812f1201ff0cd2ae8c8371737754fc328765b5
2016-05-05 16:03:32 -04:00
Daniel Rosenberg
d4f91171bd Add support for FUSE_CANONICAL_PATH
am: 2abee9e

* commit '2abee9e063d1549fb006853b27f378c7d22192af':
  Add support for FUSE_CANONICAL_PATH

Change-Id: I47a41bc0b5b3a013e59932cbf66ae6852e15b1c3
2016-04-26 23:05:23 +00:00
Treehugger Robot
e307f769f1 Merge "sdcard: avoid benign unsigned overflow" am: 64461c2
am: 182b310

* commit '182b310b1de5654a93c21417c77722897b93882d':
  sdcard: avoid benign unsigned overflow

Change-Id: I14e80911060bb609de5b91a4c56315cd701857f9
2016-04-26 17:19:46 +00:00
Daniel Micay
df9c4a0166 sdcard: avoid benign unsigned overflow
Change-Id: Id9427b4e01602bba31f8958b8d491b092b31482b
2016-04-26 12:08:46 -04:00
Daniel Rosenberg
2abee9e063 Add support for FUSE_CANONICAL_PATH
This allows inotify requests on FUSE to be alerted when any
other stacked filesystem would trigger an inotify for the
same file.

Bug: 23904372
Change-Id: I4289b38230c314432eaf2c0d20d4ccefc058f59e
2016-04-25 20:42:57 -07:00
Daniel Rosenberg
2a9dc6581f Merge "Fix overflow in path building" into nyc-dev
am: c414027

* commit 'c414027e927fa025877afd53b27886b6c3b19cfd':
  Fix overflow in path building

Change-Id: I6e2692539738d81055cc49a183a34261074e5e68
2016-04-13 18:39:06 +00:00
Daniel Rosenberg
db4638ee30 Fix overflow in path building
An incorrect size was causing an unsigned value
to wrap, causing it to write past the end of
the buffer.

Bug: 28085658
Change-Id: Ie9625c729cca024d514ba2880ff97209d435a165
2016-04-12 16:38:41 -07:00
Jeff Sharkey
0762e99064 Give users and devices control over sdcardfs.
am: 20ca983

* commit '20ca9836b9a780c41a22850f478a29f29677553e':
  Give users and devices control over sdcardfs.

Change-Id: I0144b346157952f79fdde5100f0fdc01daa58d9b
2016-04-07 18:05:28 +00:00
Jeff Sharkey
20ca9836b9 Give users and devices control over sdcardfs.
Instead of relying only on kernel support for sdcardfs, give each
device the ability to quickly toggle between sdcardfs and FUSE.  Also
add the ability for users to explicitly enable/disable the behavior
for testing and debugging purposes.

Bug: 27991427
Change-Id: Ie188cb044be2ad87166f2d43c32a1f6b97660de0
2016-04-07 11:05:22 -06:00
Daniel Rosenberg
298cb9a1e9 Merge "Revert "Revert "sdcard: Support sdcardfs""" into nyc-dev
am: 71f6b95

* commit '71f6b9569c2c707d061b96e48021b4be617e40a4':
  Revert "Revert "sdcard: Support sdcardfs""

Change-Id: I37880f88c21bec8a0dcd4ff8e93ea0986f0b8475
2016-03-31 22:47:30 +00:00
Daniel Rosenberg
3aa261c05a Revert "Revert "sdcard: Support sdcardfs""
Issue resolved by commit
6855c48093e109c92df39340a8355a3be2540b8e
"Skip mounting sdcardfs in core mode."

This reverts commit f8fccd2f5a.

Bug: 27932087
Change-Id: Ibdb72ad16a1e6c3a01edcb03d003c42de7a03cd6
2016-03-31 22:01:41 +00:00
Mark Salyzyn
35b004a56d Merge "Revert "sdcard: Support sdcardfs"" into nyc-dev
am: 6267d70

* commit '6267d70b2646e020c09439944bebc6aff1d7d652':
  Revert "sdcard: Support sdcardfs"

Change-Id: Iab8254f8cbbf54c29857dcf51911a208eab02115
2016-03-31 16:15:59 +00:00
Mark Salyzyn
f8fccd2f5a Revert "sdcard: Support sdcardfs"
This reverts commit 2bd0efa89c.

Bug: 27932087
Change-Id: Ie27f17c1f283514b90ce9da0c895b528d87e5f47
2016-03-31 16:03:22 +00:00
Daniel Rosenberg
65c8f0b9e6 Merge "sdcard: Support sdcardfs" into nyc-dev
am: a775e62

* commit 'a775e6269308db9c56a8b53b85e7bfbb739b2221':
  sdcard: Support sdcardfs
2016-03-17 22:02:23 +00:00
Daniel Rosenberg
2bd0efa89c sdcard: Support sdcardfs
Add ability to use sdcardfs if kernel support is found.
In the future, we will likely remove the fuse components
entirely, but for now, just use sdcardfs when possible.

Bug: 19160983
Change-Id: I35e4d6cb5976c00c6f87ff7fc478ba9f9d212c05
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2016-03-16 15:58:24 -07:00
Bill Yi
4409f1446c Merge commit '4352ee87fd74b931d4b58192fb8974e91aa899d0' into HEAD 2016-02-17 11:37:00 -08:00
Dimitry Ivanov
3042d6d040 Add dependency on liblog
Bug: http://b/27171986
Change-Id: I4af3b4b9f17972327b926ad9ee0d03672d1d4a64
2016-02-12 14:56:40 -08:00
Thierry Strudel
234a846ac8 Merge "[DO NOT MERGE] Use FUSE_SHORTCIRCUIT if available" into mnc-dr1.5-dev am: b84295d027
am: bbaa2b296a

* commit 'bbaa2b296ad836e9d6511549661884d94b53ccee':
  [DO NOT MERGE] Use FUSE_SHORTCIRCUIT if available
2016-01-14 00:52:50 +00:00
Thierry Strudel
ac5175f9a6 [DO NOT MERGE] Use FUSE_SHORTCIRCUIT if available
Use a not yet maintainer-reviewed kernel patch from QCOM that greatly
improves IO speed in case it is available from the device specific
kernel headers.

Bug: 24216004
Change-Id: I4101d80082c9ad9d042dde5c620ddb309d193d52
2016-01-13 15:11:35 -08:00
Jeff Sharkey
f7aad11c1c Re-derive permissions after package changes.
When packages change, existing package-specific directories may have
gained/lost a UID mapping, so we need to update the permissions for
any in-memory nodes.

This allows an app to deliver data for another package before that
package is installed, which is the typical pattern of how OBB files
are delivered.

Also fix bug by re-deriving permissions when files are moved.

Bug: 25399427
Change-Id: I06f38a24ad7dee5f5099ba81429aef03208e5683
2015-12-16 13:20:53 -07:00
Jeff Sharkey
22b912628e Re-derive permissions after package changes.
When packages change, existing package-specific directories may have
gained/lost a UID mapping, so we need to update the permissions for
any in-memory nodes.

This allows an app to deliver data for another package before that
package is installed, which is the typical pattern of how OBB files
are delivered.

Also fix bug by re-deriving permissions when files are moved.

Bug: 25399427
Change-Id: I06f38a24ad7dee5f5099ba81429aef03208e5683
2015-12-16 13:08:29 -07:00
Jeff Sharkey
fe76461944 Re-derive permissions after package changes.
When packages change, existing package-specific directories may have
gained/lost a UID mapping, so we need to update the permissions for
any in-memory nodes.

This allows an app to deliver data for another package before that
package is installed, which is the typical pattern of how OBB files
are delivered.

Also fix bug by re-deriving permissions when files are moved.

Bug: 25399427
Change-Id: I06f38a24ad7dee5f5099ba81429aef03208e5683
2015-12-14 15:38:24 -07:00
William Roberts
e509980542 sdcard: use libpackageparser
Switch from the internal packages.list file parser
implementation to a common parser library.

See Change-Id: I87a406802f95d8e7bfd8ee85f723f80e9e6b6c0c
for all of the details.

Change-Id: I98924dce406b322e0d402bca7fdac51f6a1e6a4b
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-10-22 22:52:35 +00:00
Jeff Sharkey
fdf1487493 resolved conflicts for merge of b9f438ff to mnc-dev-plus-aosp
Change-Id: I7103bacb1b2d7dc29b4f8d9dddb2fec1feb869d3
2015-08-06 12:52:25 -07:00
Jeff Sharkey
b9f438ff84 Protect runtime storage mount points.
We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.

This series of changes just bumps the directory hierarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.

Also add CTS tests to verify that we're protecting access to
internal mount points like this.

Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
2015-08-06 11:45:31 -07:00
Jeff Sharkey
e01761998b am d57125af: Merge "Give secondary users read-only physical cards." into mnc-dev
* commit 'd57125af1a81f34b162ecd5de81e6f1365aff588':
  Give secondary users read-only physical cards.
2015-07-29 04:04:33 +00:00
Elliott Hughes
b6bfa337e5 am 07bed194: am 87998c07: Merge "Move sdcard off PAGESIZE and onto PAGE_SIZE."
* commit '07bed1941f902c1d65a410e49d33882e0da7b5ed':
  Move sdcard off PAGESIZE and onto PAGE_SIZE.
2015-07-29 00:17:17 +00:00
Elliott Hughes
e24e9a5091 Move sdcard off PAGESIZE and onto PAGE_SIZE.
Only sdcard is using PAGESIZE, and glibc doesn't have it.

Bug: http://b/22735893
Change-Id: Ib8af14a2e99d98881a79f21ad1a695499c7d74bd
2015-07-28 16:36:47 -07:00
Jeff Sharkey
10a239b971 Give secondary users read-only physical cards.
Long ago, we mounted secondary physical cards as readable by all
users on the device, which enabled the use-case of loading media on
a card and viewing it from all users.

More recently, we started giving write access to these secondary
physical cards, but this created a one-directional channel for
communication across user boundaries; something that CDD disallows.

This change is designed to give us the best of both worlds: the
package-specific directories are writable for the user that mounted
the card, but access to those "Android" directories is blocked for
all other users.  Other users remain able to read content elsewhere
on the card.

Bug: 22787184
Change-Id: I4a04a1a857a65becf5fd37d775d927af022b40ca
2015-07-28 14:42:21 -07:00
Jeff Sharkey
ed2fe57c25 Use single tree for multiple storage views.
Instead of having each view build and maintain its own tree
representing the underlying storage, switch to building a single tree
that each view augments with GID/mode specific behavior.

This has the nice property of a single file always having the same
node ID when presented across multiple views, giving us a firm handle
that we can use to invalidate kernel caches.

Specifically, when a file is deleted through one view, we now tell
the kernel to invalidate that file in the other two views.

Bug: 22477678, 22375891
Change-Id: I3ff041d549d41040839cde9773504719a508219f
2015-07-16 15:30:45 -07:00
Mark Salyzyn
6b6c1bd996 Gracefully handle ENODEV in sdcard daemon (part deux)
reorder to handle errno correctly and remove log stutter

Bug: 22197797
Bug: 22241640
Change-Id: I81e6b2ff15b6ea6e5e780bd3599bf1019ff36f26
2015-07-06 13:46:49 -07:00
Jeff Sharkey
25aabb9ede Permission to view shared storage for all users.
Typical apps are restricted so they can only view shared storage
belonging to the user they're running as.  However, a handful of
system components need access to shared storage across all users,
such as DefaultContainerService and SystemUI.

Since WRITE_MEDIA_STORAGE already offers this functionality by
bypassing any FUSE emulation, reuse it to grant the "sdcard_rw" GID
which is no longer handed out to third-party apps.  Then we change
the FUSE daemon to allow the "sdcard_rw" GID to see shared storage
of all users.

Bug: 19995822
Change-Id: Id2fe846aefbf13fc050e9b00ddef120021e817f4
2015-07-06 10:54:53 -07:00
Jeff Sharkey
4a48581851 Gracefully handle ENODEV in sdcard daemon.
When someone force-unmounts our target endpoint, gracefully handle by
terminating, instead of looping on the same errno forever.

Bug: 22197797
Change-Id: I7e71632f69d47152ea78a94431c23ae69aba9b93
2015-06-30 16:02:52 -07:00
Jeff Sharkey
169944afdf Remove unused methods to fix build.
Change-Id: I6e1f85a7cc3428d558460737da3b3193d035b73e
2015-06-26 09:43:52 -07:00
Jeff Sharkey
f38f29c87d Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app.  This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that.  This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions.  When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

Bug: 21858077
Change-Id: I5a016f0958a92fd390c02b5ae159f8008bd4f4b7
2015-06-25 22:27:04 -07:00
Elliott Hughes
dac7f85d16 am 3d671000: am 28693983: am 1a39a994: Merge "Correct magic number on umount2"
* commit '3d671000c7268fcfcaf5445734b88428af26c294':
  Correct magic number on umount2
2015-04-24 04:01:13 +00:00
William Roberts
4555b69f26 Correct magic number on umount2
The umount2 call was using the magic constant 2, which
has a defined and proper macro in mount.h as MNT_DETATCH.

Change-Id: I4ca4a6d31cbf5495c545088e3d90a8894a9f912f
2015-04-24 01:13:35 +00:00
Elliott Hughes
c5f37661f9 am 03c0adab: am 6a99ff0a: am 3a4aedfc: Merge "sdcard: Properly handle deleted nodes"
* commit '03c0adab88fcb91393f934f213f953c1f23762d5':
  sdcard: Properly handle deleted nodes
2015-04-04 01:06:09 +00:00
Elliott Hughes
3a4aedfcd3 Merge "sdcard: Properly handle deleted nodes" 2015-04-04 00:27:46 +00:00
Elliott Hughes
bfe72ddb20 am d71b0943: am 2d4a347e: am fad9b3eb: Merge "sdcard: Turn on noatime for fuse mounted sdcard"
* commit 'd71b0943de271d308ec1aeb1fa834dd35fedee50':
  sdcard: Turn on noatime for fuse mounted sdcard
2015-04-02 02:59:56 +00:00
Elliott Hughes
fad9b3ebb8 Merge "sdcard: Turn on noatime for fuse mounted sdcard" 2015-04-02 02:05:42 +00:00
Jeff Sharkey
fc0004894a Progress towards dynamic storage support.
To support external storage devices that are dynamically added and
removed at runtime, we're changing /mnt and /storage to be tmpfs that
are managed by vold.

To support primary storage being inserted/ejected at runtime in a
multi-user environment, we can no longer bind-mount each user into
place.  Instead, we have a new /storage/self/primary symlink which
is resolved through /mnt/user/n/primary, and which vold updates at
runtime.

Fix small mode bugs in FUSE daemon so it can be safely mounted
visible to all users on device.

Bug: 19993667
Change-Id: I0ebf4d10aba03d73d9a6fa37d4d43766be8a173b
2015-03-30 19:48:38 -07:00
Jeff Sharkey
6c161fa7d8 Fix bug blocking access to secondary users.
Change-Id: I97ce510b6bc705488b9bea3340a72fb5449f8134
2015-03-24 11:53:10 -07:00
Jeff Sharkey
05edf7a5a9 Fix build, missed refactoring.
Change-Id: I17337133d8ca6a421e12c0834f42655f1a10197e
2015-03-23 20:05:32 -07:00
Jeff Sharkey
a140afe454 Add multi-user GIDs to SD card daemon.
This will eventually allow us to have a single unified filesystem
instead of requiring zygote to use bind mounts.

Change-Id: I1fc4ada4874698a00e7e0b8800617732e69348f0
2015-03-23 19:25:27 -07:00
Elliott Hughes
f184f54466 sdcard doesn't need to explicitly ask for libc!
Change-Id: I110063f39b02da979f97d29e9cb4f5b295de0311
2015-03-16 20:12:58 -07:00
Krzysztof Adamski
c5353126be sdcard: Properly handle deleted nodes
The sdcard fuse daemon is not properly handling deleted nodes that are
still in use (opened by some process). Typically Linux filesystems make
it possible to open a file, unlink it and then still use it. In case of a
storage emulated by sdcard daemon this does not work as expected - other
processes are not able to recreate file/dir with the same name until all
references to deleted file are closed.

The easiest way to trigger this problem is:

process1: mkdir /sdcard/test1; cd /sdcard/test1
process2: rm -r /sdcard/test1
process2: mkdir /sdcard/test1

After that, process2 will get an error:
mkdir failed for /sdcard/test1, Device or resource busy

There is exactly the same problem with files as directories.
This may cause issues for example with directories that are
automatically recreated when they are missing (like DCIM directory). If
some process holds file opened inside of such directory but that
directory is removed, process trying to recreate the directory will get
EBUSY error and possibly crash.

Verified on the Z Ultra GPE.

Change-Id: I1cbf0bec135e6aaafba0ce8e5bb594e3639e0007
2015-02-20 20:56:10 +00:00
Johan Redestig
55cc5e5217 sdcard: Turn on noatime for fuse mounted sdcard
This provides symmetry with /data and /cache that are
typically mounted with noatime.

Change-Id: I6fe1bead368b52632424b03b50d4081852824cdb
2015-01-25 12:30:37 +01:00
Narayan Kamath
5aadceb56f sdcard : inode numbers must be fully representable as uint32_t.
This works around a bug on 64 bit kernels + sdcard daemons
where we were using memory addresses as inode numbers.

bug: 19012244

(cherry picked from commit faa0935ffb)

Change-Id: Idbf9e285e507e702e04e7461a10153df68ef2322
2015-01-15 11:58:53 +00:00
Marco Nelissen
5eb431180b Merge "Allow updates for open file descriptors" 2014-12-10 18:50:08 +00:00
Marco Nelissen
a80f0986bb Allow updates for open file descriptors
even if the calling process itself would not be able to open the file.

Bug: 18688419

Change-Id: I640db19f19c1a677735fd0c14b7e2e38977d0f4d
2014-12-10 10:44:20 -08:00
Daisuke Okitsu
00690852b4 sdcard: mount sdcard with the noexec option
Vold mounts the sdcard with noexec, but the fuse daemon
mounts with exec, so it is still possible to execute
binaries:

  /dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,
  user_id=1023,group_id=1023,default_permissions,allow_other 0 0

  /dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,
  nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,
  dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,
  shortname=mixed,utf8,errors=remount-ro 0 0

With this change both vold and fuse mount with noexec.

Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
2014-11-24 09:52:14 +01:00
Daisuke Okitsu
19ec8860c1 Sdcard: Initialize the padding output value
Add initialization of the output value in handle_write.
This value is referred to in FUSE so initialization is
necessary.

See also handle_open and handle_opendir.

Change-Id: I6507f113da9f6823fbfa459624d6594fc20afa51
2014-11-13 10:51:07 +01:00
Elliott Hughes
f1df854e58 bionic's struct stat is now POSIX-compliant.
Right now we still have the kernel names, but they're only there by
"virtue" of macro namespace pollution, so I'd like to get rid of them.

Bug: 18298106
Change-Id: Ifed0b3a9238c79a99d8a2b62e0f5897c50a725d1
2014-11-10 11:03:38 -08:00
Christopher Ferris
9d859fee5e am f37bfb32: am 23aeeff5: Merge "Use the correct fuse_init_out structure size."
* commit 'f37bfb32eb82393d14e339684c9f508cea3b0ab4':
  Use the correct fuse_init_out structure size.
2014-09-16 19:42:53 +00:00
Christopher Ferris
ff649ea5ab Use the correct fuse_init_out structure size.
Kernel 2.6.16 is the first stable kernel with struct fuse_init_out
defined (fuse version 7.6). The structure is the same from 7.6 through
7.22. Beginning with 7.23, the structure increased in size and added
new parameters.

If the kernel only works on minor revs older than or equal to 22,
then use the older structure size since this code only uses the 7.22
version of the structure.

Change-Id: If2507a02ad674fcf02869a325221339ae1ace64d
2014-09-15 18:29:47 -07:00
Elliott Hughes
787a2cce94 am 33a5575a: am 39a8ade7: Merge "Fix sdcard truncates."
* commit '33a5575a585bdc4000be06f96554309b5d3471ff':
  Fix sdcard truncates.
2014-07-31 22:28:57 +00:00
Elliott Hughes
853574ddc7 Fix sdcard truncates.
Use truncate64 instead of truncate so we don't truncate (ho ho) the offset.

(cherrypick of 4568565e85bf2e1ea11b2e09d72e244088c05dbc.)

Bug: https://code.google.com/p/android/issues/detail?id=74039
Change-Id: I63711ccd299e3ebc475563b1999817d1919571ab
2014-07-31 12:20:14 -07:00
Nick Kralevich
504b4e9cc9 Merge "sdcard: ensure installd fs upgrade has completed" into lmp-dev 2014-07-24 22:43:15 +00:00
Nick Kralevich
8d28fa71fc sdcard: ensure installd fs upgrade has completed
Before running the sdcard daemon, make sure that installd has
completed all upgrades to /data that it needs to complete.
This avoids race conditions between installd and the sdcard daemon.

Maybe fixes bug 16329437.

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
2014-07-24 17:05:59 -07:00
Marcus Oakland
e43b99a074 Correction to TRACE format strings
When built with "#define FUSE_TRACE 1" numerous TRACE statements
failed to compile because of mismatches between format strings and
types (uint64_t and size_t). These have been corrected by using the
format strings from the inttype.h header file, or %zu.

Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>

(cherry picked from commit d33308752f)

Change-Id: I550b422a6b7c92ea903b4dd8f5e4aec5637cdf67
2014-07-24 11:51:54 -07:00
Nick Kralevich
506edb5f7c sdcard: ensure installd fs upgrade has completed
Before running the sdcard daemon, make sure that installd has
completed all upgrades to /data that it needs to complete.
This avoids race conditions between installd and the sdcard daemon.

Maybe fixes bug 16329437.

(cherrypicked from commit 8d28fa71fc)

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
2014-07-25 09:44:29 -07:00
Marcus Oakland
d33308752f Correction to TRACE format strings
When built with "#define FUSE_TRACE 1" numerous TRACE statements
failed to compile because of mismatches between format strings and
types (uint64_t and size_t). These have been corrected by using the
format strings from the inttype.h header file, or %zu.

Change-Id: I36cd6f8da0790f1218d7dbaaa5b3bbfa4df7fdee
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
2014-07-24 11:30:19 -07:00
Elliott Hughes
6ebab06dc4 am f043f061: am 060b6ecb: am 6e141aea: Merge "Fix sdcard's FUSE_FSYNCDIR handling."
* commit 'f043f061295a787aca42186fe9ab87c24d393b92':
  Fix sdcard's FUSE_FSYNCDIR handling.
2014-07-09 12:16:46 +00:00
Elliott Hughes
40372e5b4e am 94645665: am f8acdcbe: am 75b7171f: Merge "Make sdcard log to the log rather than stderr."
* commit '9464566580559b7353e6e2c898da79ffbbf993aa':
  Make sdcard log to the log rather than stderr.
2014-07-09 12:16:41 +00:00
Elliott Hughes
300d564980 Make sdcard log to the log rather than stderr.
Change-Id: I9c78941184c5e364055bfac766e1e542d3c23c87
2014-07-08 13:53:26 -07:00
Elliott Hughes
f6d6737529 Fix sdcard's FUSE_FSYNCDIR handling.
For a file the FUSE fh is a struct handle containing an int fd;
for a directory it's a struct dirhandle containing a DIR*. Fix
handle_fsync to extract the file descriptor appropriately in
both cases.

Bug: 14613980
Change-Id: I45515cff6638e27a99b849e6fc639d355dbb4d27
2014-07-08 14:38:26 -07:00
Jeff Sharkey
40f321ab49 am 2e7d80d1: Per-app media directories on external storage.
* commit '2e7d80d10acf95076dfb1f2727455432091de65f':
  Per-app media directories on external storage.
2014-05-30 23:48:00 +00:00
Jeff Sharkey
2e7d80d10a Per-app media directories on external storage.
This change defines per-app directories on external storage that
will be scanned and included in MediaStore.  This gives apps a way
to write content to secondary shared storage in a way that can
easily be surfaced to other apps.

Bug: 14382377
Change-Id: I6f03d8076a9391d8b9eb8421ec3fc93669b3ba0d
2014-05-30 16:28:49 -07:00
Mark Salyzyn
676ffd54cb sdcard: Turn on -Werror
Change-Id: I40fce5a69a898e79542aa7688d077ff7bc40ed4f
2014-05-21 12:58:38 -07:00
Elliott Hughes
60281d556d Use bionic's <linux/fuse.h>.
No need for an out-of-date copy of a uapi header.

Change-Id: Iec68c6ceb2bceca1ceef0c57e0b45a89a139e292
2014-05-07 14:39:58 -07:00
Daisuke Okitsu
b2831a2db9 Handle FUSE_FSYNCDIR as FUSE_FSYNC
There have been issues with sdcard data corruption even after
successfully calling fsync for /sdcard. This is caused by
the sdcard daemon doing nothing in this case.

Change-Id: I48149ceabdac79ac535b35c2598bb1fbb5410883
2014-02-19 20:33:50 +00:00
Arpad Horvath
49e9344bdd sdcard: direct I/O file access write buffer alignment
It is not enough to align the read buffer only, because
consequent writes might still fail with EINVAL. The write
buffer should be also aligned according to the write(2)
manual page.

Change-Id: I7547dec5208732c56f4466c1b0c88f36dabacf5b
2014-02-18 10:18:25 +01:00
Arpad Horvath
80b435a3f3 sdcard: direct I/O file access fix
If a file is opened in direct I/O mode (with O_DIRECT flag),
the read buffer address must be aligned to memory page size
boundary. The Direct I/O is not needed for normal files,
however, some special hardware access (e.g. smart SD cards)
will not work without it.

Change-Id: I42babeee86dba1880fd23e2592fddd7060da3e20
2014-02-14 16:50:27 -08:00
Elliott Hughes
5d9fe779c8 system/core LP64 cleanup.
Fixes -Wint-to-pointer and -Wpointer-to-int warnings, plus various -Wformat
warnings.

Change-Id: I6c5eea6b4273d82d28b8e5d2925f3e5457511b17
2014-02-05 18:02:11 -08:00
Jeff Sharkey
e93a0517f4 Set GID required to write, media_rw mount point.
Add sdcard FUSE daemon flag to specify the GID required for a package
to have write access.  Normally sdcard_rw, but it will be media_rw
for secondary external storage devices, so DefaultContainerService
can still clean up package directories after uninstall.

Create /mnt/media_rw which is where vold will mount raw secondary
external storage devices before wrapping them in a FUSE instance.

Bug: 10330128, 10330229
Change-Id: I4385c36fd9035cdf56892aaf7b36ef4b81f4418a
2013-10-08 12:56:37 -07:00
Jeff Sharkey
44d6342caa Remove mkdir() side effect, add .nomedia, utils.
Before this change, FUSE lookup() would have the side effect of
creating the directory on behalf of apps.  This resulted in most
directories being created just by Settings trying to measure disk
space.  Instead, we're switching to have vold do directory creation
when an app doesn't have enough permissions.

Create fs_mkdirs() utility to create all parent directories in a
path as needed.  Allow traversal (+x) into /storage directories.

Fix FUSE derived permissions to be case insensitive.  Mark well-known
directories as .nomedia when created.

Bug: 10577808, 10330221
Change-Id: I53114f2e63ffbe6de4ba6a72d94a232523231cad
2013-09-20 14:21:09 -07:00
Jeff Sharkey
39ff0ae0f6 Only check caller when deriving permissions.
Bug: 10547597
Change-Id: Ied909f9047c2567e93dde0f4658d6e4b9ff161ab
2013-08-30 13:58:13 -07:00
Jeff Sharkey
aa04e818a4 Fix recursive locking bug.
handle_rename() would end up acquiring the lock twice.  Change to
always derive has_rw inside earlier locks (instead of acquiring a
second time), and pass the value into check_caller_access_to_name().

Bug: 10547597
Change-Id: If5744d6d226a4785676c19d0f7fdf1c05060ed76
2013-08-30 10:28:21 -07:00
Ken Sumrall
57d4b4ea6f Merge "Fix handle_opendir() in the sdcard daemon" into klp-dev 2013-08-15 03:28:31 +00:00
Ken Sumrall
3a8768804c Fix handle_opendir() in the sdcard daemon
The fuse_open_out structure returned to the kernel by handle_opendir()
was not properly initializing all the fields.  The symptom was recursive
ls (ls -R) failing on the emulated sdcard filesystem, because rewinddir(3)
was failing with ESPIPE.

Bug: 7168594
Change-Id: I56ddfd3453e6aac34fe6e001e88c4c46fb2eb271
2013-08-14 20:02:13 -07:00
Jeff Sharkey
977a9f3b1a Add legacy layout support to FUSE, enforce write.
The legacy internal layout places users at the top-level of the
filesystem, so handle with new PERM_LEGACY_PRE_ROOT when requested.

Mirror single OBB directory between all users without requiring fancy
bind mounts by letting a node graft in another part of the
underlying tree.

Move to everything having "sdcard_r" GID by default, and verify that
calling apps hold "sdcard_rw" when performing mutations. Determines
app group membership from new packages.list column.

Flag to optionally enable sdcard_pics/sdcard_av permissions
splitting. Flag to supply a default GID for all files. Ignore
attempts to access security sensitive files. Fix run-as to check for
new "package_info" GID.

Change-Id: Id5f3680779109141c65fb8fa1daf56597f49ea0d
2013-08-14 12:01:38 -07:00
Jeff Sharkey
dfe0cbab3f Richer SD card permissions through FUSE.
Changes the FUSE daemon to synthesize an Android-specific set of
filesystem permissions, even when the underlying media storage is
permissionless.  This is designed to support several features:

First, apps can access their own files in /Android/data/com.example/
without requiring any external storage permissions.  This is enabled
by allowing o+x on parent directories, and assigning the UID owner
based on the directory name (package name).  The mapping from package
to appId is parsed from packages.list, which is updated when apps are
added/removed.  Changes are observed through inotify.  It creates
missing package name directories when requested and valid.

Second, support for separate permissions for photos and audio/video
content on the device through new GIDs which are assigned based on
top-level directory names.

Finally, support for multi-user separation on the same physical media
through new /Android/user/ directory, which will be bind-mounted
into place.  It recursively applies the above rules to each secondary
user.

rwxrwx--x root:sdcard_rw     /
rwxrwx--- root:sdcard_pics   /Pictures
rwxrwx--- root:sdcard_av     /Music

rwxrwx--x root:sdcard_rw     /Android
rwxrwx--x root:sdcard_rw     /Android/data
rwxrwx--- u0_a12:sdcard_rw   /Android/data/com.example
rwxrwx--x root:sdcard_rw     /Android/obb/
rwxrwx--- u0_a12:sdcard_rw   /Android/obb/com.example

rwxrwx--- root:sdcard_all    /Android/user
rwxrwx--x root:sdcard_rw     /Android/user/10
rwxrwx--- u10_a12:sdcard_rw  /Android/user/10/Android/data/com.example

These derived permissions are disabled by default.  Switched option
parsing to getopt().

Change-Id: I21bf5d79d13f0f07a6a116122b16395f4f97505b
2013-08-08 17:26:41 -07:00
Ken Sumrall
2fd72cc221 Raise the max file open limit in sdcard
The default is 1024 files, and in some testing, the limit has been
hit.  This raises the limit to 8192.  Going higher starts to cause
performance issues (I started to notice that around 16K open files
in my testing) as sdcard does linear searches.  If a higher max
is needed, then the sdcard daemon will need some optimizations.

Bug: 7442187

Change-Id: I7aba7f4556ed70651f36244294a6756f3d6b8963
2013-02-11 15:42:22 -08:00
Jean-Baptiste Queru
e92372ba9e resolved conflicts for merge of 2237ca4c to jb-mr1-dev
Change-Id: I04982ff2b092274b940a621b238c2246349aa85e
2012-08-15 10:01:12 -07:00
Edwin Vane
29bdc876e4 Fixing signed/unsigned comparison warnings
Clang turned up some signed/unsigned comparison warnings. These warnings
have been fixed by cleaning up sdcard slightly:
- Don't use negative numbers for invalid gid/uid.
- sdcard takes a fixed number of arguments now so assert on that instead
  of using a for loop.
  - Also fixed usage string to reflect this fact.

Change-Id: Iee58a8e9aaedb3d40ad7dfeef63d8cd1fe1cd248
Author: Edwin Vane <edwin.vane@intel.com>
Reviewed-by: Kevin P Schoedel <kevin.p.schoedel@intel.com>
2012-08-14 13:16:55 -04:00
Jeff Sharkey
e169bd05ec Source and destination paths for sdcard.
Enables init.rc to provide both paths, instead of hard-coding the
destination.

Bug: 6925012
Change-Id: I666cde710baad965b98619b68fcbcbb104973da3
2012-08-13 16:58:39 -07:00
Jeff Brown
6249b9009f Make sdcard daemon multi-threaded.
The essential idea here is that a handler thread only needs to
hold a lock on the global node table while it is manipulating
nodes.  The actual I/O operation is then performed without
holding any locks.

By default, we use 2 threads but this can be configured on the
command-line.  Work is scheduled somewhat arbitrarily by the
handler threads.  Whichever thread happens to read() the next
request first wins the right to process it.  This policy is very
simple but potentially wastes threads when there isn't much
work to be done.  We can always improve this later if needed.

Change-Id: Id27a27c2c9b40d4f8e35a6bef9dd84f0dfacf337
2012-06-04 13:15:04 -07:00
Jeff Brown
fc1e1a0ab4 Refactor request opcode handlers.
This is mostly a structural change.  The handlers have been moved
into individual functions, which will help with upcoming changes.

Change-Id: I774739d859e177d6b5d4186d2771444166b734fa
2012-06-04 13:14:16 -07:00
Jeff Brown
7729d2450f Move buffers into a handler structure.
Also use PATH_MAX instead of PATH_BUFFER to determine the
maximum path length.

Change-Id: Ic78f731d339a2a97766d29d222dd27cac4e620ce
2012-06-04 13:14:04 -07:00
Jeff Brown
6fd921ae03 Implement FUSE_FSYNC request.
This request is needed for application correctness, without which
data corruption may result.

Bug: 6488845
Change-Id: I3d676c2e40f6e6b37d5d270c7cb40f1bf8c1fa47
2012-06-04 13:13:57 -07:00
Jeff Brown
847158476c More code cleanup.
Use constants to specify MAX_READ and MAX_WRITE buffer sizes and
use that to determine the size of the buffers that we need.

Be more careful about how the request header and data payload are
extracted.  For example, the old code did len -= hdr->len, but
since len == hdr->len, this value was always 0.  It turns out we
didn't use len thereafter, but we might want to for sanity checking
incoming requests.

Use const to make it clearer what data is coming out of the request.

Removed spurious error reply from FUSE_WRITE.  It serves no purpose
and is ignored by the kernel.

Bug: 6488845
Change-Id: Ia328532979868f0aaea43744a49662f2f4511bfe
2012-06-04 13:13:48 -07:00
Jeff Brown
2656735f51 Code cleanup.
Removed references to unsupported command-line arguments.

Fixed compiler warnings.

Bug: 6488845
Change-Id: I50cb865609ea0fa5824ae2741b831cd886033055
2012-06-04 13:13:39 -07:00
Sundar Raman
e5d32128b0 sdcard: use FUSE_BIG_WRITES for FUSE writes
Slightly optimizes the writes used by sdcard to increase
throughput and decrease cpu load. Update the read
size to 256 x 1024 + 128 from current 8192 bytes since
writes can go as high as that.

Change-Id: I3bad425f31d4aa6f44f546e3d31439fd5bdca9ea
Signed-off-by: Sundar Raman <sunds@ti.com>
2012-05-01 15:28:05 -07:00