When unmounting an emulated volume, look for apps with open files
using the final published volume path.
Without this change, we were only looking at the internal paths
used for runtime permissions, which apps never use directly. This
meant we'd always fail to unmount the volume if apps didn't respect
the EJECTING broadcast, and volume migration would end up wedged
until the device rebooted.
Bug: 24863778
Change-Id: Ibda484e66ab95744c304c344b226caa5b10b7e2e
When formatting media as a public volume, we write an MBR, but we
might leave a stale GPT floating around. Some devices are configured
to aggressively prefer GPT when detected, even if the checksums
between primary/secondary don't match.
To work around this, nuke both MBR and GPT tables from the media
before we lay down our new MBR.
Bug: 24112219
Change-Id: Ibf1be466a6877cbab925a24db5e5dbab0613bea7
The framework can request that a benchmark be run after an fstrim,
but it was disabled due to a kernel bug on certain devices. That bug
has long been fixed, so it should be safe to enable this again.
Bug: 23942769
Change-Id: Ibe967a75856d0cbad45e2f8f3120f1970caf36d0
Otherwise blkid can emit tags like SEC_TYPE which mess with the value
extraction code.
Bug: 23069906
Change-Id: Id2a588ff43a538747d1e44cd8218c96ebd0192c2
We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.
This series of changes just bumps the directory heirarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.
Also add CTS tests to verify that we're protecting access to
internal mount points like this.
Bug: 22964288
Change-Id: I83f09f0423f4993e766273c50389dd29b1c50589
This allows apps like ExternalStorageProvider to still read/write
files on transient storage devices which aren't mounted as visible.
Bug: 22545248
Change-Id: Idacb15f2233245a8e1861d9be977535a82b218ec
If we always write zeros, we're leaving a giant pile of known
plaintext at an almost deterministic location on newly formatted
volumes. To avoid this, repeat a 64K chunk of random data.
Bug: 22816936
Change-Id: Iedc067a519bd676a93b9d74ea4f9f77c84c8461c
Long ago, we mounted secondary physical cards as readable by all
users on the device, which enabled the use-case of loading media on
a card and viewing it from all users.
More recently, we started giving write access to these secondary
physical cards, but this created a one-directional channel for
communication across user boundaries; something that CDD disallows.
This change is designed to give us the best of both worlds: the
package-specific directories are writable for the user that mounted
the card, but access to those "Android" directories are blocked for
all other users. Other users remain able to read content elsewhere
on the card.
Bug: 22787184
Change-Id: I75dbd339f11402ae774c7e4b8f2b15ee216270e8
When mounting a primary external storage device that is multi-user
aware, ensure that the user-specific directory actually exists before
moving forward.
Bug: 22472026
Change-Id: I33c8eed261a9c0d5acedd5be6133ed9990679d08
We really only support a single emulated volume on the device at a
time, either on internal storage, or moved to a private volume. To
avoid kicking off a giant rescan of all media when moved, keep all
the paths the same when mounted as primary.
Also ensure we have /data/media/0 ready on private volumes.
Bug: 20275423
Change-Id: I0c102f430b865ca7536772b1fae56d8c9660a97a
Refactor fstrim code to be encapsulated in unique task object, and
give it option of benchmarking when finished. Trimming now includes
both storage from fstab and adopted private volumes. Cleaner timing
stats are logged for each unique volume.
Add wakelock during ongoing async move tasks. Push disk sysfs path
to framework so it can parse any SD card registers as desired.
Bug: 21831325
Change-Id: I76577685f5cae4929c251ad314ffdaeb5eb1c8bf
In order to compare results from readlink() calls, we need to null
terminate the read value, otherwise we can end up doing an infinitely
recursive remount in the root namespace.
When remounting inside a namespace, unmount all existing mounts before
mounting the new storage into place. This also means we need to mount
the user-specific symlinks back into place.
Skip spinning up the FUSE daemon when not visible, otherwise we get
stuck waiting for a daemon that never shows up.
Bug: 22192518, 22204412
Change-Id: Icc7db822354ab7ffc47c39cd0611f65edecc32e5
Some storage devices can be formatted as bare partitions, without an
MBR or GPT header. If we found no partitions, try poking at the raw
disk, and treat it as a public volume if we found a valid filesystem.
Bug: 20503551
Change-Id: I80304e1ad865435321c341b667c0daf2daf4d56c
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
Report both the disk and the partition GUID for private volumes to
userspace, and offer to forget the encryption key for a given
partition GUID.
Bug: 21782268
Change-Id: Ie77a3a58e47bf3563cdb3e4b0edfab1de4d0e6b4
vold will eventually use the serial numbers to clean up stale user
directories when mounting private storage devices.
Bug: 20275572
Change-Id: Ia29cb5da23e969f3087bb5caa5dc8f4e88f07613
This ensures that we have consistent SELinux policy in place before
going any further, and it mirrors the way we restorecon /data when
first mounted.
Bug: 21121357
Change-Id: I2a7e3584ade655fe1fae8916cf54f9eae3a0f99d
When formatting volumes, pass along fsType string which can be "auto"
to let the volume select the best choice. For now, private volumes
assume that MMC devices (like SD cards) are best off using f2fs when
both kernel support and tools are present, otherwise fall back to
ext4. Use blkid when mounting to pick the right set of tools.
Move filesystem utility methods into namespaces and place in separate
directory to be more organized.
Bug: 20275581
Change-Id: Id5f82d8672dda2e9f68c35b075f28232b0b55ed4
In order to prevent this bug from happening, we must allow vold cryptfs
commands to complete while a long running mount is underway.
While waiting for vold to be changed to a binder interface, we will simply
create two listeners, one for cryptfs and one for everything else.
Bug: 19197175
Change-Id: If74142aa81abd58f718a9de6c9e387f6ea442754
