1. 06 Aug, 2015 1 commit
    • Protect runtime storage mount points. · 1bd078fa
      Jeff Sharkey authored
      We have a bunch of magic that mounts the correct view of storage
      access based on the runtime permissions of an app, but we forgot to
      protect the real underlying data sources; oops.

      This series of changes just bumps the directory hierarchy one level
      to give us /mnt/runtime which we can mask off as 0700 to prevent
      people from jumping to the exposed internals.

      Also add CTS tests to verify that we're protecting access to
      internal mount points like this.

      Bug: 22964288
      Change-Id: I83f09f0423f4993e766273c50389dd29b1c50589
  2. 21 Jul, 2015 1 commit
    • Create user directory on emulated storage. · 32679a82
      Jeff Sharkey authored
      When mounting a primary external storage device that is multi-user
      aware, ensure that the user-specific directory actually exists before
      moving forward.

      Bug: 22472026
      Change-Id: I33c8eed261a9c0d5acedd5be6133ed9990679d08
  3. 01 Jul, 2015 1 commit
    • Trim both internal and adopted private storage. · c86ab6f5
      Jeff Sharkey authored
      Refactor fstrim code to be encapsulated in unique task object, and
      give it option of benchmarking when finished.  Trimming now includes
      both storage from fstab and adopted private volumes.  Cleaner timing
      stats are logged for each unique volume.

      Add wakelock during ongoing async move tasks.  Push disk sysfs path
      to framework so it can parse any SD card registers as desired.

      Bug: 21831325
      Change-Id: I76577685f5cae4929c251ad314ffdaeb5eb1c8bf
  4. 30 Jun, 2015 1 commit
    • Null-terminate readlink() result, full remount. · c7b5b570
      Jeff Sharkey authored
      In order to compare results from readlink() calls, we need to null
      terminate the read value, otherwise we can end up doing an infinitely
      recursive remount in the root namespace.

      When remounting inside a namespace, unmount all existing mounts before
      mounting the new storage into place.  This also means we need to mount
      the user-specific symlinks back into place.

      Skip spinning up the FUSE daemon when not visible, otherwise we get
      stuck waiting for a daemon that never shows up.

      Bug: 22192518, 22204412
      Change-Id: Icc7db822354ab7ffc47c39cd0611f65edecc32e5
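The readlink() pitfall this commit fixes is easy to reproduce outside vold: readlink() never writes a terminating NUL, so handing its buffer straight to strcmp() compares against whatever bytes happen to follow, which is how a "is the right thing already mounted here?" check can keep answering "no" and remount forever. The following C is an added illustration written for this page, not vold's code; it wraps readlink() so the result is always terminated and a possibly truncated result is refused, then exercises the wrapper on a constructed symlink in a temporary directory (the link target is a made-up path, not an Android mount point).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* readlink() fills the buffer with the link target but never appends a NUL,
 * so passing the raw buffer to strcmp()/strstr() reads whatever bytes follow.
 * This wrapper reserves one byte, terminates the result, and treats a result
 * that fills the whole buffer as an error (it may have been silently cut). */
static ssize_t readlink_terminated(const char *path, char *buf, size_t bufsz) {
    if (bufsz == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t n = readlink(path, buf, bufsz - 1);
    if (n < 0) {
        return -1;                      /* errno already set by readlink() */
    }
    if ((size_t)n == bufsz - 1) {
        errno = ENAMETOOLONG;           /* possibly truncated: refuse to compare */
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Returns 1 if the symlink at linkpath resolves to exactly `expected`,
 * 0 if it points elsewhere, -1 if it could not be read. Comparing a
 * terminated string is what keeps an "already mounted here?" check from
 * looping forever on garbage. */
static int link_points_to(const char *linkpath, const char *expected) {
    char target[PATH_MAX];
    if (readlink_terminated(linkpath, target, sizeof target) < 0) {
        return -1;
    }
    return strcmp(target, expected) == 0 ? 1 : 0;
}

/* Constructed fixture (not a real vold mount point): make a private temp
 * directory, create a symlink in it, run the check, clean up.
 * Returns 1 when the comparison succeeds, 0 or -1 otherwise. */
static int demo_symlink_check(void) {
    char dir[64], link[128];
    snprintf(dir, sizeof dir, "/tmp/readlink_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) {
        return -1;
    }
    snprintf(link, sizeof link, "%s/primary", dir);
    int rc = -1;
    if (symlink("/constructed/target/dir", link) == 0) {
        rc = link_points_to(link, "/constructed/target/dir");
        unlink(link);
    }
    rmdir(dir);
    return rc;
}

/* Same fixture, but with a buffer too small for the 23-byte target: the
 * wrapper must report failure instead of handing back a truncated,
 * unterminated string. Returns 1 when it correctly refused. */
static int demo_small_buffer(void) {
    char dir[64], link[128], small[8];
    snprintf(dir, sizeof dir, "/tmp/readlink_demo2_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) {
        return -1;
    }
    snprintf(link, sizeof link, "%s/primary", dir);
    int rc = -1;
    if (symlink("/constructed/target/dir", link) == 0) {
        rc = (readlink_terminated(link, small, sizeof small) < 0 &&
              errno == ENAMETOOLONG) ? 1 : 0;
        unlink(link);
    }
    rmdir(dir);
    return rc;
}

int main(void) {
    printf("symlink check: %d, small buffer refused: %d\n",
           demo_symlink_check(), demo_small_buffer());
    return 0;
}
```

Rejecting a result that exactly fills the buffer is deliberately conservative: readlink() gives no other signal that the target was cut, and a truncated path can collide with a shorter, legitimate one.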
  5. 26 Jun, 2015 1 commit
    • Let's reinvent storage, yet again! · 66270a21
      Jeff Sharkey authored
      Now that we're treating storage as a runtime permission, we need to
      grant read/write access without killing the app.  This is really
      tricky, since we had been using GIDs for access control, and they're
      set in stone once Zygote drops privileges.

      The only thing left that can change dynamically is the filesystem
      itself, so let's do that.  This means changing the FUSE daemon to
      present itself as three different views:

      /mnt/runtime_default/foo - view for apps with no access
      /mnt/runtime_read/foo - view for apps with read access
      /mnt/runtime_write/foo - view for apps with write access

      There is still a single location for all the backing files, and
      filesystem permissions are derived the same way for each view, but
      the file modes are masked off differently for each mountpoint.

      During Zygote fork, it wires up the appropriate storage access into
      an isolated mount namespace based on the current app permissions.  When
      the app is granted permissions dynamically at runtime, the system
      asks vold to jump into the existing mount namespace and bind mount
      the newly granted access model into place.

      Bug: 21858077
      Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
  6. 22 Jun, 2015 1 commit
    • Add method to forget private partition keys. · bc40cc8f
      Jeff Sharkey authored
      Report both the disk and the partition GUID for private volumes to
      userspace, and offer to forget the encryption key for a given
      partition GUID.

      Bug: 21782268
      Change-Id: Ie77a3a58e47bf3563cdb3e4b0edfab1de4d0e6b4
  7. 10 Jun, 2015 1 commit
  8. 09 Jun, 2015 1 commit
    • Add f2fs support for private volumes. · d0640f63
      Jeff Sharkey authored
      When formatting volumes, pass along fsType string which can be "auto"
      to let the volume select the best choice.  For now, private volumes
      assume that MMC devices (like SD cards) are best off using f2fs when
      both kernel support and tools are present, otherwise fall back to
      ext4.  Use blkid when mounting to pick the right set of tools.

      Move filesystem utility methods into namespaces and place in separate
      directory to be more organized.

      Bug: 20275581
      Change-Id: Id5f82d8672dda2e9f68c35b075f28232b0b55ed4
  9. 15 May, 2015 1 commit
    • Initial pass at storage benchmarks. · 5a6bfca1
      Jeff Sharkey authored
      Now that we're offering to store private app data on adopted storage
      devices, the performance of those devices is much more important to
      overall user experience.

      To help set user expectations, this change offers to execute a
      real-world benchmark on a storage device, returning a metric that can
      be used to compare internal and external storage.  The benchmark is
      generated from the strace-instrumented storage access patterns of
      typical apps.

      A typical device completes the benchmark in under two seconds on
      internal storage, a UHS-3 SD card is even faster (!), but a very slow
      Class 4 SD card takes about 30 seconds to complete, giving us a clear
      signal.

      The measured benchmark numbers are logged along with information
      about the storage device, such as manufacturer, model, etc.  Card
      serial numbers are scrubbed from output.

      Bug: 21172095
      Change-Id: I9b2713dafdfdfcf5d97bf1bc21841f39409a7e54
  10. 30 Apr, 2015 1 commit
  11. 25 Apr, 2015 1 commit
    • Wait for completion of device mapping in mountObb · 476a627e
      yoshiyuki hama authored
      VolumeManager::mountObb() creates a mapping between a loopback
      device and a dm device. However, the device-mapper carries this out
      asynchronously, so there is a possibility that Vold accesses the dm
      device while it is still being built. Added a wait for completion of
      the mapping in that function, as in mountAsec().

      To verify, install FrameworksCoreTests.apk and do:

        adb shell am instrument -r -w -e class android.os.storage.\
        StorageManagerIntegrationTest#testMountTwoEncryptedObb \
        com.android.frameworks.coretests/android.test.\
        InstrumentationTestRunner

      Change-Id: If42f4b7494bb2f8a8b72d106ad84b3e3bf91fd9b
  12. 21 Apr, 2015 1 commit
    • Wider volume mutation lock, move force adoptable. · c8e04c5a
      Jeff Sharkey authored
      We eventually should move back to per-disk locks, but use a giant
      lock to keep development rolling forward.  Also move force adoptable
      flag to framework, since encrypted devices don't have persisted
      properties loaded early during boot.

      Bug: 19993667
      Change-Id: Ifa3016ef41b038f8f71fc30bc81596cfd21dcd2a
  13. 19 Apr, 2015 1 commit
  14. 18 Apr, 2015 1 commit
    • Volumes know parent disks; unsupported disks. · f1b996df
      Jeff Sharkey authored
      This is cleaner and more direct than the reverse of having the disk
      publish child volume membership.  Rename state constants to match
      public API.  Add state representing bad removal.  Make it clear that
      volume flags are related to mounting.

      Send new unsupported disk event when we finish scanning an entire
      disk and have no meaningful volumes.

      Bug: 19993667
      Change-Id: I08a91452ff561171a484d1da5745293ec893aec0
  15. 15 Apr, 2015 1 commit
    • Lock while partitioning. · 7d9d0118
      Jeff Sharkey authored
      Otherwise we get really excited and trip over ourselves while
      partitions are still being created.

      Bug: 19993667
      Change-Id: I034e56b3063a71d73f9311a945c05ea2ae255f7d
  16. 12 Apr, 2015 1 commit
    • Emulated volumes above private volumes. · 3161fb37
      Jeff Sharkey authored
      When a private volume is mounted, create an emulated volume above it
      hosted at the /media path on that device.  That emulated volume is
      automatically torn down when unmounting the private volume.

      Add "removed" state for volume, which signals to framework that
      media has left the building, send when the volume is destroyed.

      Bug: 19993667
      Change-Id: I1f82b51de578ac5cfcc5d7b9a6fb44f6f25c775c
  17. 11 Apr, 2015 1 commit
    • Exclusive exec() path, format after partition. · ce6a913a
      Jeff Sharkey authored
      Sadly setexeccon() is process global, so we need to carefully ensure
      that all exec() are mutually exclusive to avoid transitioning into
      unwanted domains.  Also, because we have several threads floating
      around, we need to guard all our FDs with O_CLOEXEC.

      Format all newly created volumes immediately after partitioning,
      but silence all events emitted from those volumes to prevent the
      framework from getting all excited.  Unify all notify events under a
      single codepath to make them easy to silence.

      Send SIGINT before escalating to SIGTERM when unmounting.

      Bug: 19993667
      Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
  18. 02 Apr, 2015 1 commit
  19. 01 Apr, 2015 1 commit
    • Support for private (adopted) volumes. · 9c48498f
      Jeff Sharkey authored
      This adds support for private volumes, which are just a filesystem
      wrapped in a dm-crypt layer.  For now we're using the exact same
      configuration as internal encryption (aes-cbc-essiv:sha256), but we
      don't store any key material on the removable media.  Instead, we
      store the key on internal storage, and use the GPT partition GUID
      to identify which key should be used.

      This means that private external storage is effectively as secure as
      the internal storage of the device.  That is, if the internal storage
      is encrypted, then our external storage key is also encrypted.

      When partitioning disks, we now support a "private" mode which has
      a PrivateVolume partition, and a currently unused 16MB metadata
      partition reserved for future use.  It also supports a "mixed" mode
      which creates both a PublicVolume and PrivateVolume on the same
      disk.  Mixed mode is currently experimental.

      For now, just add ext4 support to PrivateVolume; we'll look at f2fs
      in a future change.  Add VolumeBase lifecycle for setting up crypto
      mappings, and extract blkid logic into shared method.  Sprinkle some
      more "static" around the cryptfs code to improve invariants.

      Bug: 19993667
      Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
  20. 31 Mar, 2015 1 commit
    • Progress towards dynamic storage support. · 36801ccc
      Jeff Sharkey authored
      Wire up new Disk and VolumeBase objects and events to start replacing
      older DirectVolume code.  Use filesystem UUID as visible PublicVolume
      name to be more deterministic.

      When starting, create DiskSource instances based on fstab, and watch
      for kernel devices to appear.  Turn matching devices into Disk
      objects, scan for partitions, and create any relevant VolumeBase
      objects.  Broadcast all of these events towards userspace so the
      framework can decide what to mount.

      Keep track of the primary VolumeBase, and update the new per-user
      /storage/self/primary symlink for all started users.

      Provide a reset command that framework uses to start from a known
      state when runtime is restarted.  When vold is unexpectedly killed,
      try recovering by unmounting everything under /mnt and /storage
      before moving forward.

      Remove UMS sharing support for now, since no current devices support
      it; MTP is the recommended solution going forward because it offers
      better multi-user support.

      Switch killProcessesWithOpenFiles() to directly take signal.  Fix
      one SOCK_CLOEXEC bug, but SELinux says there are more lurking.

      Bug: 19993667
      Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
  21. 30 Mar, 2015 1 commit
    • Fixed type mismatch for ioctl(BLKGETSIZE) · 14eab550
      Hiroaki Miyazawa authored
      ioctl(BLKGETSIZE) expects an unsigned long
      (8 bytes on a 64-bit environment).

      This fixes failures in android.os.storage.StorageManagerIntegrationTest
      (in FrameworkCoreTests).

      To verify, install FrameworksCoreTests.apk and do:

      adb shell am instrument -r -w -e class android.os.storage.\
      StorageManagerIntegrationTest#testMountSingleEncryptedObb \
      com.android.frameworks.coretests/android.test.InstrumentationTestRunner

      Change-Id: Ib6d5c7490c02521c93f107c35ad0aac49f6a3f1a
  22. 06 Feb, 2015 1 commit
    • VolumeManager: don't use faccessat(AT_SYMLINK_NOFOLLOW) · 25e581a1
      Nick Kralevich authored
      Don't use faccessat(AT_SYMLINK_NOFOLLOW). In Android, AT_SYMLINK_NOFOLLOW
      is ignored. In glibc, it returns counterintuitive results when a
      symbolic link is encountered, returning true all the time even though
      an open(O_NOFOLLOW) will eventually fail.

      Instead, stat the file and check to see if it's a regular file,
      not a directory or symlink or some other weirdness.

      In addition, fix a bug where isAsecInDirectory would return
      true ("-1") if the asec directory didn't exist. It should return
      false.

      Bug: 18867827
      Change-Id: I33d90e9095fad36ce0f83fde105b70f72e4eaef4
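Two defensive points from this commit are worth seeing in code: checking the inode type with lstat() instead of asking faccessat(AT_SYMLINK_NOFOLLOW) a question it may answer wrongly, and never letting an error code (-1) be read as "true" by a caller. The C below is an added example written for this page, not vold's implementation; asec_in_directory() is a hypothetical stand-in for isAsecInDirectory(), the ".asec" naming follows the commit message, and the fixture directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Instead of faccessat(AT_SYMLINK_NOFOLLOW), which Android ignores and glibc
 * answers unreliably for symlinks, look at the inode itself: lstat() does
 * not follow the final path component, so a symlink shows up as S_IFLNK and
 * is rejected along with directories, devices and anything else that is
 * not a plain file. */
static bool is_regular_file_nofollow(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) {
        return false;           /* missing or unreadable: not a usable file */
    }
    return S_ISREG(st.st_mode);
}

/* Hypothetical stand-in for vold's isAsecInDirectory(): reports whether
 * <dir>/<name>.asec is present as a regular file. Returns exactly 1 or 0;
 * an absent directory is "not present" (0), never -1, so a caller writing
 * `if (isAsecInDirectory(...))` cannot mistake an error for a hit. */
static int asec_in_directory(const char *dir, const char *name) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) {
        return 0;
    }
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s.asec", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        return 0;
    }
    return is_regular_file_nofollow(path) ? 1 : 0;
}

/* Constructed fixture: a temp directory holding a regular file, a symlink to
 * it, and a subdirectory, all named like containers. The return value is a
 * bitmask of the checks that behaved as intended:
 *   bit 0: the regular file is accepted
 *   bit 1: the symlink is rejected
 *   bit 2: the directory is rejected
 *   bit 3: a missing parent directory yields 0, not -1
 * All four passing gives 15; -1 means the fixture could not be built. */
static int demo_checks(void) {
    char dir[64], file[128], link[128], sub[128];
    snprintf(dir, sizeof dir, "/tmp/asec_check_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) {
        return -1;
    }
    snprintf(file, sizeof file, "%s/real.asec", dir);
    snprintf(link, sizeof link, "%s/alias.asec", dir);
    snprintf(sub, sizeof sub, "%s/nested.asec", dir);
    unlink(link);               /* clear leftovers from an interrupted run */
    rmdir(sub);

    int result = -1;
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0 && mkdir(sub, 0700) == 0) {
            result = 0;
            if (asec_in_directory(dir, "real") == 1)   result |= 1;
            if (asec_in_directory(dir, "alias") == 0)  result |= 2;
            if (asec_in_directory(dir, "nested") == 0) result |= 4;
            if (asec_in_directory("/tmp/asec_check_missing_dir", "real") == 0) result |= 8;
        }
    }
    rmdir(sub);
    unlink(link);
    unlink(file);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("checks passed bitmask: %d (15 means all four)\n", demo_checks());
    return 0;
}
```

Returning a bool (or a strict 0/1) for a presence check, and reporting errors through a separate channel, is the general fix for the "-1 is truthy" class of bug: any caller that tests the result in an `if` gets the intended answer even when the directory is gone.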
  23. 06 Jan, 2015 1 commit
  24. 18 Dec, 2014 1 commit
    • Make vold compile with -Werror -Wall. · 8439dc9f
      Tim Murray authored
      -Wno-missing-field-initializers is used as well, but that is an
      overzealous warning from initializing structs with {0} and not a
      real warning.

      Bug: 18736778, 16868177

      Change-Id: Iffde89cd7200d9a11193e1614f1819f9fcace30a
  25. 02 Sep, 2014 1 commit
    • Correctly remove asecs for full disk encryption · 60dec16c
      Paul Lawrence authored
      Previously this would fail if the framework wasn't stopped. The failure
      would then stop full disk encryption. The fact that the unmount worked,
      however, would then stop the second attempt from achieving anything.

      Fix in line with current retry philosophy.

      We still need to figure out why Devmapper::destroy() fails at first.

      Bug: 17301843
      Change-Id: I405a36c832ccdebf2d904bef77f15eea174a6bfb
  26. 22 Aug, 2014 1 commit
    • ASEC resize tweaking, allow read-write mounting. · 43ed123d
      Jeff Sharkey authored
      Resize is no-op when sector count is unchanged; the caller can't
      anticipate how vold does its sector calculations.

      After resizing, we need to mount the container read-write, so allow
      the caller to request "ro" or "rw" mode.

      Handle ENOTSUP when trying to fallocate() on some filesystems.

      Bug: 16514385
      Change-Id: I0d3a378280d4c36d14f8108ff428102283d583fa
  27. 25 Jul, 2014 1 commit
    • vold: support "volume list [broadcast]" command · 40b64a68
      JP Abgrall authored
      Sometimes when an sdcard is already mounted,
      some info like uuid and label are not re-broadcast to new listeners.
      The extra argument to list allows late listeners to catch up by asking
      volume list to broadcast that info again.

      Bug: 16253597
      Bug: 16306775
      Change-Id: Ie7d0c1132c22d307a5b2a0e50075a3716138d00b
      Signed-off-by: Benson Huang <benson.huang@mediatek.com>
      (cherry picked from commit 85f4700f44170b772697e627b3075dcb9137e1b7)
  28. 11 Jun, 2014 1 commit
  29. 10 Jun, 2014 1 commit
  30. 28 May, 2014 1 commit
  31. 15 May, 2014 1 commit
    • avoid fs_mkdirs when SD card removed · 27cfee3f
      Cylen Yao authored
      Must limit vold calls to fs_mkdirs() to only when the volume is mounted.
      If not, it triggers an SELinux denial like the following:
      audit(1398835637.785:8): avc:  denied  { write } for  pid=137 comm="vold" name="sdcard0" dev="rootfs" ino=3191 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

      Change-Id: I1113fc961cbdd8bbd2fcbf740c2f504628c8399d
      Signed-off-by: Cylen Yao <cylen.yao@mediatek.com>
  32. 03 Mar, 2014 1 commit
  33. 12 Feb, 2014 1 commit
  34. 07 Feb, 2014 1 commit
    • vold: fix errors inside ALOGV · 59846b65
      Colin Cross authored
      Fix errors exposed by adding compile-time checking to disabled ALOGVs.

      Change-Id: I29bd6e9a7648ccca02e0e9a96b79ee0ea7b5cfc6
  35. 06 Feb, 2014 1 commit
  36. 27 Jan, 2014 2 commits
    • Validate asec names. · 0de7c611
      Nick Kralevich authored
      Make sure asec names only contain alphanumeric, underscores,
      dots, or dashes. Don't allow double dots.

      Bug: 12504045

      (cherry picked from commit 66962609)

      Change-Id: Ia9d04f373aa95878b2e81584c4167dc2d4aa0c78
    • Validate asec names. · 66962609
      Nick Kralevich authored
      Make sure asec names only contain alphanumeric, underscores,
      dots, or dashes. Don't allow double dots.

      Bug: 12504045
      Change-Id: I3dd0350c79327dc91a5a10d5724d85d99814e769
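Both "Validate asec names" commits above (the original and its cherry-pick) state the same rule: a container name may contain only alphanumerics, underscores, dots and dashes, and never two dots in a row. The reason is that the name is spliced into a filesystem path, so anything like "../" would let a caller reach outside the container directory. The C below is an added example written for this page, not vold's code: asec_name_is_valid() implements the stated rule, and build_asec_path() shows the validation gating path construction; ASEC_DIR is a constructed placeholder, not the real Android location.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accepts only names made of ASCII letters, digits, '_', '.' and '-', with
 * no ".." anywhere. Everything else, including '/', whitespace, non-ASCII
 * bytes and the empty string, is rejected. Stand-in written for this page,
 * not vold's own implementation. */
static bool asec_name_is_valid(const char *name) {
    if (name == NULL || name[0] == '\0') {
        return false;
    }
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        bool allowed = c < 0x80 &&
                       (isalnum(c) || c == '_' || c == '.' || c == '-');
        if (!allowed) {
            return false;
        }
        if (c == '.' && p[1] == '.') {
            return false;       /* "..", whether on its own or inside "a..b" */
        }
    }
    return true;
}

/* Placeholder base directory for the demo; not the real Android path. */
#define ASEC_DIR "/constructed/asec"

/* Builds the on-disk container path. Returns 0 and fills `out` only for a
 * valid name, -1 otherwise, so an invalid name never reaches the
 * filesystem. With the check above, a name such as "../foo" cannot yield
 * a path outside ASEC_DIR. */
static int build_asec_path(const char *name, char *out, size_t outsz) {
    if (!asec_name_is_valid(name)) {
        return -1;
    }
    int n = snprintf(out, outsz, ASEC_DIR "/%s.asec", name);
    if (n < 0 || (size_t)n >= outsz) {
        return -1;
    }
    return 0;
}

/* Helper for checking results: 1 if build_asec_path() accepts `name` and
 * produces exactly `expected`, 0 otherwise. */
static int path_equals(const char *name, const char *expected) {
    char buf[256];
    if (build_asec_path(name, buf, sizeof buf) != 0) {
        return 0;
    }
    return strcmp(buf, expected) == 0 ? 1 : 0;
}

int main(void) {
    /* Constructed sample names covering the accept and reject cases. */
    const char *samples[] = {
        "com.example.app-1", "ok_name.v2", "../etc", "a..b", "x/y", "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s %s\n", samples[i],
               asec_name_is_valid(samples[i]) ? "valid" : "rejected");
    }
    return 0;
}
```

The allow-list approach is what makes this robust: rather than trying to enumerate dangerous sequences, everything outside a small character set is refused, and the one in-set sequence that still matters for traversal ("..") is rejected explicitly.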
  37. 24 Jan, 2014 1 commit
    • vold: fix warnings for 64-bit · 346c5b20
      Colin Cross authored
      Replace MINOR(dev_t) and MAJOR(dev_t) with minor and major,
      which cast to int.
      Cast int to uintptr_t before casting to pointer.

      Change-Id: I59375518f15d27f400fcd4f8a8dfe5ebdd8350e6
  38. 17 Oct, 2013 1 commit
    • Clean up ASEC unmounting on physical storage. · 8c2c15b1
      Jeff Sharkey authored
      When physical devices are unsafely removed, unmountAllAsecsInDir()
      fails to find any ASECs, and leaves them all mounted, preventing the
      rest of the volume from going down.

      Now we examine all ASEC containers, and remove when on external
      storage, or when the storage media is no longer found.

      Bug: 11175082
      Change-Id: Iffa38ea43f7e5ad78b598374ebeb60a8727d99fd
  39. 16 Oct, 2013 1 commit