Commit graph

94 commits

Author SHA1 Message Date
Martijn Coenen
0a7e9925a6 Automatically use correct lower paths for setupAppDir.
When we're asked to create an app directory, find the corresponding
volume, and use the raw path of that volume to create the directory.
This ensures this will continue working on devices that don't have
sdcardfs.

Bug: 146419093
Test: manual test on cuttlefish
Change-Id: I91d735c1adbcca171e5af73aca0abd7ef396d0b7
2020-01-27 14:00:29 +01:00
Martijn Coenen
cf5916f3fa Also delay creating found disks until user 0 is started.
Public and private volumes can be discovered before user 0 is up and
running; when using FUSE however, we can't mount these disks yet,
because we depend on the user to become unlocked before we can start the
FUSE daemon (which is the MediaProvider application process). So besides
waiting for any secure keyguard to be dismissed, also wait for user 0 to
be started.

Bug: 146419093
Test: Boot cuttlefish with a fake public volume; is available after
repeated boots.

Change-Id: I06fe4d336d1baec3a49886c3cf12d844a1d0eb26
2020-01-03 16:32:20 +01:00
Martijn Coenen
13ff668775 Replace mkdirs() with setupAppDir().
vold historically offerred functionality to create directories on behalf
of others. This functionality was purely used to create app-specific
data/obb/media dirs. Make this more explicit by renaming the method to
indicate this.

Additionally, in the past, we never needed to care about the UID set on
these directories, because sdcardfs would take care of that for us
automatically. But with sdcardfs going away, we need to make sure the
UID of the app-specific directories is set correctly. Allow the caller
to pass this in as an argument.

Bug: 146419093
Test: atest FuseDaemonHostTest
Change-Id: Ibeb5fdc91b40d53583bc0960ee11c4d640549c34
2019-12-31 15:58:41 +01:00
Martijn Coenen
745e0a9acb Use a regular set for started users.
We want started users to be an ordered set; eg user 0 should always go
first. This is because volumes for users other than 0 depend on user 0
coming up first, because the volume for user 0 is the one mounting
sdcardfs.

Bug: 13789012
Test: atest AdoptableHostTest
Change-Id: Ic9119f0a24bd261e5362019836ac240b90c681c0
2019-12-10 16:49:16 +01:00
Zim
a438b24368 Fix multi-user and multi-storage with FUSE
Up until now, the FUSE mount logic has made two assumptions:
1. The primary external volume is an emulated volume on /data/media
2. Only the primary user is running, as user zero

These assumptions are fixed by the following changes
creating an EmulatedVolume per Android user and changing the
VolumeBase id format to append the user to the id, so
s/emulated/emulated-0/. This allows us mount separate volumes per user

Some additional refactorings to re-use/clean up code.

Test: adb shell sm set-virtual-disk and partition disk operations work
even after setting up a work profile
Bug: 135341433

Change-Id: Ifabaa12368e5a591fbcdce4ee71c83ff35fdac6b
2019-11-11 20:24:49 +00:00
Sudheer Shanka
4112c12cb6 Remove storage sandboxes related code.
Bug: 131115422
Test: manual
Test: atest --test-mapping packages/providers/MediaProvider
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest DownloadProviderTests
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/app/DownloadManagerLegacyTest/src/android/app/cts/DownloadManagerLegacyTest.java
Test: atest cts/tests/app/DownloadManagerApi28Test/src/android/app/cts/DownloadManagerApi28Test.java
Change-Id: Ib3272a47a901ed106474039e72f123b11f5443ff
2019-05-07 10:47:03 -07:00
Sudheer Shanka
727c5fad41 Avoid creating /mnt/user/<userId>/package/<packageName> for all pkgs.
Bug: 124466384
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*
Change-Id: I678e199ef03805bb85a8a7ad9f1f7bae0a9fc56a
2019-02-21 15:12:42 -08:00
Sudheer Shanka
f9b38a58e1 Revert "Revert "Ensure necessary external storage dirs while creating sandboxes.""
This reverts commit 88114b2a56.

Reason for revert: blocking issue in b/124345887 is resolved

Change-Id: Ie34843c12b7a471d2384b64ad049ede63aed09e8
2019-02-14 19:11:20 +00:00
Jeff Sharkey
88114b2a56 Revert "Ensure necessary external storage dirs while creating sandboxes."
This reverts commit 083377e593.

Reason for revert: b/124345887

Change-Id: I388d45fab68b611917464a204269a48bf771ac57
2019-02-14 15:41:28 +00:00
Sudheer Shanka
083377e593 Ensure necessary external storage dirs while creating sandboxes.
Bug: 124058579
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore*

Change-Id: I0e62de38e9ceff80df75e253443af69d4391a49e
2019-02-13 18:16:50 -08:00
Sudheer Shanka
5504901bf0 Create a new MOUNT_EXTERNAL_LEGACY storage mode.
Apps that are already installed on the device before isolated_storage
feature is enabled will be granted MOUNT_EXTERNAL_LEGACY mode. In this
mode, /mnt/runtime/write will be mounted at /storage giving them same
level of access as in P.

A new mount directory /mnt/runtime/full is also created which will be
used for mounting at /storage for apps started with MOUNT_EXTERNAL_FULL
mode. This will allow apps with WRITE_MEDIA_STORAGE permission to
read/write anywhere on the secondary devices without needing to bypass
sdcardfs.

Bug: 121277410
Test: manual
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: Icc1ff9da35545692daedef7173d7c89290dd2766
2019-01-18 18:48:55 -08:00
TreeHugger Robot
37fd66f19d Merge "vold: const-ify some of the API" 2018-12-20 21:19:55 +00:00
Greg Kaiser
2bc201e6bb vold: const-ify some of the API
We make some of the C++ member functions 'const', to reflect how
they (don't) affect the state of the class.

Test: TreeHugger
Change-Id: Iec1c2801bfe721e2741406ed1ac0ef95662840a6
2018-12-20 10:30:17 -08:00
Sudheer Shanka
817b911ca4 Update process mount points when appop gets updated.
When an app is started, it's mountmode is dependent on
OP_REQUEST_INSTALL_PACKAGES. If user changes the appop grant of an app,
we need to update the mounts of any processes running in that app.

Bug: 121099965
Test: atest android.appsecurity.cts.ExternalStorageHostTest#testExternalStorageObbGifts
Change-Id: I87fee492891d33ccc9fc9e2548114f67d90cc759
2018-12-16 16:02:14 -08:00
Sudheer Shanka
03992e3741 Create a new mount mode for installer packages.
New external storage mount mode for installers so
that they can access obb dirs of all apps.

Bug: 111789719
Test: atest android.appsecurity.cts#testExternalStorageObbGifts
Change-Id: Iab112f0273806f8f812f14d6691bbe71dff42d83
2018-12-12 19:04:52 -08:00
Risan
1271b90560 Merge "Extract AppFuse as a util" am: 7be8a7ee1d am: d04a16cbd5
am: 9f7af4b6e3

Change-Id: I92a3fa8828e983df876d42637913737e2b31fd4f
2018-11-30 01:17:08 -08:00
Risan
8f6198d299 Change AppFuse mount location to vold namespace
Previously, AppFuse is mounted in system_server's mount namespace. This
CL moves the mount location to vold namespace.

Relanding this since it fails to be merged on ag/5521004 (blocked by
Presubmit, seems to be caused by temporary state) - this one now
passes presubmit without any changes.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes
Change-Id: Id93c26d5a98842c78f27850c83e15df619cec1ab
2018-11-26 15:30:01 +00:00
Risan
ac02a4863f Extract AppFuse as a util
Bug: 110379912
Test: testOpenProxyFileDescriptor
Change-Id: I0429a498d7b54682efe9b05815f3470e8745609e
2018-11-14 07:28:06 +00:00
Risan
5f53cd3b79 Change AppFuse mount location to vold namespace
Previously, AppFuse is mounted in system_server's mount namespace. This
CL moves the mount location to vold namespace.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes
Change-Id: Id93c26d5a98842c78f27850c83e15df619cec1ab
2018-11-13 22:46:23 +00:00
Risan
4d8ba07231 Merge "StubVolume as first class Volume in Vold" am: dcbce84fed am: 14955896e5
am: a294e197b4

Change-Id: Iaec41c8ffe6feaa59163987c914fa21edc7ae2cd
2018-11-13 12:13:23 -08:00
Risan
8c9f33242f StubVolume as first class Volume in Vold
StubVolume is a Volume that is maintained by external party such as the
ChromeOS processes in ARC++.

Bug: 110380403
Test: Tested on ARC++

Change-Id: I3198bd7283d5f60a524da3707dea7385ffec599d
2018-11-08 07:40:43 +00:00
Sudheer Shanka
69bc40f9a9 Update StorageManagerService handling of packages info.
Instead of maintaining local copy of all appIds and sandboxIds,
StorageManagerService will just get required packages info
from PackageManagerService when an user starts and passes it
to vold.

Bug: 117988901
Test: manual
Change-Id: Idab274529e843784c8804929e920c3af63032690
2018-10-25 11:58:43 -07:00
Sudheer Shanka
fa6a174a05 Delete package sandbox data when it is uninstalled.
Bug: 111890351
Test: manual
Change-Id: I989d507f3352959e824b161a94c0eaad6eed9bba
2018-10-09 11:12:52 -07:00
Sudheer Shanka
40ab6742a7 Bind mount pkg specific dirs in the zygote child namespaces.
- Also update vold to create sandboxes for secondary storage devices.
- Since bind mounts are created in the process specific namespaces, we
  don't need /mnt/storage anymore which we were using it to prevent
  some bind mounts from propagating onto /mnt/runtime/write.
- Create bind mounts for {media,obb} dirs similar to data dir in
  per process namespace.
- Also fix a bug where we are not passing correct packages to vold when
  a new user starts.

Bug: 111890351
Test: manual
Change-Id: I7849efc4fbf3c654606fa30de7ab2de0236d766f
2018-09-27 15:50:26 -07:00
Paul Crowley
8915d62847 clang-format the rest of the files
Apply clang-format to fix the remaining files not fixed by
change I23cde3f0bbcac13bef555d13514e922c79d5ad48

Test: Format-only changes; treehugger suffices.
Change-Id: I1bfd5c8d68d298596875d5edae26cdfe27c03489
Merged-In: I1bfd5c8d68d298596875d5edae26cdfe27c03489
2018-09-20 06:27:22 -07:00
Paul Crowley
edf7a4eb95 clang-format the rest of the files
Apply clang-format to fix the remaining files not fixed by
change I23cde3f0bbcac13bef555d13514e922c79d5ad48

Test: Format-only changes; treehugger suffices.
Change-Id: I1bfd5c8d68d298596875d5edae26cdfe27c03489
2018-09-19 19:45:27 -07:00
Sudheer Shanka
c756209b89 Create sandboxes for newly installed apps.
Bug: 111890351
Test: manual
Change-Id: I1b7f5bd25e04f9f4a61d0d4f64bbbb0ca6157fa5
2018-08-24 12:35:56 -07:00
Sudheer Shanka
3a7ee5c2ae Use /mnt/storage for bind mounting package sandboxes.
Create a new slave bind mount at /mnt/storage and use this for
creating package sandboxes. This will help prevent package
specific data directories from getting duplicated and also make
handling bind mounts for packages with sharedUserIds easier.

Bug: 111890351
Test: manual
Change-Id: I0f590cc99a379d93f6db85bf56e8d274e3ea7488
2018-08-23 21:40:07 -07:00
Sudheer Shanka
53947a3662 Update vold to prepare package sandboxes for primary volume.
Vold is updated to create package specific sandboxes for primary
volume and mount them at
"/mnt/user/<user-id>/package/<package-name>/<primary-label>".
This will later be mounted at /storage when a new process starts.

Bug: 111890351
Test: Manually verified that a package has access to "/sdcard" and
      "/storage/emulated/0", both of which are just the package specific
      sandboxes and the package doesn't have access to other sandboxes
      and can't see other package names.

Change-Id: I72dc8ae9eb2260a298159c5de18387dad2f9de48
2018-08-01 10:24:13 -07:00
Sudheer Shanka
62bbb2b1d2 Update vold to handle package info from StorageManagerService.
Bug: 111890351
Test: n/a
Change-Id: I098ad4bc15fae843909d97dad5d301a4e53d51bc
2018-08-01 01:23:15 -07:00
Sudheer Shanka
ebaad1c848 Update IVold interface to take packageNames when a user starts.
Bug: 111890351
Test: n/a
Change-Id: Ia24f15112f9a4ee4994688ff8fedf786cbf479b7
Exempt-From-Owner-Approval: This was approved as part of http://ag/4494673
2018-08-01 07:16:28 +00:00
Sudheer Shanka
d484aa9dad Add APIs for pushing package info to vold.
Bug: 111890351
Test: n/a
Change-Id: I3194a88a9ce612a2e4f2c7ea9e3392e0f8020fc1
2018-07-31 10:07:34 -07:00
Jeff Sharkey
401b260351 Delay touching disks when secure keyguard showing.
We've tried our best to protect against malicious storage devices
with limited SELinux domains, but let's be even more paranoid and
refuse to look at disks inserted while a secure keyguard is
showing.  We'll gladly scan them right away once the user confirms
their credentials.

Test: builds, boots, manual testing
Bug: 68054513
Change-Id: I37fd6c25bbd6631fa4ba3f84e19384d746a22498
2017-12-15 13:44:55 -07:00
Paul Crowley
b64933a502 Be even more C++. Switch on a warning.
Remove lots of "extern C" and "ifdef __cplusplus" which are no longer
needed now all of vold is C++. Also turn on the cert-err58-cpp warning
we once had to disable.

Bug: 67041047
Test: compiles, boots
Change-Id: I8c6f9dd486f2409e0deed7bb648d959677465b21
2017-10-31 08:40:23 -07:00
Jeff Sharkey
3ce18256a1 Pass both partition GUID and filesystem UUID.
FDE keys are indexed using the partition GUID, while FBE keys will be
indexed using the filesystem UUID, so pass both of those identifiers
along when forgetting a volume.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 25861755
Change-Id: I6e239d5ba67a01c9a848d705f6167da00f975924
2017-10-24 12:19:47 -06:00
Paul Crowley
56292ef119 Undo Utils dependency on VolumeManager
I want to use Utils in another executable, so breaking this link.

Bug: 25861755
Test: compiles (and boots, though that doesn't exercise changed code)
Change-Id: I6bb447453bb370fefb7f2f3aceb459428bdee6a7
2017-10-20 10:05:36 -07:00
Jeff Sharkey
3472e52fc2 Move to modern utility methods from android::base.
Moves away from crufty char* operations to std::string utility
methods, including android::base methods for splitting/parsing.

Rewrite of how Process handles scanning procfs for filesystem
references; now uses fts(3) for more sane traversal.

Replace sscanf() with new FindValue() method, also has unit tests.

Remove some unused methods.  Switch almost everyone over to using
modern logging library.

Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 67041047
Change-Id: I70dc512f21459d1e25b187f24289002b2c7bc7af
2017-10-17 12:40:51 -06:00
Jeff Sharkey
cbe69fc060 Destroy vold socket interface completely.
Long live Binder.

Test: yes
Bug: 13758960
Change-Id: If6be379b5a873f1b0c66dd1522b87413ad10fc46
2017-09-18 16:00:14 -06:00
Jeff Sharkey
52f7a91934 Move long-running calls to async with listeners.
Now that we're using Binder, we can have callers provide explicit
listeners for every request instead of trying to squeeze them all
into unsolicited socket events.

Move benchmarking to be async to avoid blocking other commands for
up to several minutes.  Remove post-trim benchmarking flag, since
benchmarking now requires a separate callback.  Will bring back in
a future CL.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Test: adb shell sm fstrim
Bug: 62201209, 13758960
Change-Id: I0f2ebf1ac3b4252ecd6b44303f2887adfdb58e86
2017-09-15 14:18:00 -06:00
Jeff Sharkey
814e9d308e Move unsolicited vold events to Binder.
Create IVoldListener and move most unsolicited vold events over to
this new interface.  The remaining events will be routed through
method-specific listeners instead of a global one.

Move to upstream DISALLOW_COPY_AND_ASSIGN macro.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.DirectBootHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Bug: 13758960
Change-Id: Ib9293487db2d525a76b9b9c2e9ac18d98601c6cf
2017-09-13 11:52:53 -06:00
Jeff Sharkey
83b559ced4 Move all crypto commands over to Binder.
Prefix FDE related commands with "fde" to make it clear which devices
they apply to.  This will also make it easier to remove once FDE
is fully deprecated in a future release.

To emulate the single-threaded nature of the old socket, introduce a
lock that is acquired for all encryption related methods.

Sprinkle some "const" around older files to make C++ happy.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.DirectBootHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Bug: 13758960
Change-Id: I0a6ec6e3660bbddc61424c344ff6ac6da953ccf0
2017-09-12 17:24:06 -06:00
Jeff Sharkey
11c2d380a7 Move even more vold commands over to Binder.
This moves fstrim, obb and appfuse commands over to the new Binder
interface.  This change also separates creating/destroying and
mounting/unmounting of OBB volumes, which means they finally flow
nicely into the modern VolumeInfo/VolumeBase design.

We now generate unique identifiers for all OBB volumes, instead of
using a shady MD5 hash.

Change all "loop" and "dm" devices to tag the kernel resources with
a vold-specific prefix so that we can clean them up if vold crashes;
there are new destroyAll() methods that handle this cleanup.

Move appfuse mounting/unmounting into VolumeManager so it can be
shared.  Move various model objects into a separate directory to
tidy things up.

Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t android.os.storage.cts.StorageManagerTest
Bug: 13758960
Change-Id: I7294e32b3fb6efe07cb3b77bd20166e70b66958f
2017-09-11 18:44:17 -06:00
Jeff Sharkey
9462bdd512 Move "volume" commands over to Binder.
Keep the old socket-based commands intact for awhile so we can
rapidly disable this change using the ENABLE_BINDER feature flag.

Define constants in AIDL to keep Java and C++ in sync.

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.ExternalStorageHostTest
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 13758960
Change-Id: I0d6f82cbebe67f671b60949fd727409aeb1fdc0d
2017-09-07 15:27:30 -06:00
Keun-young Park
375ac25773 do not sleep if it is shutting down
- Various sleep(5) for vold shutdown can increase shutdown time a lot.
- If it is shutting down, do not sleep at all. init will take care of
  active partitions if not unmounted.

bug: 64143519
Test: reboot and check logs from vold, check if "ShutdownThread: Shutdown wait timed out" happens.
Change-Id: I7cb91427ad2205fe23a054d255caf7ffdfd9f6c3
2017-08-02 17:45:48 -07:00
Jeff Sharkey
fa1c677c1a Add a new "virtual disk" feature.
It's extremely difficult to test storage related logic on devices
that don't have physical SD card slots.  So to support better
debugging and testing, add a new "virtual disk" feature which mounts
a 512MB file through loop device.

It relies on the kernel having the "loop.max_part" value set to
something other than 0 via the boot command line, since that allows
all the existing partition logic to fall into place.

Bug: 34903607
Test: builds, boots, virtual disk works
Change-Id: I04c5b33e37319d867542985a56b7999a9b7cf35d
2017-03-25 23:25:14 -06:00
Chih-Hung Hsieh
aae793802b Fix misc-macro-parentheses warnings in system/vold.
Add parentheses around macro arguments used beside operators.
Bug: 28705665

Change-Id: I44e954f15bf6b8279d0f857d5417b7cb457da779
2016-06-10 14:15:18 -07:00
Mateusz Nowak
a4f48d0f44 vold: fix 64 bit ioctl error
Changing the num_sectors used in ioctl with BLKGETSIZE because
the kernel expects an unsigned long type and then changes 64 bits
with a 64 bits userspace. This overwrites what's located close to
the parameter location if any.

Change-Id: I78fd61a1084de2741f39b926aa436462518709a0
Signed-off-by: Mateusz Nowak <mateusz.nowak@intel.com>
Signed-off-by: Zhiquan Liu <zhiquan.liu@intel.com>
2015-10-21 11:16:19 +08:00
Jeff Sharkey
c86ab6f538 Trim both internal and adopted private storage.
Refactor fstrim code to be encapsulated in unique task object, and
give it option of benchmarking when finished.  Trimming now includes
both storage from fstab and adopted private volumes.  Cleaner timing
stats are logged for each unique volume.

Add wakelock during ongoing async move tasks.  Push disk sysfs path
to framework so it can parse any SD card registers as desired.

Bug: 21831325
Change-Id: I76577685f5cae4929c251ad314ffdaeb5eb1c8bf
2015-07-01 15:53:51 -07:00
Jeff Sharkey
66270a21df Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app.  This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that.  This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions.  When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

Bug: 21858077
Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
2015-06-25 22:40:08 -07:00
Jeff Sharkey
bc40cc8f07 Add method to forget private partition keys.
Report both the disk and the partition GUID for private volumes to
userspace, and offer to forget the encryption key for a given
partition GUID.

Bug: 21782268
Change-Id: Ie77a3a58e47bf3563cdb3e4b0edfab1de4d0e6b4
2015-06-22 14:04:54 -07:00