Commit graph

17 commits

Author SHA1 Message Date
Ricky Wai
07e64a4cea Mount direct boot apps obb dir after fuse is ready.
- Remove bind mounting Android/ code as we want to bind mount obb dir
for each process instead.
- Set property "vold.vold.fuse_running_users" as an array of user id
for which fuse is ready to use.
- After fuse is ready for a user, fork a background process in vold
to bind mount all direct boot apps for that user so its direct boot
apps obb dir will be mounted to lower fs for imporoved performance.

Bug: 148049767
Bug: 137890172
Test: After flag is enabled, AdoptableHostTest still pass.
Change-Id: I90079fbeed1c91f9780ca71e37b0012884680b7c
2020-02-19 16:45:07 +00:00
Suren Baghdasaryan
28af26ac47 Convert ifstream usage into fopen() to prevent fd leaks into child processes
std::ifstream does not use O_CLOEXEC flag when opening files. This leads
to file descriptors being inherited by child processes. In the case of vold
this results in leaking FDs to less privileged children with no permission
for these files which occasionally leads to SELinux denials.

Bug: 129298168
Change-Id: Id2731782a25d65c9a7cbf25dc441f3e7a17609c1
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-26 20:10:24 +00:00
Paul Crowley
14c8c0765a clang-format many files.
Test: Format-only changes; treehugger suffices.
Change-Id: I23cde3f0bbcac13bef555d13514e922c79d5ad48
2018-09-18 15:41:22 -07:00
Elliott Hughes
32a5b9aed3 StartsWith now allows std::string prefixes.
Bug: N/A
Test: builds
Change-Id: I2e24632e95f2bf929c2c000152c5c4076d53186e
2017-12-20 12:38:47 -08:00
Jeff Sharkey
3472e52fc2 Move to modern utility methods from android::base.
Moves away from crufty char* operations to std::string utility
methods, including android::base methods for splitting/parsing.

Rewrite of how Process handles scanning procfs for filesystem
references; now uses fts(3) for more sane traversal.

Replace sscanf() with new FindValue() method, also has unit tests.

Remove some unused methods.  Switch almost everyone over to using
modern logging library.

Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 67041047
Change-Id: I70dc512f21459d1e25b187f24289002b2c7bc7af
2017-10-17 12:40:51 -06:00
Jeff Sharkey
32ebb739cb Enable clang-tidy for security sensitive domain.
Start with clang-analyzer-security* and cert-*, but disable two
specific errors:

-- cert-err34-c, which checks for atoi(); heavily triggered by
CommandListener, but will disappear when we move to Binder.
-- cert-err58-cpp, which checks for exceptions before main(); it's
a "Low" severity issue, and filed 36656327 to track cleanup.

Fix all other triggered errors along the way.

Test: builds, boots
Bug: 36655947
Change-Id: I1391693fb521ed39700e25ab6b16bc741293bb79
2017-03-27 17:14:52 -06:00
Jeff Sharkey
fd3dc3c076 Spread around some O_CLOEXEC love.
Also remove some unnecessary SELinux logic when creating image files
for loop devices.

Test: builds, boots, common operations work
Bug: 34903607
Change-Id: I68dfa022ecc39f56c175e786694e0de35b954ca0
2017-03-27 11:13:36 -06:00
George Burgess IV
605d7ae18d Cleanup uses of sprintf, add modes to open() with O_CREAT.
Change-Id: Iaed2538831b19ada26005bbef33cff28209c6512
2016-03-02 22:42:22 +00:00
Jeff Sharkey
89f74fbf25 Kill apps using storage through bind mounts.
When unmounting an emulated volume, look for apps with open files
using the final published volume path.

Without this change, we were only looking at the internal paths
used for runtime permissions, which apps never use directly.  This
meant we'd always fail to unmount the volume if apps didn't respect
the EJECTING broadcast, and volume migration would end up wedged
until the device rebooted.

Bug: 24863778
Change-Id: Ibda484e66ab95744c304c344b226caa5b10b7e2e
2015-10-21 15:05:49 -07:00
Jeff Sharkey
ce6a913aea Exclusive exec() path, format after partition.
Sadly setexeccon() is process global, so we need to carefully ensure
that all exec() are mutually exclusive to avoid transitioning into
unwanted domains.  Also, because we have several threads floating
around, we need to guard all our FDs with O_CLOEXEC.

Format all newly created volumes immediately after partitioning,
but silence all events emitted from those volumes to prevent the
framework from getting all excited.  Unify all notify events under a
single codepath to make them easy to silence.

Sent SIGINT before escalating to SIGTERM when unmounting.

Bug: 19993667
Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
2015-04-11 08:48:13 -07:00
Jeff Sharkey
36801cccf2 Progress towards dynamic storage support.
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code.  Use filesystem UUID as visible PublicVolume
name to be more deterministic.

When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear.  Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects.  Broadcast all of these events towards userspace so the
framework can decide what to mount.

Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.

Provide a reset command that framework uses to start from a known
state when runtime is restarted.  When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.

Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.

Switch killProcessesWithOpenFiles() to directly take signal.  Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.

Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
2015-03-30 19:46:31 -07:00
Henrik Baard
2152266deb Change strncpy to strlcpy
Change all function calls to strncpy to strlcpy.

Change-Id: I2bbefb7829d715847c5b26f4b9f0faddbd4c89d0
2015-02-06 09:24:14 +01:00
Tim Murray
8439dc9fd5 Make vold compile with -Werror -Wall.
-Wno-missing-field-initializers is used as well, but that is an
overzealous warning from initializing structs with {0} and not a
real warning.

bug 18736778 and 16868177

Change-Id: Iffde89cd7200d9a11193e1614f1819f9fcace30a
2014-12-18 00:21:21 +00:00
jessica_yu
3f14fe45a3 print information about opened files when failed unmount
Change-Id: I88ae719cdae490433390d624f75612a9f4f96677

Cryptfs : Enabling support for allow_discards in dmcrypt.
Cryptfs : Password matches
Cryptfs : test_mount_encrypted_fs(): Master key saved
TrustyKeymaster: Creating device
TrustyKeymaster: Device address: 0x7f8f416100
Cryptfs : keymaster version is 3
Cryptfs : Just asked init to shut down class main
ServiceManager: service 'drm.drmManager' died
ServiceManager: service 'media.audio_flinger' died
ServiceManager: service 'media.player' died
ServiceManager: service 'media.camera' died
ServiceManager: service 'android.security.keystore' died
Cryptfs : unmounting /data failed

Bug: 17576594
2014-09-24 15:46:45 -07:00
San Mehat
97ac40e4e6 vold: Switch from LOG -> SLOG
Change-Id: I48ee8bd90b47f5845f069cdf4d1b8ba6ecdb1b39
Signed-off-by: San Mehat <san@google.com>
2010-03-25 08:02:28 -07:00
Kenny Root
b3b4318ab8 Check length of filenames before strcat
Just in case someone tries to set up a series of links to trick us, do a
quick sanity check on the total length of the strings we're about to
concatenate.

Change-Id: Iba9617008dbc1e93e1907393052caf1e52fbe312
2010-02-18 09:35:35 -08:00
San Mehat
586536c60b vold: Refactor Processkiller and add command to return users of a mount point
Signed-off-by: San Mehat <san@google.com>
2010-02-16 17:12:00 -08:00