We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.
This series of changes just bumps the directory hierarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.
Also add CTS tests to verify that we're protecting access to
internal mount points like this.
Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
Long ago, we mounted secondary physical cards as readable by all
users on the device, which enabled the use-case of loading media on
a card and viewing it from all users.
More recently, we started giving write access to these secondary
physical cards, but this created a one-directional channel for
communication across user boundaries; something that CDD disallows.
This change is designed to give us the best of both worlds: the
package-specific directories are writable for the user that mounted
the card, but access to those "Android" directories is blocked for
all other users. Other users remain able to read content elsewhere
on the card.
Bug: 22787184
Change-Id: I4a04a1a857a65becf5fd37d775d927af022b40ca
Instead of having each view build and maintain its own tree
representing the underlying storage, switch to building a single tree
that each view augments with GID/mode specific behavior.
This has the nice property of a single file always having the same
node ID when presented across multiple views, giving us a firm handle
that we can use to invalidate kernel caches.
Specifically, when a file is deleted through one view, we now tell
the kernel to invalidate that file in the other two views.
Bug: 22477678, 22375891
Change-Id: I3ff041d549d41040839cde9773504719a508219f
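The invalidation mechanism the message above relies on (one node ID valid in every view, so a delete seen through one view can be pushed to the kernel for the others) can be shown with the FUSE_NOTIFY_DELETE message. The block below is an added example, not code from the sdcard daemon: it serializes the notification (struct layouts mirror linux/fuse.h and are copied in so it builds without kernel headers) and writes it to the other two views' /dev/fuse descriptors. The pipe in main() and the node IDs are stand-ins for the real descriptors and node table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Wire layouts mirroring <linux/fuse.h>; copied here so the example is
 * self-contained. For unsolicited notifications, `error` carries the
 * notify code and `unique` is 0. */
struct fuse_out_header {
    uint32_t len;
    int32_t  error;
    uint64_t unique;
};

struct fuse_notify_delete_out {
    uint64_t parent;   /* nodeid of the containing directory */
    uint64_t child;    /* nodeid of the entry that was removed */
    uint32_t namelen;
    uint32_t padding;
};

#define FUSE_NOTIFY_DELETE 6
#define NOTIFY_MAX 512

/* Serialize a FUSE_NOTIFY_DELETE message into buf. The kernel expects the
 * name to be NUL-terminated and the header length to include that NUL.
 * Returns the number of bytes written, or 0 if the name does not fit. */
size_t build_notify_delete(uint8_t *buf, size_t bufsz,
                           uint64_t parent, uint64_t child, const char *name)
{
    struct fuse_out_header hdr;
    struct fuse_notify_delete_out body;
    size_t namelen = strlen(name);
    size_t total = sizeof(hdr) + sizeof(body) + namelen + 1;
    if (total > bufsz) return 0;

    memset(&hdr, 0, sizeof(hdr));
    hdr.len = (uint32_t)total;
    hdr.error = FUSE_NOTIFY_DELETE;
    hdr.unique = 0;

    memset(&body, 0, sizeof(body));
    body.parent = parent;
    body.child = child;
    body.namelen = (uint32_t)namelen;

    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), &body, sizeof(body));
    memcpy(buf + sizeof(hdr) + sizeof(body), name, namelen + 1);
    return total;
}

/* One backing tree, three views. After a delete was processed through
 * view_fds[deleted_via], push the same (parent, child) node IDs to the
 * other two views so the kernel drops its cached dentry there as well.
 * Returns the number of views notified, or -1 on a build or write error. */
int notify_other_views(const int view_fds[3], int deleted_via,
                       uint64_t parent, uint64_t child, const char *name)
{
    uint8_t buf[NOTIFY_MAX];
    size_t n = build_notify_delete(buf, sizeof(buf), parent, child, name);
    if (n == 0) return -1;
    int sent = 0;
    for (int i = 0; i < 3; i++) {
        if (i == deleted_via) continue;
        if (write(view_fds[i], buf, n) != (ssize_t)n) return -1;
        sent++;
    }
    return sent;
}

int main(void)
{
    int p[2];
    if (pipe(p) != 0) return 1;
    /* Constructed stand-in for the three /dev/fuse descriptors. */
    int fds[3] = { p[1], p[1], p[1] };
    int sent = notify_other_views(fds, 0, 1, 42, "photo.jpg");
    printf("notified %d other views\n", sent);
    return sent == 2 ? 0 : 1;
}
```

Because every view sees the same node ID for a given backing file, the same (parent, child) pair is valid on all three descriptors; with per-view trees the daemon would first have to look up the equivalent node in each view.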
Typical apps are restricted so they can only view shared storage
belonging to the user they're running as. However, a handful of
system components need access to shared storage across all users,
such as DefaultContainerService and SystemUI.
Since WRITE_MEDIA_STORAGE already offers this functionality by
bypassing any FUSE emulation, reuse it to grant the "sdcard_rw" GID
which is no longer handed out to third-party apps. Then we change
the FUSE daemon to allow the "sdcard_rw" GID to see shared storage
of all users.
Bug: 19995822
Change-Id: Id2fe846aefbf13fc050e9b00ddef120021e817f4
When someone force-unmounts our target endpoint, gracefully handle by
terminating, instead of looping on the same errno forever.
Bug: 22197797
Change-Id: I7e71632f69d47152ea78a94431c23ae69aba9b93
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: I5a016f0958a92fd390c02b5ae159f8008bd4f4b7
The umount2 call was using the magic constant 2, which
has a defined and proper macro in mount.h as MNT_DETACH.
Change-Id: I4ca4a6d31cbf5495c545088e3d90a8894a9f912f
To support external storage devices that are dynamically added and
removed at runtime, we're changing /mnt and /storage to be tmpfs that
are managed by vold.
To support primary storage being inserted/ejected at runtime in a
multi-user environment, we can no longer bind-mount each user into
place. Instead, we have a new /storage/self/primary symlink which
is resolved through /mnt/user/n/primary, and which vold updates at
runtime.
Fix small mode bugs in FUSE daemon so it can be safely mounted
visible to all users on device.
Bug: 19993667
Change-Id: I0ebf4d10aba03d73d9a6fa37d4d43766be8a173b
This will eventually allow us to have a single unified filesystem
instead of requiring zygote to use bind mounts.
Change-Id: I1fc4ada4874698a00e7e0b8800617732e69348f0
The sdcard fuse daemon is not properly handling deleted nodes that are
still in use (opened by some process). Typically Linux filesystems make
it possible to open a file, unlink it and then still use it. In case of a
storage emulated by sdcard daemon this does not work as expected - other
processes are not able to recreate file/dir with the same name until all
references to deleted file are closed.
The easiest way to trigger this problem is:
process1: mkdir /sdcard/test1; cd /sdcard/test1
process2: rm -r /sdcard/test1
process2: mkdir /sdcard/test1
After that, process2 will get an error:
mkdir failed for /sdcard/test1, Device or resource busy
There is exactly the same problem with files as directories.
This may cause issues for example with directories that are
automatically recreated when they are missing (like DCIM directory). If
some process holds file opened inside of such directory but that
directory is removed, process trying to recreate the directory will get
EBUSY error and possibly crash.
Verified on the Z Ultra GPE.
Change-Id: I1cbf0bec135e6aaafba0ce8e5bb594e3639e0007
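The shell reproduction above can be turned into a regression check that runs on any mounted filesystem. The block below is an added example, not code from the sdcard project: each function plays both processes from the message, holding a reference to a directory or file, removing it, and recreating the same name. On a POSIX-behaving filesystem both return 0; on the daemon described above the recreate step would report EBUSY, which is what the function returns. The scratch directory under /tmp is a constructed location for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* process1 keeps a directory open; process2 removes and recreates it.
 * Returns 0 if the recreate succeeds, otherwise the errno it failed with. */
int recreate_dir_while_open(const char *base)
{
    char path[1024];
    snprintf(path, sizeof path, "%s/test1", base);
    if (mkdir(path, 0700) != 0) return errno;

    DIR *held = opendir(path);                  /* process1: holds a reference */
    if (!held) return errno;
    if (rmdir(path) != 0) {                     /* process2: rm -r */
        int e = errno; closedir(held); return e;
    }
    int rc = (mkdir(path, 0700) == 0) ? 0 : errno;   /* process2: mkdir again */
    closedir(held);
    rmdir(path);                                /* clean up on the success path */
    return rc;
}

/* Same shape for a regular file: open, unlink, recreate the same name, and
 * confirm the unlinked inode is still readable through the old descriptor. */
int recreate_file_while_open(const char *base)
{
    char path[1024], buf[8];
    snprintf(path, sizeof path, "%s/test1.bin", base);
    int held = open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
    if (held < 0) return errno;
    if (write(held, "hello", 5) != 5) {
        int e = errno; close(held); unlink(path); return e;
    }
    if (unlink(path) != 0) { int e = errno; close(held); return e; }

    int fresh = open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
    int rc = (fresh < 0) ? errno : 0;
    /* The old descriptor must keep working after the unlink. */
    if (rc == 0 && (pread(held, buf, 5, 0) != 5 || memcmp(buf, "hello", 5) != 0))
        rc = EIO;
    if (fresh >= 0) { close(fresh); unlink(path); }
    close(held);
    return rc;
}

int main(void)
{
    char tmpl[] = "/tmp/sdcard-ebusy-XXXXXX";   /* constructed scratch location */
    const char *base = mkdtemp(tmpl);
    if (!base) { perror("mkdtemp"); return 1; }
    int d = recreate_dir_while_open(base);
    int f = recreate_file_while_open(base);
    printf("dir:  %s\nfile: %s\n", d ? strerror(d) : "ok", f ? strerror(f) : "ok");
    rmdir(base);
    return (d || f) ? 1 : 0;
}
```

Point `base` at a directory on the emulated storage (for example under /sdcard on a device) to exercise the daemon itself; the DCIM case from the message is the same sequence with a file held open inside the directory being removed.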
This works around a bug on 64 bit kernels + sdcard daemons
where we were using memory addresses as inode numbers.
bug: 19012244
(cherry picked from commit faa0935ffb)
Change-Id: Idbf9e285e507e702e04e7461a10153df68ef2322
This works around a bug on 64 bit kernels + sdcard daemons
where we were using memory addresses as inode numbers.
bug: 19012244
Change-Id: Ia63c5b33b4212bf03ff92fa2faff0bb76e48791c
Vold mounts the sdcard with noexec, but the fuse daemon
mounts with exec, so it is still possible to execute
binaries:
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,
user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,
nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,
dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,
shortname=mixed,utf8,errors=remount-ro 0 0
With this change both vold and fuse mounts with noexec.
(cherry picked from commit f777d6694eecf6e61d9859df2090199863050017)
Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
Vold mounts the sdcard with noexec, but the fuse daemon
mounts with exec, so it is still possible to execute
binaries:
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,
user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,
nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,
dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,
shortname=mixed,utf8,errors=remount-ro 0 0
With this change both vold and fuse mounts with noexec.
Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
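The mismatch in both copies of the message above (the vfat backing mount carries noexec, the FUSE mount exposing it does not) is the kind of thing worth checking mechanically on a device. The block below is an added example, not code from vold or the sdcard daemon: it parses /proc/mounts-format lines and reports any mount under the given prefixes that lacks noexec. The sample text is constructed from the two mount lines quoted in the message (rejoined onto single lines) plus one unrelated tmpfs line; the prefixes /storage/ and /mnt/media_rw/ are the ones the message's lines use.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /proc/mounts format, from the lines quoted in the
 * commit message, plus one line outside the prefixes of interest. */
static const char *SAMPLE_MOUNTS =
    "/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,"
    "user_id=1023,group_id=1023,default_permissions,allow_other 0 0\n"
    "/dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,"
    "nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,"
    "dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,"
    "shortname=mixed,utf8,errors=remount-ro 0 0\n"
    "tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0\n";

/* Returns 1 if the comma-separated option list contains `opt` as a whole
 * token (so "noexec" does not match "noexecute" or "x-noexec=1"). */
int has_mount_option(const char *opts, const char *opt)
{
    size_t n = strlen(opt);
    const char *p = opts;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, opt, n) == 0) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Scan mounts text (fields: device mountpoint fstype options dump pass;
 * the kernel escapes spaces in paths as \040, so whitespace splitting is
 * safe). Every mount whose mountpoint starts with one of `prefixes` and
 * lacks noexec is appended to `out`, newline-separated. Returns the number
 * of offending mounts, or -1 on allocation failure. */
int find_exec_mounts(const char *mounts, const char *const *prefixes,
                     size_t nprefixes, char *out, size_t outsz)
{
    int count = 0;
    out[0] = '\0';
    char *copy = strdup(mounts);
    if (!copy) return -1;
    char *save = NULL;
    for (char *line = strtok_r(copy, "\n", &save); line;
         line = strtok_r(NULL, "\n", &save)) {
        char dev[256], mnt[256], type[64], opts[1024];
        if (sscanf(line, "%255s %255s %63s %1023s", dev, mnt, type, opts) != 4)
            continue;
        int interesting = 0;
        for (size_t i = 0; i < nprefixes; i++)
            if (strncmp(mnt, prefixes[i], strlen(prefixes[i])) == 0)
                interesting = 1;
        if (!interesting || has_mount_option(opts, "noexec")) continue;
        size_t used = strlen(out);
        snprintf(out + used, outsz - used, "%s%s", used ? "\n" : "", mnt);
        count++;
    }
    free(copy);
    return count;
}

int main(void)
{
    const char *prefixes[] = { "/storage/", "/mnt/media_rw/" };
    char out[1024];
    int n = find_exec_mounts(SAMPLE_MOUNTS, prefixes, 2, out, sizeof out);
    printf("%d mount(s) without noexec:\n%s\n", n, out);
    return n == 0 ? 0 : 1;
}
```

To run it against a live device, read /proc/mounts into a buffer and pass that instead of SAMPLE_MOUNTS; with the fix described in the message the FUSE line gains noexec and the count drops to zero.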
Add initialization of the output value in handle_write.
This value is referred to in FUSE so initialization is
necessary.
See also handle_open and handle_opendir.
Change-Id: I6507f113da9f6823fbfa459624d6594fc20afa51
Right now we still have the kernel names, but they're only there by
"virtue" of macro namespace pollution, so I'd like to get rid of them.
Bug: 18298106
Change-Id: Ifed0b3a9238c79a99d8a2b62e0f5897c50a725d1
Kernel 2.6.16 is the first stable kernel with struct fuse_init_out
defined (fuse version 7.6). The structure is the same from 7.6 through
7.22. Beginning with 7.23, the structure increased in size and added
new parameters.
If the kernel only works on minor revs older than or equal to 22,
then use the older structure size since this code only uses the 7.22
version of the structure.
Change-Id: If2507a02ad674fcf02869a325221339ae1ace64d
Use truncate64 instead of truncate so we don't truncate (ho ho) the offset.
(cherrypick of 4568565e85bf2e1ea11b2e09d72e244088c05dbc.)
Bug: https://code.google.com/p/android/issues/detail?id=74039
Change-Id: I63711ccd299e3ebc475563b1999817d1919571ab
Before running the sdcard daemon, make sure that installd has
completed all upgrades to /data that it needs to complete.
This avoids race conditions between installd and the sdcard daemon.
Maybe fixes bug 16329437.
Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
When built with "#define FUSE_TRACE 1" numerous TRACE statements
failed to compile because of mismatches between format strings and
types (uint64_t and size_t). These have been corrected by using the
format strings from the inttypes.h header file, or %zu.
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
(cherry picked from commit d33308752f)
Change-Id: I550b422a6b7c92ea903b4dd8f5e4aec5637cdf67
Before running the sdcard daemon, make sure that installd has
completed all upgrades to /data that it needs to complete.
This avoids race conditions between installd and the sdcard daemon.
Maybe fixes bug 16329437.
(cherrypicked from commit 8d28fa71fc)
Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
When built with "#define FUSE_TRACE 1" numerous TRACE statements
failed to compile because of mismatches between format strings and
types (uint64_t and size_t). These have been corrected by using the
format strings from the inttypes.h header file, or %zu.
Change-Id: I36cd6f8da0790f1218d7dbaaa5b3bbfa4df7fdee
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
For a file the FUSE fh is a struct handle containing an int fd;
for a directory it's a struct dirhandle containing a DIR*. Fix
handle_fsync to extract the file descriptor appropriately in
both cases.
Bug: 14613980
Change-Id: I45515cff6638e27a99b849e6fc639d355dbb4d27
This change defines per-app directories on external storage that
will be scanned and included in MediaStore. This gives apps a way
to write content to secondary shared storage in a way that can
easily be surfaced to other apps.
Bug: 14382377
Change-Id: I6f03d8076a9391d8b9eb8421ec3fc93669b3ba0d
There have been issues with sdcard data corruption even after
successfully calling fsync for /sdcard. This is caused by
the sdcard daemon doing nothing in this case.
Change-Id: I48149ceabdac79ac535b35c2598bb1fbb5410883
It is not enough to align the read buffer only, because
consequent writes might still fail with EINVAL. The write
buffer should be also aligned according to the write(2)
manual page.
Change-Id: I7547dec5208732c56f4466c1b0c88f36dabacf5b