Making FUSE request from vold is risky because the FUSE daemon may be
down and vold could get wedged.
Additionally, the FUSE daemon only responds to requests with matching
user id paths, i.e requests on /mnt/user/0/emulated/10 will fail.
So if vold (running as user 0) makes a request on
/storage/emulated/10, it really means /mnt/user/0/emulated/10
which will fail if it gets to the FUSE daemon.
TODO: Fix the lower filesystem paths to support devices without
sdcardfs
Bug: 141540368
Change-Id: I90d698f6aecd114d75b6d578ad08620988da7d7d
atest: atest android.appsecurity.cts.ExternalStorageHostTest#testMediaSandboxedFull
Public and private volumes can be discovered before user 0 is up and
running; when using FUSE however, we can't mount these disks yet,
because we depend on the user to become unlocked before we can start the
FUSE daemon (which is the MediaProvider application process). So besides
waiting for any secure keyguard to be dismissed, also wait for user 0 to
be started.
Bug: 146419093
Test: Boot cuttlefish with a fake public volume; is available after
repeated boots.
Change-Id: I06fe4d336d1baec3a49886c3cf12d844a1d0eb26
vold historically offerred functionality to create directories on behalf
of others. This functionality was purely used to create app-specific
data/obb/media dirs. Make this more explicit by renaming the method to
indicate this.
Additionally, in the past, we never needed to care about the UID set on
these directories, because sdcardfs would take care of that for us
automatically. But with sdcardfs going away, we need to make sure the
UID of the app-specific directories is set correctly. Allow the caller
to pass this in as an argument.
Bug: 146419093
Test: atest FuseDaemonHostTest
Change-Id: Ibeb5fdc91b40d53583bc0960ee11c4d640549c34
If vold's view of /storage is FUSE, it means that creation of
directories in Android/ will go through FUSE as well. The implementation
of fs_mkdirs() tries to opendir() individual parts of the entire path;
so for a path "/storage/emulated/0/Android", it will try to opendir()
"/storage", "/storage/emulated", etc.
By default, "/storage/emulated" is created with 711 permissions; while
vold itself is root, access to /storage/emulated is routed through
MediaProvider (because of FUSE), and MediaProvider doesn't run as root,
nor does it have the capabilities to bypass the ACL. This means that
fs_mkdirs() as it is will fail, because opendir("/storage/emulated")
will fail from MediaProvider.
To prevent this, route these accesses directly to the lower filesystem
(currently, sdcardfs), by renaming the paths.
Bug: 146189163
Test: atest AdoptableHostTest
Change-Id: Idbb41b9ffad9713f3b255c51bd4de16f4d090223
With the newly added flag for Settings developer options, which is now
used to change the state of FUSE, PROP_FUSE now acts as the snapshot
feature flag for the current boot.
Bug: 145391093
Test: atest AdoptableHostTest
Change-Id: I22363b088e88c764294cbd61c6d94160c907fae3
We want to be sure we're not allocating memory, holding locks
or otherwise preventing the child process from making progress.
This is a temporary fix of limited scope. In the medium term, it
would be preferable to exec a binary that performs this work for us
as soon as we fork.
Test: manual
Bug: 141678467
Change-Id: I57dbd9b3c887aa27e2dd609abf0ad43c66f4ef2a
It's the responsibility of the StorageManagerService to send down
started users after a reset(); and with the latest multi-user FUSE
changes, the manual start is no longer necessary.
Bug: 135341433
Test: atest AdoptableHostTest
Change-Id: I3c9c1d7c25ad10787212d7902fa3f1878ee5f896
Ifabaa12368e5a591fbcdce4ee71c83ff35fdac6b introduced individual
emulated volumes for each Android user. The change however didn't
create the volumes for the secondary users on user start in vold
without the persist.sys.fuse flag
Now we always create the volumes but only mount sdcardfs volumes
for user 0 because the sdcardfs mount paths do not change with for
different users unlike the FUSE mount paths.
Bug: 144473552
Test: atest AdoptableHostTest
Test: Start a guest user in Settings and launch chrome browser in that
user, verify that chrome does not crash
Change-Id: I89f3591d0197d86267f0e3934f496273e2f9fd7e
Up until now, the FUSE mount logic has made two assumptions:
1. The primary external volume is an emulated volume on /data/media
2. Only the primary user is running, as user zero
These assumptions are fixed by the following changes
creating an EmulatedVolume per Android user and changing the
VolumeBase id format to append the user to the id, so
s/emulated/emulated-0/. This allows us mount separate volumes per user
Some additional refactorings to re-use/clean up code.
Test: adb shell sm set-virtual-disk and partition disk operations work
even after setting up a work profile
Bug: 135341433
Change-Id: Ifabaa12368e5a591fbcdce4ee71c83ff35fdac6b
This will allow us to receive values from server flags and store them in
persist.sys.fuse without risking flag consistency during a boot.
Test: manual - flip persist.sys.fuse both ways and make sure FuseDaemon
works as expected.
Bug: 140803239
Change-Id: I839a1973c98b4eda982226d20be48d1c08e7464a
When mounting a FUSE device on /mnt/user/<userid>/<vol>,
bind mount the correspoinding lower filesystem path to
/mnt/pass_through/<userid>/<vol>. At Zygote fork time, an
app with the right privilege will have the pass_through path
bind mounted into /storage instead of the /mnt/user path.
This provides such an app direct access to the lower filesystem
without going through FUSE.
Bug: 140064376
Test: mount(8) shows /mnt/pass_through/0/emulated is a bind
mount of the lower fs
Change-Id: I32c3cad64138910fcec9fb8f66b206706b5fd139
On user unlock when persist.sys.fuse property is set,
StorageManagerService calls into vold to link the primary
volumes. Because this involves accessing a FUSE path that
has not been initialized, vold should offload this work
from the binder thread, otherwise it would wedge and the
system server would wedge causing a Watchdog trigger.
This fixes a bug where we 'link primary' twice and vold
gets wedged on system server restarts.
Bug: 140064376
Test: with the FUSE property set:
adb shell stop && adb shell start && adb shell ls /sdcard
Change-Id: I0eb86f8ba256c385c916e2a0389a4f7482fc3775
Since system_server cannot mount devices by itself,
add a binder interface to vold that system_server
can call to initiate this mount when required.
BUG: 135341433
Test: manual
Test: atest --test-mapping packages/providers/MediaProvider
Test: ExternalStorageHostTest DownloadProviderTests
Change-Id: If4fd02a1f1a8d921a3f96783d8c73e085c5b7ca1
Motivation:
Early processes launched before the runtime APEX - that hosts the bionic
libs - is activated can't use the bionic libs from the APEX, but from the
system partition (which we call the bootstrap bionic). Other processes
after the APEX activation should use the bionic libs from the APEX.
In order to let both types of processes to access the bionic libs via
the same standard paths /system/lib/{libc|libdl|libm}.so, some mount
namespace magic is used.
To be specific, when the device boots, the init initially bind-mounts
the bootstrap bionic libs to the standard paths with MS_PRIVATE. Early
processes are then executed with their own mount namespaces (via
unshare(CLONE_NEWNS)). After the runtime APEX is activated, init
bind-mounts the bionic libs in the APEX to the same standard paths.
Processes launched thereafter use the bionic libs from the APEX (which
can be updated.)
Important thing is that, since the propagation type of the mount points
(the standard paths) is 'private', the new bind-mount events for the
updated bionic libs should not affect the early processes. Otherwise,
they would experience sudden change of bionic libs at runtime. However,
other mount/unmounts events outside of the private mount points are
still shared across early/late processes as before. This is made possible
because the propagation type of / is 'shared' .
Problem:
vold uses the equality of the mount namespace to filter-out processes
that share the global mount namespace (the namespace of the init). However,
due to the aforementioned change, the early processes are not filtered
out because they have different mount namespaces. As a result,
umount2("/storage/") is executed on them and this unmount event
becomes visible to the global mount namespace (because as mentioned before /
is 'shared').
Solution:
Fiter-out the early processes by skipping a native (non-Java) process
whose UID is < AID_APP. The former condition is because all early
processes are native ones; i.e., zygote is started after the runtime
APEX is activated. The latter condition is to not filter-out native
processes created locally by apps.
Bug: 120266448
Test: m; device boots
Change-Id: I054deedc4af8421854cf35be84e14995523a259a
Currently, we pass down visisble volumes for a user to zygote so that
it can set up appropriate bind mounts after forking. This method has
atleast a couple of race conditions, so instead make zygote just
look under /mnt/user/<userId>/package for volumes that need to be
handled for a particular user.
Bug: 126069494
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: If996cde24d9fc158729fcc8a8bdb17ca952a518e
We need this to stay mounted at /storage.
Bug: 124466384
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: I0cc835471ced2822d83d7056bec53d62ddc682f0
Some of the pkg specific dirs could be created by zygote
and vold in parallel, so ignore any EEXIST errors while
creating these dirs.
Bug: 118185801
Test: manual
Change-Id: Ifaa9998131764304867ac027af335414dbfc291c
We've been dogfooding the isolated storage feature for many months
on various internal groups, and we're ready to enable it globally.
Bug: 112545973
Test: executed entire CTS suite using forrest
Change-Id: I612b6aba4f08dc0ac13f4f94b03c4bddd6de12df
Update vold to only create package sandboxes and not do any bind mounts.
After zygote forks, all the necessary bind mounts will be setup for
the process.
Bug: 124009234
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest DownloadProviderTests
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest MediaProviderTests
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: Ia42209cb74cbc423bb09c1c51cb7a164f7c568da
Apps that are already installed on the device before isolated_storage
feature is enabled will be granted MOUNT_EXTERNAL_LEGACY mode. In this
mode, /mnt/runtime/write will be mounted at /storage giving them same
level of access as in P.
A new mount directory /mnt/runtime/full is also created which will be
used for mounting at /storage for apps started with MOUNT_EXTERNAL_FULL
mode. This will allow apps with WRITE_MEDIA_STORAGE permission to
read/write anywhere on the secondary devices without needing to bypass
sdcardfs.
Bug: 121277410
Test: manual
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: Icc1ff9da35545692daedef7173d7c89290dd2766
StorageManager.hasIsolatedStorage() has already been updated to use
this, so most callers are already using this sys prop. Now, updating
remaining callers to use it as well.
Bug: 122559151
Test: manual
Change-Id: I6982a84b737a1d329f397b8182b7b7cdc5a8897f
We make some of the C++ member functions 'const', to reflect how
they (don't) affect the state of the class.
Test: TreeHugger
Change-Id: Iec1c2801bfe721e2741406ed1ac0ef95662840a6
Merged-In: Iec1c2801bfe721e2741406ed1ac0ef95662840a6
We make some of the C++ member functions 'const', to reflect how
they (don't) affect the state of the class.
Test: TreeHugger
Change-Id: Iec1c2801bfe721e2741406ed1ac0ef95662840a6
std::remove will only move the matching items to the end, there
should be an erase call after that to actually get rid of those
items from the container.
Test: manual
Change-Id: I7d3b48f77fa5fab703fb10cf429d8c183322ed29
When an app is started, it's mountmode is dependent on
OP_REQUEST_INSTALL_PACKAGES. If user changes the appop grant of an app,
we need to update the mounts of any processes running in that app.
Bug: 121099965
Test: atest android.appsecurity.cts.ExternalStorageHostTest#testExternalStorageObbGifts
Change-Id: I87fee492891d33ccc9fc9e2548114f67d90cc759
New external storage mount mode for installers so
that they can access obb dirs of all apps.
Bug: 111789719
Test: atest android.appsecurity.cts#testExternalStorageObbGifts
Change-Id: Iab112f0273806f8f812f14d6691bbe71dff42d83
Previously, AppFuse is mounted in system_server's mount namespace. This
CL moves the mount location to vold namespace.
Relanding this since it fails to be merged on ag/5521004 (blocked by
Presubmit, seems to be caused by temporary state) - this one now
passes presubmit without any changes.
Bug: 110379912
Test: testOpenProxyFileDescriptor passes
Change-Id: Id93c26d5a98842c78f27850c83e15df619cec1ab
Previously, AppFuse is mounted in system_server's mount namespace. This
CL moves the mount location to vold namespace.
Bug: 110379912
Test: testOpenProxyFileDescriptor passes
Change-Id: Id93c26d5a98842c78f27850c83e15df619cec1ab
StubVolume is a Volume that is maintained by external party such as the
ChromeOS processes in ARC++.
Bug: 110380403
Test: Tested on ARC++
Change-Id: I3198bd7283d5f60a524da3707dea7385ffec599d
We support file-based encryption on both ext4 and f2fs now, and the
kernel API is the same. So rename things appropriately in vold:
e4crypt => fscrypt
ext4enc => fscrypt
Ext4Crypt => FsCrypt
EXT4_* => FS_*
ext4_encryption_key => fscrypt_key
Additionally, the common functions shared by 'vold' and 'init' are now
in libfscrypt rather than ext4_utils. So update vold to link to
libfscrypt and include the renamed headers.
Note: there's a chance of 'fscrypt' being confused with the dm-crypt
based encryption code in vold which is called 'cryptfs'. However,
fscrypt is the name used in the kernel for ext4/f2fs/ubifs encryption,
and it's preferable to use the same name in userspace.
Test: built, booted device with f2fs encryption
Change-Id: I2a46a49f30d9c0b73d6f6fe09e4a4904d4138ff6
Instead of maintaining local copy of all appIds and sandboxIds,
StorageManagerService will just get required packages info
from PackageManagerService when an user starts and passes it
to vold.
Bug: 117988901
Test: manual
Change-Id: Idab274529e843784c8804929e920c3af63032690
Sandboxes for apps with sharedUserIds will live
at Android/shared:sharedUserId/ instead of
Android/shared/sharedUserId/.
Bug: 117573457
Test: manual
Change-Id: I7ab920814b501b9cdd4c58fefe81c53162b318f3
Also, clear packages state stored for the user being stopped.
Bug: 117329171
Bug: 111890351
Test: manual
Change-Id: Ida48fcec851830dbb756e329c20c322c631ad264
On userdebug protect /mnt/scratch. On user builds ensure that
/mnt/scratch is considered a stale mount so it can not be used.
vold runs before ro.debuggable is set, so this must be a compile
time decision.
Minor technical debt cleanup associated with using android::base.
Test: compile
Bug: 109821005
Change-Id: I8efdbedfe850dd24daecf03a37aea61de47edc7d
Merged-In: I8efdbedfe850dd24daecf03a37aea61de47edc7d
On userdebug protect /mnt/scratch. On user builds ensure that
/mnt/scratch is considered a stale mount so it can not be used.
vold runs before ro.debuggable is set, so this must be a compile
time decision.
Minor technical debt cleanup associated with using android::base.
Test: compile
Bug: 109821005
Change-Id: I8efdbedfe850dd24daecf03a37aea61de47edc7d
This is not needed anymore since everything else is updated
to use android::vold::UnmountTree.
Bug: 111890351
Test: manual
Change-Id: Idb574469763fa3438fbfc40d6da786d87ac63c38
- Also update vold to create sandboxes for secondary storage devices.
- Since bind mounts are created in the process specific namespaces, we
don't need /mnt/storage anymore which we were using it to prevent
some bind mounts from propagating onto /mnt/runtime/write.
- Create bind mounts for {media,obb} dirs similar to data dir in
per process namespace.
- Also fix a bug where we are not passing correct packages to vold when
a new user starts.
Bug: 111890351
Test: manual
Change-Id: I7849efc4fbf3c654606fa30de7ab2de0236d766f
This will allow adding lots of verbose logs which can be enabled
only during local testing/debugging. Update the existing verbose
level logs to debug level since we want those to be logged by
default.
Test: manual
Change-Id: Ib05e2b6efa71308458d49affb6ed81d3975b28ab
Apply clang-format to fix the remaining files not fixed by
change I23cde3f0bbcac13bef555d13514e922c79d5ad48
Test: Format-only changes; treehugger suffices.
Change-Id: I1bfd5c8d68d298596875d5edae26cdfe27c03489
Create a new slave bind mount at /mnt/storage and use this for
creating package sandboxes. This will help prevent package
specific data directories from getting duplicated and also make
handling bind mounts for packages with sharedUserIds easier.
Bug: 111890351
Test: manual
Change-Id: I0f590cc99a379d93f6db85bf56e8d274e3ea7488
For apps with sharedUserIds, sandbox/shared:<shared-user-id> is
currently used as sandbox root. Given that <shared-user-id> can
be upto 255 characters, adding "shared:" might tip over the
filename limit on ext4 filesystems. So, instead use
sandbox/shared/<shared-user-id> as the sandbox root.
Bug: 111890351
Test: manual
Change-Id: Iba437b3eed59f9eb3094a823e8bf2a5a58410fd7
This is same as what we are doing as of P, symlinking
"/mnt/user/<user-id>/primary" to primary volume path.
Bug: 111890351
Test: manual
Change-Id: I3bc538401bf56fd6243ce7eca424cc4c9b585974
Vold is updated to create package specific sandboxes for primary
volume and mount them at
"/mnt/user/<user-id>/package/<package-name>/<primary-label>".
This will later be mounted at /storage when a new process starts.
Bug: 111890351
Test: Manually verified that a package has access to "/sdcard" and
"/storage/emulated/0", both of which are just the package specific
sandboxes and the package doesn't have access to other sandboxes
and can't see other package names.
Change-Id: I72dc8ae9eb2260a298159c5de18387dad2f9de48
Bug: 111890351
Test: n/a
Change-Id: Ia24f15112f9a4ee4994688ff8fedf786cbf479b7
Exempt-From-Owner-Approval: This was approved as part of http://ag/4494673
Bug: 110808288
Test: Boot a device and checks /mnt/product/foo mounted in early mount
isn't unmounted.
Change-Id: Ide411cd78565505bc72ed57e79f3d31b6392b27c
We've tried our best to protect against malicious storage devices
with limited SELinux domains, but let's be even more paranoid and
refuse to look at disks inserted while a secure keyguard is
showing. We'll gladly scan them right away once the user confirms
their credentials.
Test: builds, boots, manual testing
Bug: 68054513
Change-Id: I37fd6c25bbd6631fa4ba3f84e19384d746a22498
Remove lots of "extern C" and "ifdef __cplusplus" which are no longer
needed now all of vold is C++. Also turn on the cert-err58-cpp warning
we once had to disable.
Bug: 67041047
Test: compiles, boots
Change-Id: I8c6f9dd486f2409e0deed7bb648d959677465b21
FDE keys are indexed using the partition GUID, while FBE keys will be
indexed using the filesystem UUID, so pass both of those identifiers
along when forgetting a volume.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 25861755
Change-Id: I6e239d5ba67a01c9a848d705f6167da00f975924
Prevents selinux denials for folders in /proc that do not have the
default /proc label.
Bug: 68146208
Test: no selinux denials for vold attempting to read proc_asound dir.
Merged-In: I7cdd3bbe8e687e078372012773e9a34a5c76e0f8
Change-Id: I7cdd3bbe8e687e078372012773e9a34a5c76e0f8
Prevents selinux denials for folders in /proc that do not have the
default /proc label.
Bug: 68146208
Test: no selinux denials for vold attempting to read proc_asound dir.
Change-Id: I7cdd3bbe8e687e078372012773e9a34a5c76e0f8
I want to use Utils in another executable, so breaking this link.
Bug: 25861755
Test: compiles (and boots, though that doesn't exercise changed code)
Change-Id: I6bb447453bb370fefb7f2f3aceb459428bdee6a7
Moves away from crufty char* operations to std::string utility
methods, including android::base methods for splitting/parsing.
Rewrite of how Process handles scanning procfs for filesystem
references; now uses fts(3) for more sane traversal.
Replace sscanf() with new FindValue() method, also has unit tests.
Remove some unused methods. Switch almost everyone over to using
modern logging library.
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 67041047
Change-Id: I70dc512f21459d1e25b187f24289002b2c7bc7af
Instead of blindly looping across 4096 possible devices, use
readdir() to only look at valid devices. This speeds up destroyAll()
from 40ms to 0.7ms.
Add tracing information in several places.
Test: external/chromium-trace/systrace.py -b 128768 sched freq am pm ss core_services binder_driver -a system_server,installd,vold
Bug: 65634729, 65737446
Change-Id: If581de47fb55850c0fcd6e25bf33ed246e1b079d
Now that we've moved to Binder, we only have a few lingering atoi()
usages that are cleaned up in this CL.
Rewrite match_multi_entry() entirely, with tests to verify both old
and new implementations.
Test: adb shell /data/nativetest/vold_tests/vold_tests
Bug: 36655947
Change-Id: Ib79dc1ddc2366db4d5b4e1a1e2ed9456a06a983e
