std::ifstream does not use O_CLOEXEC flag when opening files. This leads
to file descriptors being inherited by child processes. In the case of vold
this results in leaking FDs to less privileged children with no permission
for these files which occasionally leads to SELinux denials.
Bug: 129298168
Change-Id: Id2731782a25d65c9a7cbf25dc441f3e7a17609c1
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Moves away from crufty char* operations to std::string utility
methods, including android::base methods for splitting/parsing.
Rewrite of how Process handles scanning procfs for filesystem
references; now uses fts(3) for more sane traversal.
Replace sscanf() with new FindValue() method, also has unit tests.
Remove some unused methods. Switch almost everyone over to using
modern logging library.
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 67041047
Change-Id: I70dc512f21459d1e25b187f24289002b2c7bc7af
Start with clang-analyzer-security* and cert-*, but disable two
specific errors:
-- cert-err34-c, which checks for atoi(); heavily triggered by
CommandListener, but will disappear when we move to Binder.
-- cert-err58-cpp, which checks for exceptions before main(); it's
a "Low" severity issue, and filed 36656327 to track cleanup.
Fix all other triggered errors along the way.
Test: builds, boots
Bug: 36655947
Change-Id: I1391693fb521ed39700e25ab6b16bc741293bb79
Also remove some unnecessary SELinux logic when creating image files
for loop devices.
Test: builds, boots, common operations work
Bug: 34903607
Change-Id: I68dfa022ecc39f56c175e786694e0de35b954ca0
When unmounting an emulated volume, look for apps with open files
using the final published volume path.
Without this change, we were only looking at the internal paths
used for runtime permissions, which apps never use directly. This
meant we'd always fail to unmount the volume if apps didn't respect
the EJECTING broadcast, and volume migration would end up wedged
until the device rebooted.
Bug: 24863778
Change-Id: Ibda484e66ab95744c304c344b226caa5b10b7e2e
Sadly setexeccon() is process global, so we need to carefully ensure
that all exec() are mutually exclusive to avoid transitioning into
unwanted domains. Also, because we have several threads floating
around, we need to guard all our FDs with O_CLOEXEC.
Format all newly created volumes immediately after partitioning,
but silence all events emitted from those volumes to prevent the
framework from getting all excited. Unify all notify events under a
single codepath to make them easy to silence.
Sent SIGINT before escalating to SIGTERM when unmounting.
Bug: 19993667
Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code. Use filesystem UUID as visible PublicVolume
name to be more deterministic.
When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear. Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects. Broadcast all of these events towards userspace so the
framework can decide what to mount.
Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.
Provide a reset command that framework uses to start from a known
state when runtime is restarted. When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.
Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.
Switch killProcessesWithOpenFiles() to directly take signal. Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.
Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
-Wno-missing-field-initializers is used as well, but that is an
overzealous warning from initializing structs with {0} and not a
real warning.
bug 18736778 and 16868177
Change-Id: Iffde89cd7200d9a11193e1614f1819f9fcace30a
Change-Id: I88ae719cdae490433390d624f75612a9f4f96677
Cryptfs : Enabling support for allow_discards in dmcrypt.
Cryptfs : Password matches
Cryptfs : test_mount_encrypted_fs(): Master key saved
TrustyKeymaster: Creating device
TrustyKeymaster: Device address: 0x7f8f416100
Cryptfs : keymaster version is 3
Cryptfs : Just asked init to shut down class main
ServiceManager: service 'drm.drmManager' died
ServiceManager: service 'media.audio_flinger' died
ServiceManager: service 'media.player' died
ServiceManager: service 'media.camera' died
ServiceManager: service 'android.security.keystore' died
Cryptfs : unmounting /data failed
Bug: 17576594
Just in case someone tries to set up a series of links to trick us, do a
quick sanity check on the total length of the strings we're about to
concatenate.
Change-Id: Iba9617008dbc1e93e1907393052caf1e52fbe312