5724 commits
Eric Biggers
c7c4f5a902 Check for SELinux labelling errors
It's essential that files created by vold get the correct SELinux
labels, so make sure to check for errors when setting them.

ENOENT (no label defined) is expected on some files such as
/mnt/appfuse/*, so allow ENOENT but log a DEBUG message.

This will help debug b/269567270.  This is not a fix for b/269567270.

Bug: 269567270
Test: Created user and checked SELinux labels of user's directories
Test: atest CtsBlobStoreHostTestCases
Change-Id: Ife005bdd896952653943c57336deb33456f7c5d8
2023-03-01 22:11:29 +00:00
Austin Delgado
545f0ab758 Merge "Revert "Strictly check for SELinux labelling errors"" 2023-02-28 22:05:45 +00:00
Austin Delgado
b0f997deae Revert "Strictly check for SELinux labelling errors"
This reverts commit 2ef4e85448.

Reason for revert: b/271157681

Change-Id: I7224fd68027e2e9824694171547b8b2c808f9923
2023-02-28 21:58:08 +00:00
Eric Biggers
5554b80afb Merge "Strictly check for SELinux labelling errors" 2023-02-28 19:31:24 +00:00
Eric Biggers
2ef4e85448 Strictly check for SELinux labelling errors
It's essential that files created by vold get the correct SELinux
labels, so make sure to check for errors when setting them.

This will help debug b/269567270.  This is not a fix for b/269567270.

Bug: 269567270
Test: Created user and checked SELinux labels of user's directories
Change-Id: I99e4d530a00f9401532c9cb0990df254b7a12a80
2023-02-27 21:01:25 +00:00
Eric Biggers
481a5367a3 Merge "Fix logspam when user removed before CE storage prepared" 2023-02-24 22:40:59 +00:00
Eric Biggers
629c63414e Fix logspam when user removed before CE storage prepared
Due to frameworks/base commit 5c65b1ee1023 ("Don't prepare CE storage on
user creation") (http://ag/20241697), removing a user immediately after
creating it causes the user's directories to be destroyed before CE
storage was prepared.

Functionally this works fine; however, it causes some error messages to
be spammed to the log because 'vold_prepare_subdirs destroy' doesn't
like that /data/misc_ce/$userId and /data/vendor_ce/$userId don't exist.
vold_prepare_subdirs logs two error messages itself, but it also exits
with a failure status, which bubbles up and causes a Slog.wtf with a
stack trace in StorageManagerService.

Fix this by making rmrf_contents() simply return true if the directory
doesn't exist.

Bug: 232452368
Test: 'pm create-user 10 && pm remove-user 10' and check logcat
Change-Id: I867a915f4b25e1a5f0603fbd84680b673ff5eb96
2023-02-24 22:38:06 +00:00
Nathan Huckleberry
eee1149800 Merge "Clean up potential busy files after key eviction." 2023-02-24 08:18:07 +00:00
Nathan Huckleberry
a21962b207 Clean up potential busy files after key eviction.
There is a race condition between key eviction and killing user
processes.  The race condition is difficult to properly fix without
significantly degrading UI performance.

If the race condition occurs, decrypted filesystem data is left in
various kernel caches.  To mitigate, we try to ensure the caches are
flushed by evicting the keys again in a worker thread.

Test: Checked that the correct log messages appear when evicting a
user's keys
Bug: 140762419

Change-Id: I9e39e5bb0f5190284552bcd252b6213a22a51e91
2023-02-23 21:44:24 +00:00
Treehugger Robot
c2b0578e19 Merge "MetadataCrypt: extend timeout for low performance device" 2023-02-17 16:50:01 +00:00
Pawan Wagh
e0a722a05f Merge "Adding fuzzer for VoldNativeService" 2023-02-14 16:14:27 +00:00
Pawan
be70861242 Adding fuzzer for VoldNativeService
vold_native_service_fuzzer is added to fuzz VoldNativeService.

Bug: 232439428
Test: m vold_native_service_fuzzer
Test: adb sync && adb shell data/fuzz/x86_64/vold_native_service_fuzzer/vold_native_service_fuzzer
Change-Id: I2bf33f68e2a51b4ac390b5a5ad47d07260e94122
2023-02-13 19:01:09 +00:00
Masaya Takahashi
5ed64b246a MetadataCrypt: extend timeout for low performance device
Some devices isolate CPUs under low battery. This causes
low performance, and the 5 sec timeout is sometimes too short
for the dm device to be ready.

Bug: 267989884

Change-Id: I52e1140b961ac42401a409e3264a5facc0f60cc4
Signed-off-by: Masaya Takahashi <masaya.a.takahashi@sony.com>
2023-02-06 19:43:52 +09:00
Treehugger Robot
9355e48aaa Merge "Revert "Add NTFS support in vold"" 2023-02-03 12:34:55 +00:00
Alfred Piccioni
fc4934feb4 Revert "Add NTFS support in vold"
This reverts commit 564f6c649a.

Reason for revert: Un-backporting.

Note: This is not a direct revert. We should keep the minor refactoring
in PublicVolume.cpp; no point making the code worse.

Test: Revert.
Change-Id: Ic03ed25ad15a2da974921542a20cd27224347f68
2023-02-02 11:12:25 +01:00
Alfred Piccioni
c9579dc1a6 Merge "Add NTFS support in vold" 2023-01-24 09:44:18 +00:00
Alfred Piccioni
564f6c649a Add NTFS support in vold
This CR, when paired with a functional NTFS implementation and the
corresponding SEPolicy updates, will allow NTFS USB drives to be mounted
on Android.

Bug: 254407246

Test: Extensive testing with an ADT-4 and NTFS USB drives.

Merged-In: If4197c4c588866c611cd6ba3483707d3cb0e0cf8
Change-Id: If4197c4c588866c611cd6ba3483707d3cb0e0cf8
2023-01-23 11:10:38 +01:00
Treehugger Robot
9e3f17a57e Merge "Do not delete all keys after creating a first crypt device" 2023-01-19 00:03:53 +00:00
Jaegeuk Kim
fb9aadaf48 Do not delete all keys after creating a first crypt device
We should not delete keys once the first one has been created.

Bug: 197782466
Change-Id: Ia895c140aa16553b422748531b01931737a0ea94
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2023-01-18 14:56:46 -08:00
Treehugger Robot
45a3d47fd5 Merge "Do not reboot with commit failure when ext4 userdata is wiped" 2023-01-08 21:27:12 +00:00
Nikita Ioffe
d0c81a283b Merge "Revert "vold: explicitly specify capabilities"" 2023-01-06 16:45:49 +00:00
David Saff
dca3714425 Revert "vold: explicitly specify capabilities"
This reverts commit a4c5f57f63.

Reason for revert: Appears to be a culprit at https://android-build.googleplex.com/builds/tests/view?invocationId=I73600010121524618&testResultId=TR49128446350696862

Change-Id: Ia575a77e22547f93f4de8f5409649abbdf5e5883
2023-01-05 21:10:37 +00:00
faqiang.zhu
dd20dc3128 Do not reboot with commit failure when ext4 userdata is wiped
When the userdata partition is of type ext4, checkpoint and metadata
encryption are enabled, and the images are booted, then if the slot
currently in use is not marked as "successful" and userdata is wiped,
a reboot will be triggered because of "Checkpoint commit failed".

In this patch, do not create a checkpoint when the preceding condition
occurs; otherwise "dm-default-key" sits below "dm-bow".

Because cp_needsCheckpoint(), cp_prepareCheckpoint() and cp_commitChanges()
are always executed when the system boots up, and there is now a condition
in which the BOW device is not created while the slot in use is not marked
as "successful", set "isBow" to "false" if the BOW state fails to be set to
1. If "isBow" is false, then there is no need to commit the checkpoint,
and the system won't automatically reboot.

Bug: 193457319
Test: i.MX 8M Plus EVK, images flashed to board, misc and userdata
      partitions are wiped, checkpoint and metadata encryption are
      enabled for ext4 userdata partition.
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
Change-Id: I4ad47a9504f1be0407f0fd196001a0e96919be33
2023-01-04 21:06:00 +00:00
Nikita Ioffe
4af861b631 Merge "vold: explicitly specify capabilities" 2023-01-03 13:18:36 +00:00
Nikita Ioffe
a4c5f57f63 vold: explicitly specify capabilities
If a service doesn't specify any capabilities in its definition in the
.rc file, then it will inherit all the capabilities from init.
Although whether a process can use capabilities is actually controlled
by selinux (so inheriting all the init capabilities is not actually a
security vulnerability), it's better for defense-in-depth and just
bookkeeping to explicitly specify the capabilities that vold needs.

The list of capabilities that vold is allowed to use was obtained via:
```
$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy
$ sesearch --allow -s vold -c capability,capability2 /tmp/selinux.policy
allow vold vold:capability { chown dac_override dac_read_search fowner fsetid kill mknod net_admin sys_admin sys_chroot sys_nice sys_ptrace };
allow vold vold:capability2 block_suspend
```

In addition, since vold execs the /system/bin/sdcard, which transitions
into sdcardd domain, we also need to add capabilities that are required
by /system/bin/sdcard:

```
sesearch --allow -s sdcardd -c capability,capability2 /tmp/selinux.policy
allow sdcardd sdcardd:capability { dac_override dac_read_search setgid setuid sys_admin sys_resource };
```

vold can also transform into the following domains which don't seem to
need any capabilities: blkid, blkid_untrusted, fsck, fsck_untrusted

vold can also transform into sgdisk domain, which only needs
CAP_SYS_ADMIN:

```
sesearch --allow -s sgdisk -c capability,capability2 /tmp/selinux.policy
allow sgdisk sgdisk:capability sys_admin
```

Bug: 249796710
Test: device boots
Test: presubmit
Change-Id: Ic2a35fd62d6ed8c7b305c23607e6c24b197cf6bc
2022-12-29 18:34:33 +00:00
Treehugger Robot
0777c5d604 Merge "Use sleep_for for fsck timeout" 2022-12-17 00:28:27 +00:00
Daniel Rosenberg
8cd81faa71 Use sleep_for for fsck timeout
sleep may exit early due to interrupts.
This ensures the full expected time elapses before timing out.

Bug: 258348748
Test: Mount removable storage with ~30K folders,
      observe timeout in logs
Change-Id: I8092d4be43b85c9a53e8bb2658316159ab93bfc2
2022-12-16 22:30:57 +00:00
Paul Lawrence
c4bc218452 Merge "Add persist.sys.fuse.bpf.override" 2022-12-16 16:49:54 +00:00
David Anderson
1bb7a963c0 Merge "Skip new userdata pre-create logic on kernels < 5.15." 2022-12-15 17:26:59 +00:00
David Anderson
223c1b2499 Skip new userdata pre-create logic on kernels < 5.15.
Bug: 259328366
Test: table is not populated on 5.4
Change-Id: Idbf6aa11f25d5b9ba6b02917ae358f750da5fa48
2022-12-14 21:57:58 -08:00
Paul Lawrence
a688c4f1b2 Add persist.sys.fuse.bpf.override
Allows for easy override of fuse-bpf for testing without a rebuild

Test: Set this property with ro.fuse.bpf.enabled both true and false
      Make sure ro.fuse.bpf.is_running is expected result
Bug: 219958836
Change-Id: I589511ea5cda76db1d55bdc2124fb546907d8acd
2022-12-14 15:00:20 -08:00
Treehugger Robot
1edb6550ab Merge "Add ro.fuse.bpf.is_running" 2022-12-13 15:22:48 +00:00
Paul Lawrence
8c250754a9 Add ro.fuse.bpf.is_running
The is_running flag signals to tests whether fuse-bpf is running.

Test: Builds, runs, ro.fuse.bpf.is_running is correct, fuse-bpf works
Bug: 202785178
Change-Id: I2b967567092da2fab90e44c44ff2e51b372b85ed
2022-12-12 17:08:42 -08:00
David Anderson
3937b479bd Merge "Populate the dm table of the early userdata device." 2022-12-12 18:38:05 +00:00
Martijn Coenen
1968bd5a1b Merge "Support bind mounting volumes into other volume's mountpoint." am: 35eb1ae88a
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2189643

Change-Id: I3e0528ff7a114971a8b6da9cc939c3de0de9fd4f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-09 08:03:52 +00:00
Martijn Coenen
35eb1ae88a Merge "Support bind mounting volumes into other volume's mountpoint." 2022-12-09 07:42:00 +00:00
David Anderson
7b769bc5b1 Populate the dm table of the early userdata device.
DM_DEV_CREATE no longer creates sysfs nodes as of Linux kernel 5.15. It
is now necessary to DM_TABLE_LOAD as well.

Bug: 259328366
Test: userdata mounts
Change-Id: I0f88afdf95a97d44eb365e4302bbfdc7c28c0bcb
2022-12-08 16:23:45 -08:00
Martijn Coenen
73e3010a25 Support bind mounting volumes into other volume's mountpoint.
With the way the FUSE mount points are currently set up for emulated
volumes, there can be multiple paths that serve the same files on the
lower filesystem; e.g.

* /mnt/user/0/emulated/0/Android
* /mnt/user/10/emulated/0/Android

both refer to the same file on the lower filesystem:
* /data/media/0/Android

This is normally not a problem, because cross-user file access is not
allowed, and so the FUSE daemon won't serve files for other users.

With clone profiles this is no longer true however, as their volumes
are accessible by each other.

So, it can happen that an app running in clone profile 10 accesses
"/mnt/user/10/emulated/0/Android", which would be served by the FUSE
daemon for the user 10 filesystem.

At the same time, an app running in the owner profile 0 accesses
"/mnt/user/0/emulated/0/Android", which would be served by the FUSE
daemon for the user 0 filesystem.

This can cause page cache inconsistencies, because multiple FUSE daemons
can be running on top of the same entries in the lower filesystem.

To prevent this, use bind mounts to make sure that cross-profile
accesses actually end up in the FUSE daemon to which the volume
belongs: "/mnt/user/10/emulated/0" is bind-mounted to
"/mnt/user/0/emulated/0", and vice-versa.

Bug: 228271997
Test: manual
Change-Id: Iefcbc813670628b329a1a5d408b6126b84991e09
2022-12-07 09:01:27 +00:00
Treehugger Robot
c63d77bc61 Merge "Ignore DE retrieveKey failure for non-user-0" am: 1cb65f9de5
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2242642

Change-Id: Iecab2ad6f570e4083c1ad8dc8b432c56125befa4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-11-29 02:17:11 +00:00
Treehugger Robot
1cb65f9de5 Merge "Ignore DE retrieveKey failure for non-user-0" 2022-11-29 01:19:25 +00:00
liulvping
69b048507f Ignore DE retrieveKey failure for non-user-0
retrieveKey can fail in load_all_de_keys if a user
is partially removed, i.e. in cases where
fscrypt_destroy_user_key() got interrupted. So just
ignore the failure, else the device could reboot into recovery.

Test: pm create-user foo
      pm remove-user 10
      adb reboot && check device not enter recovery

Signed-off-by: liulvping <liulvping@xiaomi.com>
Change-Id: Iba9d53a0833524d00e65d0427ab03002c5d8d509
2022-11-25 00:59:14 +00:00
Paul Crowley
3589e76deb Merge "Fix unhandled exception when FUSE disabled" am: 20b1532b85
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2282933

Change-Id: Iaceb4670a0032ac31bfe330e3f879b06fa351050
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-11-09 14:09:34 +00:00
Paul Crowley
20b1532b85 Merge "Fix unhandled exception when FUSE disabled" 2022-11-09 13:42:39 +00:00
Oleg Lyovin
667de184ed Fix unhandled exception when FUSE disabled
When running on a kernel without FUSE, fs::directory_iterator
throws an exception since /sys/fs/fuse/connections is missing.

This patch uses non-throwing fs::directory_iterator
and adds explicit error check.

Test: vold doesn't fail with FUSE disabled
Signed-off-by: Oleg Lyovin <ovlevin@sberdevices.ru>
Change-Id: I51b68363edf75033fcec3ce5623f419d5a68c991
2022-11-08 18:49:18 +03:00
Eric Biggers
20695553e1 Merge "Stop using the "stretching" file" am: b0a170136c
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2252876

Change-Id: Idc5c0d3e11e9091e4c83d34188d961d5531718e3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-13 20:17:14 +00:00
Eric Biggers
b0a170136c Merge "Stop using the "stretching" file" 2022-10-13 19:46:32 +00:00
Eric Biggers
f187f05110 Stop using the "stretching" file
As a small optimization and code simplification, stop reading and
writing the "stretching" file alongside each stored key.  vold never
does key stretching anymore.

There was one special case in the code where if the stretching file
existed and contained "nopassword", then the secret was ignored.
However, this didn't seem to be of any use, especially since it didn't
cause Keystore to be used, so it did *not* allow a key stored with no
secret to be read if a secret was unexpectedly provided.

Bug: 232452368
Bug: 251131631
Bug: 251147505
Change-Id: I5a7cbba7492526e51c451f222b9413d9fae6bce5
2022-10-13 04:11:27 +00:00
Eric Biggers
da999d55e5 Merge "Don't use a secdiscardable file for keys encrypted by SP" am: 7cc31eb7b0
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2242561

Change-Id: Id6c2f7797065a1bdec29996ef8433b8721bacfa7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-10 16:55:00 +00:00
Eric Biggers
7cc31eb7b0 Merge "Don't use a secdiscardable file for keys encrypted by SP" 2022-10-10 16:26:26 +00:00
Eric Biggers
08f4bdfe98 Don't use a secdiscardable file for keys encrypted by SP
Storage keys that are encrypted by the user's synthetic password don't
need to be securely deletable by vold, since secure deletion is already
implemented at a higher level: the synthetic password protectors managed
by LockSettingsService.  Therefore, remove the use of the secdiscardable
file by vold in this case to improve performance.

Bug: 232452368
Bug: 251131631
Bug: 251147505
Change-Id: I847d6cd3b289dbeb1ca2760d6e261a78c179cad0
2022-10-07 16:26:29 +00:00