Commit graph

305 commits

Author SHA1 Message Date
Zim
1711236e02 Avoid touching FUSE mounts on vold binder threads
On user unlock when persist.sys.fuse property is set,
StorageManagerService calls into vold to link the primary
volumes. Because this involves accessing a FUSE path that
has not been initialized, vold should offload this work
from the binder thread, otherwise it would wedge and the
system server would wedge causing a Watchdog trigger.

This fixes a bug where we 'link primary' twice and vold
gets wedged on system server restarts.

Bug: 140064376
Test: with the FUSE property set:
adb shell stop && adb shell start && adb shell ls /sdcard

Change-Id: I0eb86f8ba256c385c916e2a0389a4f7482fc3775
2019-09-03 23:12:12 +01:00
Zim
3623a212e3 Mount /dev/fuse on /mnt/user/<userid>/<volumeid>
Since system_server cannot mount devices by itself,
add a binder interface to vold that system_server
can call to initiate this mount when required.

BUG: 135341433
Test: manual
Test: atest --test-mapping packages/providers/MediaProvider
Test: ExternalStorageHostTest DownloadProviderTests

Change-Id: If4fd02a1f1a8d921a3f96783d8c73e085c5b7ca1
2019-08-28 10:49:27 +01:00
Sudheer Shanka
8f2ff80e87 Support "full" mode when updating bind mounts of a process.
Bug: 133829348
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Change-Id: I5f48ecbfe8cce243fa75a2e8447ce1d4676003ad
2019-05-30 16:40:20 -07:00
Sudheer Shanka
ebce4cc16b Remove storage sandboxes related code.
Bug: 131115422
Test: manual
Test: atest --test-mapping packages/providers/MediaProvider
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest DownloadProviderTests
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/app/DownloadManagerLegacyTest/src/android/app/cts/DownloadManagerLegacyTest.java
Test: atest cts/tests/app/DownloadManagerApi28Test/src/android/app/cts/DownloadManagerApi28Test.java
Change-Id: Ib3272a47a901ed106474039e72f123b11f5443ff
Merged-In: Ib3272a47a901ed106474039e72f123b11f5443ff
2019-05-09 17:46:30 +00:00
Sudheer Shanka
36bdf7ab54 Update remountUidLegacy to handle "full" mount mode.
Bug: 130791955
Test: manual
Change-Id: I078c2922d1d5a8d16bbb213201a3cad7b1bf4b86
2019-04-18 15:18:30 -07:00
Sudheer Shanka
a05ea743f0 Allow sandboxed apps to access only package specific dirs.
Bug: 130427780
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Change-Id: I7afcea090306336c4033860084a2a436d2bb4740
2019-04-12 16:40:57 -07:00
Nick Kralevich
58e1a816ba VolumeManager: more O_CLOEXEC changes
Test: compiles and boots
Bug: 129350825
Change-Id: Ie6a0e05f1814d744eb16863f749c939ab1e097e0
2019-03-29 19:23:40 -07:00
Nick Kralevich
9bda3fe810 Merge "vold: cleanups for O_CLOEXEC tidy checks." am: a59868d6de am: 5af0c75525
am: 4197c098df

Change-Id: Ibe3636abcfafab7854c7b0434095b6e91fadcacf
2019-03-29 18:46:07 -07:00
Nick Kralevich
e7e89acbc8 vold: cleanups for O_CLOEXEC tidy checks.
Bug: 129350825
Test: compiles and boots
Change-Id: I83a484ca15df1b757b670008f15af5504bc94df1
2019-03-29 16:04:47 -07:00
Jiyong Park
4b64463572 Merge "Don't unmount /storage for early native processes" am: ee9554b2d9 am: b5acb5bfba
am: f1baff6ddd

Change-Id: I7107dd9d24dd07f9c17ea11d24db17db2cd10f12
2019-03-08 18:05:14 -08:00
Jiyong Park
8d21c924d7 Don't unmount /storage for early native processes
Motivation:

Early processes launched before the runtime APEX - that hosts the bionic
libs - is activated can't use the bionic libs from the APEX, but from the
system partition (which we call the bootstrap bionic). Other processes
after the APEX activation should use the bionic libs from the APEX.
In order to let both types of processes to access the bionic libs via
the same standard paths /system/lib/{libc|libdl|libm}.so, some mount
namespace magic is used.

To be specific, when the device boots, the init initially bind-mounts
the bootstrap bionic libs to the standard paths with MS_PRIVATE. Early
processes are then executed with their own mount namespaces (via
unshare(CLONE_NEWNS)). After the runtime APEX is activated, init
bind-mounts the bionic libs in the APEX to the same standard paths.
Processes launched thereafter use the bionic libs from the APEX (which
can be updated.)

Important thing is that, since the propagation type of the mount points
(the standard paths) is 'private', the new bind-mount events for the
updated bionic libs should not affect the early processes. Otherwise,
they would experience sudden change of bionic libs at runtime. However,
other mount/unmounts events outside of the private mount points are
still shared across early/late processes as before. This is made possible
because the propagation type of / is 'shared' .

Problem:

vold uses the equality of the mount namespace to filter-out processes
that share the global mount namespace (the namespace of the init). However,
due to the aforementioned change, the early processes are not filtered
out because they have different mount namespaces. As a result,
umount2("/storage/") is executed on them and this unmount event
becomes visible to the global mount namespace (because as mentioned before /
is 'shared').

Solution:

Fiter-out the early processes by skipping a native (non-Java) process
whose UID is < AID_APP. The former condition is because all early
processes are native ones; i.e., zygote is started after the runtime
APEX is activated. The latter condition is to not filter-out native
processes created locally by apps.

Bug: 120266448
Test: m; device boots

Change-Id: I054deedc4af8421854cf35be84e14995523a259a
2019-03-04 16:22:41 +09:00
Sudheer Shanka
23d725d85a Ignore packages whose sandboxes are already created.
Bug: 124788246
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Change-Id: Ie80bbdebc9d3d50e96d2cd17db804b7589b49055
2019-02-28 10:46:48 -08:00
Sudheer Shanka
8368040841 Look for visible vols for a user under /mnt/user/<userId>/package/.
Currently, we pass down visisble volumes for a user to zygote so that
it can set up appropriate bind mounts after forking. This method has
atleast a couple of race conditions, so instead make zygote just
look under /mnt/user/<userId>/package for volumes that need to be
handled for a particular user.

Bug: 126069494
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: If996cde24d9fc158729fcc8a8bdb17ca952a518e
2019-02-24 12:47:27 -08:00
Sudheer Shanka
30df1c61d9 Don't delete /mnt/user/<userId>/package on reset.
We need this to stay mounted at /storage.

Bug: 124466384
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: I0cc835471ced2822d83d7056bec53d62ddc682f0
2019-02-22 17:03:02 -08:00
Sudheer Shanka
727c5fad41 Avoid creating /mnt/user/<userId>/package/<packageName> for all pkgs.
Bug: 124466384
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: I678e199ef03805bb85a8a7ad9f1f7bae0a9fc56a
2019-02-21 15:12:42 -08:00
Sudheer Shanka
6d285cec24 Ignore EEXIST errors when creating pkg specific dirs.
Some of the pkg specific dirs could be created by zygote
and vold in parallel, so ignore any EEXIST errors while
creating these dirs.

Bug: 118185801
Test: manual

Change-Id: Ifaa9998131764304867ac027af335414dbfc291c
2019-02-19 14:46:15 -08:00
Sudheer Shanka
f9b38a58e1 Revert "Revert "Ensure necessary external storage dirs while creating sandboxes.""
This reverts commit 88114b2a56.

Reason for revert: blocking issue in b/124345887 is resolved

Change-Id: Ie34843c12b7a471d2384b64ad049ede63aed09e8
2019-02-14 19:11:20 +00:00
Jeff Sharkey
88114b2a56 Revert "Ensure necessary external storage dirs while creating sandboxes."
This reverts commit 083377e593.

Reason for revert: b/124345887

Change-Id: I388d45fab68b611917464a204269a48bf771ac57
2019-02-14 15:41:28 +00:00
Sudheer Shanka
083377e593 Ensure necessary external storage dirs while creating sandboxes.
Bug: 124058579
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*

Change-Id: I0e62de38e9ceff80df75e253443af69d4391a49e
2019-02-13 18:16:50 -08:00
Jeff Sharkey
a6082500e4 Enable isolated storage by default.
We've been dogfooding the isolated storage feature for many months
on various internal groups, and we're ready to enable it globally.

Bug: 112545973
Test: executed entire CTS suite using forrest
Change-Id: I612b6aba4f08dc0ac13f4f94b03c4bddd6de12df
2019-02-11 13:14:37 -07:00
Sudheer Shanka
023b5391f9 Remove sandbox specific bind mounts from root namespace.
Update vold to only create package sandboxes and not do any bind mounts.
After zygote forks, all the necessary bind mounts will be setup for
the process.

Bug: 124009234
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest DownloadProviderTests
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest MediaProviderTests
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*

Change-Id: Ia42209cb74cbc423bb09c1c51cb7a164f7c568da
2019-02-06 19:36:11 -08:00
Sudheer Shanka
5504901bf0 Create a new MOUNT_EXTERNAL_LEGACY storage mode.
Apps that are already installed on the device before isolated_storage
feature is enabled will be granted MOUNT_EXTERNAL_LEGACY mode. In this
mode, /mnt/runtime/write will be mounted at /storage giving them same
level of access as in P.

A new mount directory /mnt/runtime/full is also created which will be
used for mounting at /storage for apps started with MOUNT_EXTERNAL_FULL
mode. This will allow apps with WRITE_MEDIA_STORAGE permission to
read/write anywhere on the secondary devices without needing to bypass
sdcardfs.

Bug: 121277410
Test: manual
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: Icc1ff9da35545692daedef7173d7c89290dd2766
2019-01-18 18:48:55 -08:00
Jeff Sharkey
5ee228e3db Merge "Use "sys.isolated_storage_snapshot" prop to check for the feature." 2019-01-18 21:54:30 +00:00
Sudheer Shanka
34b437b301 Use "sys.isolated_storage_snapshot" prop to check for the feature.
StorageManager.hasIsolatedStorage() has already been updated to use
this, so most callers are already using this sys prop. Now, updating
remaining callers to use it as well.

Bug: 122559151
Test: manual
Change-Id: I6982a84b737a1d329f397b8182b7b7cdc5a8897f
2019-01-17 17:20:47 -08:00
Sudheer Shanka
6bf1480813 Update VolumeManager to use UnmountTreeWithPrefix.
Bug: 122905493
Test: manual
Change-Id: Ia6aa1d400277a76dfd2c1db87c613d7e692b0b5c
2019-01-17 15:18:10 -08:00
TreeHugger Robot
37fd66f19d Merge "vold: const-ify some of the API" 2018-12-20 21:19:55 +00:00
Sudheer Shanka
dfd8b64621 Merge "Update process mount points when appop gets updated." 2018-12-20 21:11:30 +00:00
Greg Kaiser
ef9abab5ee vold: const-ify some of the API
We make some of the C++ member functions 'const', to reflect how
they (don't) affect the state of the class.

Test: TreeHugger
Change-Id: Iec1c2801bfe721e2741406ed1ac0ef95662840a6
Merged-In: Iec1c2801bfe721e2741406ed1ac0ef95662840a6
2018-12-20 10:38:15 -08:00
Greg Kaiser
2bc201e6bb vold: const-ify some of the API
We make some of the C++ member functions 'const', to reflect how
they (don't) affect the state of the class.

Test: TreeHugger
Change-Id: Iec1c2801bfe721e2741406ed1ac0ef95662840a6
2018-12-20 10:30:17 -08:00
Sudheer Shanka
ba0c62f752 Remove packageName from vold internal state.
std::remove will only move the matching items to the end, there
should be an erase call after that to actually get rid of those
items from the container.

Test: manual
Change-Id: I7d3b48f77fa5fab703fb10cf429d8c183322ed29
2018-12-16 18:35:53 -08:00
Sudheer Shanka
817b911ca4 Update process mount points when appop gets updated.
When an app is started, it's mountmode is dependent on
OP_REQUEST_INSTALL_PACKAGES. If user changes the appop grant of an app,
we need to update the mounts of any processes running in that app.

Bug: 121099965
Test: atest android.appsecurity.cts.ExternalStorageHostTest#testExternalStorageObbGifts
Change-Id: I87fee492891d33ccc9fc9e2548114f67d90cc759
2018-12-16 16:02:14 -08:00
Sudheer Shanka
03992e3741 Create a new mount mode for installer packages.
New external storage mount mode for installers so
that they can access obb dirs of all apps.

Bug: 111789719
Test: atest android.appsecurity.cts#testExternalStorageObbGifts
Change-Id: Iab112f0273806f8f812f14d6691bbe71dff42d83
2018-12-12 19:04:52 -08:00
Risan
1271b90560 Merge "Extract AppFuse as a util" am: 7be8a7ee1d am: d04a16cbd5
am: 9f7af4b6e3

Change-Id: I92a3fa8828e983df876d42637913737e2b31fd4f
2018-11-30 01:17:08 -08:00
Treehugger Robot
7be8a7ee1d Merge "Extract AppFuse as a util" 2018-11-30 05:05:10 +00:00
TreeHugger Robot
5c801225e4 Merge "Change AppFuse mount location to vold namespace" 2018-11-30 01:34:21 +00:00
LongPing.WEI
60f121b389 Merge "Use setmntent with "e" option" am: 396040ca2c am: a92bdeb7f5
am: 2255cf528f

Change-Id: Ibc84f3b9d2dc8ab0707b354d64529434355f36d6
2018-11-28 10:03:09 -08:00
Risan
8f6198d299 Change AppFuse mount location to vold namespace
Previously, AppFuse is mounted in system_server's mount namespace. This
CL moves the mount location to vold namespace.

Relanding this since it fails to be merged on ag/5521004 (blocked by
Presubmit, seems to be caused by temporary state) - this one now
passes presubmit without any changes.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes
Change-Id: Id93c26d5a98842c78f27850c83e15df619cec1ab
2018-11-26 15:30:01 +00:00
LongPing.WEI
4f04606811 Use setmntent with "e" option
Otherwise it will cause selinux warning in children processes sometimes

Change-Id: I41239c3f9779140622076c644a5f63051d00eaa8
2018-11-23 19:27:35 +08:00
Risan
ac02a4863f Extract AppFuse as a util
Bug: 110379912
Test: testOpenProxyFileDescriptor
Change-Id: I0429a498d7b54682efe9b05815f3470e8745609e
2018-11-14 07:28:06 +00:00
Risan
5f53cd3b79 Change AppFuse mount location to vold namespace
Previously, AppFuse is mounted in system_server's mount namespace. This
CL moves the mount location to vold namespace.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes
Change-Id: Id93c26d5a98842c78f27850c83e15df619cec1ab
2018-11-13 22:46:23 +00:00
Risan
4d8ba07231 Merge "StubVolume as first class Volume in Vold" am: dcbce84fed am: 14955896e5
am: a294e197b4

Change-Id: Iaec41c8ffe6feaa59163987c914fa21edc7ae2cd
2018-11-13 12:13:23 -08:00
Risan
8c9f33242f StubVolume as first class Volume in Vold
StubVolume is a Volume that is maintained by external party such as the
ChromeOS processes in ARC++.

Bug: 110380403
Test: Tested on ARC++

Change-Id: I3198bd7283d5f60a524da3707dea7385ffec599d
2018-11-08 07:40:43 +00:00
Eric Biggers
b288bf0f44 vold: rename from "ext4 encryption" to fscrypt am: a701c458ca am: 10b70834a4
am: a51283d281

Change-Id: I346bca3f23cfe84d77e5de1e8ef601fb7debf620
2018-10-29 10:41:02 -07:00
Eric Biggers
a701c458ca vold: rename from "ext4 encryption" to fscrypt
We support file-based encryption on both ext4 and f2fs now, and the
kernel API is the same.  So rename things appropriately in vold:

    e4crypt => fscrypt
    ext4enc => fscrypt
    Ext4Crypt => FsCrypt
    EXT4_* => FS_*
    ext4_encryption_key => fscrypt_key

Additionally, the common functions shared by 'vold' and 'init' are now
in libfscrypt rather than ext4_utils.  So update vold to link to
libfscrypt and include the renamed headers.

Note: there's a chance of 'fscrypt' being confused with the dm-crypt
based encryption code in vold which is called 'cryptfs'.  However,
fscrypt is the name used in the kernel for ext4/f2fs/ubifs encryption,
and it's preferable to use the same name in userspace.

Test: built, booted device with f2fs encryption
Change-Id: I2a46a49f30d9c0b73d6f6fe09e4a4904d4138ff6
2018-10-25 17:12:32 -07:00
Sudheer Shanka
69bc40f9a9 Update StorageManagerService handling of packages info.
Instead of maintaining local copy of all appIds and sandboxIds,
StorageManagerService will just get required packages info
from PackageManagerService when an user starts and passes it
to vold.

Bug: 117988901
Test: manual
Change-Id: Idab274529e843784c8804929e920c3af63032690
2018-10-25 11:58:43 -07:00
Sudheer Shanka
51a38dada7 Update shared sandbox directory structure.
Sandboxes for apps with sharedUserIds will live
at Android/shared:sharedUserId/ instead of
Android/shared/sharedUserId/.

Bug: 117573457
Test: manual
Change-Id: I7ab920814b501b9cdd4c58fefe81c53162b318f3
2018-10-20 21:00:13 -07:00
Sudheer Shanka
b792c3a210 Merge "Delete package sandbox data when it is uninstalled." 2018-10-10 21:00:04 +00:00
Sudheer Shanka
fa6a174a05 Delete package sandbox data when it is uninstalled.
Bug: 111890351
Test: manual
Change-Id: I989d507f3352959e824b161a94c0eaad6eed9bba
2018-10-09 11:12:52 -07:00
Sudheer Shanka
9acc6d4398 Check isolated_storage is enabled before cleaning up sandboxes.
Also, clear packages state stored for the user being stopped.

Bug: 117329171
Bug: 111890351
Test: manual
Change-Id: Ida48fcec851830dbb756e329c20c322c631ad264
2018-10-06 19:03:02 -07:00
Mark Salyzyn
c4405e9c17 Protect /mnt/scratch from stale umount on userdebug
On userdebug protect /mnt/scratch. On user builds ensure that
/mnt/scratch is considered a stale mount so it can not be used.
vold runs before ro.debuggable is set, so this must be a compile
time decision.

Minor technical debt cleanup associated with using android::base.

Test: compile
Bug: 109821005
Change-Id: I8efdbedfe850dd24daecf03a37aea61de47edc7d
Merged-In: I8efdbedfe850dd24daecf03a37aea61de47edc7d
2018-10-02 18:00:49 +00:00
Mark Salyzyn
86e81e7183 Protect /mnt/scratch from stale umount on userdebug
On userdebug protect /mnt/scratch. On user builds ensure that
/mnt/scratch is considered a stale mount so it can not be used.
vold runs before ro.debuggable is set, so this must be a compile
time decision.

Minor technical debt cleanup associated with using android::base.

Test: compile
Bug: 109821005
Change-Id: I8efdbedfe850dd24daecf03a37aea61de47edc7d
2018-10-01 10:49:23 -07:00
Sudheer Shanka
1fa13825fc Merge "Remove unmount_tree in VolumeManager." am: 9931db7e59 am: 96707825f2
am: 65eac7fc1a

Change-Id: I40174a2504b376ebce6962f23ce1e06b7d2c1666
2018-09-28 20:13:09 -07:00
Sudheer Shanka
99d304ac60 Remove unmount_tree in VolumeManager.
This is not needed anymore since everything else is updated
to use android::vold::UnmountTree.

Bug: 111890351
Test: manual
Change-Id: Idb574469763fa3438fbfc40d6da786d87ac63c38
2018-09-28 13:38:39 -07:00
Sudheer Shanka
40ab6742a7 Bind mount pkg specific dirs in the zygote child namespaces.
- Also update vold to create sandboxes for secondary storage devices.
- Since bind mounts are created in the process specific namespaces, we
  don't need /mnt/storage anymore which we were using it to prevent
  some bind mounts from propagating onto /mnt/runtime/write.
- Create bind mounts for {media,obb} dirs similar to data dir in
  per process namespace.
- Also fix a bug where we are not passing correct packages to vold when
  a new user starts.

Bug: 111890351
Test: manual
Change-Id: I7849efc4fbf3c654606fa30de7ab2de0236d766f
2018-09-27 15:50:26 -07:00
Sudheer Shanka
144e7cc25a Merge "Add unmountTree to utils." am: a64572431e am: f5b24f1015
am: e9c88c4c6c

Change-Id: Iae8f7c972272807f87b2ce9c4ba536cf6458d3cb
2018-09-27 13:35:28 -07:00
Sudheer Shanka
89ddf99119 Add unmountTree to utils.
Bug: 111890351
Test: builds without any errors
Change-Id: I62a94c9e8d101756b686b402774f08a1d71cf875
2018-09-27 10:29:02 -07:00
Jeff Sharkey
dac54dce51 Merge "Update vold to log only debug or higher level messages." am: 9bd07d8760 am: 92c182e4c7
am: 3c5f603158

Change-Id: I2209a3208a26ae649b4d5dc1aa18d30b6a61afcb
2018-09-24 10:34:26 -07:00
Sudheer Shanka
4b6ca4ea65 Update vold to log only debug or higher level messages.
This will allow adding lots of verbose logs which can be enabled
only during local testing/debugging. Update the existing verbose
level logs to debug level since we want those to be logged by
default.

Test: manual
Change-Id: Ib05e2b6efa71308458d49affb6ed81d3975b28ab
2018-09-21 11:16:51 -07:00
Paul Crowley
8915d62847 clang-format the rest of the files
Apply clang-format to fix the remaining files not fixed by
change I23cde3f0bbcac13bef555d13514e922c79d5ad48

Test: Format-only changes; treehugger suffices.
Change-Id: I1bfd5c8d68d298596875d5edae26cdfe27c03489
Merged-In: I1bfd5c8d68d298596875d5edae26cdfe27c03489
2018-09-20 06:27:22 -07:00
Paul Crowley
edf7a4eb95 clang-format the rest of the files
Apply clang-format to fix the remaining files not fixed by
change I23cde3f0bbcac13bef555d13514e922c79d5ad48

Test: Format-only changes; treehugger suffices.
Change-Id: I1bfd5c8d68d298596875d5edae26cdfe27c03489
2018-09-19 19:45:27 -07:00
Sudheer Shanka
c756209b89 Create sandboxes for newly installed apps.
Bug: 111890351
Test: manual
Change-Id: I1b7f5bd25e04f9f4a61d0d4f64bbbb0ca6157fa5
2018-08-24 12:35:56 -07:00
Sudheer Shanka
3a7ee5c2ae Use /mnt/storage for bind mounting package sandboxes.
Create a new slave bind mount at /mnt/storage and use this for
creating package sandboxes. This will help prevent package
specific data directories from getting duplicated and also make
handling bind mounts for packages with sharedUserIds easier.

Bug: 111890351
Test: manual
Change-Id: I0f590cc99a379d93f6db85bf56e8d274e3ea7488
2018-08-23 21:40:07 -07:00
Sudheer Shanka
5cc0d564c8 Merge "Update sandbox structure for apps with sharedUserIds." 2018-08-07 19:09:06 +00:00
Sudheer Shanka
f768c271a3 Update sandbox structure for apps with sharedUserIds.
For apps with sharedUserIds, sandbox/shared:<shared-user-id> is
currently used as sandbox root. Given that <shared-user-id> can
be upto 255 characters, adding "shared:" might tip over the
filename limit on ext4 filesystems. So, instead use
sandbox/shared/<shared-user-id> as the sandbox root.

Bug: 111890351
Test: manual
Change-Id: Iba437b3eed59f9eb3094a823e8bf2a5a58410fd7
2018-08-07 10:47:38 -07:00
Sudheer Shanka
a695f25518 Keep /sdcard working for shell process when isolated storage is enabled.
This is same as what we are doing as of P, symlinking
"/mnt/user/<user-id>/primary" to primary volume path.

Bug: 111890351
Test: manual
Change-Id: I3bc538401bf56fd6243ce7eca424cc4c9b585974
2018-08-03 18:17:03 -07:00
Sudheer Shanka
53947a3662 Update vold to prepare package sandboxes for primary volume.
Vold is updated to create package specific sandboxes for primary
volume and mount them at
"/mnt/user/<user-id>/package/<package-name>/<primary-label>".
This will later be mounted at /storage when a new process starts.

Bug: 111890351
Test: Manually verified that a package has access to "/sdcard" and
      "/storage/emulated/0", both of which are just the package specific
      sandboxes and the package doesn't have access to other sandboxes
      and can't see other package names.

Change-Id: I72dc8ae9eb2260a298159c5de18387dad2f9de48
2018-08-01 10:24:13 -07:00
Sudheer Shanka
62bbb2b1d2 Update vold to handle package info from StorageManagerService.
Bug: 111890351
Test: n/a
Change-Id: I098ad4bc15fae843909d97dad5d301a4e53d51bc
2018-08-01 01:23:15 -07:00
Sudheer Shanka
ebaad1c848 Update IVold interface to take packageNames when a user starts.
Bug: 111890351
Test: n/a
Change-Id: Ia24f15112f9a4ee4994688ff8fedf786cbf479b7
Exempt-From-Owner-Approval: This was approved as part of http://ag/4494673
2018-08-01 07:16:28 +00:00
Sudheer Shanka
d484aa9dad Add APIs for pushing package info to vold.
Bug: 111890351
Test: n/a
Change-Id: I3194a88a9ce612a2e4f2c7ea9e3392e0f8020fc1
2018-07-31 10:07:34 -07:00
Bowgo Tsai
3d4fb41f3d Merge "Do not unmount /mnt/product/* when vold starts"
am: 4a625453bf

Change-Id: Idd91865540106b5030f74b26037b61c00719ef28
2018-07-02 19:03:58 -07:00
Bowgo Tsai
c0cd37be9d Do not unmount /mnt/product/* when vold starts
Bug: 110808288
Test: Boot a device and checks /mnt/product/foo mounted in early mount
      isn't unmounted.

Change-Id: Ide411cd78565505bc72ed57e79f3d31b6392b27c
2018-06-29 13:35:43 +08:00
Tri Vo
e98adee732 Exclude /mnt/vendor from vold's ownership.
Addresses this selinux denial:
avc: denied { search } for name="vendor" dev="tmpfs" ino=11069
scontext=u:r:vold:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir
permissive=0

Bug: 64905218
Test: fixes above denial.
Change-Id: I670b2148e65c7e0fcabd1e11f5bace0c4f4e18bd
Merged-In: I670b2148e65c7e0fcabd1e11f5bace0c4f4e18bd
(cherry picked from commit bca5cd78fe)
2018-06-29 12:22:01 +08:00
Tri Vo
bca5cd78fe Exclude /mnt/vendor from vold's ownership.
Addresses this selinux denial:
avc: denied { search } for name="vendor" dev="tmpfs" ino=11069
scontext=u:r:vold:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir
permissive=0

Bug: 64905218
Test: fixes above denial.
Change-Id: I670b2148e65c7e0fcabd1e11f5bace0c4f4e18bd
2018-04-16 14:33:53 -07:00
Elliott Hughes
32a5b9aed3 StartsWith now allows std::string prefixes.
Bug: N/A
Test: builds
Change-Id: I2e24632e95f2bf929c2c000152c5c4076d53186e
2017-12-20 12:38:47 -08:00
Jeff Sharkey
401b260351 Delay touching disks when secure keyguard showing.
We've tried our best to protect against malicious storage devices
with limited SELinux domains, but let's be even more paranoid and
refuse to look at disks inserted while a secure keyguard is
showing.  We'll gladly scan them right away once the user confirms
their credentials.

Test: builds, boots, manual testing
Bug: 68054513
Change-Id: I37fd6c25bbd6631fa4ba3f84e19384d746a22498
2017-12-15 13:44:55 -07:00
Paul Crowley
b64933a502 Be even more C++. Switch on a warning.
Remove lots of "extern C" and "ifdef __cplusplus" which are no longer
needed now all of vold is C++. Also turn on the cert-err58-cpp warning
we once had to disable.

Bug: 67041047
Test: compiles, boots
Change-Id: I8c6f9dd486f2409e0deed7bb648d959677465b21
2017-10-31 08:40:23 -07:00
Paul Crowley
c6433a299d Forget keys when we forget the volume.
Bug: 25861755
Test: create a volume, forget it, check logs and filesystem.
Change-Id: I0ab662969c51703cb046d57b72330e0f14447ef3
2017-10-26 12:19:03 -07:00
Jeff Sharkey
3ce18256a1 Pass both partition GUID and filesystem UUID.
FDE keys are indexed using the partition GUID, while FBE keys will be
indexed using the filesystem UUID, so pass both of those identifiers
along when forgetting a volume.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 25861755
Change-Id: I6e239d5ba67a01c9a848d705f6167da00f975924
2017-10-24 12:19:47 -06:00
Jeff Vander Stoep
c923127e23 Merge "Check that dir name is a pid before attempting to read"
am: 6419445383

Change-Id: I8b7639934bcee660bcd84f83afae5cc2c17bae15
2017-10-24 17:19:58 +00:00
TreeHugger Robot
9fd7559813 Merge "Check that dir name is a pid before attempting to read" 2017-10-24 16:04:22 +00:00
Jeff Vander Stoep
a997db73d6 Check that dir name is a pid before attempting to read
Prevents selinux denials for folders in /proc that do not have the
default /proc label.

Bug: 68146208
Test: no selinux denials for vold attempting to read proc_asound dir.
Merged-In: I7cdd3bbe8e687e078372012773e9a34a5c76e0f8
Change-Id: I7cdd3bbe8e687e078372012773e9a34a5c76e0f8
2017-10-24 14:04:27 +00:00
Jeff Vander Stoep
5889083d71 Check that dir name is a pid before attempting to read
Prevents selinux denials for folders in /proc that do not have the
default /proc label.

Bug: 68146208
Test: no selinux denials for vold attempting to read proc_asound dir.
Change-Id: I7cdd3bbe8e687e078372012773e9a34a5c76e0f8
2017-10-24 07:03:01 -07:00
Paul Crowley
56292ef119 Undo Utils dependency on VolumeManager
I want to use Utils in another executable, so breaking this link.

Bug: 25861755
Test: compiles (and boots, though that doesn't exercise changed code)
Change-Id: I6bb447453bb370fefb7f2f3aceb459428bdee6a7
2017-10-20 10:05:36 -07:00
Jeff Sharkey
3472e52fc2 Move to modern utility methods from android::base.
Moves away from crufty char* operations to std::string utility
methods, including android::base methods for splitting/parsing.

Rewrite of how Process handles scanning procfs for filesystem
references; now uses fts(3) for more sane traversal.

Replace sscanf() with new FindValue() method, also has unit tests.

Remove some unused methods.  Switch almost everyone over to using
modern logging library.

Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 67041047
Change-Id: I70dc512f21459d1e25b187f24289002b2c7bc7af
2017-10-17 12:40:51 -06:00
Jeff Sharkey
b21add1d79 Merge "Make Loop::destroyAll() smarter." 2017-09-22 01:10:49 +00:00
Jeff Sharkey
67b8c49530 Make Loop::destroyAll() smarter.
Instead of blindly looping across 4096 possible devices, use
readdir() to only look at valid devices.  This speeds up destroyAll()
from 40ms to 0.7ms.

Add tracing information in several places.

Test: external/chromium-trace/systrace.py -b 128768 sched freq am pm ss core_services binder_driver -a system_server,installd,vold
Bug: 65634729, 65737446
Change-Id: If581de47fb55850c0fcd6e25bf33ed246e1b079d
2017-09-21 17:11:07 -06:00
Jeff Sharkey
95440ebd97 Enable "cert-err34-c" tidy checks.
Now that we've moved to Binder, we only have a few lingering atoi()
usages that are cleaned up in this CL.

Rewrite match_multi_entry() entirely, with tests to verify both old
and new implementations.

Test: adb shell /data/nativetest/vold_tests/vold_tests
Bug: 36655947
Change-Id: Ib79dc1ddc2366db4d5b4e1a1e2ed9456a06a983e
2017-09-20 13:29:48 -06:00
Jeff Sharkey
cbe69fc060 Destroy vold socket interface completely.
Long live Binder.

Test: yes
Bug: 13758960
Change-Id: If6be379b5a873f1b0c66dd1522b87413ad10fc46
2017-09-18 16:00:14 -06:00
Jeff Sharkey
52f7a91934 Move long-running calls to async with listeners.
Now that we're using Binder, we can have callers provide explicit
listeners for every request instead of trying to squeeze them all
into unsolicited socket events.

Move benchmarking to be async to avoid blocking other commands for
up to several minutes.  Remove post-trim benchmarking flag, since
benchmarking now requires a separate callback.  Will bring back in
a future CL.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Test: adb shell sm fstrim
Bug: 62201209, 13758960
Change-Id: I0f2ebf1ac3b4252ecd6b44303f2887adfdb58e86
2017-09-15 14:18:00 -06:00
Jeff Sharkey
11c2d380a7 Move even more vold commands over to Binder.
This moves fstrim, obb and appfuse commands over to the new Binder
interface.  This change also separates creating/destroying and
mounting/unmounting of OBB volumes, which means they finally flow
nicely into the modern VolumeInfo/VolumeBase design.

We now generate unique identifiers for all OBB volumes, instead of
using a shady MD5 hash.

Change all "loop" and "dm" devices to tag the kernel resources with
a vold-specific prefix so that we can clean them up if vold crashes;
there are new destroyAll() methods that handle this cleanup.

Move appfuse mounting/unmounting into VolumeManager so it can be
shared.  Move various model objects into a separate directory to
tidy things up.

Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Bug: 13758960
Change-Id: I7294e32b3fb6efe07cb3b77bd20166e70b66958f
2017-09-11 18:44:17 -06:00
Jeff Sharkey
9462bdd512 Move "volume" commands over to Binder.
Keep the old socket-based commands intact for awhile so we can
rapidly disable this change using the ENABLE_BINDER feature flag.

Define constants in AIDL to keep Java and C++ in sync.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.ExternalStorageHostTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 13758960
Change-Id: I0d6f82cbebe67f671b60949fd727409aeb1fdc0d
2017-09-07 15:27:30 -06:00
Keun-young Park
23b87ecf41 Merge "mInternalEmulated could be used after shutdown() called" am: 9b4a443bd6 am: 92052aa582
am: 1b6d8237f2

Change-Id: I71b1ec275e2850c1a8273ac5eebc7373a0729552
2017-08-17 22:21:40 +00:00
Keun-young Park
92052aa582 Merge "mInternalEmulated could be used after shutdown() called"
am: 9b4a443bd6

Change-Id: Ia1007988297c39f391b35ad51645556ceeaf0cc6
2017-08-17 22:13:40 +00:00
Gao Xiang
d263da8807 mInternalEmulated could be used after shutdown() called
It fixes the findvolume() / reset() use-after-free issue after
shutdown called to avoid vold crash.

Fixes: a5bbb5e3c1 ("make shutdown safe for double calls.")
Change-Id: I50f216141b20da08549080291091dc5690c00ffe
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
2017-08-14 14:26:56 +08:00
Keun-young Park
375ac25773 do not sleep if it is shutting down
- Various sleep(5) for vold shutdown can increase shutdown time a lot.
- If it is shutting down, do not sleep at all. init will take care of
  active partitions if not unmounted.

bug: 64143519
Test: reboot and check logs from vold, check if "ShutdownThread: Shutdown wait timed out" happens.
Change-Id: I7cb91427ad2205fe23a054d255caf7ffdfd9f6c3
2017-08-02 17:45:48 -07:00
Elliott Hughes
e4775fdbca Merge "vold should #include <sys/sysmacros.h>" am: 398c0e8274 am: 208b464f72 am: fb3e85cf99
am: 048422d46e

Change-Id: I33406265fcf0c77a6289cb429aa6a2cc5e8f7146
2017-05-19 19:01:20 +00:00
Elliott Hughes
048422d46e Merge "vold should #include <sys/sysmacros.h>" am: 398c0e8274 am: 208b464f72
am: fb3e85cf99

Change-Id: I32ed2a66bb60ba1042737b4bbb0a2195a3fe8e6f
2017-05-19 18:38:38 +00:00
Elliott Hughes
0e08e84df0 vold should #include <sys/sysmacros.h>
Bug: https://github.com/android-ndk/ndk/issues/398
Test: builds
Change-Id: I7a1ca1701099886fb493cc5288d6ee867d5f520a
2017-05-18 09:08:24 -07:00
Jeff Sharkey
32ebb739cb Enable clang-tidy for security sensitive domain.
Start with clang-analyzer-security* and cert-*, but disable two
specific errors:

-- cert-err34-c, which checks for atoi(); heavily triggered by
CommandListener, but will disappear when we move to Binder.
-- cert-err58-cpp, which checks for exceptions before main(); it's
a "Low" severity issue, and filed 36656327 to track cleanup.

Fix all other triggered errors along the way.

Test: builds, boots
Bug: 36655947
Change-Id: I1391693fb521ed39700e25ab6b16bc741293bb79
2017-03-27 17:14:52 -06:00
Jeff Sharkey
fd3dc3c076 Spread around some O_CLOEXEC love.
Also remove some unnecessary SELinux logic when creating image files
for loop devices.

Test: builds, boots, common operations work
Bug: 34903607
Change-Id: I68dfa022ecc39f56c175e786694e0de35b954ca0
2017-03-27 11:13:36 -06:00