Commit graph

94 commits

Author SHA1 Message Date
Martijn Coenen
73e3010a25 Support bind mounting volumes into other volume's mountpoint.
With the way the FUSE mount point are currently setup for emulated
volumes, there can be multiple paths that serve the same files on the
lower filesystem; eg

* /mnt/user/0/emulated/0/Android
* /mnt/user/10/emulated/0/Android

both refer to the same file on the lower filesystem:
* /data/media/0/Android

this is normally not a problem, because cross-user file access is not
allowed, and so the FUSE daemon won't serve files for other users.

With clone profiles this is no longer true however, as their volumes
are accessible by each other.

So, it can happen that an app running in clone profile 10 accesses
"/mnt/user/10/emulated/0/Android", which would be served by the FUSE
daemon for the user 10 filesystem.

At the same time, an app running in the owner profile 0 accesses
"mnt/user/0/emulated/0/Android", which would be served by the FUSE
daemon for the user 0 filesystem.

This can cause page cache inconsistencies, because multiple FUSE daemons
can be running on top of the same entries in the lower filesystem.

To prevent this, use bind mounts to make sure that cross-profile
accesses actually end up in the FUSE daemon to which the volume
belongs: "/mnt/user/10/emulated/0" is bind-mounted to
"/mnt/user/0/emulated/0", and vice-versa.

Bug: 228271997
Test: manual
Change-Id: Iefcbc813670628b329a1a5d408b6126b84991e09
2022-12-07 09:01:27 +00:00
Daeho Jeong
37cf9d79ab Introduce target dirty segment ratio tunable parameter
We introduce a new parameter of target dirty segment ratio,
which can be used to set a target dirty / (dirty + free) segments
ratio. For example, if we set this as 80%, GC sleep time will be
calculated to achieve this ratio in a GC period.

Test: check smart idle maint log of StorageManagerService
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Change-Id: I73f2bcf4bdb810164c174bd0d2518b15d577d5d5
2022-07-04 21:23:46 +00:00
Daeho Jeong
3fd33ece35 Make minimum gc sleep time tunnable
Test: check smart idle maint log of StorageManagerService
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Change-Id: I5a70e4ec2ca895551b6446a9dfd4bb5003a3fbd0
2022-06-23 16:20:45 -07:00
Jaegeuk Kim
f6151b434c Support zoned device with dm-default-key
Note that, encrypt_inplace cannot support zoned device, since it
doesn't support in-place updates. And, dm-default-key will have
a different key.

Bug: 172378121
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I34cb1e747e0f3faa07c5a4bfeded11fb789a033c
2022-06-07 18:43:54 -07:00
Daeho Jeong
c0de6d8184 Merge changes from topic "change_period"
* changes:
  vold: remove overprovision area from free segments
  vold: do not set gc sleep time with zero dirty segments
  vold: add gc period in setGCUrgentPace
2022-03-25 22:26:12 +00:00
Eric Biggers
b3ea454002 Remove FDE methods from binder interface
Now that none of these methods are used anymore, we can remove them.
Also remove the related constants.

Bug: 208476087
Change-Id: I1f56c8e05fb3fba09aab4bf5f8609b0f552b8999
2022-03-21 05:11:21 +00:00
Daeho Jeong
7c788fc3e9 vold: add gc period in setGCUrgentPace
To make gc period changable, added a new gcPeriod parameter to
setGCUrgentPace.

Test: adb shell device_config put storage_native_boot smart_idle_maint_period 10
Bug: 202283480
Bug: 181079477
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Change-Id: I4e44a80ea5b51d9a7cde69d25e129dd0673b271f
2022-03-18 12:56:17 -07:00
Eric Biggers
90a305232e Remove HardwareAuthToken parameters from binder interface
These are no longer used.

Test: atest com.android.server.locksettings
Bug: 184723544
Change-Id: I6160d30deb138a5366532de84cbf6f02cbc69b8c
(cherry picked from commit 5bb9faab49)
Merged-In: I6160d30deb138a5366532de84cbf6f02cbc69b8c
2022-03-15 01:26:08 +00:00
Eric Biggers
7e79a43a72 Remove broken code for mounting encrypted OBB files
Mounting encrypted OBB files has never worked reliably across devices,
partly due to its reliance on Twofish encryption support in the kernel.
This is because Twofish support (CONFIG_CRYPTO_TWOFISH) has never been
required or even recommended for Android.  It has never been enabled in
GKI, but even before GKI it wasn't required or recommended.  Moreover,
this is now the only Android feature that still uses dm-crypt
(CONFIG_DM_CRYPT), and some devices don't have that enabled either.

Therefore, it appears that this feature is unused.  That's perhaps not
surprising, considering that the documentation for OBBs
(https://developer.android.com/google/play/expansion-files) says that
they are deprecated, and also it explains OBBs as being app files that
are opaque to the platform; the ability of the platform to mount OBBs
that happen to be in a particular format is never mentioned.  That means
that OBB mounting is probably rarely used even with unencrypted OBBs.
Finally, the usefulness of OBBs having their own encryption layer (in
addition to what the platform already provides via FBE) is not clear
either, especially with such an unusual choice of cipher.

To avoid the confusion that is being caused by having the broken code
for mounting encrypted OBBs still sitting around, let's remove it.

Test: atest StorageManagerTest # on Cuttlefish
Test: atest StorageManagerIntegrationTest # on Cuttlefish
Bug: 216475849
Change-Id: Iaef32cce90f95ea745ba2b143f89e66f533f3479
2022-03-01 21:19:18 +00:00
Daeho Jeong
999fceb07c Add interfaces required by smart idle maintenance service
Added interfaces required by smart idle maintenance service in
StorageManagerService, whose goal is to determine when to trigger
filesystem defragmentation while keeping the best user experience
as long as possible, and avoiding hurting UFS lifetime.

Test: check smart idle maintenance log every hour
Bug: 202283480
Bug: 181079477
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Change-Id: I012cfb9b01e5d21ec71700c3c52ac9c096cd1a90
2022-01-12 10:54:37 -08:00
Songchun Fan
0e53c1cdb0 [vold] pass along sysfs name in setOptions
Ignore-AOSP-First: Will cherry-pick to AOSP

BUG: 187308584
Test: atest CtsContentTestCases:android.content.pm.cts.PackageManagerShellCommandIncrementalTest#testInstallWithIdSigNoMissingPages
Change-Id: Iacfe6b735458051f2848b1b766c2b00198b397d9
2021-05-10 16:22:40 -07:00
Songchun Fan
046e68abd6 [vold] pass sysfs_name to mount options
Ignore-AOSP-First: Will cherry-pick to AOSP

Test: manual
BUG: 184844615
Change-Id: I216210132f49f55098c0f2d1b8d4e571b22cfcc4
2021-04-29 08:35:43 -07:00
Eric Biggers
23d93638c5 Merge "vold: add getUnlockedUsers() method to Binder interface" into sc-dev 2021-04-13 17:52:02 +00:00
Eric Biggers
1799debfd6 vold: add getUnlockedUsers() method to Binder interface
This is needed so that system_server can remind itself about which users
have their storage unlocked, if system_server is restarted due to a
userspace reboot (soft restart).

Bug: 146206679
Test: see I482ed8017f7bbc8f7d4fd5a2c0f58629317ce4ed
Change-Id: I02f0494d827094bd41bcfe5f63c24e204b728595
2021-04-08 12:29:57 -07:00
Alex Buynytskyy
dcfeaa1d76 Adding an option to shorten the read timeout.
E.g. during installation to protect the system.

Ignore-AOSP-First: this depends on changes to framework and/or incfs and does not make sense without them. We'll merge it at a single large scale merge later.

Bug: 160635296
Test: atest PackageManagerShellCommandTest PackageManagerShellCommandIncrementalTest IncrementalServiceTest PackageManagerServiceTest ChecksumsTest

Change-Id: I5851e1e9dbc8e8c2b331c407002cf7133bf6e35a
2021-04-08 09:58:15 +00:00
Seth Moore
5a43d61e66 Add support for binding storage encryption to a seed
With this change, vold exposes an API that may be used to bind key
storage encryption keys to a given seed value. The seed value passed to
vold must be consistent across reboots, or key storage keys will not be
derived consistently. The seed is expected to be set very early in boot,
prior to the use of any key storage encryption keys.

This feature is intended to be used for embedded applications such as
in autos, where the seed may be provided by some other component of the
system. In such systems, there is a default user that is automatically
signed in without a PIN or other credentials. By binding the file
encryption to a platform-provided seed, the default user's data gains
additional protection against removal of the Android embedded device
from the integrated system.

Bug: 157501579
Test: Set seed at startup via init.rc. Seed changes fail as expected.
Change-Id: I9b048ec5e045b84c45883724ace2356d4ef6244d
2021-01-26 21:30:19 +00:00
Ricky Wai
a2ca11e49b Add a method in vold to unmount app data and obb dir for testing
This new method will be used in new sm command.
Tests can use this so data and obb dirs are unmounted, and won't
be killed when volume is unmounted.

Bug: 148049767
Test: New sm command able to unmount app's data and obb dirs
Change-Id: Ifbc661ca510e996abd4b7ce1fb195aaa7afc37ad
2021-01-18 13:47:44 +00:00
Jaegeuk Kim
0c52c7125f Let vold format the encrypted partition
Bug: 172378121
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I03997eb4cbf25a80e36ea738c50e0adb7f4013dd
2020-12-22 11:28:50 -08:00
Ricky Wai
bbfb6ea1ac Check if storage app data and obb directories exist in vold
As storage is not mounted in system server, we use vold
to check if storage app data and obb directories exist instead.

We add a method in vold so it only creates app data and obb dirs
if dirs do not exist to speed up app starting time.

Bug: 160336374
Test: Data and obb directories are created when a new app is started
Change-Id: I1bd784d9c9e05463f71433fc782ac4e0c831cbf1
2020-12-03 15:38:03 +00:00
Martijn Coenen
eed957f6a4 Call earlyBootEnded from vdc.
This allows us to determine the place where early boot ends from init.
It also allows fixing a bug where early boot wasn't ended previously on
devices without metadata encryption.

Bug: 168585635
Bug: 173005594
Test: inspect logs
Change-Id: I78775672a7d3c140e007235a10fb1d1bc816fcee
2020-11-12 11:03:27 +01:00
Yo Chiang
0af25a3a98 Add IVold::destroyDsuMetadataKey()
destroyDsuMetadataKey() / destroy_dsu_metadata_key() calls
android::gsi::GetDsuMetadataKeyDir() to query the DSU metadata
encryption key dir and destroy the key.
This releases the resource and allows consecutive DSU installations to
use the same key *directory*, but not the same key *blob*.

Bug: 168571434
Test: 1. Install a DSU system.
  2. Boot the DSU system and reboot back to the host system.
  3. Wipe the DSU installation.
  4. DSU metadata key dir /metadata/vold/metadata_encryption/dsu/dsu is
     destroyed.
Change-Id: Ib851177315a5a266807f46ccfd446de1848232cf
2020-10-13 16:00:43 +08:00
Eric Biggers
4cd238b900 Merge "vold: remove checkEncryption" am: 2d9777bfbf am: 15c0d3e5d0
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1363339

Change-Id: I23b9a01632b61a92896ae83e2152fa047dd85c48
2020-07-16 21:00:33 +00:00
Eric Biggers
b7a14053c3 vold: remove checkEncryption
The testing-only "checkEncryption" command has been replaced with
VtsKernelEncryptionTest [1].  In particular, the metadata encryption
documentation [2] no longer mentions checkEncryption but rather
recommends running VtsKernelEncryptionTest.  Also, checkEncryption
hasn't really been maintained, and it has some known bugs; it's unclear
that many people ever really used it.

So, just remove it.

[1] https://android.googlesource.com/platform/test/vts-testcase/kernel/+/refs/heads/master/encryption/
[2] https://source.android.com/security/encryption/metadata#tests

Bug: 155037012
Change-Id: I258829c60768fd11aafdf2faad956cecc1ae9826
2020-07-15 11:21:33 -07:00
David Anderson
026ae1a9ac Merge "Add an isCheckpointing() binder call for adb remount." am: b50480bb96 am: 60e41b7084
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1330854

Change-Id: I0aa0536cfd33f189525115efa07e49930f53b79a
2020-06-18 22:15:56 +00:00
David Anderson
23850d30f6 Add an isCheckpointing() binder call for adb remount.
This is needed so "adb remount" can avoid writing to /data during a
checkpoint.

Bug: 157540389
Test: manual test
Change-Id: I33a691da3b99343acfc1e8ddf68a14504c3bfbe1
2020-06-10 23:52:25 -07:00
Martijn Coenen
eaca298077 Merge "vold: Support aborting FUSE connections." into rvc-dev am: cbb69e548a
Change-Id: I9f3435a686e76f9fbc8b8ec8cae33f5538a94ec5
2020-05-29 16:00:05 +00:00
Martijn Coenen
23c0445355 vold: Support aborting FUSE connections.
This can be done through binder as well as vdc, using 'vdc volume
abort_fuse'.

Bug: 153411204
Test: adb shell vdc volume abort_fuse
Change-Id: I93e46dc1cd361729cc1162c63520cf73152ea409
2020-05-28 16:07:16 +02:00
Alex Buynytskyy
31e2a7c5c5 Merge "Checking LOADER_USAGE_STATS before enabling read logs." into rvc-dev am: 6ce90ced12
Change-Id: I9b04f7a6201cf148c310dc7c1598c40076839f64
2020-04-02 00:48:17 +00:00
Alex Buynytskyy
91e0bf4998 Checking LOADER_USAGE_STATS before enabling read logs.
Bug: b/152633648
Test: atest PackageManagerShellCommandTest PackageManagerShellCommandIncrementalTest
Change-Id: I29bf16d06a013566c8dd08e64be2a23ad805e37d
2020-03-31 16:28:30 -07:00
Yurii Zubrytskyi
d05bcc8070 Expose new IncFS interface through Vold
CL is a part of multi-repository topic and will be merged
to AOSP

Bug: 146080380
Test: manual

Change-Id: I09b33a34ff1ac7f6e415b7bd090c22e7df24d72d
Merged-In: I09b33a34ff1ac7f6e415b7bd090c22e7df24d72d
2020-03-24 14:26:27 -07:00
Automerger Merge Worker
fdacc8d462 Make storage dirs remount fork() safe am: 6b12257702
Change-Id: I589afb12062914cc3da9ff8f7c8dd43014ac6ce9
2020-03-16 15:56:09 +00:00
Ricky Wai
6b12257702 Make storage dirs remount fork() safe
Also, use the pids provided by system server to remount all existing
processes, so we don't need to do the heavy and unreliable scanning in
/proc anymore.

Bug: 149548518
Test: atest AdoptableHostTest
Change-Id: Ifb5b79a3bc5438f36e0d61ec8aec96bdbc60ca13
2020-03-12 18:16:27 +00:00
Jooyung Han
4fcb707ecd Use optional for nullable types
AIDL generates optional<T> for nullable T types for C++, which is more
efficient and idomatic and easy to use.

Bug: 144773267
Test: build/flash/boot
Merged-In: I98549c8614c9152d5d45e2f1f33f2f3c31a9bbbf
Change-Id: I98549c8614c9152d5d45e2f1f33f2f3c31a9bbbf
(cherry picked from commit 3ce0ee5363)

Exempt-From-Owner-Approval: CP from master
2020-02-26 03:58:22 +00:00
Jooyung Han
d75a10ac6f Use optional for nullable types
AIDL generates optional<T> for nullable T types for C++, which is more
efficient and idomatic and easy to use.

Bug: 144773267
Test: build/flash/boot
Merged-In: I98549c8614c9152d5d45e2f1f33f2f3c31a9bbbf
Change-Id: I98549c8614c9152d5d45e2f1f33f2f3c31a9bbbf
(cherry picked from commit 0568fd287cfc0affc8e985f21da3793cdda286a3)
2020-02-20 17:32:21 +09:00
Martijn Coenen
816f4d94f6 Add fixupAppDir() API.
This can be used to fixup application directories in case they have been
created by some other entity besides vold; the main use case for this
API right now is OBB directories, which can be created by installers
outside of vold; on devices without sdcardfs, such directories and the
files contained therein are not setup correctly. This API will make sure
everything is setup the way it needs to be setup.

Bug: 146419093
Test: inspect OBB dir after install
Change-Id: I2e35b7ac2992dbb21cc950e53651ffc07cfca907
2020-02-19 12:11:34 +01:00
TreeHugger Robot
dd85fe2e5e Merge "Add disk for StubVolume" 2020-02-14 04:35:15 +00:00
Martijn Coenen
8a68a075a2 Remove appDirRoot argument from setupAppDir.
This is no longer needed, because vold can deduce this itself now.

Bug: 146419093
Test: builds
Change-Id: Ib4f4a4109919af683722a63b305b343ef5fe972d
2020-02-12 15:38:45 +01:00
Risan
82e90de23d Add disk for StubVolume
StubVolume is a volume type for ARC++ external storage. Named StubVolume
because it is managed from outside Android (not through Android kernel).

Previously, StubVolume is a diskless volume. However, as mentioned in
jsharkey@ email, a disk is needed for StubVolume to hold "kInternal"
(external storage type that is "external" from Android perspective,
but is "internal" to the device. For example shared directory from
ChromeOS to Android) and "kIndexable" (whether or not a disk should be
indexed by MediaStore).

The addition of disk means we could expose the createStubVolume API to
add a disk flags, which is also introduced in this CL.

Both kInternal and kIndexable will be introduced in separate CL.

Bug: 132796154
Test: Mount/unmount ARC++ removable device in ChromeOS.
Change-Id: I8b77fa1cf50ab38a2892272154dafdb78f079378
2020-02-12 07:42:40 +00:00
Yurii Zubrytskyi
3497cb5be5 Expose new IncFS interface through Vold
CL is a part of multi-repository topic and will be merged
to AOSP

Bug: 146080380
Test: manual

Change-Id: I09b33a34ff1ac7f6e415b7bd090c22e7df24d72d
2020-01-27 22:26:37 -08:00
Barani Muthukumaran
b1927c2a0a vold: Do not cache CE keys in vold
CE keys were cached in vold to support untrusted reset
by a device admin, this is now supported by Locksettingservice
using synthetic password. This change requires a secret to be
provided to retrieve the CE key and re-wrap without the secret
when user removes the credential.

Test: Set credential, remove credential, swipe to none
and vice-versa.
Bug: 26948053
Merged-In: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
Change-Id: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
2020-01-24 00:20:22 +00:00
Barani Muthukumaran
9ad51adeb9 vold: Do not cache CE keys in vold
CE keys were cached in vold to support untrusted reset
by a device admin, this is now supported by Locksettingservice
using synthetic password. This change requires a secret to be
provided to retrieve the CE key and re-wrap without the secret
when user removes the credential.

Test: Set credential, remove credential, swipe to none
and vice-versa.
Bug: 26948053
Change-Id: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
2020-01-16 12:16:25 -08:00
Martijn Coenen
13ff668775 Replace mkdirs() with setupAppDir().
vold historically offerred functionality to create directories on behalf
of others. This functionality was purely used to create app-specific
data/obb/media dirs. Make this more explicit by renaming the method to
indicate this.

Additionally, in the past, we never needed to care about the UID set on
these directories, because sdcardfs would take care of that for us
automatically. But with sdcardfs going away, we need to make sure the
UID of the app-specific directories is set correctly. Allow the caller
to pass this in as an argument.

Bug: 146419093
Test: atest FuseDaemonHostTest
Change-Id: Ibeb5fdc91b40d53583bc0960ee11c4d640549c34
2019-12-31 15:58:41 +01:00
Songchun Fan
0583015a57 Merge "[incremental] use vold to mount/unmount IncrementalFileSystem" am: 6bdfb77d8b am: a0945f468a
am: 1119bc8531

Change-Id: I772667d5c43cdf1ff37b156db9f47b61820433c7
2019-12-06 01:16:26 -08:00
Songchun Fan
ab55cecdc1 [incremental] use vold to mount/unmount IncrementalFileSystem
Let vold mount IncFs onto directories under data and open control files.

Test: builds
Change-Id: Ibd96aae254b4fefaf56c9d549c4672a987c46221
2019-12-04 14:01:22 -08:00
Zim
5048b4b2bc Add mount callback
Mounting a FUSE path needs two steps:
1. Mounting the filesystem
2. Starting the FUSE session in the FUSE daemon

The second part requires retriving an fd from (1) and the mount paths
and passing it to the FUSE daemon.

Previously, we'd return from the Vold mount call and mark the volume
as mounted while we scramble to do (2). This means there's a time
period where the Volume is marked as MOUNTED but not actually ready
and any IO access on the paths will hang forever. This could also be
misleading when interpreting bug reports.

Now, we block the Vold mount call until the FUSE session is started

Test: atest AdoptableHostTest
Bug: 144275217

Change-Id: I45238a31df71286f67ef1c65c711d0085d72e97f
2019-11-22 17:06:04 +01:00
Nikita Ioffe
7a04dfe86d Merge "vold: implement resetCheckpoint" am: 4eeebff8d5 am: e182b26d64 am: 3631ac59fd
am: 3ec81f1059

Change-Id: I00ce96ee4c6c6f729c5335a04aee08712ee4ae91
2019-10-18 15:37:54 -07:00
Nikita Ioffe
a5798fc115 vold: implement resetCheckpoint
It will be used by userspace reboot to reset checkpoint state, to make
sure that when /data is remounted, it will be remounted in checkpointing
if a checkpoint was requested beforee userspace reboot.

Test: /system/bin/vdc startCheckpoint 1
      /system/bin/vdc needsCheckpoint (returns 0)
      /system/bin/vdc resetCheckpoint
      /system/bin/vdc needsCheckpoint (returns 1)

Bug: 135984674
Change-Id: Ia29238686289b4eed93e2fb936a8b3d894b94dc9
2019-10-12 00:43:04 +01:00
Zim
3623a212e3 Mount /dev/fuse on /mnt/user/<userid>/<volumeid>
Since system_server cannot mount devices by itself,
add a binder interface to vold that system_server
can call to initiate this mount when required.

BUG: 135341433
Test: manual
Test: atest --test-mapping packages/providers/MediaProvider
Test: ExternalStorageHostTest DownloadProviderTests

Change-Id: If4fd02a1f1a8d921a3f96783d8c73e085c5b7ca1
2019-08-28 10:49:27 +01:00
Paul Lawrence
4ad86a9315 Merge "Make ext4 userdata checkpoints work with metadata encryption" am: 2c792e0720
am: 5f19ef31c8

Change-Id: I7da7077c70484cb5873b9316058bc73158c19ab6
2019-06-27 11:03:03 -07:00
Paul Lawrence
236e5e800e Make ext4 userdata checkpoints work with metadata encryption
When both ext4 user data checkpoints and metadata encryption are
enabled, we are creating two stacked dm devices. This had not been
properly thought through or debugged.

Test: Enable metadata encryption on taimen (add
keydirectory=/metadata/vold/metadata_encryption to flags for userdata in
fstab.hardware)
    Unfortunately metadata is not wiped by fastboot -w, so it is
    necessary to rm metadata/vold -rf whenever you wipe data.
    fastboot flashall -w works
    fastboot reboot -w works
    A normal boot works
    Disable checkpoint commits with
    setprop persist.vold.dont_commit_checkpoint 1
    vdc checkpoint startCheckpoint 10
    adb reboot
    wait for device to fully boot then
    adb reboot
    Wait for device to fully boot then
    adb logcat -d | grep Checkpoint shows the rollback in the logs

    This tests encryption on top of checkpoints with commit, encryption
    without checkpoints, and rollback, which seems to be the key cases.

Bug: 135905679
Change-Id: I8365a40298b752af4bb10d00d9ff58ce04beab1f
2019-06-26 15:19:24 -07:00