History log of /system/core/sdcard/sdcard.c
Revision Date Author Comments
b9f438ff841f87c8ffbca85b13a533718a18e15f 06-Aug-2015 Jeff Sharkey <jsharkey@android.com> Protect runtime storage mount points.

We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.

This series of changes just bumps the directory hierarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.

Also add CTS tests to verify that we're protecting access to
internal mount points like this.

Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
/system/core/sdcard/sdcard.c
10a239b971d737b15a5d0652a441994e5c02ad88 28-Jul-2015 Jeff Sharkey <jsharkey@android.com> Give secondary users read-only physical cards.

Long ago, we mounted secondary physical cards as readable by all
users on the device, which enabled the use-case of loading media on
a card and viewing it from all users.

More recently, we started giving write access to these secondary
physical cards, but this created a one-directional channel for
communication across user boundaries; something that CDD disallows.

This change is designed to give us the best of both worlds: the
package-specific directories are writable for the user that mounted
the card, but access to those "Android" directories is blocked for
all other users. Other users remain able to read content elsewhere
on the card.

Bug: 22787184
Change-Id: I4a04a1a857a65becf5fd37d775d927af022b40ca
/system/core/sdcard/sdcard.c
ed2fe57c2509d0d784ba7dbce1deef21afb2a612 16-Jul-2015 Jeff Sharkey <jsharkey@android.com> Use single tree for multiple storage views.

Instead of having each view build and maintain its own tree
representing the underlying storage, switch to building a single tree
that each view augments with GID/mode specific behavior.

This has the nice property of a single file always having the same
node ID when presented across multiple views, giving us a firm handle
that we can use to invalidate kernel caches.

Specifically, when a file is deleted through one view, we now tell
the kernel to invalidate that file in the other two views.

Bug: 22477678, 22375891
Change-Id: I3ff041d549d41040839cde9773504719a508219f
/system/core/sdcard/sdcard.c
6b6c1bd996be7b7b640ef9b074435620f73eecac 06-Jul-2015 Mark Salyzyn <salyzyn@google.com> Gracefully handle ENODEV in sdcard daemon (part deux)

reorder to handle errno correctly and remove log stutter

Bug: 22197797
Bug: 22241640
Change-Id: I81e6b2ff15b6ea6e5e780bd3599bf1019ff36f26
/system/core/sdcard/sdcard.c
25aabb9edeb9203e52758d307b8a94ec8c64d338 06-Jul-2015 Jeff Sharkey <jsharkey@android.com> Permission to view shared storage for all users.

Typical apps are restricted so they can only view shared storage
belonging to the user they're running as. However, a handful of
system components need access to shared storage across all users,
such as DefaultContainerService and SystemUI.

Since WRITE_MEDIA_STORAGE already offers this functionality by
bypassing any FUSE emulation, reuse it to grant the "sdcard_rw" GID
which is no longer handed out to third-party apps. Then we change
the FUSE daemon to allow the "sdcard_rw" GID to see shared storage
of all users.

Bug: 19995822
Change-Id: Id2fe846aefbf13fc050e9b00ddef120021e817f4
/system/core/sdcard/sdcard.c
4a4858185177616707dda7ab562f45a0a8494e3f 01-Jul-2015 Jeff Sharkey <jsharkey@android.com> Gracefully handle ENODEV in sdcard daemon.

When someone force-unmounts our target endpoint, gracefully handle by
terminating, instead of looping on the same errno forever.

Bug: 22197797
Change-Id: I7e71632f69d47152ea78a94431c23ae69aba9b93
/system/core/sdcard/sdcard.c
169944afdfa328351a327cb3862dca2252d6a3f9 26-Jun-2015 Jeff Sharkey <jsharkey@android.com> Remove unused methods to fix build.

Change-Id: I6e1f85a7cc3428d558460737da3b3193d035b73e
/system/core/sdcard/sdcard.c
f38f29c87d97cea45d04b783bddbd969234b1030 23-Jun-2015 Jeff Sharkey <jsharkey@android.com> Let's reinvent storage, yet again!

Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

Bug: 21858077
Change-Id: I5a016f0958a92fd390c02b5ae159f8008bd4f4b7
/system/core/sdcard/sdcard.c
dac7f85d16c5bee79b6d944e0635fa1b6bceebb8 24-Apr-2015 Elliott Hughes <enh@google.com> am 3d671000: am 28693983: am 1a39a994: Merge "Correct magic number on umount2"

* commit '3d671000c7268fcfcaf5445734b88428af26c294':
Correct magic number on umount2
4555b69f266513025aed94c901af09bf13923286 24-Apr-2015 William Roberts <bill.c.roberts@gmail.com> Correct magic number on umount2

The umount2 call was using the magic constant 2 which
has a defined and proper macro in mount.h as MNT_DETACH.

Change-Id: I4ca4a6d31cbf5495c545088e3d90a8894a9f912f
/system/core/sdcard/sdcard.c
c5f37661f9143d3b90996a9241a798ae0651c727 04-Apr-2015 Elliott Hughes <enh@google.com> am 03c0adab: am 6a99ff0a: am 3a4aedfc: Merge "sdcard: Properly handle deleted nodes"

* commit '03c0adab88fcb91393f934f213f953c1f23762d5':
sdcard: Properly handle deleted nodes
3a4aedfcd3354b903aa48a836cb55ee01db9f896 04-Apr-2015 Elliott Hughes <enh@google.com> Merge "sdcard: Properly handle deleted nodes"
bfe72ddb2001b52c28540ab63be6b908ce595b47 02-Apr-2015 Elliott Hughes <enh@google.com> am d71b0943: am 2d4a347e: am fad9b3eb: Merge "sdcard: Turn on noatime for fuse mounted sdcard"

* commit 'd71b0943de271d308ec1aeb1fa834dd35fedee50':
sdcard: Turn on noatime for fuse mounted sdcard
fc0004894a3ff93382493688bb9ab9af83b74ea4 16-Mar-2015 Jeff Sharkey <jsharkey@android.com> Progress towards dynamic storage support.

To support external storage devices that are dynamically added and
removed at runtime, we're changing /mnt and /storage to be tmpfs that
are managed by vold.

To support primary storage being inserted/ejected at runtime in a
multi-user environment, we can no longer bind-mount each user into
place. Instead, we have a new /storage/self/primary symlink which
is resolved through /mnt/user/n/primary, and which vold updates at
runtime.

Fix small mode bugs in FUSE daemon so it can be safely mounted
visible to all users on device.

Bug: 19993667
Change-Id: I0ebf4d10aba03d73d9a6fa37d4d43766be8a173b
/system/core/sdcard/sdcard.c
6c161fa7d85b3191476d12220c94cfd974c0afa9 24-Mar-2015 Jeff Sharkey <jsharkey@android.com> Fix bug blocking access to secondary users.

Change-Id: I97ce510b6bc705488b9bea3340a72fb5449f8134
/system/core/sdcard/sdcard.c
05edf7a5a9ee03f9b026320ebad7b018edba9543 24-Mar-2015 Jeff Sharkey <jsharkey@android.com> Fix build, missed refactoring.

Change-Id: I17337133d8ca6a421e12c0834f42655f1a10197e
/system/core/sdcard/sdcard.c
a140afe454319e5c5fc78b4498fc6c2ca6d5ad31 24-Mar-2015 Jeff Sharkey <jsharkey@android.com> Add multi-user GIDs to SD card daemon.

This will eventually allow us to have a single unified filesystem
instead of requiring zygote to use bind mounts.

Change-Id: I1fc4ada4874698a00e7e0b8800617732e69348f0
/system/core/sdcard/sdcard.c
c5353126bec17f8c43f2c4ca5b5e55cd6b3ed41c 16-Jul-2014 Krzysztof Adamski <krzysztof.adamski@sonymobile.com> sdcard: Properly handle deleted nodes

The sdcard fuse daemon is not properly handling deleted nodes that are
still in use (opened by some process). Typically Linux filesystems make
it possible to open a file, unlink it and then still use it. In case of a
storage emulated by sdcard daemon this does not work as expected - other
processes are not able to recreate file/dir with the same name until all
references to deleted file are closed.

The easiest way to trigger this problem is:

process1: mkdir /sdcard/test1; cd /sdcard/test1
process2: rm -r /sdcard/test1
process2: mkdir /sdcard/test1

After that, process2 will get an error:
mkdir failed for /sdcard/test1, Device or resource busy

There is exactly the same problem with files as directories.
This may cause issues for example with directories that are
automatically recreated when they are missing (like DCIM directory). If
some process holds file opened inside of such directory but that
directory is removed, process trying to recreate the directory will get
EBUSY error and possibly crash.

Verified on the Z Ultra GPE.

Change-Id: I1cbf0bec135e6aaafba0ce8e5bb594e3639e0007
/system/core/sdcard/sdcard.c
55cc5e52175c0ab1aec2cdb878096d9ea2307a9f 24-Jan-2015 Johan Redestig <johan.redestig@sonymobile.com> sdcard: Turn on noatime for fuse mounted sdcard

This provides symmetry with /data and /cache that are
typically mounted with noatime.

Change-Id: I6fe1bead368b52632424b03b50d4081852824cdb
/system/core/sdcard/sdcard.c
5aadceb56ff2f5ef74b3bbc004a802edbeda6f6d 13-Jan-2015 Narayan Kamath <narayan@google.com> sdcard : inode numbers must be fully representable as uint32_t.

This works around a bug on 64 bit kernels + sdcard daemons
where we were using memory addresses as inode numbers.

bug: 19012244

(cherry picked from commit faa0935ffb772759f795d6b29c6db6f83e8531c4)

Change-Id: Idbf9e285e507e702e04e7461a10153df68ef2322
/system/core/sdcard/sdcard.c
4b69d15c03a091878a459936e3f5cefece57d0f4 15-Jan-2015 Narayan Kamath <narayan@google.com> am 0f86444b: Merge "sdcard : inode numbers must be fully representable as uint32_t." into lmp-mr1-dev

* commit '0f86444b3912cadb4227755f3b80d2ff74841575':
sdcard : inode numbers must be fully representable as uint32_t.
faa0935ffb772759f795d6b29c6db6f83e8531c4 13-Jan-2015 Narayan Kamath <narayan@google.com> sdcard : inode numbers must be fully representable as uint32_t.

This works around a bug on 64 bit kernels + sdcard daemons
where we were using memory addresses as inode numbers.

bug: 19012244

Change-Id: Ia63c5b33b4212bf03ff92fa2faff0bb76e48791c
/system/core/sdcard/sdcard.c
5eb431180bcc0fb153d2c821c6735aadcda02ae5 10-Dec-2014 Marco Nelissen <marcone@google.com> Merge "Allow updates for open file descriptors"
a80f0986bb39ae03ba9014bf4974fc26ae48da70 10-Dec-2014 Marco Nelissen <marcone@google.com> Allow updates for open file descriptors

even if the calling process itself would not be able to open the file.

Bug: 18688419

Change-Id: I640db19f19c1a677735fd0c14b7e2e38977d0f4d
/system/core/sdcard/sdcard.c
a5a4e9e0cad383f0c14dbe92a60b7d8150ae6b1f 24-Nov-2014 Daisuke Okitsu <daisuke.x.okitsu@sonyericsson.com> sdcard: mount sdcard with the noexec option

Vold mounts the sdcard with noexec, but the fuse daemon
mounts with exec, so it is still possible to execute
binaries:

/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,
user_id=1023,group_id=1023,default_permissions,allow_other 0 0

/dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,
nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,
dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,
shortname=mixed,utf8,errors=remount-ro 0 0

With this change both vold and fuse mount with noexec.

(cherry picked from commit f777d6694eecf6e61d9859df2090199863050017)

Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
/system/core/sdcard/sdcard.c
00690852b4a8a02bf76a3ab15555cda11c860493 24-Nov-2014 Daisuke Okitsu <daisuke.x.okitsu@sonyericsson.com> sdcard: mount sdcard with the noexec option

Vold mounts the sdcard with noexec, but the fuse daemon
mounts with exec, so it is still possible to execute
binaries:

/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,
user_id=1023,group_id=1023,default_permissions,allow_other 0 0

/dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,
nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,
dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,
shortname=mixed,utf8,errors=remount-ro 0 0

With this change both vold and fuse mount with noexec.

Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
/system/core/sdcard/sdcard.c
19ec8860c1d80836b176dbf3dc434a94182094b7 04-Aug-2013 Daisuke Okitsu <daisuke.x.okitsu@sonymobile.com> Sdcard: Initialize the padding output value

Add initialization of the output value in handle_write.
This value is referred to in FUSE so initialization is
necessary.

See also handle_open and handle_opendir.

Change-Id: I6507f113da9f6823fbfa459624d6594fc20afa51
/system/core/sdcard/sdcard.c
f1df854e5857f6dd8fa64b185f8b7cf007463f81 10-Nov-2014 Elliott Hughes <enh@google.com> bionic's struct stat is now POSIX-compliant.

Right now we still have the kernel names, but they're only there by
"virtue" of macro namespace pollution, so I'd like to get rid of them.

Bug: 18298106
Change-Id: Ifed0b3a9238c79a99d8a2b62e0f5897c50a725d1
/system/core/sdcard/sdcard.c
9d859fee5ebd5eda19c3a1c4e1c320903c679d43 16-Sep-2014 Christopher Ferris <cferris@google.com> am f37bfb32: am 23aeeff5: Merge "Use the correct fuse_init_out structure size."

* commit 'f37bfb32eb82393d14e339684c9f508cea3b0ab4':
Use the correct fuse_init_out structure size.
ff649ea5ab6a83910e414841fd02997cf9d54e60 13-Sep-2014 Christopher Ferris <cferris@google.com> Use the correct fuse_init_out structure size.

Kernel 2.6.16 is the first stable kernel with struct fuse_init_out
defined (fuse version 7.6). The structure is the same from 7.6 through
7.22. Beginning with 7.23, the structure increased in size and added
new parameters.

If the kernel only works on minor revs older than or equal to 22,
then use the older structure size since this code only uses the 7.22
version of the structure.

Change-Id: If2507a02ad674fcf02869a325221339ae1ace64d
/system/core/sdcard/sdcard.c
787a2cce94d61cfc2f2e87a71c3d0f9bb00fc088 01-Aug-2014 Elliott Hughes <enh@google.com> am 33a5575a: am 39a8ade7: Merge "Fix sdcard truncates."

* commit '33a5575a585bdc4000be06f96554309b5d3471ff':
Fix sdcard truncates.
853574ddc766da725dd114fe1d1102c59f713f3b 31-Jul-2014 Elliott Hughes <enh@google.com> Fix sdcard truncates.

Use truncate64 instead of truncate so we don't truncate (ho ho) the offset.

(cherrypick of 4568565e85bf2e1ea11b2e09d72e244088c05dbc.)

Bug: https://code.google.com/p/android/issues/detail?id=74039
Change-Id: I63711ccd299e3ebc475563b1999817d1919571ab
/system/core/sdcard/sdcard.c
4568565e85bf2e1ea11b2e09d72e244088c05dbc 31-Jul-2014 Elliott Hughes <enh@google.com> Fix sdcard truncates.

Use truncate64 instead of truncate so we don't truncate (ho ho) the offset.

Bug: https://code.google.com/p/android/issues/detail?id=74039
Change-Id: I63711ccd299e3ebc475563b1999817d1919571ab
/system/core/sdcard/sdcard.c
504b4e9cc93abbcd115c72e7b2707d73df442090 25-Jul-2014 Nick Kralevich <nnk@google.com> Merge "sdcard: ensure installd fs upgrade has completed" into lmp-dev
8d28fa71fce6a5623488614250970ce78551a924 25-Jul-2014 Nick Kralevich <nnk@google.com> sdcard: ensure installd fs upgrade has completed

Before running the sdcard daemon, make sure that installd has
completed all upgrades to /data that it needs to complete.
This avoids race conditions between installd and the sdcard daemon.

Maybe fixes bug 16329437.

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
/system/core/sdcard/sdcard.c
e43b99a0741dd481aacf76c3dc0f5102864a6857 23-Jul-2014 Marcus Oakland <marcus.oakland@arm.com> Correction to TRACE format strings

When built with "#define FUSE_TRACE 1" numerous TRACE statements
failed to compile because of mismatches between format strings and
types (uint64_t and size_t). These have been corrected by using the
format strings from the inttypes.h header file, or %zu.

Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>

(cherry picked from commit d33308752fb7cecac751f20f4651aec05fc889db)

Change-Id: I550b422a6b7c92ea903b4dd8f5e4aec5637cdf67
/system/core/sdcard/sdcard.c
506edb5f7ca1cc6e26cd136177d37cbd5c66a1e1 25-Jul-2014 Nick Kralevich <nnk@google.com> sdcard: ensure installd fs upgrade has completed

Before running the sdcard daemon, make sure that installd has
completed all upgrades to /data that it needs to complete.
This avoids race conditions between installd and the sdcard daemon.

Maybe fixes bug 16329437.

(cherrypicked from commit 8d28fa71fce6a5623488614250970ce78551a924)

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
/system/core/sdcard/sdcard.c
d33308752fb7cecac751f20f4651aec05fc889db 23-Jul-2014 Marcus Oakland <marcus.oakland@arm.com> Correction to TRACE format strings

When built with "#define FUSE_TRACE 1" numerous TRACE statements
failed to compile because of mismatches between format strings and
types (uint64_t and size_t). These have been corrected by using the
format strings from the inttypes.h header file, or %zu.

Change-Id: I36cd6f8da0790f1218d7dbaaa5b3bbfa4df7fdee
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
/system/core/sdcard/sdcard.c
6ebab06dc4e7149b4deb5032518c64b881801259 09-Jul-2014 Elliott Hughes <enh@google.com> am f043f061: am 060b6ecb: am 6e141aea: Merge "Fix sdcard's FUSE_FSYNCDIR handling."

* commit 'f043f061295a787aca42186fe9ab87c24d393b92':
Fix sdcard's FUSE_FSYNCDIR handling.
40372e5b4ed1027418485a66d80e48748eedc07f 09-Jul-2014 Elliott Hughes <enh@google.com> am 94645665: am f8acdcbe: am 75b7171f: Merge "Make sdcard log to the log rather than stderr."

* commit '9464566580559b7353e6e2c898da79ffbbf993aa':
Make sdcard log to the log rather than stderr.
300d5649800744b3f5eab478f2bd7921f584b07d 08-Jul-2014 Elliott Hughes <enh@google.com> Make sdcard log to the log rather than stderr.

Change-Id: I9c78941184c5e364055bfac766e1e542d3c23c87
/system/core/sdcard/sdcard.c
f6d6737529ea164fd2ea79f02cc78a46bb9260f5 08-Jul-2014 Elliott Hughes <enh@google.com> Fix sdcard's FUSE_FSYNCDIR handling.

For a file the FUSE fh is a struct handle containing an int fd;
for a directory it's a struct dirhandle containing a DIR*. Fix
handle_fsync to extract the file descriptor appropriately in
both cases.

Bug: 14613980
Change-Id: I45515cff6638e27a99b849e6fc639d355dbb4d27
/system/core/sdcard/sdcard.c
2e7d80d10acf95076dfb1f2727455432091de65f 31-May-2014 Jeff Sharkey <jsharkey@android.com> Per-app media directories on external storage.

This change defines per-app directories on external storage that
will be scanned and included in MediaStore. This gives apps a way
to write content to secondary shared storage in a way that can
easily be surfaced to other apps.

Bug: 14382377
Change-Id: I6f03d8076a9391d8b9eb8421ec3fc93669b3ba0d
/system/core/sdcard/sdcard.c
60281d556ded9fed3df770befb58990f7ae2e04f 07-May-2014 Elliott Hughes <enh@google.com> Use bionic's <linux/fuse.h>.

No need for an out-of-date copy of a uapi header.

Change-Id: Iec68c6ceb2bceca1ceef0c57e0b45a89a139e292
/system/core/sdcard/sdcard.c
b2831a2db9e0370c5f797c037c135108025f2522 17-Feb-2014 Daisuke Okitsu <daisuke.x.okitsu@sonymobile.com> Handle FUSE_FSYNCDIR as FUSE_FSYNC

There have been issues with sdcard data corruption even after
successfully calling fsync for /sdcard. This is caused by
the sdcard daemon doing nothing in this case.

Change-Id: I48149ceabdac79ac535b35c2598bb1fbb5410883
/system/core/sdcard/sdcard.c
49e9344bddca3699c04f3da8c689d0f2b1a338b6 18-Feb-2014 Arpad Horvath <secracon@gmail.com> sdcard: direct I/O file access write buffer alignment

It is not enough to align the read buffer only, because
consequent writes might still fail with EINVAL. The write
buffer should be also aligned according to the write(2)
manual page.

Change-Id: I7547dec5208732c56f4466c1b0c88f36dabacf5b
/system/core/sdcard/sdcard.c
80b435a3f35795600654e9705f4b3fbbcc427a9d 15-Feb-2014 Arpad Horvath <secracon@gmail.com> sdcard: direct I/O file access fix

If a file is opened in direct I/O mode (with O_DIRECT flag),
the read buffer address must be aligned to memory page size
boundary. The Direct I/O is not needed for normal files,
however, some special hardware access (e.g. smart SD cards)
will not work without it.

Change-Id: I42babeee86dba1880fd23e2592fddd7060da3e20
/system/core/sdcard/sdcard.c
5d9fe779c8ec2705865a23061834ad8cdbee5b82 06-Feb-2014 Elliott Hughes <enh@google.com> system/core LP64 cleanup.

Fixes -Wint-to-pointer and -Wpointer-to-int warnings, plus various -Wformat
warnings.

Change-Id: I6c5eea6b4273d82d28b8e5d2925f3e5457511b17
/system/core/sdcard/sdcard.c
e93a0517f4c88310066ac39c6b268ebfcceef44e 08-Oct-2013 Jeff Sharkey <jsharkey@android.com> Set GID required to write, media_rw mount point.

Add sdcard FUSE daemon flag to specify the GID required for a package
to have write access. Normally sdcard_rw, but it will be media_rw
for secondary external storage devices, so DefaultContainerService
can still clean up package directories after uninstall.

Create /mnt/media_rw which is where vold will mount raw secondary
external storage devices before wrapping them in a FUSE instance.

Bug: 10330128, 10330229
Change-Id: I4385c36fd9035cdf56892aaf7b36ef4b81f4418a
/system/core/sdcard/sdcard.c
44d6342caa0db1f613809e9ba1ea8d9af0183b74 12-Sep-2013 Jeff Sharkey <jsharkey@android.com> Remove mkdir() side effect, add .nomedia, utils.

Before this change, FUSE lookup() would have the side effect of
creating the directory on behalf of apps. This resulted in most
directories being created just by Settings trying to measure disk
space. Instead, we're switching to have vold do directory creation
when an app doesn't have enough permissions.

Create fs_mkdirs() utility to create all parent directories in a
path as needed. Allow traversal (+x) into /storage directories.

Fix FUSE derived permissions to be case insensitive. Mark well-known
directories as .nomedia when created.

Bug: 10577808, 10330221
Change-Id: I53114f2e63ffbe6de4ba6a72d94a232523231cad
/system/core/sdcard/sdcard.c
39ff0ae0f66d7bc1499b30c9f75e187d329382ec 30-Aug-2013 Jeff Sharkey <jsharkey@android.com> Only check caller when deriving permissions.

Bug: 10547597
Change-Id: Ied909f9047c2567e93dde0f4658d6e4b9ff161ab
/system/core/sdcard/sdcard.c
aa04e818a4904b193e00d603785c93e888eab174 30-Aug-2013 Jeff Sharkey <jsharkey@android.com> Fix recursive locking bug.

handle_rename() would end up acquiring the lock twice. Change to
always derive has_rw inside earlier locks (instead of acquiring a
second time), and pass the value into check_caller_access_to_name().

Bug: 10547597
Change-Id: If5744d6d226a4785676c19d0f7fdf1c05060ed76
/system/core/sdcard/sdcard.c
57d4b4ea6fc7d8014ebdf691ae8fbe204c67881b 15-Aug-2013 Ken Sumrall <ksumrall@android.com> Merge "Fix handle_opendir() in the sdcard daemon" into klp-dev
3a8768804ce4b4797359d5df03ec8897fe43de90 15-Aug-2013 Ken Sumrall <ksumrall@android.com> Fix handle_opendir() in the sdcard daemon

The fuse_open_out structure returned to the kernel by handle_opendir()
was not properly initializing all the fields. The symptom was recursive
ls (ls -R) failing on the emulated sdcard filesystem, because rewinddir(3)
was failing with ESPIPE.

Bug: 7168594
Change-Id: I56ddfd3453e6aac34fe6e001e88c4c46fb2eb271
/system/core/sdcard/sdcard.c
977a9f3b1a05e6168e8245a1e2061225b68b2b41 13-Aug-2013 Jeff Sharkey <jsharkey@android.com> Add legacy layout support to FUSE, enforce write.

The legacy internal layout places users at the top-level of the
filesystem, so handle with new PERM_LEGACY_PRE_ROOT when requested.

Mirror single OBB directory between all users without requiring fancy
bind mounts by letting a node graft in another part of the
underlying tree.

Move to everything having "sdcard_r" GID by default, and verify that
calling apps hold "sdcard_rw" when performing mutations. Determines
app group membership from new packages.list column.

Flag to optionally enable sdcard_pics/sdcard_av permissions
splitting. Flag to supply a default GID for all files. Ignore
attempts to access security sensitive files. Fix run-as to check for
new "package_info" GID.

Change-Id: Id5f3680779109141c65fb8fa1daf56597f49ea0d
/system/core/sdcard/sdcard.c
dfe0cbab3f9039f34af1dc9e31faf8155737ec2d 04-Jul-2013 Jeff Sharkey <jsharkey@android.com> Richer SD card permissions through FUSE.

Changes the FUSE daemon to synthesize an Android-specific set of
filesystem permissions, even when the underlying media storage is
permissionless. This is designed to support several features:

First, apps can access their own files in /Android/data/com.example/
without requiring any external storage permissions. This is enabled
by allowing o+x on parent directories, and assigning the UID owner
based on the directory name (package name). The mapping from package
to appId is parsed from packages.list, which is updated when apps are
added/removed. Changes are observed through inotify. It creates
missing package name directories when requested and valid.

Second, support for separate permissions for photos and audio/video
content on the device through new GIDs which are assigned based on
top-level directory names.

Finally, support for multi-user separation on the same physical media
through new /Android/user/ directory, which will be bind-mounted
into place. It recursively applies the above rules to each secondary
user.

rwxrwx--x root:sdcard_rw /
rwxrwx--- root:sdcard_pics /Pictures
rwxrwx--- root:sdcard_av /Music

rwxrwx--x root:sdcard_rw /Android
rwxrwx--x root:sdcard_rw /Android/data
rwxrwx--- u0_a12:sdcard_rw /Android/data/com.example
rwxrwx--x root:sdcard_rw /Android/obb/
rwxrwx--- u0_a12:sdcard_rw /Android/obb/com.example

rwxrwx--- root:sdcard_all /Android/user
rwxrwx--x root:sdcard_rw /Android/user/10
rwxrwx--- u10_a12:sdcard_rw /Android/user/10/Android/data/com.example

These derived permissions are disabled by default. Switched option
parsing to getopt().

Change-Id: I21bf5d79d13f0f07a6a116122b16395f4f97505b
/system/core/sdcard/sdcard.c
2fd72cc22171cc23e67206db795fc5025d4f7ac6 09-Feb-2013 Ken Sumrall <ksumrall@android.com> Raise the max file open limit in sdcard

The default is 1024 files, and in some testing, the limit has been
hit. This raises the limit to 8192. Going higher starts to cause
performance issues (I started to notice that around 16K open files
in my testing) as sdcard does linear searches. If a higher max
is needed, then the sdcard daemon will need some optimizations.

Bug: 7442187

Change-Id: I7aba7f4556ed70651f36244294a6756f3d6b8963
/system/core/sdcard/sdcard.c
e92372ba9eaa04eb4ed7eb9417ee2be3515bd972 15-Aug-2012 Jean-Baptiste Queru <jbq@google.com> resolved conflicts for merge of 2237ca4c to jb-mr1-dev

Change-Id: I04982ff2b092274b940a621b238c2246349aa85e
29bdc876e498a193f61ea3bdadce5bf8a35cb250 27-Jul-2012 Edwin Vane <edwin.vane@intel.com> Fixing signed/unsigned comparison warnings

Clang turned up some signed/unsigned comparison warnings. These warnings
have been fixed by cleaning up sdcard slightly:
- Don't use negative numbers for invalid gid/uid.
- sdcard takes a fixed number of arguments now so assert on that instead
of using a for loop.
- Also fixed usage string to reflect this fact.

Change-Id: Iee58a8e9aaedb3d40ad7dfeef63d8cd1fe1cd248
Author: Edwin Vane <edwin.vane@intel.com>
Reviewed-by: Kevin P Schoedel <kevin.p.schoedel@intel.com>
/system/core/sdcard/sdcard.c
e169bd05ec70f68c0db5e61c93b71e1746eb6c56 14-Aug-2012 Jeff Sharkey <jsharkey@android.com> Source and destination paths for sdcard.

Enables init.rc to provide both paths, instead of hard-coding the
destination.

Bug: 6925012
Change-Id: I666cde710baad965b98619b68fcbcbb104973da3
/system/core/sdcard/sdcard.c
6249b9009f44f2127670eda4d5aa6d5fd3e26e02 26-May-2012 Jeff Brown <jeffbrown@google.com> Make sdcard daemon multi-threaded.

The essential idea here is that a handler thread only needs to
hold a lock on the global node table while it is manipulating
nodes. The actual I/O operation is then performed without
holding any locks.

By default, we use 2 threads but this can be configured on the
command-line. Work is scheduled somewhat arbitrarily by the
handler threads. Whichever thread happens to read() the next
request first wins the right to process it. This policy is very
simple but potentially wastes threads when there isn't much
work to be done. We can always improve this later if needed.

Change-Id: Id27a27c2c9b40d4f8e35a6bef9dd84f0dfacf337
/system/core/sdcard/sdcard.c
fc1e1a0ab48a88dc7e9a93f65da5e6458de622af 26-May-2012 Jeff Brown <jeffbrown@google.com> Refactor request opcode handlers.

This is mostly a structural change. The handlers have been moved
into individual functions, which will help with upcoming changes.

Change-Id: I774739d859e177d6b5d4186d2771444166b734fa
/system/core/sdcard/sdcard.c
7729d2450faeb1a02c72b29f48efc208de1cb444 26-May-2012 Jeff Brown <jeffbrown@google.com> Move buffers into a handler structure.

Also use PATH_MAX instead of PATH_BUFFER to determine the
maximum path length.

Change-Id: Ic78f731d339a2a97766d29d222dd27cac4e620ce
/system/core/sdcard/sdcard.c
6fd921ae03a0fa17acfe118753ecd76d25f02e10 26-May-2012 Jeff Brown <jeffbrown@google.com> Implement FUSE_FSYNC request.

This request is needed for application correctness, without which
data corruption may result.

Bug: 6488845
Change-Id: I3d676c2e40f6e6b37d5d270c7cb40f1bf8c1fa47
/system/core/sdcard/sdcard.c
847158476c1b7662eeec77808d8ecdbb329e6f28 25-May-2012 Jeff Brown <jeffbrown@google.com> More code cleanup.

Use constants to specify MAX_READ and MAX_WRITE buffer sizes and
use that to determine the size of the buffers that we need.

Be more careful about how the request header and data payload are
extracted. For example, the old code did len -= hdr->len, but
since len == hdr->len, this value was always 0. It turns out we
didn't use len thereafter, but we might want to for sanity checking
incoming requests.

Use const to make it clearer what data is coming out of the request.

Removed spurious error reply from FUSE_WRITE. It serves no purpose
and is ignored by the kernel.

Bug: 6488845
Change-Id: Ia328532979868f0aaea43744a49662f2f4511bfe
/system/core/sdcard/sdcard.c
2656735f515a41cf131c87be5f40550b6538ce80 25-May-2012 Jeff Brown <jeffbrown@google.com> Code cleanup.

Removed references to unsupported command-line arguments.

Fixed compiler warnings.

Bug: 6488845
Change-Id: I50cb865609ea0fa5824ae2741b831cd886033055
/system/core/sdcard/sdcard.c
e5d32128b0f1373822b02b2a2e69c6b199e0f805 09-Feb-2012 Sundar Raman <sunds@ti.com> sdcard: use FUSE_BIG_WRITES for FUSE writes

Slightly optimizes the writes used by sdcard to increase
throughput and decrease cpu load. Update the read
size to 256 x 1024 + 128 from current 8192 bytes since
writes can go as high as that.

Change-Id: I3bad425f31d4aa6f44f546e3d31439fd5bdca9ea
Signed-off-by: Sundar Raman <sunds@ti.com>
/system/core/sdcard/sdcard.c
cfa9f650266621fee963fe18084a39602aa8fcc6 10-Apr-2012 Jeff Sharkey <jsharkey@android.com> Migrate emulated SD card to /storage/sdcard.

Bug: 6131916
Change-Id: Iab4d2a36b1dd979f7a9a0583d51dca3c5e38e681
/system/core/sdcard/sdcard.c
2fc9fc7c8e26a35059ad39fe35ed256bfadb2891 22-Jul-2011 Yuncheol Heo <ycheo@google.com> Fix returning errno values which should be negative.

Change-Id: Id6464b127678ca1d9f4afa7c99fcfce361f4ad4a
/system/core/sdcard/sdcard.c
ca1030ae42edfbeaedef5ea02a2c279bbb3b10cf 25-Mar-2011 Ken Sumrall <ksumrall@android.com> am b26662c0: am c3e69903: am 97919656: Add support for the utime(2) family of system calls to the sdcard fuse filesystem.

* commit 'b26662c0a2876767b2c06cb740f07b1010f91548':
Add support for the utime(2) family of system calls to the sdcard fuse filesystem.
97919656803126c6b28ea6070fc86d124ac4ef4b 18-Mar-2011 Ken Sumrall <ksumrall@android.com> Add support for the utime(2) family of system calls to the sdcard fuse filesystem.

Add support for the utime(2) family of system calls to change the modify
and access time of files. Requires an updated bionic with support for
the utimensat(2) system call.

Change-Id: I8cc0c0e6671c5708849752f47e4c3d4be2858b61
/system/core/sdcard/sdcard.c
8349cce829388503fae67d454aff6a544ccd36aa 16-Mar-2011 Terry Heo (Woncheol) <terryheo@google.com> Fix uninitialized variable bug in sdcard emulator
- Following members were not initialized in fuse_init().
fuse->root.actual_name
fuse->root.gen
- Initialize fuse->root with memset().

Change-Id: I4bce754ace608b526961f59049b2d780fd99756f
/system/core/sdcard/sdcard.c
75e17a8908d52e32f5de85b90b74e156265c60c6 26-Jan-2011 Mike Lockwood <lockwood@android.com> sdcard: Fix readdir implementation so rewinddir will work correctly

Fixes problem with "ls -R" in /mnt/sdcard

BUG: 3309556

Change-Id: Ie2246585439116de3cb40f4005f3b44a0439f54c
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
575a2bbee30d70a1940077a5b699aaf93cb4e2cd 23-Jan-2011 Mike Lockwood <lockwood@android.com> sdcard: Remove lower case squashing of file names

sdcard daemon will now create new files and directories using
the actual name passed in by the client.
For existing files, sdcard will do case insensitive matching
when case sensitive lookup fails.

Change-Id: I89f995ea01beb2c63a9b36943dbcfaa16e7cd972
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
b94d320b1e7e2a3493147f6763cd2825b111a4d8 18-Jan-2011 Mike Lockwood <lockwood@android.com> sdcard: Fix lower case squashing for case insensitivity support.

The fuse layer in the kernel does not support case insensitive file systems.
But the sdcard daemon's fuse_lookup was returning the same file object for
different file names, which caused problems in the kernel fuse layer's dcache,
resulting in EBUSY errors if the same directory was opened twice under different
names differing only by case.

To fix this, the sdcard daemon will return different file objects for files or directories
that differ only by case. Now the squashing occurs only in the interaction between
the sdcard daemon and the underlying file system in /data/media, and sdcard maintains
the illusion for the kernel fuse layer that there are two separate files.

Example: Suppose both /mnt/sdcard/foo.txt and /mnt/sdcard/FOO.TXT are opened.
Previously, the sdcard would squash this to a single node, and return the same
node to the kernel fuse implementation twice, and would open the underlying file
/data/media/foo.txt only once. Now sdcard will create two separate nodes and will open
/data/media/foo.txt twice, once for /mnt/sdcard/foo.txt and again for /mnt/sdcard/FOO.TXT.

Change-Id: I70e36b7822142750d3eeeb75edd6464ec7c79f2a
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
1bedb73f9fc239b69d958cbabc50c7ba382bacbc 13-Jan-2011 Mike Lockwood <lockwood@android.com> sdcard: Have the -f option fix user/group permissions as well as file name case

Change-Id: I280ded6ce79fb11752c89ebafa663d7ee29edebc
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
4f35e623a2359789406772009078d1a6ca7af6b3 12-Jan-2011 Mike Lockwood <lockwood@android.com> sdcard: Add command line options for lowercase file name squashing:

-l squash all file names to lower case when creating new files
-f rename existing files to make them lower case

Change-Id: I3245deb690228cf577bdc9bd4b0fcf0306ea3e16
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
51b3a2d77a3361f6088172a4a68a0111058d3aab 12-Jan-2011 Mike Lockwood <lockwood@android.com> sdcard: Force file names to lower case in order to provide case insensitivity

Change-Id: I2cdb12c7e296e1c28b66e32c7037dce060eecd67
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
90749774edd0c0cab327b62ce43cb4dfd33e897d 12-Jan-2011 Kenny Root <kroot@google.com> Use pread64/pwrite64 instead of pread/pwrite

>2GB files were failing strangely when pread was used instead of
pread64. Also writing to files should use pwrite64 in case they grow
over 2GB.

Bug: 3205336
Change-Id: I0c9619de35680093d7777ca132ce488eae502216
/system/core/sdcard/sdcard.c
77085c570e7db2ea4a52e3a0fec5100687c31b46 05-Jan-2011 Paul Eastham <eastham@google.com> Fix refcounting in the rename case.

Change-Id: I59dbac8c92bda450e6d89f7f180241fd4b5bbae6
/system/core/sdcard/sdcard.c
11ccdb3be67b22f677065715ace68aabf371acc7 14-Oct-2010 Paul Eastham <eastham@google.com> Properly reflect RENAME ops in FUSE internal state

In response to a RENAME, we actually need to rename and move the virtual
node. To support this, filenames are now allocated separately, as reallocing
the whole node to accommodate a longer filename would break the direct
mapping of fhs and inodes to fuse pointers.

Change-Id: I71e5a965f875dedc5f58f9d182156734b29ca179
/system/core/sdcard/sdcard.c
f43219e0b1022b257499289ceb951f6a1a44bf9c 22-Sep-2010 Paul Eastham <eastham@google.com> Partially implement SETATTR for sdcard/FUSE

Handle truncate cases within SETATTR so that truncate() and ftruncate() calls
will work.

Change-Id: I5a9862dcaa6ca7b5e9115cb5d3bfed88787fa7ac
Signed-off-by: Paul Eastham <eastham@google.com>
/system/core/sdcard/sdcard.c
fc1a13bfdd9f7acd36bd4ae8f87cd57aa298f5ac 20-Aug-2010 Mike Lockwood <lockwood@android.com> sdcard: Add support for the O_TRUNC open() flag

BUG: 2935163

Change-Id: I9f76b24147b2f87ddb7869bb72baac03e86ef7e6
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
4553b08d7555a103fdbe8623a9cbd826a7e413ff 16-Aug-2010 Mike Lockwood <lockwood@android.com> sdcard: Implement statfs, stat time values and change mount point to /mnt/sdcard

Change-Id: Iac2c4ec47af7d47d76a82916866ad36782caf25c
Signed-off-by: Mike Lockwood <lockwood@android.com>
/system/core/sdcard/sdcard.c
b14a2c6e34b197870433386fb809d34b58b30fc0 13-Aug-2010 Brian Swetland <swetland@google.com> fix up permissions

Change-Id: I93c828ebc755ad2a2055066c8af65dfde7dc7b2e
/system/core/sdcard/sdcard.c
03ee9479a4ed67689b9bbccda20c60800a38b178 13-Aug-2010 Brian Swetland <swetland@google.com> sdcard: a program to create a "virtual" /sdcard pointed at a path

sdcard is a program that uses FUSE to emulate FAT-on-sdcard style
directory permissions (all files are given fixed owner, group, and
permissions at creation; owner, group, and permissions are not
changeable; symlinks and hardlinks are not creatable, etc.).

usage: sdcard <path> <uid> <gid>

It must be run as root, but will change to uid/gid as soon as it
mounts a filesystem on /sdcard. It will refuse to run if uid or
gid are zero.

Change-Id: I9a5d2e5daaebeee632f8470172cbb77b7fa689f8
Signed-off-by: Brian Swetland <swetland@google.com>
/system/core/sdcard/sdcard.c