We've tried our best to protect against malicious storage devices
with limited SELinux domains, but let's be even more paranoid and
refuse to look at disks inserted while a secure keyguard is
showing. We'll gladly scan them right away once the user confirms
their credentials.
Test: builds, boots, manual testing
Bug: 68054513
Change-Id: I37fd6c25bbd6631fa4ba3f84e19384d746a22498
Remove lots of "extern C" and "ifdef __cplusplus" which are no longer
needed now all of vold is C++. Also turn on the cert-err58-cpp warning
we once had to disable.
Bug: 67041047
Test: compiles, boots
Change-Id: I8c6f9dd486f2409e0deed7bb648d959677465b21
FDE keys are indexed using the partition GUID, while FBE keys will be
indexed using the filesystem UUID, so pass both of those identifiers
along when forgetting a volume.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 25861755
Change-Id: I6e239d5ba67a01c9a848d705f6167da00f975924
I want to use Utils in another executable, so breaking this link.
Bug: 25861755
Test: compiles (and boots, though that doesn't exercise changed code)
Change-Id: I6bb447453bb370fefb7f2f3aceb459428bdee6a7
Moves away from crufty char* operations to std::string utility
methods, including android::base methods for splitting/parsing.
Rewrite of how Process handles scanning procfs for filesystem
references; now uses fts(3) for more sane traversal.
Replace sscanf() with new FindValue() method, also has unit tests.
Remove some unused methods. Switch almost everyone over to using
modern logging library.
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 67041047
Change-Id: I70dc512f21459d1e25b187f24289002b2c7bc7af
Now that we're using Binder, we can have callers provide explicit
listeners for every request instead of trying to squeeze them all
into unsolicited socket events.
Move benchmarking to be async to avoid blocking other commands for
up to several minutes. Remove post-trim benchmarking flag, since
benchmarking now requires a separate callback. Will bring back in
a future CL.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Test: adb shell sm fstrim
Bug: 62201209, 13758960
Change-Id: I0f2ebf1ac3b4252ecd6b44303f2887adfdb58e86
Create IVoldListener and move most unsolicited vold events over to
this new interface. The remaining events will be routed through
method-specific listeners instead of a global one.
Move to upstream DISALLOW_COPY_AND_ASSIGN macro.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.DirectBootHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Bug: 13758960
Change-Id: Ib9293487db2d525a76b9b9c2e9ac18d98601c6cf
Prefix FDE related commands with "fde" to make it clear which devices
they apply to. This will also make it easier to remove once FDE
is fully deprecated in a future release.
To emulate the single-threaded nature of the old socket, introduce a
lock that is acquired for all encryption related methods.
Sprinkle some "const" around older files to make C++ happy.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.DirectBootHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Bug: 13758960
Change-Id: I0a6ec6e3660bbddc61424c344ff6ac6da953ccf0
This moves fstrim, obb and appfuse commands over to the new Binder
interface. This change also separates creating/destroying and
mounting/unmounting of OBB volumes, which means they finally flow
nicely into the modern VolumeInfo/VolumeBase design.
We now generate unique identifiers for all OBB volumes, instead of
using a shady MD5 hash.
Change all "loop" and "dm" devices to tag the kernel resources with
a vold-specific prefix so that we can clean them up if vold crashes;
there are new destroyAll() methods that handle this cleanup.
Move appfuse mounting/unmounting into VolumeManager so it can be
shared. Move various model objects into a separate directory to
tidy things up.
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Bug: 13758960
Change-Id: I7294e32b3fb6efe07cb3b77bd20166e70b66958f
Keep the old socket-based commands intact for awhile so we can
rapidly disable this change using the ENABLE_BINDER feature flag.
Define constants in AIDL to keep Java and C++ in sync.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.ExternalStorageHostTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 13758960
Change-Id: I0d6f82cbebe67f671b60949fd727409aeb1fdc0d
- Various sleep(5) for vold shutdown can increase shutdown time a lot.
- If it is shutting down, do not sleep at all. init will take care of
active partitions if not unmounted.
bug: 64143519
Test: reboot and check logs from vold, check if "ShutdownThread: Shutdown wait timed out" happens.
Change-Id: I7cb91427ad2205fe23a054d255caf7ffdfd9f6c3
It's extremely difficult to test storage related logic on devices
that don't have physical SD card slots. So to support better
debugging and testing, add a new "virtual disk" feature which mounts
a 512MB file through loop device.
It relies on the kernel having the "loop.max_part" value set to
something other than 0 via the boot command line, since that allows
all the existing partition logic to fall into place.
Bug: 34903607
Test: builds, boots, virtual disk works
Change-Id: I04c5b33e37319d867542985a56b7999a9b7cf35d
Changing the num_sectors used in ioctl with BLKGETSIZE because
the kernel expects an unsigned long type and then changes 64 bits
with a 64 bits userspace. This overwrites what's located close to
the parameter location if any.
Change-Id: I78fd61a1084de2741f39b926aa436462518709a0
Signed-off-by: Mateusz Nowak <mateusz.nowak@intel.com>
Signed-off-by: Zhiquan Liu <zhiquan.liu@intel.com>
Refactor fstrim code to be encapsulated in unique task object, and
give it option of benchmarking when finished. Trimming now includes
both storage from fstab and adopted private volumes. Cleaner timing
stats are logged for each unique volume.
Add wakelock during ongoing async move tasks. Push disk sysfs path
to framework so it can parse any SD card registers as desired.
Bug: 21831325
Change-Id: I76577685f5cae4929c251ad314ffdaeb5eb1c8bf
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
Report both the disk and the partition GUID for private volumes to
userspace, and offer to forget the encryption key for a given
partition GUID.
Bug: 21782268
Change-Id: Ie77a3a58e47bf3563cdb3e4b0edfab1de4d0e6b4
vold will eventually use the serial numbers to clean up stale user
directories when mounting private storage devices.
Bug: 20275572
Change-Id: Ia29cb5da23e969f3087bb5caa5dc8f4e88f07613
Now that we're offering to store private app data on adopted storage
devices, the performance of those devices is much more important to
overall user experience.
To help set user expectations, this change offers to execute a
real-world benchmark on a storage device, returning a metric that can
be used to compare internal and external storage. The benchmark is
generated from the strace-instrumented storage access patterns of
typical apps.
A typical device completes the benchmark in under two seconds on
internal storage, a UHS-3 SD card is even faster (!), but a very slow
Class 4 SD card takes about 30 seconds to complete, giving us a clear
signal.
The measured benchmark numbers are logged along with information
about the storage device, such as manufacturer, model, etc. Card
serial numbers are scrubbed from output.
Bug: 21172095
Change-Id: I9b2713dafdfdfcf5d97bf1bc21841f39409a7e54
We eventually should move back to per-disk locks, but use a giant
lock to keep development rolling forward. Also move force adoptable
flag to framework since, since encrypted devices don't have persisted
properties loaded early during boot.
Bug: 19993667
Change-Id: Ifa3016ef41b038f8f71fc30bc81596cfd21dcd2a
This is cleaner and more direct than the reverse of having the disk
publish child volume membership. Rename state constants to match
public API. Add state representing bad removal. Make it clear that
volume flags are related to mounting.
Send new unsupported disk event when we finish scanning an entire
disk and have no meaningful volumes.
Bug: 19993667
Change-Id: I08a91452ff561171a484d1da5745293ec893aec0
This adds support for private volumes which is just a filesystem
wrapped in a dm-crypt layer. For now we're using the exact same
configuration as internal encryption (aes-cbc-essiv:sha256), but we
don't store any key material on the removable media. Instead, we
store the key on internal storage, and use the GPT partition GUID
to identify which key should be used.
This means that private external storage is effectively as secure as
the internal storage of the device. That is, if the internal storage
is encrypted, then our external storage key is also encrypted.
When partitioning disks, we now support a "private" mode which has
a PrivateVolume partition, and a currently unused 16MB metadata
partition reserved for future use. It also supports a "mixed" mode
which creates both a PublicVolume and PrivateVolume on the same
disk. Mixed mode is currently experimental.
For now, just add ext4 support to PrivateVolume; we'll look at f2fs
in a future change. Add VolumeBase lifecycle for setting up crypto
mappings, and extract blkid logic into shared method. Sprinkle some
more "static" around the cryptfs code to improve invariants.
Bug: 19993667
Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code. Use filesystem UUID as visible PublicVolume
name to be more deterministic.
When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear. Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects. Broadcast all of these events towards userspace so the
framework can decide what to mount.
Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.
Provide a reset command that framework uses to start from a known
state when runtime is restarted. When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.
Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.
Switch killProcessesWithOpenFiles() to directly take signal. Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.
Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
Resize is no-op when sector count is unchanged; the caller can't
anticipate how vold does its sector calculations.
After resizing, we need to mount the container read-write, so allow
the caller to request "ro" or "rw" mode.
Handle ENOTSUP when trying to fallocate() on some filesystems
Bug: 16514385
Change-Id: I0d3a378280d4c36d14f8108ff428102283d583fa
Sometimes when an sdcard is already mounted,
some info like uuid and label are not re-broadcast to new listeners.
The extra argument to list allows late listeners to catch up by asking
volume list to broadcast that info again.
Bug: 16253597
Bug: 16306775
Change-Id: Ie7d0c1132c22d307a5b2a0e50075a3716138d00b
Signed-off-by: Benson Huang <benson.huang@mediatek.com>
(cherry picked from commit 85f4700f44170b772697e627b3075dcb9137e1b7)
ASECs formatted as ext4 can now be resized using vdc asec resize.
Refactored some common code.
Requires resize2fs.
Change-Id: Ie78bb6015114a7bc4af42b16d1f299322ffc1e2a
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Apps without sdcard_r or sdcard_rw need to have someone create
package-specific directories on their behalf. If apps have trouble
creating on their own, they now delegate through system to have
vold create the paths.
Requires that the requested path is actually managed by vold.
Bug: 10577808
Change-Id: I6835fc8f52240f9de07f89742a426a153e3ca32a
The new wipe option to the vold format command will invoke BLKDISCARD
on the partition before invoking newfs_msdos. This will be used whenever
a full wipe of the device is wanted, as this is more secure than just
doing newfs_msdos.
Bug: 9392982
Change-Id: Ie106f1b9cc70abc61206006d1821641c27c7ccae
Any ASEC or OBB files were unmounted when USB storage was set to UMS
mode. This changes it so only ASEC files on external storage and OBB
files mounted from external storage are unmounted.
Bug: 6948035
Change-Id: I91bc09ee5b792970b0eef895f6886f3ffad00e8f
Now that forward locked apps are stored on /data as asec image files
that are mounted, they need to be unmounted before /data can be unmounted
so it can be encrypted.
Change-Id: I7c87deb52aaed21c8ad8ce8aceb7c15c2338620a
Now forward locked applications will be in ASEC containers both internal
to the system and externally.
This change adds support for putting applications in ext4-based ASECs.
Change-Id: I8d6765b72dd2606e429c067b47a2dbcaa8bef37d
Add the force_and_revert option to the unmount command which will force
the unmount, and revert a crypto mapping. This is used during factory
reset so that when the internal sdcard volume is formatted, it formats
the raw device, not the encrypted mapping.
Change-Id: I36b6ff9bb54863b121de635472a303bf4a2334a9
Mounting was already not allowed, but also unshare before starting
encryption, and don't allow sharing or formatting to be initiated
during encrytion.
Change-Id: Ida188d81f025739ba4dd90492b3e66088735991e
Add support for keeping the keys in a separate file on another partition,
for devices with no space reserved for a footer after the userdata filesystem.
Add support for encrypting the volumes managed by vold, if they meet certain
criteria, namely being marked as nonremovable and encryptable in vold.fstab.
A bit of trickiness is required to keep vold happy.
Change-Id: Idf0611f74b56c1026c45742ca82e0c26e58828fe
Improves UI responsiveness when copying large amount of data to the device.
BUG: 3131847
Change-Id: I4aa5ade7e2cd7e5110c8f0f7ee43bdc57577e11d
Signed-off-by: Mike Lockwood <lockwood@google.com>
OBB and ASEC are tracked in the same active container list, but when it
comes time to unmount everything, it was trying to unmount the OBBs
according to ASEC rules. This led to the OBB not being unmounted and the
volume unmount failing.
Change-Id: I12c1d4d387b8022185d552b63edd61a50b9c0fc3
* Rename all functions dealing with OBB files to mention Obb
* Add 'path' and 'list' functionality to OBB commands
* Store hashed filename in loop's lo_crypt_name and keep lo_file_name
for the real source filename. That way we can recover it later with an
ioctl call.
Change-Id: I29e468265988bfb931d981532d86d7be7b3adfc8
Allow the mounting of OBB filesystem images if they're encrypted with
twofish and in FAT filesystem format.
Change-Id: I54804e598f46b1f3a784ffe517ebd9d7626de7aa
The usb_mass_storage switch no longer exists in our 2.6.35 kernel.
Instead we will consider mass storage to be available if both USB is connected
and the USB mass storage function is enable.
Change-Id: I730d1b3cb3cac664fc2abcdc36cd39856a08404a
Signed-off-by: Mike Lockwood <lockwood@android.com>
Fixes bug: http://b/issue?id=2567572
Note: The framework will still likely restart since the system_server
is holding references to assets on the card which are mmaped, but
at least now storage will be available when a new card is re-inserted.
Change-Id: I4e195c0c666426b93da47198fa826a6f58d855a9
Signed-off-by: San Mehat <san@google.com>
