Commit graph

173 commits

Author SHA1 Message Date
Tao Wu
3d98962269 Don't abort fuse connections for virtiofs.
Android should only abort fuse connections for fuse fs. It shouldn't
touch fuse connections for virtiofs.

Bug: 162284193
Test: manual - Restart zygote, no 'Transport endpoint is not connected' error.
Change-Id: Ie3536734531404e98ad1b6594ab3c52e919b22b7
2022-01-18 18:33:52 -08:00
Thiébaud Weksteen
ae8550fd20 Replace security_context_t type
security_context_t has been marked as deprecated in libselinux from
version 3.2. Update to the `char*` type.

Bug: 190808996
Test: m
Change-Id: I6f40e161251c79893d41e12c368715736578aacc
2021-09-10 10:54:19 +02:00
Alan Stokes
b2678b6654 Merge "Only kill apps with storage app data isolation enabled" 2021-05-05 14:16:00 +00:00
Eric Biggers
39aa9584b1 Log error message if setting project quota ID fails
Otherwise, the only sign of what went wrong may be system_server
logging a "ServiceSpecificException".

Bug: 187079978
Change-Id: I59b2ba2b0e679dfd1ec1fd8fff6790256fbfdf29
2021-05-03 12:39:36 -07:00
Ricky Wai
23356377ae Only kill apps with storage app data isolation enabled
Originally it kills all the apps with obb and data mounted.
Due to recent changes, all apps will have obb and data dirs mounted
in default root namespace. Hence all apps will be killed by
by KillProcessesWithMounts().

To fix this, we also check if the dir is mounted as tmpfs,
as the default namespace one is bind mounted to lowerfs,
which app data isolation is mounted as tmpfs, so we only
kill the process that have obb dir mounted as tmpfs.

Bug: 148049767
Test: Able to boot without warnings
Change-Id: I5f862ad6f64f5df739b68ea7c9815352bae3be5c
Merged-In: I45d9a63ed47cbc27aebb63357a43f51ad62275db
2021-04-30 13:58:07 +00:00
Zim
75273001a2 Avoid killing the FUSE daemon during unmount
The FUSE daemon is often holding fds on behalf of other apps and if a
volume is ejected the daemon would often get killed first while vold
is walking /proc/<pid>/fd to kill pids with open fds on the
volume. This is required for the volume unmount successfully.

To mitigate this, we avoid killing the FUSE daemon during the usual
/proc walk. This ensures that we first send SIGINT, SIGTERM and
SIGKILL to other apps first. There is an additional SIGKILL attempt
and on that last attempt, we kill the FUSE daemon as a last resort

Test: Manual
Bug: 171673908
Change-Id: I100d2ce4cb4c145cbb49e0696842e97dfba2c1c9
2021-03-05 11:05:16 +00:00
Treehugger Robot
f6546171af Merge "Set a default ACL on /data/media/userId." 2021-03-02 09:25:52 +00:00
Martijn Coenen
5adf92a988 Set a default ACL on /data/media/userId.
This directory is used as a root for external storage on adopted storage
devices. It needs to be writable by processes holding the AID_MEDIA_RW
GID permission; in particular, it should be writable by the FUSE daemon.

On devices with sdcardfs, this was ensured automatically, because
sdcardfs presented a view of this directory that was writable, that we
could use for the FUSE daemon. But on devices without sdcardfs, the FUSE
daemon sees the raw filesystem and its permissions. This also means that
files created by the FUSE daemon will have their uid/gid set to the uid
of the FUSE daemon; to ensure these files stay writable to other system
applications that have AID_MEDIA_RW, use a default ACL to make sure the
gid stays AID_MEDIA_RW.

In particular, this fixes an issue with app cloning, where we want the
FUSE daemon of user 0 to be able to access the files of the app clone
user, and vice versa.

Bug: 154057120
Test: inspect uid/gid of /data/media/0 and contents
Change-Id: Ic5d63457ec917ea407b900dbb7773d89311780c6
2021-02-24 12:45:09 +01:00
Treehugger Robot
6c36c6f421 Merge changes from topic "fsync-fixes"
* changes:
  Add syncs when creating parent directories
  Sync parent directory in storeKeyAtomically()
  Move pathExists() to Utils.cpp
2021-02-19 19:23:47 +00:00
Dhiraj Jadhav
72005fd1e6 Revert "Revert "Revert "Set a default ACL on /data/media/userId."""
This reverts commit ea9681e4cd.

Reason for revert: storage Permission causing b/179362637 adb push to fail

Change-Id: Ibc1d8b5b685c22545b7e2d15de58059960b87e14
2021-02-18 04:57:03 +00:00
Eric Biggers
fec0c0e472 Add syncs when creating parent directories
vold creates some directories for storing encryption keys if they don't
already exist, potentially including parent directories:

    /metadata/vold/metadata_encryption
    /data/misc/vold/volume_keys/$volume_uuid
    /data/misc_de/$user/vold/volume_keys/$volume_uuid
    /data/misc_ce/$user/vold/volume_keys/$volume_uuid

Currently fs_mkdirs() is used for this.  However, fs_mkdirs() doesn't
include the fsync()s of the parent directories that are needed to ensure
that the new directories are persisted to disk right away -- which is
important for encryption keys.

Add a utility function MkdirsSync() which does what is needed, and make
the appropriate places call it.

Test: Booted and checked log for "Created directory" message.
      Also ran 'atest vold_tests' to run the new unit test.
Change-Id: Ie9917b616433080139b8db3fd6877203ee6faf77
2021-02-16 16:18:53 -08:00
Eric Biggers
3345a2a98c Sync parent directory in storeKeyAtomically()
When an FBE or metadata encryption key is created, it's important that
it be persisted to disk right away; otherwise the device may fail to
boot after an unclean shutdown.  storeKey() has the needed fsync()s.
However, storeKeyAtomically() doesn't, as it doesn't fsync() the parent
directory of key_path after it renames tmp_path to it.

Two callers do fsync() the parent directory themselves, but others
don't.  E.g., the metadata encryption key doesn't get properly synced.

Therefore, add the needed fsync() to storeKeyAtomically() so that it
gets done for everyone.

Also remove the now-unneeded fsync()s from the two callers that did it
themselves.

Change-Id: I342ebd94f0a3d2bf3a7a443c35b6bda0f12e1ab2
2021-02-16 16:05:38 -08:00
Eric Biggers
bd138dd08a Move pathExists() to Utils.cpp
This is useful as a general utility function.

Change-Id: Id43fc106dc6c544c6e4ce65f10c7d4246b99e54a
2021-02-16 16:05:38 -08:00
Martijn Coenen
ea9681e4cd Revert "Revert "Set a default ACL on /data/media/userId.""
This reverts commit b276e80aec.

Reason for revert: b/177926359 is now fixed

Change-Id: I8ec5d80a44fc9e491ab3430592e17d10a82f40ea
2021-02-01 07:57:02 +00:00
Martijn Coenen
b276e80aec Revert "Set a default ACL on /data/media/userId."
This reverts commit a71323ec0e.

Reason for revert: b/177926359 - note that this is a Google testing infrastructure issue, and no issue with this patch. Partners can keep using this patch. It will be resubmitted in a few weeks.

Change-Id: Ia13279ac1aafa2e4425c4527aeadd5d0fadbc2e4
2021-01-20 15:51:44 +00:00
Martijn Coenen
a71323ec0e Set a default ACL on /data/media/userId.
This directory is used as a root for external storage on adopted storage
devices. It needs to be writable by processes holding the AID_MEDIA_RW
GID permission; in particular, it should be writable by the FUSE daemon.

On devices with sdcardfs, this was ensured automatically, because
sdcardfs presented a view of this directory that was writable, that we
could use for the FUSE daemon. But on devices without sdcardfs, the FUSE
daemon sees the raw filesystem and its permissions. This also means that
files created by the FUSE daemon will have their uid/gid set to the uid
of the FUSE daemon; to ensure these files stay writable to other system
applications that have AID_MEDIA_RW, use a default ACL to make sure the
gid stays AID_MEDIA_RW.

In particular, this fixes an issue with app cloning, where we want the
FUSE daemon of user 0 to be able to access the files of the app clone
user, and vice versa.

Bug: 154057120
Test: inspect uid/gid of /data/media/0 and contents
Change-Id: Ib718b8362df84754ee3cac33865bca3c12df2e3a
2020-12-23 21:05:02 +00:00
Martijn Coenen
94d6c1275d Revert "Set a default ACL on /data/media/userId."
This reverts commit 8688eb4f47.

Reason for revert: Probably causing b/176240229

Change-Id: Id92d1f1589e8927f372960ec2cc5d262d10ad161
2020-12-23 19:14:15 +00:00
Martijn Coenen
8688eb4f47 Set a default ACL on /data/media/userId.
This directory is used as a root for external storage on adopted storage
devices. It needs to be writable by processes holding the AID_MEDIA_RW
GID permission; in particular, it should be writable by the FUSE daemon.

On devices with sdcardfs, this was ensured automatically, because
sdcardfs presented a view of this directory that was writable, that we
could use for the FUSE daemon. But on devices without sdcardfs, the FUSE
daemon sees the raw filesystem and its permissions. This also means that
files created by the FUSE daemon will have their uid/gid set to the uid
of the FUSE daemon; to ensure these files stay writable to other system
applications that have AID_MEDIA_RW, use a default ACL to make sure the
gid stays AID_MEDIA_RW.

In particular, this fixes an issue with app cloning, where we want the
FUSE daemon of user 0 to be able to access the files of the app clone
user, and vice versa.

Bug: 154057120
Test: inspect uid/gid of /data/media/0 and contents
Change-Id: I6dfae41f9cb6a8283978b2667b02708a000f07c0
2020-12-16 17:54:22 +01:00
Martijn Coenen
64b3bba52e Unmount pass_through path last.
There've been reports of issues where, when a volume is ejected, the
MediaProvider process gets killed. This happens because the
MediaProvider has a file open on the volume (eg, during a scan). We do
abort the scan when the volume is ejected, however this could take some
time. So, we give MediaProvider a bit more time before getting killed,
by only looking for files open on the pass_through paths last. This
order anyway seems to make more sense - ideally we kill apps using
external storage before we unmount the pass_through path underlying it.

Bug: 171367622
Test: atets AdoptableHostTest
Change-Id: Ie8eacaa72a80ff8161ecf1e8c0243afcd890ee39
2020-11-19 09:08:50 +01:00
Eric Biggers
f74373b177 KeyStorage: rework key upgrade handling
Remove the error-prone 'keepOld' parameter, and instead make begin()
(renamed to BeginKeymasterOp()) do all the key upgrade handling.

Don't handle /data and /metadata differently anymore.  Previously, when
a checkpoint is active, key blob files were replaced on /data
immediately; only the actual Keymaster key deletion was delayed until
checkpoint commit.  But it's easier to just delay the key blob file
replacement too, as we have to implement that for /metadata anyway.

Also be more vigilant about deleting any leftover upgraded keys.

Test: Tested on bramble using an OTA rvc-d1-release => master.  In OTA
      success case, verified via logcat that the keys were upgraded and
      then were committed after the boot succeeded.  In OTA failure
      case, verified that the device still boots -- i.e., the old keys
      weren't lost.  Verified that in either case, no
      keymaster_key_blob_upgraded files were left over.  Finally, also
      tried 'pm create-user' and 'pm remove-user' and verified via
      logcat that the Keymaster keys still get deleted.
Change-Id: Ic9c3e63e0bcae0c608fc79050ca4a1676b3852ee
2020-11-05 19:58:26 -08:00
Eric Biggers
7bcf427369 Utils: add IsDotOrDotDot() and use it in the appropriate places
Change-Id: I704522b26acfb3e7c423d9a14d69ede513b50482
2020-11-02 15:47:24 -08:00
Eric Biggers
f9d9ac29d0 Fix argument type for FS_IOC_GETFLAGS and FS_IOC_SETFLAGS
These ioctls take a pointer to an 'int' (or an 'unsigned int', it
doesn't matter), not an 'unsigned long'.  See 'man ioctl_iflags'.
Presumably it happened to work anyway because Android only runs on
little endian platforms.

Bug: 146419093
Bug: 163453310
Change-Id: I73099dafd4ee8d497c0a754149271871a37454f6
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-10-28 04:48:09 +00:00
Daniel Rosenberg
cc874804dd Set media folder +F for adopted storage as well
We previously only set +F for /data/media, but adopted storage needs
this as well. Instead we add support for adding attrs to PrepareDir.

Bug: 163453310
Test: sm set-virtual-disk true
      follow UI setup and confirm +F on /mnt/expand/*/media
Change-Id: I08f13b57a4de3538e88b38eb95b0ac115a5a5ce8
Merged-In: I08f13b57a4de3538e88b38eb95b0ac115a5a5ce8
2020-10-20 18:55:54 -07:00
Martijn Coenen
a485006ab1 Configure backing device max_ratio for FUSE filesystems.
By default FUSE filesystems have a max_ratio of 1%, meaning only 1% of
dirty pages on the system can belong to a FUSE filesystem before we
start writing back pages (and throttling, if writeback can't keep up).
This limit is useful for untrusted filesystems, but in our case, we
trust the FUSE filesystem. Since FUSE writes result in writes to the
lower filesystem, FUSE should take at most 50%. Let's start with
changing max_ratio to 40%, to avoid needless throttling.

Bug: 159254170
Bug: 159770752
Test: inspect /sys/class/bdi manually after boot
Change-Id: I467e3770fc4afba0a08fa480c0b86aa054c8b875
2020-06-30 10:16:55 +02:00
Nikita Ioffe
bcd7d5e7ce Merge "Configure read ahead for fuse mounts" into rvc-dev 2020-06-17 16:37:37 +00:00
Nikita Ioffe
dcee5c1d21 Configure read ahead for fuse mounts
For fuse read ahead can be configured by writing a value to the
/sys/class/bdi/{MAJOR}:{MINOR}/read_ahead_kb file.

There are several different ways of getting {MAJOR}:{MINOR} values of
the filesystem:

* Look at st_dev of stat("/mnt/user/0/emulated").
* Parse /proc/self/mountinfo.

Stat'ing approach is used since it's easier to implement.

Bug: 157982297
Test: atest vold_tests
Test: adb shell cat /proc/self/mountinfo to get MAJOR:MINOR
Test: adb shell cat /sys/class/bdi/{MAJOR}:{MINOR}/read_ahead_kb
Test: created public volume, checked it's read_ahead_kb is also 256
Change-Id: Id0c149c4af1ceabf3afc33b4100563a512b38316
2020-06-17 15:58:25 +01:00
Martijn Coenen
1129b81071 Add app's own UID to the default ACL.
On devices without sdcardfs, /Android/data/com.foo and
/Android/obb/com.foo can be written by other processes (eg installers);
in those cases, file ownership may be wrong. To ensure that the original
app always has access to the files contained in this directory, add a
group to the default ACL that matches the UID of the app. Since all apps
have their own UID also as their group ID, this ensures that things keep
working correctly.

Bug: 157530951
Test: atest
android.appsecurity.cts.ExternalStorageHostTest#testExternalStorageUnsharedObb
Change-Id: I829a2a7c7b578a8328643f38681e68796adcd6b2

Change-Id: Ibbc333fb395507363830dfcf5dc6f1cfd55f008d
2020-06-16 15:16:18 +02:00
Martijn Coenen
23c0445355 vold: Support aborting FUSE connections.
This can be done through binder as well as vdc, using 'vdc volume
abort_fuse'.

Bug: 153411204
Test: adb shell vdc volume abort_fuse
Change-Id: I93e46dc1cd361729cc1162c63520cf73152ea409
2020-05-28 16:07:16 +02:00
Daniel Rosenberg
f36bdddc7e Move enabling sdcardfs behind a property
This allows devices that have sdcardfs enabled in the kernel to not use
it. When external_storage.sdcardfs.enabled=0, sdcardfs will not be
mounted. This is treated as default true to not affect upgrading
devices. It does not use the old ro.sys.sdcardfs as that has been
repurposed over time and no longer can be relied on to turn off
sdcardfs. This is included within emulated_storage.mk

Bug: 155222498
Test: mount|grep "type sdcardfs" should find nothing after boot complete
      if external_storage.sdcardfs.enabled=0
Change-Id: I23d75fb1225aeabbcb1a035ad62fd042b6b3c7b5
2020-05-19 22:11:49 -07:00
Alistair Delva
ff1fc9bc41 Expand virtio_block check to other virtual devices
The Android Emulator isn't the only virtual device the virtio-block
detection code is useful for, and those platforms might not set any
discriminating properties to indicate that they are virtual.

Rework the virtio-block major detection to use /proc/devices instead
of hardcoding the assumption that any virtual platform can have
virtio-block at any experimental major; the new code permits only the
exact experimental major assigned to virtio-block.

The new code runs everywhere, but it will only run once and could be
expanded later to detect dynamic or experimental majors.

Bug: 156286088
Change-Id: Ieae805d08fddd0124a397636f04d99194a9ef7e5
2020-05-15 17:00:44 -07:00
Martijn Coenen
9171fcc984 Only set quota project ID inheritance on app-private dirs.
Previously every directory on external storage had project ID quota
inheritance enabled; this means that if any new file/directory is
created under such a directory, it will inherit the project ID from the
parent. We use a default project ID of 1000 for generic directories, and
application-specific project IDs for app-specific directories.

MediaProvider is responsible for updating the quota type in the generic
directories, as it scans all files there. However, there is a problem
with this approach: if you move a file to a directory with project ID
inheritance set, and the project ID of that file differs from the
project ID of the dir, that results in an EXDEV error, and requires a
copy instead. For example, if /sdcard/DCIM/test.jpg has a project ID of
1003 (for images), and you try to move it to /sdcard/Pictures/test.jpg,
that would require a copy, because the project ID of /sdcard/Pictures is
1000.

While this is not a very common scenario, it's still better to avoid it.
Luckily we can - since MediaProvider anyway scans all files, it will set
the project ID on individual files correctly - there's no need to
inherit them.

We then only need to inherit quota in application-specific directories,
since in those directories the app can create files itself, and those
need to be tagged correctly.

This change enables that, by removing quota inheritance setting from the
top-level directory, and instead doing it for app-specific directories
instead.

Bug: 151078664
Test: atest StorageHostTest
      atest com.android.tests.fused.host.FuseDaemonHostTest#testRenameAndReplaceFile
Change-Id: I38a057ec61cb627e39a3ff7ac58c7218dc251bdc
2020-03-11 11:51:45 +01:00
Martijn Coenen
6a4d95d08e Merge "Switch to new project ID constants." 2020-02-20 08:58:56 +00:00
Martijn Coenen
aee40511ae Switch to new project ID constants.
Use new constants, instead of reusing previous sdcardfs values.

Bug: 146419093
Test: lsattr -pR
Change-Id: I7409d86cac5360e125e843cc79f3c5f41d74dd1e
2020-02-20 00:39:05 +01:00
Ricky Wai
879b9c0a59 Merge "Mount direct boot apps obb dir after fuse is ready." 2020-02-19 19:42:13 +00:00
Ricky Wai
07e64a4cea Mount direct boot apps obb dir after fuse is ready.
- Remove bind mounting Android/ code as we want to bind mount obb dir
for each process instead.
- Set property "vold.vold.fuse_running_users" as an array of user id
for which fuse is ready to use.
- After fuse is ready for a user, fork a background process in vold
to bind mount all direct boot apps for that user so its direct boot
apps obb dir will be mounted to lower fs for imporoved performance.

Bug: 148049767
Bug: 137890172
Test: After flag is enabled, AdoptableHostTest still pass.
Change-Id: I90079fbeed1c91f9780ca71e37b0012884680b7c
2020-02-19 16:45:07 +00:00
Martijn Coenen
816f4d94f6 Add fixupAppDir() API.
This can be used to fixup application directories in case they have been
created by some other entity besides vold; the main use case for this
API right now is OBB directories, which can be created by installers
outside of vold; on devices without sdcardfs, such directories and the
files contained therein are not setup correctly. This API will make sure
everything is setup the way it needs to be setup.

Bug: 146419093
Test: inspect OBB dir after install
Change-Id: I2e35b7ac2992dbb21cc950e53651ffc07cfca907
2020-02-19 12:11:34 +01:00
Martijn Coenen
442bb83828 Set a default ACL on the top-level OBB directory.
Since installers can create directories in Android/obb, make sure those
directories end up with the correct ACL bits as well.

Bug: 146419093
Test: inspect filesystem manually
Change-Id: I211e921197560a40599938463f3171a0ff92d9aa
2020-02-18 15:24:26 +01:00
Martijn Coenen
10570c00db Add sticky dir bit to Android/ dirs.
We want subdirectories of Android/data, Android/obb etc. to
automatically maintain their group-id.

Bug: 146419093
Test: manual inspection of /sdcard/Android
Change-Id: I36883febb01aa155dfafb0e86f8b99223cde9815
2020-02-18 15:24:26 +01:00
Ricky Wai
e50ddb786a Fix vold cannot create obb directory
Test: setupAppDir works now
Change-Id: I4bc67ecb57c30b1d0728580abc738e91f97de722
2020-02-18 11:42:32 +00:00
Martijn Coenen
b5a31c9985 Stop using a regex for setupAppDir.
This was hard to read and understand. Instead, fall back to explicit
string operations with more comments on what we're doing and what we're
allowing.

This also fixes an issue where apps were asking us to create dirs on
their behalf that our more than 2 levels deep, eg
com.foo/files/downloads ; I thought such paths weren't allowed, but
apparently they are (and there's no good reason for us to not set them
up correctly).

Bug: 149407572
Test: launch opera
Change-Id: I7c64831032b66e90960b96e41ee42c7d616a759c
2020-02-13 23:37:12 +01:00
Greg Kaiser
724f0092a3 Avoid extra string copy
We directly pass a reference to our std::string, instead of
forcing the creation of a temporary std::string from the
result of c_str().

Test: TreeHugger
Change-Id: Ibab13f1e1ff43af076df60ae4032bf9dd111dd27
2020-02-12 07:11:09 -08:00
Martijn Coenen
879fa8015d Set default ACL on application-specific directories.
On devices without sdcardfs, application-specific directories have a
particular GID that ensure some privileged daemons (like installers) are
able to write to them. Android applications however run with a umask of 0077, which means that
any subdirectory they create within their app-specific directory has
mode 700, which in turn prevents things like DownloadManager from
working, since it can be asked to download into a subdir of the app's
private storage.

To prevent this from happening, set a default 770 ACL on the top-level
app-specific directory (eg, /data/media/0/Android/data/com.foo); the
effect of that default ACL is that all directories that are created
within these directories automatically get a 770 mask, regardless of the
umask that the process has.

Bug: 146419093
Test: atest FuseDaemonHostTest on cf_x86 (without sdcardfs)

Change-Id: I3178694e6d25ce3d04a0918ac66862f644635704
2020-02-12 13:18:44 +01:00
Martijn Coenen
04bb17f112 Use a regex to create application directories.
A regex allows us to be more specific in what kind of directories we
accept here, which in turn makes it easier to correctly create them.

Bug: 146419093
Test: atest FuseDaemonHostTest
Change-Id: Icb8911f6516eab81b9bbd567c7287be9f605e8b0
2020-02-11 14:22:30 +01:00
Martijn Coenen
a0213ff0c3 Merge "Add SetQuotaInherit API." 2020-02-10 07:54:30 +00:00
Zim
a13d81bbf5 Create Android/media dirs
I3a879089422c7fc449b6a3e6f1c4b386b86687a4 enforces some gids on the
Android/ dirs but left out Android/media. We now create it

Test: atest FuseDaemonHostTest#testListFilesFromExternalMediaDirectory
Bug: 149072341
Change-Id: I260c414906cd491a6bdd83522ff45f8663e15604
2020-02-07 17:42:47 +00:00
Martijn Coenen
5fe1b16330 Add SetQuotaInherit API.
This allows setting the "inherit project ID" flags on directories; in
our case, we want to set this on the root of the lower filesystem, eg
"/data/media/0".

Bug: 146419093
Test: manual invocation works
Change-Id: Ic74588fd972d464e7021bef953da0e5aaafc4286
2020-02-06 18:57:47 +01:00
Martijn Coenen
ba9868bd78 Set correct quota project ID on application directories.
Use PrepareAppDirsFromRoot() to setup the quota project ID on
application-specific directories correctly. App directories use
AID_EXT_GID_START + their application ID offset, whereas cache
directories use AID_CACHE_GID_START. This is consistent with the GIDs
sdcardfs used to label these directories with.

Bug: 146419093
Test: verified project IDs with lsattr -p
Change-Id: Idca8a30d185012efb0d19ceb9b346b9a4de34f18
2020-02-04 13:02:51 +01:00
Martijn Coenen
62a4b279ab Setup Android/, Android/data and Android/obb dirs correctly.
Normally sdcardfs takes care of setting up these directories on-demand,
for example when an app requests its private data directory to be
created. On devices without sdcardfs however, we ourselves need to make
sure to setup the UID/GID of these directories correctly.

Introduce a new PrepareAndroidDirs() function which sets the dirs up
correctly. On devices without sdcardfs, that means:

Path              UID         GID         mode
/Android          media_rw    media_rw     771
/Android/data     media_rw    ext_data_rw  771
/Android/obb      media_rw    ext_obb_rw   771

Bug: 146419093
Test: wipe Android/, reboot, with and without sdcardfs, verify
      contents

Change-Id: I3a879089422c7fc449b6a3e6f1c4b386b86687a4
2020-02-04 13:02:49 +01:00
Zim
26eec7049b Harden /mnt/pass_through paths
Even though /mnt/pass_through itself is 700 root root, the paths under
it are quite permissive. Now, change them from 755 to 710 root
media_rw since the FUSE daemon is the only one that should access it
and it has media_rw gid

Test: manual
Bug: 135341433
Change-Id: I743c014f2c0273c68a1cead7f4331b55a3abcb4e
2020-01-31 16:10:06 +00:00
Zim
4dd47090a5 Allow media_rw access to /mnt/user
This allows the FUSE daemon (with media_rw) explicitly use /mnt/user
paths for redaction.

Test: atest FuseDaemonHostTest#testVfsCacheConsistency
Change-Id: If5b5f5aa6a0ce7c8e2fd300ff6146b345b25cf04
2020-01-29 02:44:46 +00:00