Commit graph

71 commits

Author SHA1 Message Date
Jeff Sharkey
d24aeda425 Only restorecon CE storage after unlocked.
On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed.  This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.

This CL uses an existing facility to request that init run a
recursive restorecon over a given path, and it requests that
operation for the CE directories that would have been omitted by
the SKIPCE flag earlier during boot.

Bug: 30126557
Change-Id: I8c7abea27215075a091f615a7185a82a2f4a4a95
2016-07-18 09:52:46 -06:00
Jeff Sharkey
be70c9ae22 Consistent creation/destruction of user data.
Preparing and destroying users currently needs to be split across
installd, system_server, and vold, since no single party has all the
required SELinux permissions.

Bug: 27896918, 25861755
Change-Id: Ieec14ccacfc7a3a5ab00df47ace7318feb900c38
2016-04-15 13:47:52 -06:00
Yu Ning
942d4e830b Support emulator's virtio-blk based SD card
Currently, vold only supports MMC (for SD cards) and SCSI (for USB
drives) devices. It does not recognize any device whose major number is
not one of those used by MMC and SCSI. Unfortunately, virtio-blk is one
such device. It is used by the new Android emulator (a.k.a. qemu2,
featuring the "ranchu" virtual board) for SD card emulation.

In order to make this virtio-blk based SD card device appear in Android
and appear as an SD card (rather than a USB drive), changes have to be
made to both vold (wherever the device major number is checked) and
ranchu's storage configuration. This CL implements former.

This is a stop-gap solution for emulator in nyc.
A longer term solution in-tune with upstream kernel is in the pipes.

Updated from aosp/master version.

BUG:27431753

Change-Id: I5014edec73be7c5b565d91542464c82cbe58992c
Signed-off-by: Yu Ning <yu.ning@intel.com>
(cherry picked from commit 5b1d1c7dfa13b4dca75213581dc8351b841b76c8)
2016-03-08 12:19:41 -08:00
Calin Juravle
493f5aa160 Create profile folder for foreign dex markers.
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide if the apks should be fully compiled instead of
profile guide compiled.

Bug: 27334750
Bug: 26080105
Change-Id: Ib18f20cf78a8dbfc465610ec6ceec52699c5420a
2016-02-25 23:31:50 +00:00
Calin Juravle
79f55a461f Prepare user profile folder
Bug: 26719109
Bug: 26563023
Change-Id: I4737b7f73df74b2b787a62db2e231f136115b359
2016-02-19 13:43:02 +00:00
Jeff Sharkey
47695b29af Allow callers to prepare CE/DE user storage.
Give callers the option of preparing CE and/or DE storage.  The
framework will only prepare CE storage after the CE keys have been
unlocked for that user.

When init is calling enablecrypto, kick off the work in a thread so
that we can make other calls back into vold without causing
deadlock.  Leaves blocking call intact for framework callers.

Clean up 'vdc' tool to send useful transaction numbers, and
actually watch for the matching result to come back.  This fixes
race conditions when there are multiple 'vdc' callers.

Also add other system and misc directories to match spec.

Bug: 25796509
Change-Id: Ie4f853db6e387916b845d2b5fb92925d743b063d
2016-02-05 13:03:52 -07:00
Daichi Hirono
10d34887b3 Mount appfuse in process namespace.
BUG=26148108

Change-Id: I2297fd227a4c607054e0403e73bd9c857f580a1c
2016-02-02 18:56:19 +09:00
Jeff Sharkey
fc505c3ff6 Emulate media encryption, always chmod to unlock.
When FBE emulation is enabled, lock/unlock the media directories that
store emulated SD card contents.

Change unlocking logic to always chmod directories back to known
state so that we can recover devices that have disabled FBE
emulation.

Bug: 26010607, 26027473
Change-Id: I6d4bff25d8ad7b948679290106f585f777f7a249
2015-12-07 17:35:58 -07:00
Jeff Sharkey
d2c96e7883 New granular encryption commands for framework.
We now have separate methods for key creation/destruction and
unlocking/locking.  Key unlocking can pass through an opaque token,
but it's left empty for now.

Extend user storage setup to also create system_ce and user_de
paths.  Bring over some path generation logic from installd.

Use strong type checking on user arguments.

Bug: 22358539
Change-Id: I00ba15c7b10dd682640b3f082feade4fb7cbbb5d
2015-11-10 15:57:14 -08:00
Jeff Sharkey
89f74fbf25 Kill apps using storage through bind mounts.
When unmounting an emulated volume, look for apps with open files
using the final published volume path.

Without this change, we were only looking at the internal paths
used for runtime permissions, which apps never use directly.  This
meant we'd always fail to unmount the volume if apps didn't respect
the EJECTING broadcast, and volume migration would end up wedged
until the device rebooted.

Bug: 24863778
Change-Id: Ibda484e66ab95744c304c344b226caa5b10b7e2e
2015-10-21 15:05:49 -07:00
Jeff Sharkey
c86ab6f538 Trim both internal and adopted private storage.
Refactor fstrim code to be encapsulated in unique task object, and
give it option of benchmarking when finished.  Trimming now includes
both storage from fstab and adopted private volumes.  Cleaner timing
stats are logged for each unique volume.

Add wakelock during ongoing async move tasks.  Push disk sysfs path
to framework so it can parse any SD card registers as desired.

Bug: 21831325
Change-Id: I76577685f5cae4929c251ad314ffdaeb5eb1c8bf
2015-07-01 15:53:51 -07:00
Jeff Sharkey
66270a21df Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app.  This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that.  This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions.  When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

Bug: 21858077
Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
2015-06-25 22:40:08 -07:00
Jeff Sharkey
bc40cc8f07 Add method to forget private partition keys.
Report both the disk and the partition GUID for private volumes to
userspace, and offer to forget the encryption key for a given
partition GUID.

Bug: 21782268
Change-Id: Ie77a3a58e47bf3563cdb3e4b0edfab1de4d0e6b4
2015-06-22 14:04:54 -07:00
Jeff Sharkey
d0640f6358 Add f2fs support for private volumes.
When formatting volumes, pass along fsType string which can be "auto"
to let the volume select the best choice.  For now, private volumes
assume that MMC devices (like SD cards) are best off using f2fs when
both kernel support and tools are present, otherwise fall back to
ext4.  Use blkid when mounting to pick the right set of tools.

Move filesystem utility methods into namespaces and place in separate
directory to be more organized.

Bug: 20275581
Change-Id: Id5f82d8672dda2e9f68c35b075f28232b0b55ed4
2015-06-08 20:21:25 -07:00
Jeff Sharkey
1d6fbcc389 Migrate primary external storage.
When requested, kick off a thread that will migrate storage contents
between two locations.  This is performed in several steps that
also interact with the framework:

1. Take old and new volumes offline during migration
2. Wipe new location clean (10% of progress)
3. Copy files from old to new (60% of progress)
4. Inform framework that move was successful so it can persist
5. Wipe old location clean (15% of progress)

Derives a hacky progress estimate by using a rough proxy of free
disk space changes while a cp/rm is taking place.

Add new internal path for direct access to volumes to bypass any
FUSE emulation overhead, and send it to framework.  Remove mutex
around various exec calls since setexeccon() is already per-thread.

Bug: 19993667
Change-Id: Ibcb4f6fe0126d05b2365f316f53e71dc3e79a2b8
2015-04-24 16:08:07 -07:00
Jeff Sharkey
ce6a913aea Exclusive exec() path, format after partition.
Sadly setexeccon() is process global, so we need to carefully ensure
that all exec() are mutually exclusive to avoid transitioning into
unwanted domains.  Also, because we have several threads floating
around, we need to guard all our FDs with O_CLOEXEC.

Format all newly created volumes immediately after partitioning,
but silence all events emitted from those volumes to prevent the
framework from getting all excited.  Unify all notify events under a
single codepath to make them easy to silence.

Sent SIGINT before escalating to SIGTERM when unmounting.

Bug: 19993667
Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
2015-04-11 08:48:13 -07:00
Jeff Sharkey
f0121c574e Updates for expanded storage.
Mount private volumes at /mnt/expand, which is where we have new
SELinux policy waiting for us.  Also ensure that foundational
directories are ready when mounting.

Create local fs_prepare_dir() wrapper that sets SELinux context
based on path, avoiding the need for a later restorecon.

Use UUID as directory name for public volumes.  Wait a few seconds
before issuing first signal when force unmounting.

Bug: 19993667
Change-Id: If22595380faaae321705b06c87d877419620da48
2015-04-06 17:41:30 -07:00
Jeff Sharkey
95c87cce35 Different blkid and fsck execution domains.
vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices like PrivateVolume
which are encrypted.

When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.

Bug: 19993667
Change-Id: I2695f028710a4863f0c3b2ed6da437f466401272
2015-04-01 14:08:40 -07:00
Jeff Sharkey
9c48498f45 Support for private (adopted) volumes.
This adds support for private volumes which is just a filesystem
wrapped in a dm-crypt layer.  For now we're using the exact same
configuration as internal encryption (aes-cbc-essiv:sha256), but we
don't store any key material on the removable media.  Instead, we
store the key on internal storage, and use the GPT partition GUID
to identify which key should be used.

This means that private external storage is effectively as secure as
the internal storage of the device.  That is, if the internal storage
is encrypted, then our external storage key is also encrypted.

When partitioning disks, we now support a "private" mode which has
a PrivateVolume partition, and a currently unused 16MB metadata
partition reserved for future use.  It also supports a "mixed" mode
which creates both a PublicVolume and PrivateVolume on the same
disk.  Mixed mode is currently experimental.

For now, just add ext4 support to PrivateVolume; we'll look at f2fs
in a future change.  Add VolumeBase lifecycle for setting up crypto
mappings, and extract blkid logic into shared method.  Sprinkle some
more "static" around the cryptfs code to improve invariants.

Bug: 19993667
Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
2015-04-01 10:45:05 -07:00
Jeff Sharkey
36801cccf2 Progress towards dynamic storage support.
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code.  Use filesystem UUID as visible PublicVolume
name to be more deterministic.

When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear.  Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects.  Broadcast all of these events towards userspace so the
framework can decide what to mount.

Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.

Provide a reset command that framework uses to start from a known
state when runtime is restarted.  When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.

Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.

Switch killProcessesWithOpenFiles() to directly take signal.  Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.

Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
2015-03-30 19:46:31 -07:00
Jeff Sharkey
deb2405737 Checkpoint of better dynamic device support.
This is the first in a series of changes that are designed to
introduce better support for dynamic block devices.

It starts by defining a new Volume object which represents a storage
endpoint that knows how to mount, unmount, and format itself.  This
could be a filesystem directly on a partition, or it could be an
emulated FUSE filesystem, an ASEC, or an OBB.

These new volumes can be "stacked" so that unmounting a volume will
also unmount any volumes stacked above it.  Volumes that provide
shared storage can also be asked to present themselves (through bind
mounts) into user-specific mount areas.

This change also adds a Disk class which is created based on block
kernel netlink events.  Instead of waiting for partition events from
the kernel, it uses gptfdisk to read partition details and creates
the relevant Volume objects.

Change-Id: I0e8bc1f8f9dcb24405f5e795c0658998e22ae2f7
2015-03-13 10:12:57 -07:00