From c756209b898c3951a5d76f84f43d71964b26e498 Mon Sep 17 00:00:00 2001 From: Sudheer Shanka Date: Fri, 24 Aug 2018 10:20:56 -0700 Subject: [PATCH] Create sandboxes for newly installed apps. Bug: 111890351 Test: manual Change-Id: I1b7f5bd25e04f9f4a61d0d4f64bbbb0ca6157fa5 --- VoldNativeService.cpp | 25 ++++++++++++++++++++ VoldNativeService.h | 3 +++ VolumeManager.cpp | 46 +++++++++++++++++++++++++----------- VolumeManager.h | 6 +++-- binder/android/os/IVold.aidl | 3 +++ 5 files changed, 67 insertions(+), 16 deletions(-) diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp index 8445cd8..999df94 100644 --- a/VoldNativeService.cpp +++ b/VoldNativeService.cpp @@ -251,6 +251,20 @@ binder::Status checkArgumentSandboxIds(const std::vector& sandboxId } \ } +#define CHECK_ARGUMENT_PACKAGE_NAME(packageName) { \ + binder::Status status = checkArgumentPackageName((packageName)); \ + if (!status.isOk()) { \ + return status; \ + } \ +} + +#define CHECK_ARGUMENT_SANDBOX_ID(sandboxId) { \ + binder::Status status = checkArgumentSandboxId((sandboxId)); \ + if (!status.isOk()) { \ + return status; \ + } \ +} + #define ACQUIRE_LOCK \ std::lock_guard lock(VolumeManager::Instance()->getLock()); \ ATRACE_CALL(); @@ -856,5 +870,16 @@ binder::Status VoldNativeService::destroyUserStorage(const std::unique_ptrmountExternalStorageForApp( + packageName, appId, sandboxId, userId)); +} + } // namespace vold } // namespace android diff --git a/VoldNativeService.h b/VoldNativeService.h index e446185..d5de707 100644 --- a/VoldNativeService.h +++ b/VoldNativeService.h @@ -118,6 +118,9 @@ public: int32_t userId, int32_t userSerial, int32_t flags); binder::Status destroyUserStorage(const std::unique_ptr& uuid, int32_t userId, int32_t flags); + + binder::Status mountExternalStorageForApp(const std::string& packageName, int32_t appId, + const std::string& sandboxId, int32_t userId); }; } // namespace vold diff --git a/VolumeManager.cpp b/VolumeManager.cpp index 5e012c7..260c2f0 100644 
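Review bot: The new `CHECK_ARGUMENT_PACKAGE_NAME` and `CHECK_ARGUMENT_SANDBOX_ID` macros in the first VoldNativeService.cpp hunk rely entirely on `checkArgumentPackageName` and `checkArgumentSandboxId`, whose bodies are outside this hunk. The sandbox id is stored by VolumeManager and presumably ends up as a directory name below the `Android/sandbox/` root that vold prepares as root, so it is worth confirming that the validator rejects empty strings, `/` and `..`. A comment above the macros would record that contract, for example `// Rejects values that are not safe as a single path component; vold builds mount paths from them.` As a style point, a bare `{ ... }` macro body followed by `;` misparses in an unbraced `if`/`else`, and `do { ... } while (0)` is the usual form, although the neighbouring macros in this file appear to use the same brace style.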
--- a/VolumeManager.cpp +++ b/VolumeManager.cpp @@ -375,22 +375,12 @@ int VolumeManager::linkPrimary(userid_t userId, const std::vector& mMntStorageCreated = true; } - std::string source(StringPrintf("/mnt/storage/%s", mPrimary->getLabel().c_str())); - bool isPrimaryEmulated = - (mPrimary->getType() == android::vold::VolumeBase::Type::kEmulated); - if (isPrimaryEmulated) { - StringAppendF(&source, "/%d", userId); - if (fs_prepare_dir(source.c_str(), 0755, AID_ROOT, AID_ROOT) != 0) { - PLOG(ERROR) << "fs_prepare_dir failed on " << source; - return -errno; - } - } - if (mountSandboxesForPrimaryVol(source, userId, packageNames, isPrimaryEmulated) != 0) { + if (mountSandboxesForPrimaryVol(userId, packageNames) != 0) { return -errno; } // Keep /sdcard working for shell process std::string primarySource(mPrimary->getPath()); - if (isPrimaryEmulated) { + if (mPrimary->getType() == android::vold::VolumeBase::Type::kEmulated) { StringAppendF(&primarySource, "/%d", userId); } std::string target(StringPrintf("/mnt/user/%d/primary", userId)); @@ -425,8 +415,18 @@ int VolumeManager::linkPrimary(userid_t userId, const std::vector& return 0; } -int VolumeManager::mountSandboxesForPrimaryVol(const std::string& primaryRoot, userid_t userId, - const std::vector& packageNames, bool isPrimaryEmulated) { +int VolumeManager::mountSandboxesForPrimaryVol(userid_t userId, + const std::vector& packageNames) { + std::string primaryRoot(StringPrintf("/mnt/storage/%s", mPrimary->getLabel().c_str())); + bool isPrimaryEmulated = + (mPrimary->getType() == android::vold::VolumeBase::Type::kEmulated); + if (isPrimaryEmulated) { + StringAppendF(&primaryRoot, "/%d", userId); + if (fs_prepare_dir(primaryRoot.c_str(), 0755, AID_ROOT, AID_ROOT) != 0) { + PLOG(ERROR) << "fs_prepare_dir failed on " << primaryRoot; + return -errno; + } + } std::string sandboxRoot = prepareSubDirs(primaryRoot, "Android/sandbox/", 0700, AID_ROOT, AID_ROOT); 
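Review bot: In the `linkPrimary` hunk (`@@ -375,22 +375,12 @@`), a failure of `mountSandboxesForPrimaryVol(userId, packageNames)` is still reported with `return -errno;`, even though the callee already returns a negative error code. By the time `errno` is read here it may have been overwritten, and if it is 0 the function returns 0, so the caller sees success while the sandbox mounts are missing. Propagating the callee's value avoids that: `int ret = mountSandboxesForPrimaryVol(userId, packageNames);` followed by `if (ret != 0) return ret;`. The callee's other return paths and the rest of `linkPrimary` are outside the hunk, so please check that every failure path there returns a non-zero value.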
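Review bot: `mountSandboxesForPrimaryVol` (`@@ -425,8 +415,18 @@`) now dereferences `mPrimary` on its first line via `mPrimary->getLabel()`, so a non-null primary volume has become an undocumented precondition of the helper; previously the caller showed it by passing `primaryRoot`. The new caller `mountExternalStorageForApp` checks `if (mPrimary)` first, but whether every path into `linkPrimary` does the same is not visible here. I would add a comment above the definition such as `// Requires mPrimary != nullptr. Builds /mnt/storage/<label>[/<userId>] and, for an emulated primary, prepares it as root:root 0755.` The function body continues outside the hunk.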
@@ -637,6 +637,24 @@ int VolumeManager::addSandboxIds(const std::vector& appIds, return 0; } +int VolumeManager::mountExternalStorageForApp(const std::string& packageName, appid_t appId, + const std::string& sandboxId, userid_t userId) { + if (!GetBoolProperty(kIsolatedStorage, false)) { + return 0; + } else if (mStartedUsers.find(userId) == mStartedUsers.end()) { + // User not started, no need to do anything now. Required bind mounts for the package will + // be created when the user starts. + return 0; + } + mUserPackages[userId].push_back(packageName); + mAppIds[packageName] = appId; + mSandboxIds[appId] = sandboxId; + if (mPrimary) { + return mountSandboxesForPrimaryVol(userId, {packageName}); + } + return 0; +} + int VolumeManager::onSecureKeyguardStateChanged(bool isShowing) { mSecureKeyguardShowing = isShowing; if (!mSecureKeyguardShowing) { diff --git a/VolumeManager.h b/VolumeManager.h index 52203c5..38355fc 100644 --- a/VolumeManager.h +++ b/VolumeManager.h @@ -97,6 +97,8 @@ public: int addAppIds(const std::vector& packageNames, const std::vector& appIds); int addSandboxIds(const std::vector& appIds, const std::vector& sandboxIds); + int mountExternalStorageForApp(const std::string& packageName, appid_t appId, + const std::string& sandboxId, userid_t userId); int onSecureKeyguardStateChanged(bool isShowing); @@ -146,8 +148,8 @@ private: const std::string& dataRootDir); std::string preparePkgDataTarget(const std::string& packageName, uid_t uid, const std::string& pkgSandboxDir); - int mountSandboxesForPrimaryVol(const std::string& primaryRoot, userid_t userId, - const std::vector& packageNames, bool isPrimaryEmulated); + int mountSandboxesForPrimaryVol(userid_t userId, + const std::vector& packageNames); std::string prepareSubDirs(const std::string& pathPrefix, const std::string& subDirs, mode_t mode, uid_t uid, gid_t gid); diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl index cc0b32d..cff1baa 100644 
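Review bot: In `VolumeManager::mountExternalStorageForApp` (the `@@ -637,6 +637,24 @@` hunk of VolumeManager.cpp), `mUserPackages[userId].push_back(packageName);` appends unconditionally. If the call is repeated for a package that is already recorded (an update or reinstall while the user is running), the name would be listed twice and a later pass over the list would presumably set up its sandbox mounts twice. The container type is not visible in the hunk; assuming it is a vector, a guard such as `auto& pkgs = mUserPackages[userId];` followed by `if (std::find(pkgs.begin(), pkgs.end(), packageName) == pkgs.end()) pkgs.push_back(packageName);` keeps the list unique. The three maps are also updated before `mountSandboxesForPrimaryVol` runs, so a failed mount leaves the package registered; either roll the entries back on error or add a comment saying that this is intended.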
--- a/binder/android/os/IVold.aidl +++ b/binder/android/os/IVold.aidl @@ -96,6 +96,9 @@ interface IVold { void prepareUserStorage(@nullable @utf8InCpp String uuid, int userId, int userSerial, int storageFlags); void destroyUserStorage(@nullable @utf8InCpp String uuid, int userId, int storageFlags); + void mountExternalStorageForApp(in @utf8InCpp String packageName, + int appId, in @utf8InCpp String sandboxId, int userId); + const int ENCRYPTION_FLAG_NO_UI = 4; const int ENCRYPTION_STATE_NONE = 1;