| 25cc7e3c335947db9439671c28f06bab83d6a4af |
|
18-Apr-2016 |
John Cormie <jdcormie@google.com> |
Unmount public sdcard filesystems before killing the fuse process.
Avoids ENOTCONN during eject for sdcard users.
Change-Id: I7b89ccaad4bb7af3639dc0b702168030a2f88366
Bug: 28268676
/system/vold/PublicVolume.cpp
|
| 8aff854b940039cce5fa2a227b19e39de6787b20 |
|
31-Mar-2016 |
Jeff Sharkey <jsharkey@android.com> |
Kill apps using PublicVolume when unmounting.
Bug: 24863778
Change-Id: I86a482c6de78afe2e09ca91165000e1b10a42058
/system/vold/PublicVolume.cpp
|
| e0074f142b4c9b6bfc750abbcb4ee0786676d0df |
|
15-Dec-2015 |
Qin Chao <chao.qin@intel.com> |
Hide external storage from apps if it's not set as adoptable
If storage is not visible to apps and no need to spin up FUSE, it also
should not make FUSE mount point directory.
Change-Id: I6ecd2e5bf56b5dcf0e11834880256b156a62a9a0
Signed-off-by: Qin Chao <chao.qin@intel.com>
/system/vold/PublicVolume.cpp
|
| 7e128fbe212c64492afa98bfd6d7fab6f1956831 |
|
05-Dec-2015 |
Elliott Hughes <enh@google.com> |
Track rename from base/ to android-base/.
Change-Id: I3096cfa50afa395d8e9a8043ab69c1e390f86ccb
/system/vold/PublicVolume.cpp
|
| 1bd078fa7b5ca613cb3e793d67ccd86d2602787d |
|
06-Aug-2015 |
Jeff Sharkey <jsharkey@android.com> |
Protect runtime storage mount points.
We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.
This series of changes just bumps the directory heirarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.
Also add CTS tests to verify that we're protecting access to
internal mount points like this.
Bug: 22964288
Change-Id: I83f09f0423f4993e766273c50389dd29b1c50589
/system/vold/PublicVolume.cpp
|
| 8474ee323131fdadcc17f09eab25003a7ae934e0 |
|
31-Jul-2015 |
Jeff Sharkey <jsharkey@android.com> |
Return useful path when not visible.
This allows apps like ExternalStorageProvider to still read/write
files on transient storage devices which aren't mounted as visible.
Bug: 22545248
Change-Id: Idacb15f2233245a8e1861d9be977535a82b218ec
/system/vold/PublicVolume.cpp
|
| 20642ae71aa93ec2658d09c92a1ffc3844f5a555 |
|
28-Jul-2015 |
Jeff Sharkey <jsharkey@android.com> |
Give secondary users read-only physical cards.
Long ago, we mounted secondary physical cards as readable by all
users on the device, which enabled the use-case of loading media on
a card and viewing it from all users.
More recently, we started giving write access to these secondary
physical cards, but this created a one-directional channel for
communication across user boundaries; something that CDD disallows.
This change is designed to give us the best of both worlds: the
package-specific directories are writable for the user that mounted
the card, but access to those "Android" directories are blocked for
all other users. Other users remain able to read content elsewhere
on the card.
Bug: 22787184
Change-Id: I75dbd339f11402ae774c7e4b8f2b15ee216270e8
/system/vold/PublicVolume.cpp
|
| c7b5b570bd05ed3bc921b0c2dc346416a52b4e3e |
|
01-Jul-2015 |
Jeff Sharkey <jsharkey@android.com> |
Null-terminate readlink() result, full remount.
In order to compare results from readlink() calls, we need to null
terminate the read value, otherwise we can end up doing an infinitely
recursive remount in the root namespace.
When remounting inside a namespace, unmount all existing mounts before
mounting the new storage into place. This also means we need to mount
the user-specific symlinks back into place.
Skip spinning up the FUSE daemon when not visible, otherwise we get
stuck waiting for a daemon that never shows up.
Bug: 22192518, 22204412
Change-Id: Icc7db822354ab7ffc47c39cd0611f65edecc32e5
/system/vold/PublicVolume.cpp
|
| 66270a21df1058434e4d63691221f11ff5387a0f |
|
24-Jun-2015 |
Jeff Sharkey <jsharkey@android.com> |
Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: Iade538e4bc7af979fe20095f74416e8a0f165a4a
/system/vold/PublicVolume.cpp
|
| c82c9ce18c2a9959530dd4b6121eb4521c751d81 |
|
24-Jun-2015 |
Makoto Onuki <omakoto@google.com> |
Make sure volume is vfat before fsck'ing.
Bug 21948137
Change-Id: I6843423fd8809d9e2f352059a810aa17dd83b3e3
/system/vold/PublicVolume.cpp
|
| d0640f6358041f7e2657167560b357078db73526 |
|
22-May-2015 |
Jeff Sharkey <jsharkey@android.com> |
Add f2fs support for private volumes.
When formatting volumes, pass along fsType string which can be "auto"
to let the volume select the best choice. For now, private volumes
assume that MMC devices (like SD cards) are best off using f2fs when
both kernel support and tools are present, otherwise fall back to
ext4. Use blkid when mounting to pick the right set of tools.
Move filesystem utility methods into namespaces and place in separate
directory to be more organized.
Bug: 20275581
Change-Id: Id5f82d8672dda2e9f68c35b075f28232b0b55ed4
/system/vold/PublicVolume.cpp
|
| 8d15cb9828f89709243b33c610b429694788c05d |
|
13-May-2015 |
Jeff Sharkey <jsharkey@android.com> |
Report internal path for public volumes.
Used by framework to bypass FUSE daemon overhead in some cases.
Bug: 21017105
Change-Id: I2f3ae70607417fc4cd2c970cb17cf3afa2f42613
/system/vold/PublicVolume.cpp
|
| f1b996df6f8283aac6953b22bd9e2496d8c30c86 |
|
18-Apr-2015 |
Jeff Sharkey <jsharkey@android.com> |
Volumes know parent disks; unsupported disks.
This is cleaner and more direct than the reverse of having the disk
publish child volume membership. Rename state constants to match
public API. Add state representing bad removal. Make it clear that
volume flags are related to mounting.
Send new unsupported disk event when we finish scanning an entire
disk and have no meaningful volumes.
Bug: 19993667
Change-Id: I08a91452ff561171a484d1da5745293ec893aec0
/system/vold/PublicVolume.cpp
|
| 48d81d3b58daa0514b86def4abaf1a5951246fea |
|
13-Apr-2015 |
Jeff Sharkey <jsharkey@android.com> |
Remember to tear down ASEC bind mount.
Bug: 19993667
Change-Id: I17093f0f9abe8762e5ee4f38ce99f9024e419dfc
/system/vold/PublicVolume.cpp
|
| ce6a913aeac7db94a41362c63bab74092767bb3e |
|
09-Apr-2015 |
Jeff Sharkey <jsharkey@android.com> |
Exclusive exec() path, format after partition.
Sadly setexeccon() is process global, so we need to carefully ensure
that all exec() are mutually exclusive to avoid transitioning into
unwanted domains. Also, because we have several threads floating
around, we need to guard all our FDs with O_CLOEXEC.
Format all newly created volumes immediately after partitioning,
but silence all events emitted from those volumes to prevent the
framework from getting all excited. Unify all notify events under a
single codepath to make them easy to silence.
Sent SIGINT before escalating to SIGTERM when unmounting.
Bug: 19993667
Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
/system/vold/PublicVolume.cpp
|
| f0121c574ede0898e36eeba0a0e0affd0f8d81a7 |
|
06-Apr-2015 |
Jeff Sharkey <jsharkey@android.com> |
Updates for expanded storage.
Mount private volumes at /mnt/expand, which is where we have new
SELinux policy waiting for us. Also ensure that foundational
directories are ready when mounting.
Create local fs_prepare_dir() wrapper that sets SELinux context
based on path, avoiding the need for a later restorecon.
Use UUID as directory name for public volumes. Wait a few seconds
before issuing first signal when force unmounting.
Bug: 19993667
Change-Id: If22595380faaae321705b06c87d877419620da48
/system/vold/PublicVolume.cpp
|
| 95c87cce353ca2da79aa57a3a5336b45b6f1d018 |
|
01-Apr-2015 |
Jeff Sharkey <jsharkey@android.com> |
Different blkid and fsck execution domains.
vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices like PrivateVolume
which are encrypted.
When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.
Bug: 19993667
Change-Id: I2695f028710a4863f0c3b2ed6da437f466401272
/system/vold/PublicVolume.cpp
|
| 9c48498f4529f623650c56d03e63324c8d813032 |
|
31-Mar-2015 |
Jeff Sharkey <jsharkey@android.com> |
Support for private (adopted) volumes.
This adds support for private volumes which is just a filesystem
wrapped in a dm-crypt layer. For now we're using the exact same
configuration as internal encryption (aes-cbc-essiv:sha256), but we
don't store any key material on the removable media. Instead, we
store the key on internal storage, and use the GPT partition GUID
to identify which key should be used.
This means that private external storage is effectively as secure as
the internal storage of the device. That is, if the internal storage
is encrypted, then our external storage key is also encrypted.
When partitioning disks, we now support a "private" mode which has
a PrivateVolume partition, and a currently unused 16MB metadata
partition reserved for future use. It also supports a "mixed" mode
which creates both a PublicVolume and PrivateVolume on the same
disk. Mixed mode is currently experimental.
For now, just add ext4 support to PrivateVolume; we'll look at f2fs
in a future change. Add VolumeBase lifecycle for setting up crypto
mappings, and extract blkid logic into shared method. Sprinkle some
more "static" around the cryptfs code to improve invariants.
Bug: 19993667
Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
/system/vold/PublicVolume.cpp
|
| 36801cccf27152c9eca5aab6ba3527221525110f |
|
14-Mar-2015 |
Jeff Sharkey <jsharkey@android.com> |
Progress towards dynamic storage support.
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code. Use filesystem UUID as visible PublicVolume
name to be more deterministic.
When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear. Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects. Broadcast all of these events towards userspace so the
framework can decide what to mount.
Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.
Provide a reset command that framework uses to start from a known
state when runtime is restarted. When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.
Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.
Switch killProcessesWithOpenFiles() to directly take signal. Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.
Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
/system/vold/PublicVolume.cpp
|
| ae9e8903375e13028b140e86fcc68c6e152b6f43 |
|
16-Mar-2015 |
Dan Albert <danalbert@google.com> |
Update for libbase.
Change-Id: I23b1281a63031a7481ea7b33c9ddbdbe7d3d6174
/system/vold/PublicVolume.cpp
|
| deb240573754daf36fa8ea10a05240f9f31e7b2c |
|
03-Mar-2015 |
Jeff Sharkey <jsharkey@android.com> |
Checkpoint of better dynamic device support.
This is the first in a series of changes that are designed to
introduce better support for dynamic block devices.
It starts by defining a new Volume object which represents a storage
endpoint that knows how to mount, unmount, and format itself. This
could be a filesystem directly on a partition, or it could be an
emulated FUSE filesystem, an ASEC, or an OBB.
These new volumes can be "stacked" so that unmounting a volume will
also unmount any volumes stacked above it. Volumes that provide
shared storage can also be asked to present themselves (through bind
mounts) into user-specific mount areas.
This change also adds a Disk class which is created based on block
kernel netlink events. Instead of waiting for partition events from
the kernel, it uses gptfdisk to read partition details and creates
the relevant Volume objects.
Change-Id: I0e8bc1f8f9dcb24405f5e795c0658998e22ae2f7
/system/vold/PublicVolume.cpp
|