When formatting volumes, pass along fsType string which can be "auto"
to let the volume select the best choice. For now, private volumes
assume that MMC devices (like SD cards) are best off using f2fs when
both kernel support and tools are present, otherwise fall back to
ext4. Use blkid when mounting to pick the right set of tools.
Move filesystem utility methods into namespaces and place in separate
directory to be more organized.
Bug: 20275581
Change-Id: Id5f82d8672dda2e9f68c35b075f28232b0b55ed4
Now that we're offering to store private app data on adopted storage
devices, the performance of those devices is much more important to
overall user experience.
To help set user expectations, this change offers to execute a
real-world benchmark on a storage device, returning a metric that can
be used to compare internal and external storage. The benchmark is
generated from the strace-instrumented storage access patterns of
typical apps.
A typical device completes the benchmark in under two seconds on
internal storage, a UHS-3 SD card is even faster (!), but a very slow
Class 4 SD card takes about 30 seconds to complete, giving us a clear
signal.
The measured benchmark numbers are logged along with information
about the storage device, such as manufacturer, model, etc. Card
serial numbers are scrubbed from output.
Bug: 21172095
Change-Id: I9b2713dafdfdfcf5d97bf1bc21841f39409a7e54
The VolumeManager::mountObb() creates a mapping between
a loopback device and a dm device. However the device-mapper
carries it out asynchronously, so there is a possibility that
Vold accesses to the dm device which is being built. Added
waiting for completion of the mapping in that function, like
mountAsec().
To verify install FrameworksCoreTests.apk and do:
adb shell am instrument -r -w -e class android.os.storage.\
StorageManagerIntegrationTest#testMountTwoEncryptedObb \
com.android.frameworks.coretests/android.test.\
InstrumentationTestRunner
Change-Id: If42f4b7494bb2f8a8b72d106ad84b3e3bf91fd9b
We eventually should move back to per-disk locks, but use a giant
lock to keep development rolling forward. Also move force adoptable
flag to framework since, since encrypted devices don't have persisted
properties loaded early during boot.
Bug: 19993667
Change-Id: Ifa3016ef41b038f8f71fc30bc81596cfd21dcd2a
This is cleaner and more direct than the reverse of having the disk
publish child volume membership. Rename state constants to match
public API. Add state representing bad removal. Make it clear that
volume flags are related to mounting.
Send new unsupported disk event when we finish scanning an entire
disk and have no meaningful volumes.
Bug: 19993667
Change-Id: I08a91452ff561171a484d1da5745293ec893aec0
Otherwise we get really excited and trip over ourselves while
partitions are still being created.
Bug: 19993667
Change-Id: I034e56b3063a71d73f9311a945c05ea2ae255f7d
When a private volume is mounted, create an emulated volume above it
hosted at the /media path on that device. That emulated volume is
automatically torn down when unmounting the private volume.
Add "removed" state for volume, which signals to framework that
media has left the building, send when the volume is destroyed.
Bug: 19993667
Change-Id: I1f82b51de578ac5cfcc5d7b9a6fb44f6f25c775c
Sadly setexeccon() is process global, so we need to carefully ensure
that all exec() are mutually exclusive to avoid transitioning into
unwanted domains. Also, because we have several threads floating
around, we need to guard all our FDs with O_CLOEXEC.
Format all newly created volumes immediately after partitioning,
but silence all events emitted from those volumes to prevent the
framework from getting all excited. Unify all notify events under a
single codepath to make them easy to silence.
Sent SIGINT before escalating to SIGTERM when unmounting.
Bug: 19993667
Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
This adds support for private volumes which is just a filesystem
wrapped in a dm-crypt layer. For now we're using the exact same
configuration as internal encryption (aes-cbc-essiv:sha256), but we
don't store any key material on the removable media. Instead, we
store the key on internal storage, and use the GPT partition GUID
to identify which key should be used.
This means that private external storage is effectively as secure as
the internal storage of the device. That is, if the internal storage
is encrypted, then our external storage key is also encrypted.
When partitioning disks, we now support a "private" mode which has
a PrivateVolume partition, and a currently unused 16MB metadata
partition reserved for future use. It also supports a "mixed" mode
which creates both a PublicVolume and PrivateVolume on the same
disk. Mixed mode is currently experimental.
For now, just add ext4 support to PrivateVolume; we'll look at f2fs
in a future change. Add VolumeBase lifecycle for setting up crypto
mappings, and extract blkid logic into shared method. Sprinkle some
more "static" around the cryptfs code to improve invariants.
Bug: 19993667
Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code. Use filesystem UUID as visible PublicVolume
name to be more deterministic.
When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear. Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects. Broadcast all of these events towards userspace so the
framework can decide what to mount.
Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.
Provide a reset command that framework uses to start from a known
state when runtime is restarted. When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.
Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.
Switch killProcessesWithOpenFiles() to directly take signal. Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.
Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
ioctl(BLKGETSIZE) expects unsigned long
(8 bytes on 64 bit environment).
This is fixing fails in android.os.storage.StorageManagerIntegrationTest
(in FrameworkCoreTests).
To verify, install FrameworksCoreTests.apk and do:
adb shell am instrument -r -w -e class android.os.storage.\
StorageManagerIntegrationTest#testMountSingleEncryptedObb \
com.android.frameworks.coretests/android.test.InstrumentationTestRunner
Change-Id: Ib6d5c7490c02521c93f107c35ad0aac49f6a3f1a
Don't use faccessat(AT_SYMLINK_NOFOLLOW). In Android, AT_SYMLINK_NOFOLLOW
is ignored. In glibc, it returns counter intuitive results when a
symbolic link is encountered, returning true all the time even though
an open(O_NOFOLLOW) will eventually fail.
Instead, stat the file and check to see if it's a regular file,
not a directory or symlink or some other weirdness.
In addition, fix a bug where isAsecInDirectory would return
true ("-1") if the asec directory didn't exist. It should return
false.
Bug: 18867827
Change-Id: I33d90e9095fad36ce0f83fde105b70f72e4eaef4
-Wno-missing-field-initializers is used as well, but that is an
overzealous warning from initializing structs with {0} and not a
real warning.
bug 18736778 and 16868177
Change-Id: Iffde89cd7200d9a11193e1614f1819f9fcace30a
Previously this would fail if the framework wasn't stopped. The failure
would then stop full disk encryption. The fact that the unmount worked,
however, would then stop the second attempt from achieving anything.
Fix in line with current retry philosophy
We still need to figure out why Devmapper::destroy() fails at first.
Bug: 17301843
Change-Id: I405a36c832ccdebf2d904bef77f15eea174a6bfb
Resize is no-op when sector count is unchanged; the caller can't
anticipate how vold does its sector calculations.
After resizing, we need to mount the container read-write, so allow
the caller to request "ro" or "rw" mode.
Handle ENOTSUP when trying to fallocate() on some filesystems
Bug: 16514385
Change-Id: I0d3a378280d4c36d14f8108ff428102283d583fa
Sometimes when an sdcard is already mounted,
some info like uuid and label are not re-broadcast to new listeners.
The extra argument to list allows late listeners to catch up by asking
volume list to broadcast that info again.
Bug: 16253597
Bug: 16306775
Change-Id: Ie7d0c1132c22d307a5b2a0e50075a3716138d00b
Signed-off-by: Benson Huang <benson.huang@mediatek.com>
(cherry picked from commit 85f4700f44170b772697e627b3075dcb9137e1b7)
From Shawn Heo's patch:
Ext4 introduced reserved clusters to prevent costly zeroout, or
unexpected ENOSPC. The size is 2% or 4096 clusters, whichever
is smaller (http://lwn.net/Articles/546473/).
So, we need to allocate additionally this amount of free space
to asecs when vold create asec images. This is required when
Android runs on Linux kernel 3.10 or later.
see: https://android-review.git.corp.google.com/#/c/96160
Change-Id: Iacff16b8cf0314493c355fa741bcfa519f744d6c
Signed-off-by: Daniel Rosenberg <drosen@google.com>
ASECs formatted as ext4 can now be resized using vdc asec resize.
Refactored some common code.
Requires resize2fs.
Change-Id: Ie78bb6015114a7bc4af42b16d1f299322ffc1e2a
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Changed ext4 to be 4kb aligned, and fat to be 32kb aligned.
Fixed issue that could potentially cause unencrypted ext4
ASECS to overwrite the ASEC super block when filled.
Change-Id: I890426c82ac9cbc65add85a8e3f5063504193c31
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Must limit vold calls to fs_mkdirs() only when the volume is mounted.
If NOT, it will trigger selinux warning as follows.
audit(1398835637.785:8): avc: denied { write } for pid=137 comm="vold" name="sdcard0" dev="rootfs" ino=3191 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
Change-Id: I1113fc961cbdd8bbd2fcbf740c2f504628c8399d
Signed-off-by: Cylen Yao <cylen.yao@mediatek.com>
libselinux selinux_android_restorecon API is changing to the more
general interface with flags and dropping the older variants.
Also get rid of the old, no longer used selinux_android_setfilecon API
and rename selinux_android_setfilecon2 to it as it is the only API in use.
Change-Id: I1e71ec398ccdc24cac4ec76f1b858d0f680f4925
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This will allow fine-grained labeling of the
contents of ASEC containers. Some of the contents
need to be world readable and thus should be
distinguishable in policy.
Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Replace MINOR(dev_t) and MAJOR(dev_t) with minor and major,
which cast to int.
Cast int to uintptr_t before casting to pointer
Change-Id: I59375518f15d27f400fcd4f8a8dfe5ebdd8350e6
When physical devices are unsafely removed, unmountAllAsecsInDir()
fails to find any ASECs, and leaves them all mounted, preventing the
rest of volume from going down.
Now we examine all ASEC containers, and remove when on external
storage, or when the storage media is no longer found.
Bug: 11175082
Change-Id: Iffa38ea43f7e5ad78b598374ebeb60a8727d99fd
We now run an sdcard fuse daemon on top of a physical SD card.
Add support for that.
Bug: 10330128
Change-Id: I6a291f861ccb0f2911c07cc8f659e2cec4e6d76c
Apps without sdcard_r or sdcard_rw need to have someone create
package-specific directories on their behalf. If apps have trouble
creating on their own, they now delegate through system to have
vold create the paths.
Requires that the requested path is actually managed by vold.
Bug: 10577808
Change-Id: I6835fc8f52240f9de07f89742a426a153e3ca32a
The new wipe option to the vold format command will invoke BLKDISCARD
on the partition before invoking newfs_msdos. This will be used whenever
a full wipe of the device is wanted, as this is more secure than just
doing newfs_msdos.
Bug: 9392982
Change-Id: Ie106f1b9cc70abc61206006d1821641c27c7ccae
Mount OBB containers using shared app GID, so that an app can read
the mount point across users.
Bug: 7212801
Change-Id: Ia1be52df9854c259b20728111f3a2c9facf4beaa
Augment the Ext4::format function to take
a mountpoint parameter. This will then
be passed to make_ext4fs through the
-a option to allow proper security labeling.
Change-Id: Ic26703406a2c463c12e32c8103a0c75c727b7d29
Any ASEC or OBB files were unmounted when USB storage was set to UMS
mode. This changes it so only ASEC files on external storage and OBB
files mounted from external storage are unmounted.
(Cherry-pick of 93ecb38dad)
Bug: 6948035
Change-Id: Ib60727bd360caa32173797ff5b4e1e21fcf20054
Any ASEC or OBB files were unmounted when USB storage was set to UMS
mode. This changes it so only ASEC files on external storage and OBB
files mounted from external storage are unmounted.
Bug: 6948035
Change-Id: I91bc09ee5b792970b0eef895f6886f3ffad00e8f
Now that forward locked apps are stored on /data as asec image files
that are mounted, they need to be unmounted before /data can be unmounted
so it can be encrypted.
Change-Id: I7c87deb52aaed21c8ad8ce8aceb7c15c2338620a
There appears to be a race condition from when the device mapper is
asked to create a device and when it actually appears. When we moved
ASECs to use Ext4, mount started winning the race more often.
Just insert a sleep-retry loop here to counter-act this race. We should
ideally look at the uevent replies, but it takes a bit more effort to
separate them out.
Change-Id: Ie8a5b36b1c9a26f2320a178d37312059d03a1281
When calling System.loadLibrary(), it needs to be able to read the
directory to load the file. We could probably fix that, but changing
permissions here is faster.
Bug: 6478606
Change-Id: I296b0805839da5a19950157f9a16755a4d258ca8
Traversal would mark directories with the correct permissions, but
they're visited again in post-order which is a different fts_info flag.
Then it would set that to regular file permissions.
Explicitly check to make sure we're looking at a file instead.
Bug: 6478606
Change-Id: I13cab3e69f451da6a994fa974d575ef366f82025
Now forward locked applications will be in ASEC containers both internal
to the system and externally.
This change adds support for putting applications in ext4-based ASECs.
Change-Id: I8d6765b72dd2606e429c067b47a2dbcaa8bef37d
Add the force_and_revert option to the unmount command which will force
the unmount, and revert a crypto mapping. This is used during factory
reset so that when the internal sdcard volume is formatted, it formats
the raw device, not the encrypted mapping.
Change-Id: I36b6ff9bb54863b121de635472a303bf4a2334a9
Mounting was already not allowed, but also unshare before starting
encryption, and don't allow sharing or formatting to be initiated
during encrytion.
Change-Id: Ida188d81f025739ba4dd90492b3e66088735991e
Add support for keeping the keys in a separate file on another partition,
for devices with no space reserved for a footer after the userdata filesystem.
Add support for encrypting the volumes managed by vold, if they meet certain
criteria, namely being marked as nonremovable and encryptable in vold.fstab.
A bit of trickiness is required to keep vold happy.
Change-Id: Idf0611f74b56c1026c45742ca82e0c26e58828fe
Improves UI responsiveness when copying large amount of data to the device.
BUG: 3131847
Change-Id: I4aa5ade7e2cd7e5110c8f0f7ee43bdc57577e11d
Signed-off-by: Mike Lockwood <lockwood@google.com>
ENOENT is more descriptive than the generic error that EINVAL gets
turned into. Then we can actually treat it how we want on the other
side.
Change-Id: I9b4f3be6308e13f680eae368d2167ab9ee6aae5f
OBB and ASEC are tracked in the same active container list, but when it
comes time to unmount everything, it was trying to unmount the OBBs
according to ASEC rules. This led to the OBB not being unmounted and the
volume unmount failing.
Change-Id: I12c1d4d387b8022185d552b63edd61a50b9c0fc3
Only share a single partition via UMS if a specific partition
is specified in vold.fstab (rather than "auto")
Do not fail to reformat if MBR cannot be found.
Change-Id: I544ca2ee325c308af656ab9f4732c788a964c156
Signed-off-by: Mike Lockwood <lockwood@android.com>
This allows us to place shared libraries in these containers which may
only be loaded if they are executable.
Change-Id: I78fa9ab6d5c58ec8b98c40004da72aebc0aade2a
* Rename all functions dealing with OBB files to mention Obb
* Add 'path' and 'list' functionality to OBB commands
* Store hashed filename in loop's lo_crypt_name and keep lo_file_name
for the real source filename. That way we can recover it later with an
ioctl call.
Change-Id: I29e468265988bfb931d981532d86d7be7b3adfc8
Allow the mounting of OBB filesystem images if they're encrypted with
twofish and in FAT filesystem format.
Change-Id: I54804e598f46b1f3a784ffe517ebd9d7626de7aa
The usb_mass_storage switch no longer exists in our 2.6.35 kernel.
Instead we will consider mass storage to be available if both USB is connected
and the USB mass storage function is enable.
Change-Id: I730d1b3cb3cac664fc2abcdc36cd39856a08404a
Signed-off-by: Mike Lockwood <lockwood@android.com>
Fixes bug: http://b/issue?id=2567572
Note: The framework will still likely restart since the system_server
is holding references to assets on the card which are mmaped, but
at least now storage will be available when a new card is re-inserted.
Change-Id: I4e195c0c666426b93da47198fa826a6f58d855a9
Signed-off-by: San Mehat <san@google.com>
- Fix issue where container-names > 64 bytes were getting truncated in the
kernel. lo_name is only 64 bytes in length, so we now hash the container
id via md5
- Add 'dump' command to dump loop and devicemapper status
- Add 'debug' command to enable more detailed logging at runtime
- Log vold IPC arguments (minus encryption keys)
- Fix premature return from Loop::lookupActive() and friends
Change-Id: I0e833261a445ce9dc1a8187e5501d27daba1ca76
Signed-off-by: San Mehat <san@google.com>
Add an un-encrypted superblock to the end of a secure container to
help identify the crypto cipher used. This is required in order to
provide some semblence of versioning, in case we have cause to
change the crypto type on an update - say for example switching
from software to hardware encryption, or from 128 -> a zillion
bit keys.
NOTE: This format is incompatible with previous secure containers.
After this change they will no longer be mountable.
Signed-off-by: San Mehat <san@google.com>
In order to protect the '/android_secure' directory on VFAT removable media
from being mucked with by 3rd party applications on the device, we hide the
directory with a read-only, zero-sized tmpfs mounted on-top. A reference to the
hidden directory is kept by a bind-mount which is mounted at a location which
only root can access.
Staging consists of:
1. Mount checked media at a secure location (/mnt/secure/staging)
2. Ensure /android_secure exists on the media, (creating if it doesnt)
3. Bind-mount /mnt/secure/staging/android_secure -> /mnt/secure/asec
(where only root can access it)
4. Mount an RDONLY zero-sized tmpfs over /mnt/secure/staging/android_secure
5. Atomically move /mnt/secure/staging to the publicly accessable storage
directory (/mnt/sdcard)
Signed-off-by: San Mehat <san@google.com>
- share command was taking wrong arguments
- shared command was returning two termination codes
- Force FAT32 cluster size to 4k when formatting
Signed-off-by: San Mehat <san@google.com>
- Supports up to 4096 containers
- Keys are now implemented - specifying a key of 'none' means no encryption.
Otherwise, the key must be a string of 32 characters
Signed-off-by: San Mehat <san@google.com>
