- 21 Oct, 2015 3 commits
-
-
Oleksiy Avramchenko authored
The expression otherwise overflows for large devices. It's fsblkcnt_t -> unsigned long, which is 32 bit on ARMv7. Bug: 25162062 Change-Id: I46c5e00558b7dbd6abd50fae4727396079044df2
-
Jeff Sharkey authored
When unmounting an emulated volume, look for apps with open files using the final published volume path. Without this change, we were only looking at the internal paths used for runtime permissions, which apps never use directly. This meant we'd always fail to unmount the volume if apps didn't respect the EJECTING broadcast, and volume migration would end up wedged until the device rebooted. Bug: 24863778 Change-Id: Ibda484e66ab95744c304c344b226caa5b10b7e2e
-
Paul Lawrence authored
-
- 12 Oct, 2015 1 commit
-
-
Jeff Sharkey authored
-
- 01 Oct, 2015 1 commit
-
-
David Ng authored
The device mapper storage device node can take some time to be created; so retry. Bug: 23024596 Change-Id: Ieeb3b697f9cef72d4ea9d106750696901f0a224d
-
- 23 Sep, 2015 1 commit
-
-
Jeff Sharkey authored
When formatting media as a public volume, we write an MBR, but we might leave a stale GPT floating around. Some devices are configured to aggressively prefer GPT when detected, even if the checksums between primary/secondary don't match. To work around this, nuke both MBR and GPT tables from the media before we lay down our new MBR. Bug: 24112219 Change-Id: Ibf1be466a6877cbab925a24db5e5dbab0613bea7
-
- 09 Sep, 2015 2 commits
-
-
Jeff Sharkey authored
The framework can request that a benchmark be run after an fstrim, but it was disabled due to a kernel bug on certain devices. That bug has long been fixed, so it should be safe to enable this again. Bug: 23942769 Change-Id: Ibe967a75856d0cbad45e2f8f3120f1970caf36d0
-
Paul Lawrence authored
Bug: 22989588 Change-Id: I21403233d84031869d929c46c3c7b2ebefb3caff
-
- 24 Aug, 2015 1 commit
-
-
Paul Crowley authored
Bug: 23395513 Change-Id: I3d76b77339f995103c0aec09c6de77b3c8cdc0dd
-
- 12 Aug, 2015 2 commits
-
-
Jeff Sharkey authored
* commit 'eddf9bd6': Request specific tags from blkid.
-
Jeff Sharkey authored
Otherwise blkid can emit tags like SEC_TYPE which mess with the value extraction code. Bug: 23069906 Change-Id: Id2a588ff43a538747d1e44cd8218c96ebd0192c2
-
- 06 Aug, 2015 2 commits
-
-
Jeff Sharkey authored
* commit '1bd078fa': Protect runtime storage mount points.
-
Jeff Sharkey authored
We have a bunch of magic that mounts the correct view of storage access based on the runtime permissions of an app, but we forgot to protect the real underlying data sources; oops. This series of changes just bumps the directory hierarchy one level to give us /mnt/runtime which we can mask off as 0700 to prevent people from jumping to the exposed internals. Also add CTS tests to verify that we're protecting access to internal mount points like this. Bug: 22964288 Change-Id: I83f09f0423f4993e766273c50389dd29b1c50589
-
- 31 Jul, 2015 1 commit
-
-
Jeff Sharkey authored
* commit '8474ee32': Return useful path when not visible.
-
- 30 Jul, 2015 1 commit
-
-
Jeff Sharkey authored
This allows apps like ExternalStorageProvider to still read/write files on transient storage devices which aren't mounted as visible. Bug: 22545248 Change-Id: Idacb15f2233245a8e1861d9be977535a82b218ec
-
- 29 Jul, 2015 4 commits
-
-
Jeff Sharkey authored
* commit 'd46687ee': Use random data for benchmark instead of zeros.
-
Jeff Sharkey authored
If we always write zeros, we're leaving a giant pile of known plaintext at an almost deterministic location on newly formatted volumes. To avoid this, repeat a 64K chunk of random data. Bug: 22816936 Change-Id: Iedc067a519bd676a93b9d74ea4f9f77c84c8461c
-
Jeff Sharkey authored
* commit '20642ae7': Give secondary users read-only physical cards.
-
Jeff Sharkey authored
Long ago, we mounted secondary physical cards as readable by all users on the device, which enabled the use-case of loading media on a card and viewing it from all users. More recently, we started giving write access to these secondary physical cards, but this created a one-directional channel for communication across user boundaries; something that CDD disallows. This change is designed to give us the best of both worlds: the package-specific directories are writable for the user that mounted the card, but access to those "Android" directories is blocked for all other users. Other users remain able to read content elsewhere on the card. Bug: 22787184 Change-Id: I75dbd339f11402ae774c7e4b8f2b15ee216270e8
-
- 23 Jul, 2015 1 commit
-
-
Jeff Sharkey authored
* commit '32679a82': Create user directory on emulated storage.
-
- 21 Jul, 2015 1 commit
-
-
Jeff Sharkey authored
When mounting a primary external storage device that is multi-user aware, ensure that the user-specific directory actually exists before moving forward. Bug: 22472026 Change-Id: I33c8eed261a9c0d5acedd5be6133ed9990679d08
-
- 13 Jul, 2015 8 commits
-
-
Paul Crowley authored
Change-Id: I9eef440a1f406c2c73c859f5ae7cee35f6a36ca4
-
Paul Crowley authored
Bug: 19706593 (cherry picked from commit 747e1f7a) Change-Id: I9a605c736a2fa909cd4999e1e8d022d49a562767
-
Paul Crowley authored
Bug: 19706593 (cherry-picked from commit 8d0cd7ffd903a753c6bb5c6f33987a7a66621cef) Change-Id: Ieea73da233fe53767b5adcdb4d49f9bb00fedac1
-
Paul Crowley authored
Bug: 19706593 (based on work in commit 8d0cd7ffd903a753c6bb5c6f33987a7a66621cef) Change-Id: I9699275a63f2d0a110435bd4a725d7dfcce4ed90
-
Paul Crowley authored
Bug: 19706593 (cherry-picked from commit eebf4456) Change-Id: I50dc4c39595c06bf0016d6a490130bbbc25de91b
-
Paul Crowley authored
directories Bug: 19704432 (cherry-picked from commit 75a5202d) Change-Id: I733e8745ec21f8e53c2cc6d8a98313275db7d897
-
Paul Crowley authored
non-master keys. Bug: 19704432 (cherry-picked from commit 1da96dc5) Change-Id: I762e8f6c927db3a337fa8ce6bd428262d9e05c7a
-
Paul Lawrence authored
Bug: 22329642 Change-Id: I58dac4dba8e65c7015d50ca0c3575f77f550a215
-
- 08 Jul, 2015 1 commit
-
-
Jeff Sharkey authored
We really only support a single emulated volume on the device at a time, either on internal storage, or moved to a private volume. To avoid kicking off a giant rescan of all media when moved, keep all the paths the same when mounted as primary. Also ensure we have /data/media/0 ready on private volumes. Bug: 20275423 Change-Id: I0c102f430b865ca7536772b1fae56d8c9660a97a
-
- 01 Jul, 2015 1 commit
-
-
Jeff Sharkey authored
Refactor fstrim code to be encapsulated in unique task object, and give it option of benchmarking when finished. Trimming now includes both storage from fstab and adopted private volumes. Cleaner timing stats are logged for each unique volume. Add wakelock during ongoing async move tasks. Push disk sysfs path to framework so it can parse any SD card registers as desired. Bug: 21831325 Change-Id: I76577685f5cae4929c251ad314ffdaeb5eb1c8bf
-
- 30 Jun, 2015 1 commit
-
-
Jeff Sharkey authored
In order to compare results from readlink() calls, we need to null terminate the read value, otherwise we can end up doing an infinitely recursive remount in the root namespace. When remounting inside a namespace, unmount all existing mounts before mounting the new storage into place. This also means we need to mount the user-specific symlinks back into place. Skip spinning up the FUSE daemon when not visible, otherwise we get stuck waiting for a daemon that never shows up. Bug: 22192518, 22204412 Change-Id: Icc7db822354ab7ffc47c39cd0611f65edecc32e5
-
- 26 Jun, 2015 2 commits
-
-
Jeff Sharkey authored
Some storage devices can be formatted as bare partitions, without an MBR or GPT header. If we found no partitions, try poking at the raw disk, and treat it as a public volume if we found a valid filesystem. Bug: 20503551 Change-Id: I80304e1ad865435321c341b667c0daf2daf4d56c
-
Jeff Sharkey authored
Now that we're treating storage as a runtime permission, we need to grant read/write access without killing the app. This is really tricky, since we had been using GIDs for access control, and they're set in stone once Zygote drops privileges. The only thing left that can change dynamically is the filesystem itself, so let's do that. This means changing the FUSE daemon to present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and filesystem permissions are derived the same way for each view, but the file modes are masked off differently for each mountpoint. During Zygote fork, it wires up the appropriate storage access into an isolated mount namespace based on the current app permissions. When the app is granted permissions dynamically at runtime, the system asks vold to jump into the existing mount namespace and bind mount the newly granted access model into place. Bug: 21858077 Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
-
- 24 Jun, 2015 3 commits
-
-
Makoto Onuki authored
-
Makoto Onuki authored
Bug 21948137 Change-Id: I6843423fd8809d9e2f352059a810aa17dd83b3e3
-
Shawn Willden authored
Also remove the app ID and additional padding and digest options. Bug: 22009890 Change-Id: Ibff9bbd0e0c11d651d11fac85d4ac907588f1cd2
-
- 22 Jun, 2015 1 commit
-
-
Jeff Sharkey authored
Report both the disk and the partition GUID for private volumes to userspace, and offer to forget the encryption key for a given partition GUID. Bug: 21782268 Change-Id: Ie77a3a58e47bf3563cdb3e4b0edfab1de4d0e6b4
-
- 19 Jun, 2015 1 commit
-
-
Shawn Willden authored
Note that this CL depends on cl 712195, which must be submitted first. Bug: 21607106 Change-Id: Iafc42d1c8a1145a31ea252b33b404044f92ec62b
-
- 17 Jun, 2015 1 commit
-
-
Shawn Willden authored
Bug: 21607106 Change-Id: I498141b90888d4f0652912413b04519f61886935
-