Commit graph

45 commits

Author SHA1 Message Date
Elliott Hughes
0e08e84df0 vold should #include <sys/sysmacros.h>
Bug: https://github.com/android-ndk/ndk/issues/398
Test: builds
Change-Id: I7a1ca1701099886fb493cc5288d6ee867d5f520a
2017-05-18 09:08:24 -07:00
cjbao
eb50114a83 BuildDataUserCePath always use dir instead of symbolic link
Select whichever is real dir instead of symbolic link from either /data/data
or /data/user/0. This is to minimize path walking overhead in kernel.

This works together with Change 369787

Test: Manual test
Change-Id: I338518673fc22ccbfed6ddd6be196931fce18525
Signed-off-by: cjbao <cathy.bao@intel.com>
2017-04-18 19:57:54 +08:00
Bowgo Tsai
e8fb6c3000 vold: replacing fs_mgr_read_fstab() with fs_mgr_read_fstab_default()
The original default /fstab.{ro.hardware} might be moved to /vendor/etc/.
or /odm/etc/. Use the new API to get the default fstab instead of using
the hard-coded /fstab.{ro.hardware}.

Bug: 35811655
Test: boot marlin with /vendor/etc/fstab.marlin
Change-Id: I92d6aefe6ff3433b7d1a671358d990bb7b1f2150
2017-03-09 23:31:18 +08:00
Calin Juravle
3a68f14192 Vold: Clean up code related to foreign dex use
We simplified the way we track whether or not a dex file is used by
other apps. DexManger in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: Id0360205b019be92049f36eab4339f4736e974f4
2017-03-03 18:24:21 -08:00
Chih-Hung Hsieh
73a3576ef9 Merge \\\"Fix clang-tidy performance warnings in system/vold.\\\" am: e24d4eef9b am: aa668f3d13
am: ed1c4cf456

Change-Id: I345cfce27a2b20048953d85bb2dd39adc34190d8
2016-07-28 00:30:43 +00:00
Chih-Hung Hsieh
aa668f3d13 Merge \"Fix clang-tidy performance warnings in system/vold.\"
am: e24d4eef9b

Change-Id: I8e882391fb343a5dd8b5cd32b2e7c087219334dc
2016-07-27 23:17:57 +00:00
Chih-Hung Hsieh
11a2ce8da3 Fix clang-tidy performance warnings in system/vold.
* Use const reference type for for-loop index variables
  to avoid unnecessary copy.

Bug: 30413223
Change-Id: Id4d980ae8afec1374fc3be0b23f1c6a39bff86e0
Test: build with WITH_TIDY=1
2016-07-27 14:11:02 -07:00
Jeff Sharkey
e30c22a65b Only restorecon CE storage after unlocked.
am: d24aeda425

Change-Id: Ia4151dc87769bb4c4b7bee1bb0a09933c74f3d6c
2016-07-18 16:06:34 +00:00
Jeff Sharkey
d24aeda425 Only restorecon CE storage after unlocked.
On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed.  This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.

This CL uses an existing facility to request that init run a
recursive restorecon over a given path, and it requests that
operation for the CE directories that would have been omitted by
the SKIPCE flag earlier during boot.

Bug: 30126557
Change-Id: I8c7abea27215075a091f615a7185a82a2f4a4a95
2016-07-18 09:52:46 -06:00
Jeff Sharkey
0068f8e490 Consistent creation/destruction of user data. am: be70c9a
am: 30b0a1f

* commit '30b0a1fcdd2c7a60c104ffcd3dca4c9c2c1e682b':
  Consistent creation/destruction of user data.

Change-Id: I72e91bbf15eaf91c72a61a26baf2e6908934958a
2016-04-18 20:05:56 +00:00
Jeff Sharkey
c85be2fc40 Consistent creation/destruction of user data.
am: be70c9a

* commit 'be70c9ae2251ac8f3bfbbe75146f8c533d64e01b':
  Consistent creation/destruction of user data.

Change-Id: Iddb906f6df0587faf95198446c376b2e8d550bec
2016-04-18 19:59:50 +00:00
Jeff Sharkey
be70c9ae22 Consistent creation/destruction of user data.
Preparing and destroying users currently needs to be split across
installd, system_server, and vold, since no single party has all the
required SELinux permissions.

Bug: 27896918, 25861755
Change-Id: Ieec14ccacfc7a3a5ab00df47ace7318feb900c38
2016-04-15 13:47:52 -06:00
Dan Austin
8afff3bfe1 Merge "Address const issues in preparation for libcxx rebase." am: a4f7dad
am: 3cc69fa

* commit '3cc69faa6797ae0cfe43f4243d564fbe14f4cfe4':
  Address const issues in preparation for libcxx rebase.

Change-Id: I58f814d71e5d5c067ade613d0bf8a88911d53424
2016-04-12 22:35:50 +00:00
Dan Austin
49ab5f9e6d Address const issues in preparation for libcxx rebase.
Change-Id: I5199c1eb4e874fd354beefa1232707949483e88d
2016-03-28 13:24:48 -07:00
Yu Ning
942d4e830b Support emulator's virtio-blk based SD card
Currently, vold only supports MMC (for SD cards) and SCSI (for USB
drives) devices. It does not recognize any device whose major number is
not one of those used by MMC and SCSI. Unfortunately, virtio-blk is one
such device. It is used by the new Android emulator (a.k.a. qemu2,
featuring the "ranchu" virtual board) for SD card emulation.

In order to make this virtio-blk based SD card device appear in Android
and appear as an SD card (rather than a USB drive), changes have to be
made to both vold (wherever the device major number is checked) and
ranchu's storage configuration. This CL implements former.

This is a stop-gap solution for emulator in nyc.
A longer term solution in-tune with upstream kernel is in the pipes.

Updated from aosp/master version.

BUG:27431753

Change-Id: I5014edec73be7c5b565d91542464c82cbe58992c
Signed-off-by: Yu Ning <yu.ning@intel.com>
(cherry picked from commit 5b1d1c7dfa13b4dca75213581dc8351b841b76c8)
2016-03-08 12:19:41 -08:00
Calin Juravle
493f5aa160 Create profile folder for foreign dex markers.
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide if the apks should be fully compiled instead of
profile guide compiled.

Bug: 27334750
Bug: 26080105
Change-Id: Ib18f20cf78a8dbfc465610ec6ceec52699c5420a
2016-02-25 23:31:50 +00:00
Calin Juravle
79f55a461f Prepare user profile folder
Bug: 26719109
Bug: 26563023
Change-Id: I4737b7f73df74b2b787a62db2e231f136115b359
2016-02-19 13:43:02 +00:00
Jeff Sharkey
47695b29af Allow callers to prepare CE/DE user storage.
Give callers the option of preparing CE and/or DE storage.  The
framework will only prepare CE storage after the CE keys have been
unlocked for that user.

When init is calling enablecrypto, kick off the work in a thread so
that we can make other calls back into vold without causing
deadlock.  Leaves blocking call intact for framework callers.

Clean up 'vdc' tool to send useful transaction numbers, and
actually watch for the matching result to come back.  This fixes
race conditions when there are multiple 'vdc' callers.

Also add other system and misc directories to match spec.

Bug: 25796509
Change-Id: Ie4f853db6e387916b845d2b5fb92925d743b063d
2016-02-05 13:03:52 -07:00
Daichi Hirono
10d34887b3 Mount appfuse in process namespace.
BUG=26148108

Change-Id: I2297fd227a4c607054e0403e73bd9c857f580a1c
2016-02-02 18:56:19 +09:00
Jeff Sharkey
fc505c3ff6 Emulate media encryption, always chmod to unlock.
When FBE emulation is enabled, lock/unlock the media directories that
store emulated SD card contents.

Change unlocking logic to always chmod directories back to known
state so that we can recover devices that have disabled FBE
emulation.

Bug: 26010607, 26027473
Change-Id: I6d4bff25d8ad7b948679290106f585f777f7a249
2015-12-07 17:35:58 -07:00
Elliott Hughes
6bf0547ccc resolve merge conflicts of b7d5a47cec to master.
Change-Id: I0c5211a00d92d0ee796bb9c77d2e13675a2a3e8d
2015-12-04 17:55:33 -08:00
Elliott Hughes
a9d5080109 Merge "Track rename from base/ to android-base/."
am: 20a8fa98f6

* commit '20a8fa98f6b858999b623272a182843259e1044c':
  Track rename from base/ to android-base/.
2015-12-04 17:39:41 -08:00
Elliott Hughes
7e128fbe21 Track rename from base/ to android-base/.
Change-Id: I3096cfa50afa395d8e9a8043ab69c1e390f86ccb
2015-12-04 15:50:53 -08:00
Jeff Sharkey
d2c96e7883 New granular encryption commands for framework.
We now have separate methods for key creation/destruction and
unlocking/locking.  Key unlocking can pass through an opaque token,
but it's left empty for now.

Extend user storage setup to also create system_ce and user_de
paths.  Bring over some path generation logic from installd.

Use strong type checking on user arguments.

Bug: 22358539
Change-Id: I00ba15c7b10dd682640b3f082feade4fb7cbbb5d
2015-11-10 15:57:14 -08:00
Bill Yi
abcf4c6fca Merge commit 'aebfa6e7eee173b8e02f869c3a25cfe2a5fffb9b' into HEAD 2015-11-03 14:30:42 -08:00
Elliott Hughes
8185d3d8ba Merge "Fix ioctl parameter" am: 0eaad8ce8c
am: 5cd32f73d8

* commit '5cd32f73d8b5e6db60d397d102e5b1b193a76c77':
  Fix ioctl parameter
2015-10-29 20:44:35 +00:00
caozhiyuan
9102b0b175 Fix ioctl parameter
Change-Id: I922c8ae77056db81bc5152346299a07a34c527d2
2015-10-29 08:48:20 +00:00
Jeff Sharkey
71ac649c1d Kill apps using storage through bind mounts.
am: 89f74fbf25

* commit '89f74fbf2529d708534c041d2b711af0f1feff9f':
  Kill apps using storage through bind mounts.
2015-10-21 23:08:56 +00:00
Jeff Sharkey
89f74fbf25 Kill apps using storage through bind mounts.
When unmounting an emulated volume, look for apps with open files
using the final published volume path.

Without this change, we were only looking at the internal paths
used for runtime permissions, which apps never use directly.  This
meant we'd always fail to unmount the volume if apps didn't respect
the EJECTING broadcast, and volume migration would end up wedged
until the device rebooted.

Bug: 24863778
Change-Id: Ibda484e66ab95744c304c344b226caa5b10b7e2e
2015-10-21 15:05:49 -07:00
Oleksiy Avramchenko
e76cf536a4 Promote free bytes calculation to 64 bits
The expression otherwise overflows for large devices.
It's fsblkcnt_t -> unsigned long, which is 32 bit on ARMv7.

Change-Id: I46c5e00558b7dbd6abd50fae4727396079044df2
2015-10-07 13:13:38 +02:00
Jeff Sharkey
eddf9bd63c Request specific tags from blkid.
Otherwise blkid can emit tags like SEC_TYPE which mess with the value
extraction code.

Bug: 23069906
Change-Id: Id2a588ff43a538747d1e44cd8218c96ebd0192c2
2015-08-12 16:04:52 -07:00
Jeff Sharkey
c86ab6f538 Trim both internal and adopted private storage.
Refactor fstrim code to be encapsulated in unique task object, and
give it option of benchmarking when finished.  Trimming now includes
both storage from fstab and adopted private volumes.  Cleaner timing
stats are logged for each unique volume.

Add wakelock during ongoing async move tasks.  Push disk sysfs path
to framework so it can parse any SD card registers as desired.

Bug: 21831325
Change-Id: I76577685f5cae4929c251ad314ffdaeb5eb1c8bf
2015-07-01 15:53:51 -07:00
Jeff Sharkey
66270a21df Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app.  This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that.  This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions.  When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

Bug: 21858077
Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
2015-06-25 22:40:08 -07:00
Jeff Sharkey
bc40cc8f07 Add method to forget private partition keys.
Report both the disk and the partition GUID for private volumes to
userspace, and offer to forget the encryption key for a given
partition GUID.

Bug: 21782268
Change-Id: Ie77a3a58e47bf3563cdb3e4b0edfab1de4d0e6b4
2015-06-22 14:04:54 -07:00
Jeff Sharkey
d0640f6358 Add f2fs support for private volumes.
When formatting volumes, pass along fsType string which can be "auto"
to let the volume select the best choice.  For now, private volumes
assume that MMC devices (like SD cards) are best off using f2fs when
both kernel support and tools are present, otherwise fall back to
ext4.  Use blkid when mounting to pick the right set of tools.

Move filesystem utility methods into namespaces and place in separate
directory to be more organized.

Bug: 20275581
Change-Id: Id5f82d8672dda2e9f68c35b075f28232b0b55ed4
2015-06-08 20:21:25 -07:00
Elliott Hughes
a623108ef4 Don't use TEMP_FAILURE_RETRY on close in vold.
Bug: http://b/20501816
Change-Id: Ieecce9304539c250ed1728252b8c2c09d29afd7f
2015-05-15 18:34:24 -07:00
Jeff Sharkey
ef3697545b Fix signed issue with hex conversion.
Change-Id: Ia11c689c373f41b2a63bc84151eb16f7c7b9d155
2015-04-29 15:57:48 -07:00
Jeff Sharkey
1d6fbcc389 Migrate primary external storage.
When requested, kick off a thread that will migrate storage contents
between two locations.  This is performed in several steps that
also interact with the framework:

1. Take old and new volumes offline during migration
2. Wipe new location clean (10% of progress)
3. Copy files from old to new (60% of progress)
4. Inform framework that move was successful so it can persist
5. Wipe old location clean (15% of progress)

Derives a hacky progress estimate by using a rough proxy of free
disk space changes while a cp/rm is taking place.

Add new internal path for direct access to volumes to bypass any
FUSE emulation overhead, and send it to framework.  Remove mutex
around various exec calls since setexeccon() is already per-thread.

Bug: 19993667
Change-Id: Ibcb4f6fe0126d05b2365f316f53e71dc3e79a2b8
2015-04-24 16:08:07 -07:00
Jeff Sharkey
ce6a913aea Exclusive exec() path, format after partition.
Sadly setexeccon() is process global, so we need to carefully ensure
that all exec() are mutually exclusive to avoid transitioning into
unwanted domains.  Also, because we have several threads floating
around, we need to guard all our FDs with O_CLOEXEC.

Format all newly created volumes immediately after partitioning,
but silence all events emitted from those volumes to prevent the
framework from getting all excited.  Unify all notify events under a
single codepath to make them easy to silence.

Sent SIGINT before escalating to SIGTERM when unmounting.

Bug: 19993667
Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
2015-04-11 08:48:13 -07:00
Jeff Sharkey
f0121c574e Updates for expanded storage.
Mount private volumes at /mnt/expand, which is where we have new
SELinux policy waiting for us.  Also ensure that foundational
directories are ready when mounting.

Create local fs_prepare_dir() wrapper that sets SELinux context
based on path, avoiding the need for a later restorecon.

Use UUID as directory name for public volumes.  Wait a few seconds
before issuing first signal when force unmounting.

Bug: 19993667
Change-Id: If22595380faaae321705b06c87d877419620da48
2015-04-06 17:41:30 -07:00
Jeff Sharkey
95c87cce35 Different blkid and fsck execution domains.
vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices like PrivateVolume
which are encrypted.

When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.

Bug: 19993667
Change-Id: I2695f028710a4863f0c3b2ed6da437f466401272
2015-04-01 14:08:40 -07:00
Jeff Sharkey
9c48498f45 Support for private (adopted) volumes.
This adds support for private volumes which is just a filesystem
wrapped in a dm-crypt layer.  For now we're using the exact same
configuration as internal encryption (aes-cbc-essiv:sha256), but we
don't store any key material on the removable media.  Instead, we
store the key on internal storage, and use the GPT partition GUID
to identify which key should be used.

This means that private external storage is effectively as secure as
the internal storage of the device.  That is, if the internal storage
is encrypted, then our external storage key is also encrypted.

When partitioning disks, we now support a "private" mode which has
a PrivateVolume partition, and a currently unused 16MB metadata
partition reserved for future use.  It also supports a "mixed" mode
which creates both a PublicVolume and PrivateVolume on the same
disk.  Mixed mode is currently experimental.

For now, just add ext4 support to PrivateVolume; we'll look at f2fs
in a future change.  Add VolumeBase lifecycle for setting up crypto
mappings, and extract blkid logic into shared method.  Sprinkle some
more "static" around the cryptfs code to improve invariants.

Bug: 19993667
Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
2015-04-01 10:45:05 -07:00
Jeff Sharkey
36801cccf2 Progress towards dynamic storage support.
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code.  Use filesystem UUID as visible PublicVolume
name to be more deterministic.

When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear.  Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects.  Broadcast all of these events towards userspace so the
framework can decide what to mount.

Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.

Provide a reset command that framework uses to start from a known
state when runtime is restarted.  When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.

Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.

Switch killProcessesWithOpenFiles() to directly take signal.  Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.

Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
2015-03-30 19:46:31 -07:00
Dan Albert
ae9e890337 Update for libbase.
Change-Id: I23b1281a63031a7481ea7b33c9ddbdbe7d3d6174
2015-03-16 10:35:17 -07:00
Jeff Sharkey
deb2405737 Checkpoint of better dynamic device support.
This is the first in a series of changes that are designed to
introduce better support for dynamic block devices.

It starts by defining a new Volume object which represents a storage
endpoint that knows how to mount, unmount, and format itself.  This
could be a filesystem directly on a partition, or it could be an
emulated FUSE filesystem, an ASEC, or an OBB.

These new volumes can be "stacked" so that unmounting a volume will
also unmount any volumes stacked above it.  Volumes that provide
shared storage can also be asked to present themselves (through bind
mounts) into user-specific mount areas.

This change also adds a Disk class which is created based on block
kernel netlink events.  Instead of waiting for partition events from
the kernel, it uses gptfdisk to read partition details and creates
the relevant Volume objects.

Change-Id: I0e8bc1f8f9dcb24405f5e795c0658998e22ae2f7
2015-03-13 10:12:57 -07:00