66270a21df
Now that we're treating storage as a runtime permission, we need to grant read/write access without killing the app. This is really tricky, since we had been using GIDs for access control, and they're set in stone once Zygote drops privileges. The only thing left that can change dynamically is the filesystem itself, so let's do that. This means changing the FUSE daemon to present itself as three different views: /mnt/runtime_default/foo - view for apps with no access /mnt/runtime_read/foo - view for apps with read access /mnt/runtime_write/foo - view for apps with write access There is still a single location for all the backing files, and filesystem permissions are derived the same way for each view, but the file modes are masked off differently for each mountpoint. During Zygote fork, it wires up the appropriate storage access into an isolated mount namespace based on the current app permissions. When the app is granted permissions dynamically at runtime, the system asks vold to jump into the existing mount namespace and bind mount the newly granted access model into place. Bug: 21858077 Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
83 lines
2.2 KiB
C++
83 lines
2.2 KiB
C++
/*
|
|
* Copyright (C) 2015 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#ifndef ANDROID_VOLD_PUBLIC_VOLUME_H
|
|
#define ANDROID_VOLD_PUBLIC_VOLUME_H
|
|
|
|
#include "VolumeBase.h"
|
|
|
|
#include <cutils/multiuser.h>
|
|
|
|
namespace android {
|
|
namespace vold {
|
|
|
|
/*
|
|
* Shared storage provided by public (vfat) partition.
|
|
*
|
|
* Knows how to mount itself and then spawn a FUSE daemon to synthesize
|
|
* permissions. AsecVolume and ObbVolume can be stacked above it.
|
|
*
|
|
* This volume is not inherently multi-user aware, so it has two possible
|
|
* modes of operation:
|
|
* 1. If primary storage for the device, it only binds itself to the
|
|
* owner user.
|
|
* 2. If secondary storage, it binds itself for all users, but masks
|
|
* away the Android directory for secondary users.
|
|
*/
|
|
class PublicVolume : public VolumeBase {
|
|
public:
|
|
explicit PublicVolume(dev_t device);
|
|
virtual ~PublicVolume();
|
|
|
|
protected:
|
|
status_t doCreate() override;
|
|
status_t doDestroy() override;
|
|
status_t doMount() override;
|
|
status_t doUnmount() override;
|
|
status_t doFormat(const std::string& fsType) override;
|
|
|
|
status_t readMetadata();
|
|
status_t initAsecStage();
|
|
|
|
private:
|
|
/* Kernel device representing partition */
|
|
dev_t mDevice;
|
|
/* Block device path */
|
|
std::string mDevPath;
|
|
/* Mount point of raw partition */
|
|
std::string mRawPath;
|
|
|
|
std::string mFuseDefault;
|
|
std::string mFuseRead;
|
|
std::string mFuseWrite;
|
|
|
|
/* PID of FUSE wrapper */
|
|
pid_t mFusePid;
|
|
|
|
/* Filesystem type */
|
|
std::string mFsType;
|
|
/* Filesystem UUID */
|
|
std::string mFsUuid;
|
|
/* User-visible filesystem label */
|
|
std::string mFsLabel;
|
|
|
|
DISALLOW_COPY_AND_ASSIGN(PublicVolume);
|
|
};
|
|
|
|
} // namespace vold
|
|
} // namespace android
|
|
|
|
#endif
|