Create sandboxes for newly installed apps.

Bug: 111890351 Test: manual Change-Id: I1b7f5bd25e04f9f4a61d0d4f64bbbb0ca6157fa5
2018-08-24 10:20:56 -07:00 · 2018-08-24 10:20:56 -07:00 · c756209b89
commit c756209b89
parent 4a923e216d
5 changed files with 67 additions and 16 deletions
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@ -251,6 +251,20 @@ binder::Status checkArgumentSandboxIds(const std::vector<std::string>& sandboxId
    }                                                                       \
 }

+#define CHECK_ARGUMENT_PACKAGE_NAME(packageName) {                          \
+    binder::Status status = checkArgumentPackageName((packageName));        \
+    if (!status.isOk()) {                                                   \
+        return status;                                                      \
+    }                                                                       \
+}
+
+#define CHECK_ARGUMENT_SANDBOX_ID(sandboxId) {                              \
+    binder::Status status = checkArgumentSandboxId((sandboxId));            \
+    if (!status.isOk()) {                                                   \
+        return status;                                                      \
+    }                                                                       \
+}
+
 #define ACQUIRE_LOCK \
    std::lock_guard<std::mutex> lock(VolumeManager::Instance()->getLock()); \
    ATRACE_CALL();
@ -856,5 +870,16 @@ binder::Status VoldNativeService::destroyUserStorage(const std::unique_ptr<std::
    return translateBool(e4crypt_destroy_user_storage(uuid_, userId, flags));
 }

+binder::Status VoldNativeService::mountExternalStorageForApp(const std::string& packageName,
+        int32_t appId, const std::string& sandboxId, int32_t userId) {
+    ENFORCE_UID(AID_SYSTEM);
+    CHECK_ARGUMENT_PACKAGE_NAME(packageName);
+    CHECK_ARGUMENT_SANDBOX_ID(sandboxId);
+    ACQUIRE_LOCK;
+
+    return translate(VolumeManager::Instance()->mountExternalStorageForApp(
+            packageName, appId, sandboxId, userId));
+}
+
 }  // namespace vold
 }  // namespace android
--- a/VoldNativeService.h
+++ b/VoldNativeService.h
@ -118,6 +118,9 @@ public:
            int32_t userId, int32_t userSerial, int32_t flags);
    binder::Status destroyUserStorage(const std::unique_ptr<std::string>& uuid,
            int32_t userId, int32_t flags);
+
+    binder::Status mountExternalStorageForApp(const std::string& packageName, int32_t appId,
+            const std::string& sandboxId, int32_t userId);
 };

 }  // namespace vold
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@ -375,22 +375,12 @@ int VolumeManager::linkPrimary(userid_t userId, const std::vector<std::string>&
            mMntStorageCreated = true;
        }

-        std::string source(StringPrintf("/mnt/storage/%s", mPrimary->getLabel().c_str()));
-        bool isPrimaryEmulated =
-                (mPrimary->getType() == android::vold::VolumeBase::Type::kEmulated);
-        if (isPrimaryEmulated) {
-            StringAppendF(&source, "/%d", userId);
-            if (fs_prepare_dir(source.c_str(), 0755, AID_ROOT, AID_ROOT) != 0) {
-                PLOG(ERROR) << "fs_prepare_dir failed on " << source;
-                return -errno;
-            }
-        }
-        if (mountSandboxesForPrimaryVol(source, userId, packageNames, isPrimaryEmulated) != 0) {
+        if (mountSandboxesForPrimaryVol(userId, packageNames) != 0) {
            return -errno;
        }
        // Keep /sdcard working for shell process
        std::string primarySource(mPrimary->getPath());
-        if (isPrimaryEmulated) {
+        if (mPrimary->getType() == android::vold::VolumeBase::Type::kEmulated) {
            StringAppendF(&primarySource, "/%d", userId);
        }
        std::string target(StringPrintf("/mnt/user/%d/primary", userId));
@ -425,8 +415,18 @@ int VolumeManager::linkPrimary(userid_t userId, const std::vector<std::string>&
    return 0;
 }

-int VolumeManager::mountSandboxesForPrimaryVol(const std::string& primaryRoot, userid_t userId,
-        const std::vector<std::string>& packageNames, bool isPrimaryEmulated) {
+int VolumeManager::mountSandboxesForPrimaryVol(userid_t userId,
+        const std::vector<std::string>& packageNames) {
+    std::string primaryRoot(StringPrintf("/mnt/storage/%s", mPrimary->getLabel().c_str()));
+    bool isPrimaryEmulated =
+            (mPrimary->getType() == android::vold::VolumeBase::Type::kEmulated);
+    if (isPrimaryEmulated) {
+        StringAppendF(&primaryRoot, "/%d", userId);
+        if (fs_prepare_dir(primaryRoot.c_str(), 0755, AID_ROOT, AID_ROOT) != 0) {
+            PLOG(ERROR) << "fs_prepare_dir failed on " << primaryRoot;
+            return -errno;
+        }
+    }

    std::string sandboxRoot = prepareSubDirs(primaryRoot, "Android/sandbox/",
            0700, AID_ROOT, AID_ROOT);
@ -637,6 +637,24 @@ int VolumeManager::addSandboxIds(const std::vector<int32_t>& appIds,
    return 0;
 }

+int VolumeManager::mountExternalStorageForApp(const std::string& packageName, appid_t appId,
+        const std::string& sandboxId, userid_t userId) {
+    if (!GetBoolProperty(kIsolatedStorage, false)) {
+        return 0;
+    } else if (mStartedUsers.find(userId) == mStartedUsers.end()) {
+        // User not started, no need to do anything now. Required bind mounts for the package will
+        // be created when the user starts.
+        return 0;
+    }
+    mUserPackages[userId].push_back(packageName);
+    mAppIds[packageName] = appId;
+    mSandboxIds[appId] = sandboxId;
+    if (mPrimary) {
+        return mountSandboxesForPrimaryVol(userId, {packageName});
+    }
+    return 0;
+}
+
 int VolumeManager::onSecureKeyguardStateChanged(bool isShowing) {
    mSecureKeyguardShowing = isShowing;
    if (!mSecureKeyguardShowing) {
--- a/VolumeManager.h
+++ b/VolumeManager.h
@ -97,6 +97,8 @@ public:
    int addAppIds(const std::vector<std::string>& packageNames, const std::vector<int32_t>& appIds);
    int addSandboxIds(const std::vector<int32_t>& appIds,
            const std::vector<std::string>& sandboxIds);
+    int mountExternalStorageForApp(const std::string& packageName, appid_t appId,
+            const std::string& sandboxId, userid_t userId);

    int onSecureKeyguardStateChanged(bool isShowing);

@ -146,8 +148,8 @@ private:
            const std::string& dataRootDir);
    std::string preparePkgDataTarget(const std::string& packageName, uid_t uid,
            const std::string& pkgSandboxDir);
-    int mountSandboxesForPrimaryVol(const std::string& primaryRoot, userid_t userId,
-            const std::vector<std::string>& packageNames, bool isPrimaryEmulated);
+    int mountSandboxesForPrimaryVol(userid_t userId,
+            const std::vector<std::string>& packageNames);
    std::string prepareSubDirs(const std::string& pathPrefix, const std::string& subDirs,
            mode_t mode, uid_t uid, gid_t gid);

--- a/binder/android/os/IVold.aidl
+++ b/binder/android/os/IVold.aidl
@ -96,6 +96,9 @@ interface IVold {
    void prepareUserStorage(@nullable @utf8InCpp String uuid, int userId, int userSerial, int storageFlags);
    void destroyUserStorage(@nullable @utf8InCpp String uuid, int userId, int storageFlags);

+    void mountExternalStorageForApp(in @utf8InCpp String packageName,
+            int appId, in @utf8InCpp String sandboxId, int userId);
+
    const int ENCRYPTION_FLAG_NO_UI = 4;

    const int ENCRYPTION_STATE_NONE = 1;