Revert "Change mounting storage data and obb flag to on by default"
Revert "Remove storage app data isolation checking in CTS"
Revert submission 14325408-enable_storage_iso_2
Reason for revert: b/187939590
Reverted Changes:
I6391b7381:Change mounting storage data and obb flag to on by...
Ic2f3d1be2:Remove storage app data isolation checking in CTS
Iffa8339b1:Change mounting storage data and obb flag to on by...
Bug: 187939590
Bug: 148049767
Change-Id: I8ef3e6fe0210bdf58e1292605ac1cc33a2eaafea
Otherwise, when system removes user's volume, it will hang
as there are mounts (obb and data mounts) still remain mounted in system.
Bug: 187122943
Test: atest UserLifecycleTests#managedProfileUnlock_stopped, it's not blocked anymore
Change-Id: Ic37985f98e6cbfe4fa38b981d3332c4dfc40c5b8
Originally it kills all the apps with obb and data mounted.
Due to recent changes, all apps will have obb and data dirs mounted
in default root namespace. Hence all apps will be killed by
by KillProcessesWithMounts().
To fix this, we also check if the dir is mounted as tmpfs,
as the default namespace one is bind mounted to lowerfs,
which app data isolation is mounted as tmpfs, so we only
kill the process that have obb dir mounted as tmpfs.
Bug: 148049767
Test: Able to boot without warnings
Change-Id: I5f862ad6f64f5df739b68ea7c9815352bae3be5c
Merged-In: I45d9a63ed47cbc27aebb63357a43f51ad62275db
Originally it kills all the apps with obb and data mounted.
Due to recent changes, all apps will have obb and data dirs mounted
in default root namespace. Hence all apps will be killed by
by KillProcessesWithMounts().
To fix this, we also check if the dir is mounted as tmpfs,
as the default namespace one is bind mounted to lowerfs,
which app data isolation is mounted as tmpfs, so we only
kill the process that have obb dir mounted as tmpfs.
Bug: 148049767
Test: Able to boot without warnings / errors
Ignore-AOSP-First: Merge it along with other CLs, will cherry-pick to
AOSP afterwards.
Change-Id: I45d9a63ed47cbc27aebb63357a43f51ad62275db
Change mounting storage data and obb flag to on by default
Test: unbundled/launcher/nexus_unit_test_multi_device_platform
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Test: atest AdoptableHostTest
Test: pass cts/cts_postsubmit_cf_stable-cloud-tf
Bug: 148049767
Ignore-AOSP-First: Merge it along with other CLs, will cherry-pick to
AOSP afterwards.
Change-Id: I6391b7381699b4ffdbf715b67938bc3f79a5210c
So shell / root will always access to them directly not via fuse.
And zygote will be unmount these directories to prevent them being
abused for leaking app visibility.
Also, /mnt/androidwritable is not very useful now as it's the same as
/mnt/installer, but we should make shell / root to access /mnt/androidwritable
later and /mnt/installer should only access obb but not data dir.
Bug: 182997439
Test: Able to boot without errors
Test: df on /sdcard/Android/data shows it's no on fuse.
Change-Id: I2ad10b1e80c135f637d37ddf502ee010f89f4946
The new flag is used to indicate that a stub volume (external storage
volume shared with Chrome OS) is visible to Android apps.
Bug: 123377807
Bug: 142684760
Bug: 132796154
Test: Check logcat logs for StorageManagerService.mount() when the
Test: visibility setting of a removable device is toggled in Chrome OS.
Test: Confirm that the visibility setting is properly set.
Test: (Tested in R)
Change-Id: Ica69110d5667837a72a5c8693ff3bccc0f09a82d
Since Android R, the FUSE prop is always on and FUSE-off is no longer
supported
Test: m
Bug: 160159282
Merged-In: Ic4414b850511fe3b4fc6df3f8b736d21335db820
Change-Id: I5a7643f9ca2f37cd7f264331df76b42df31988d5
We previously only set +F for /data/media, but adopted storage needs
this as well. Instead we add support for adding attrs to PrepareDir.
Bug: 163453310
Test: sm set-virtual-disk true
follow UI setup and confirm +F on /mnt/expand/*/media
Change-Id: I08f13b57a4de3538e88b38eb95b0ac115a5a5ce8
Merged-In: I08f13b57a4de3538e88b38eb95b0ac115a5a5ce8
The name "pre_gki_level" is causing some confusion because not all
devices launching with Android R are subject to the GKI requirement.
(See b/161563110#comment11.) E.g., devices that use a 4.14-based kernel
are exempt from GKI. However, the encryption requirements still apply.
Just use __ANDROID_API_Q__ directly instead.
No change in behavior.
Change-Id: Id02ae1140845ac1ae7cf78be4e57fe34da028abf
By default FUSE filesystems have a max_ratio of 1%, meaning only 1% of
dirty pages on the system can belong to a FUSE filesystem before we
start writing back pages (and throttling, if writeback can't keep up).
This limit is useful for untrusted filesystems, but in our case, we
trust the FUSE filesystem. Since FUSE writes result in writes to the
lower filesystem, FUSE should take at most 50%. Let's start with
changing max_ratio to 40%, to avoid needless throttling.
Bug: 159254170
Bug: 159770752
Test: inspect /sys/class/bdi manually after boot
Change-Id: I467e3770fc4afba0a08fa480c0b86aa054c8b875
Sometimes, during early boot, a public volume may be created before
the user is unlocked and the mount may fail. This mount failure does
not revert the lower fs mounts (sdcardfs and vfat). Subsequent
mount attempts will then fail because we'd attempt to mount vfat on
already mounted /mnt/media_rw/<volname>
Bug: 158489548
Test: Resilient to an artificial sleep in
StorageManagerService#completeUnlockUser to
delay user unlock longer than public volume mount
Change-Id: I9a1574596434a2eb6b2553c0c9220c2118c7e4fd
For fuse read ahead can be configured by writing a value to the
/sys/class/bdi/{MAJOR}:{MINOR}/read_ahead_kb file.
There are several different ways of getting {MAJOR}:{MINOR} values of
the filesystem:
* Look at st_dev of stat("/mnt/user/0/emulated").
* Parse /proc/self/mountinfo.
Stat'ing approach is used since it's easier to implement.
Bug: 157982297
Test: atest vold_tests
Test: adb shell cat /proc/self/mountinfo to get MAJOR:MINOR
Test: adb shell cat /sys/class/bdi/{MAJOR}:{MINOR}/read_ahead_kb
Test: created public volume, checked it's read_ahead_kb is also 256
Change-Id: Id0c149c4af1ceabf3afc33b4100563a512b38316
This allows devices that have sdcardfs enabled in the kernel to not use
it. When external_storage.sdcardfs.enabled=0, sdcardfs will not be
mounted. This is treated as default true to not affect upgrading
devices. It does not use the old ro.sys.sdcardfs as that has been
repurposed over time and no longer can be relied on to turn off
sdcardfs. This is included within emulated_storage.mk
Bug: 155222498
Test: mount|grep "type sdcardfs" should find nothing after boot complete
if external_storage.sdcardfs.enabled=0
Change-Id: I23d75fb1225aeabbcb1a035ad62fd042b6b3c7b5
When the vold core decides if a device is SD or USB, it checks for MMC
or virtio, however when the filesystem type is decided, it does not
check for virtio, only MMC. This causes virtio SD cards to be formatted
with ext4 unconditionally.
This fix is independently correct, but it incidentally gets adopted
storage working on cuttlefish (and Android Emulator) because f2fs can
support fscrypt and casefolding at the same time; ext4 currently cannot.
Bug: 156286088
Change-Id: I0b41670d5f76b2506dad437917c2276f8e0aaccf
Merged-In: I0b41670d5f76b2506dad437917c2276f8e0aaccf
When the vold core decides if a device is SD or USB, it checks for MMC
or virtio, however when the filesystem type is decided, it does not
check for virtio, only MMC. This causes virtio SD cards to be formatted
with ext4 unconditionally.
This fix is independently correct, but it incidentally gets adopted
storage working on cuttlefish (and Android Emulator) because f2fs can
support fscrypt and casefolding at the same time; ext4 currently cannot.
Bug: 156286088
Change-Id: I0b41670d5f76b2506dad437917c2276f8e0aaccf
The Android Emulator isn't the only virtual device the virtio-block
detection code is useful for, and those platforms might not set any
discriminating properties to indicate that they are virtual.
Rework the virtio-block major detection to use /proc/devices instead
of hardcoding the assumption that any virtual platform can have
virtio-block at any experimental major; the new code permits only the
exact experimental major assigned to virtio-block.
The new code runs everywhere, but it will only run once and could be
expanded later to detect dynamic or experimental majors.
Bug: 156286088
Change-Id: Ieae805d08fddd0124a397636f04d99194a9ef7e5
Merged-In: Ieae805d08fddd0124a397636f04d99194a9ef7e5
The Android Emulator isn't the only virtual device the virtio-block
detection code is useful for, and those platforms might not set any
discriminating properties to indicate that they are virtual.
Rework the virtio-block major detection to use /proc/devices instead
of hardcoding the assumption that any virtual platform can have
virtio-block at any experimental major; the new code permits only the
exact experimental major assigned to virtio-block.
The new code runs everywhere, but it will only run once and could be
expanded later to detect dynamic or experimental majors.
Bug: 156286088
Change-Id: Ieae805d08fddd0124a397636f04d99194a9ef7e5
When we're mounting a private volume, we create stacked emulated volumes
on top of it. Due to the ordering there, we would broadcast the emulated
volumes being created *before* the "mounted" status update. This in turn
could cause us to try and mount these emulated volumes before the
underlying private volume is really mounted. This is problematic in
particular on devices that support a filesystem keyring, where we need
to do some additional setup before the devices can be used.
While we could modify StorageManagerService to delay the mount, a safer
fix at this stage of the release is to just fix the ordering of these
events. To achieve that, add a simple postMount() helper, that is called
after a succesful mount. This allows us to setup the volume properly
before trying to mount any stacked volumes.
Bug: 151079464
Test: atest AdoptableHostTest
Change-Id: I2cc4113d4d71d89aa629bb9c0fa9be441355c079
To improvement performance, and also making them able to list
the dirs.
This should also be fine under b/151055432, as the whole obb
directory is mounted, renameTo() from installer to apps should be
a move not copy.
Bug: 153422990
Bug: 153540919
Test: atest AdoptableHostTest
Change-Id: Ia18fd4393db14a0f11d6e5b947dd716515bdeeef
Because we want all other paths (in particular Android/media) to go
through FUSE.
Also use scope_guard to make unwinding some failures easier.
Bug: 151272568
Test: atest AdoptableHostTest
Change-Id: Ib487b9071b5b212c7bb12ce54f80c96d98acaef5
In EmulatedVolume#doMount, if some operations fail, we call
EmulatedVolume#doUnmount.
During this unmount we try to unmount Android/ causing a FUSE_LOOKUP
on the FUSE mount. If the FUSE mount is not up, this can hang.
Now we introduce a new state to prevent unmounting Android/ if it
wasn't mounted.
Test: atest AdoptableHostTest
Bug: 151685786
Change-Id: I6246d3910c352034d2a4fb09ad9c1e7fd91cba5e
Also, use the pids provided by system server to remount all existing
processes, so we don't need to do the heavy and unreliable scanning in
/proc anymore.
Bug: 149548518
Test: atest AdoptableHostTest
Change-Id: Ifb5b79a3bc5438f36e0d61ec8aec96bdbc60ca13
Since ext4 currently doesn't have the required kernel patches in place
on cuttlefish.
Bug: 150935323
Test: sm set-virtual-disk true
sm partition disk:7,xyz private
inspect mount output
Change-Id: Ief5bd9ace9d39bdfbae8d3857044a2143801f6be
We should mount Android/data also, not only Android/obb.
Test: After flag is enabled, AdoptableHostTest still pass.
Bug: 148049767
Bug: 150584566
Change-Id: I26dc3756aa5843b85565495e9c2698130113f49a
Merged-In: I26dc3756aa5843b85565495e9c2698130113f49a
(cherry picked from commit d88e090098)
- Remove bind mounting Android/ code as we want to bind mount obb dir
for each process instead.
- Set property "vold.vold.fuse_running_users" as an array of user id
for which fuse is ready to use.
- After fuse is ready for a user, fork a background process in vold
to bind mount all direct boot apps for that user so its direct boot
apps obb dir will be mounted to lower fs for imporoved performance.
Bug: 148049767
Bug: 137890172
Test: After flag is enabled, AdoptableHostTest still pass.
Change-Id: I90079fbeed1c91f9780ca71e37b0012884680b7c
The dm-crypt solution requires a kernel patch that won't be present in
the GKI kernel, while the new metadata encryption system in the GKI
kernel solves this problem in a much cleaner way.
Test: create private volume on Cuttlefish, setting property both ways.
Bug: 147814592
Change-Id: Ie02bd647c38d8101af2bbc47637f65845d312cea
For some reason this can be racy; until we understand the root cause,
retry to unblock AdoptableHostTest.
Bug: 149396179
Test: atest AdoptableHostTest no longer hangs
Change-Id: I162ff8ad305535e7a4fab3d88f38b687b50cf4a3
Abolish cryptfs_revert_ext_volume, handle in caller. This allows us to
use DeleteDeviceIfExists, avoiding a spurious error message.
Test: create private volume on Cuttlefish, eject, check logs
Bug: 147814592
Change-Id: I836d8bd11b29e32da0863aaa75144543bb9cab9c
Not for security, but for consistency with the way we handle other
keys, and to move the length check to where it belongs.
Test: create private volume on Cuttlefish
Bug: 147814592
Change-Id: I10fc4896183d050ce25ff174faf78f525cf62930
StubVolume is a volume type for ARC++ external storage. Named StubVolume
because it is managed from outside Android (not through Android kernel).
Previously, StubVolume is a diskless volume. However, as mentioned in
jsharkey@ email, a disk is needed for StubVolume to hold "kInternal"
(external storage type that is "external" from Android perspective,
but is "internal" to the device. For example shared directory from
ChromeOS to Android) and "kIndexable" (whether or not a disk should be
indexed by MediaStore).
The addition of disk means we could expose the createStubVolume API to
add a disk flags, which is also introduced in this CL.
Both kInternal and kIndexable will be introduced in separate CL.
Bug: 132796154
Test: Mount/unmount ARC++ removable device in ChromeOS.
Change-Id: I8b77fa1cf50ab38a2892272154dafdb78f079378
Normally sdcardfs takes care of setting up these directories on-demand,
for example when an app requests its private data directory to be
created. On devices without sdcardfs however, we ourselves need to make
sure to setup the UID/GID of these directories correctly.
Introduce a new PrepareAndroidDirs() function which sets the dirs up
correctly. On devices without sdcardfs, that means:
Path UID GID mode
/Android media_rw media_rw 771
/Android/data media_rw ext_data_rw 771
/Android/obb media_rw ext_obb_rw 771
Bug: 146419093
Test: wipe Android/, reboot, with and without sdcardfs, verify
contents
Change-Id: I3a879089422c7fc449b6a3e6f1c4b386b86687a4
When we're asked to create an app directory, find the corresponding
volume, and use the raw path of that volume to create the directory.
This ensures this will continue working on devices that don't have
sdcardfs.
Bug: 146419093
Test: manual test on cuttlefish
Change-Id: I91d735c1adbcca171e5af73aca0abd7ef396d0b7
PublicVolumes are mounted on /mnt/media_rw/<volume>. Two categories of
apps need access to the mounts. Fortunately, they need access in
mutually exclusive scenarios.
1. The FUSE daemon needs access when serving content from app requests on
/storage/<volume>.
2. File managers (MANAGE_EXTERNAL_STORAGE permission) need access to
ureliable (USB OTG) volumes that are only available on the
/mnt/media_rw paths, i.e, they are not bind mounted into /storage
for apps.
Additionally, we want to ensure that file managers cannot access
/mnt/media_rw when there's a stacked FUSE volume on it. To do this,
we selectively change the mount gid of the /mnt/media_rw/<volume>
path:
-media_rw if it's a reliable volume, ie there's a stacked FUSE volume
-external_storage if it's an unreliable volume.
This ensures that file managers with their external_storage gid can
access unreliable volumes from /mnt/media_rw and cannot interfere with
the FUSE daemon when it's a reliable volume.
Test: adb shell sm set-force-adoptable [on|off] to set reliable or
unreliable volumes && mounting public volumes shows the correct
ACL on /mnt/media_rw/<volume>
Bug: 144914977
Change-Id: Iecf1a422d39e5137105b5a4946704858ce902a8a