path: root/sdcard/sdcard.c
Commit message [Author, Age, Files, Lines]
* Re-derive permissions after package changes. [Jeff Sharkey, 2015-12-16, 1 file, -0/+15]
    When packages change, existing package-specific directories may have gained/lost a UID mapping, so we need to update the permissions for any in-memory nodes. This allows an app to deliver data for another package before that package is installed, which is the typical pattern of how OBB files are delivered.
    Also fix bug by re-deriving permissions when files are moved.
    Bug: 25399427
    Change-Id: I06f38a24ad7dee5f5099ba81429aef03208e5683
* sdcard: use libpackageparser [William Roberts, 2015-10-22, 1 file, -29/+21]
    Switch from the internal packages.list file parser implementation to a common parser library.
    See Change-Id: I87a406802f95d8e7bfd8ee85f723f80e9e6b6c0c for all of the details.
    Change-Id: I98924dce406b322e0d402bca7fdac51f6a1e6a4b
    Signed-off-by: William Roberts <william.c.roberts@intel.com>
* resolved conflicts for merge of b9f438ff to mnc-dev-plus-aosp [Jeff Sharkey, 2015-08-06, 1 file, -4/+4]
|\
    Change-Id: I7103bacb1b2d7dc29b4f8d9dddb2fec1feb869d3
| * Protect runtime storage mount points. [Jeff Sharkey, 2015-08-06, 1 file, -4/+4]
    We have a bunch of magic that mounts the correct view of storage access based on the runtime permissions of an app, but we forgot to protect the real underlying data sources; oops.
    This series of changes just bumps the directory hierarchy one level to give us /mnt/runtime which we can mask off as 0700 to prevent people from jumping to the exposed internals.
    Also add CTS tests to verify that we're protecting access to internal mount points like this.
    Bug: 22964288
    Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
* | am d57125af: Merge "Give secondary users read-only physical cards." into mnc-dev [Jeff Sharkey, 2015-07-29, 1 file, -25/+46]
|\|
    * commit 'd57125af1a81f34b162ecd5de81e6f1365aff588':
      Give secondary users read-only physical cards.
| * Give secondary users read-only physical cards. [Jeff Sharkey, 2015-07-28, 1 file, -25/+46]
    Long ago, we mounted secondary physical cards as readable by all users on the device, which enabled the use-case of loading media on a card and viewing it from all users.
    More recently, we started giving write access to these secondary physical cards, but this created a one-directional channel for communication across user boundaries; something that CDD disallows.
    This change is designed to give us the best of both worlds: the package-specific directories are writable for the user that mounted the card, but access to those "Android" directories is blocked for all other users. Other users remain able to read content elsewhere on the card.
    Bug: 22787184
    Change-Id: I4a04a1a857a65becf5fd37d775d927af022b40ca
* | am 07bed194: am 87998c07: Merge "Move sdcard off PAGESIZE and onto PAGE_SIZE." [Elliott Hughes, 2015-07-29, 1 file, -3/+3]
|\ \
| |/
|/|
    * commit '07bed1941f902c1d65a410e49d33882e0da7b5ed':
      Move sdcard off PAGESIZE and onto PAGE_SIZE.
| * Move sdcard off PAGESIZE and onto PAGE_SIZE. [Elliott Hughes, 2015-07-28, 1 file, -3/+3]
    Only sdcard is using PAGESIZE, and glibc doesn't have it.
    Bug: http://b/22735893
    Change-Id: Ib8af14a2e99d98881a79f21ad1a695499c7d74bd
* | Use single tree for multiple storage views. [Jeff Sharkey, 2015-07-16, 1 file, -71/+140]
    Instead of having each view build and maintain its own tree representing the underlying storage, switch to building a single tree that each view augments with GID/mode specific behavior.
    This has the nice property of a single file always having the same node ID when presented across multiple views, giving us a firm handle that we can use to invalidate kernel caches. Specifically, when a file is deleted through one view, we now tell the kernel to invalidate that file in the other two views.
    Bug: 22477678, 22375891
    Change-Id: I3ff041d549d41040839cde9773504719a508219f
* | Gracefully handle ENODEV in sdcard daemon (part deux) [Mark Salyzyn, 2015-07-06, 1 file, -5/+3]
    reorder to handle errno correctly and remove log stutter
    Bug: 22197797
    Bug: 22241640
    Change-Id: I81e6b2ff15b6ea6e5e780bd3599bf1019ff36f26
* | Permission to view shared storage for all users. [Jeff Sharkey, 2015-07-06, 1 file, -1/+10]
    Typical apps are restricted so they can only view shared storage belonging to the user they're running as. However, a handful of system components need access to shared storage across all users, such as DefaultContainerService and SystemUI.
    Since WRITE_MEDIA_STORAGE already offers this functionality by bypassing any FUSE emulation, reuse it to grant the "sdcard_rw" GID which is no longer handed out to third-party apps. Then we change the FUSE daemon to allow the "sdcard_rw" GID to see shared storage of all users.
    Bug: 19995822
    Change-Id: Id2fe846aefbf13fc050e9b00ddef120021e817f4
* | Gracefully handle ENODEV in sdcard daemon. [Jeff Sharkey, 2015-06-30, 1 file, -0/+4]
    When someone force-unmounts our target endpoint, gracefully handle by terminating, instead of looping on the same errno forever.
    Bug: 22197797
    Change-Id: I7e71632f69d47152ea78a94431c23ae69aba9b93
* | Remove unused methods to fix build. [Jeff Sharkey, 2015-06-26, 1 file, -14/+0]
    Change-Id: I6e1f85a7cc3428d558460737da3b3193d035b73e
* | Let's reinvent storage, yet again! [Jeff Sharkey, 2015-06-25, 1 file, -360/+218]
    Now that we're treating storage as a runtime permission, we need to grant read/write access without killing the app. This is really tricky, since we had been using GIDs for access control, and they're set in stone once Zygote drops privileges.
    The only thing left that can change dynamically is the filesystem itself, so let's do that. This means changing the FUSE daemon to present itself as three different views:
      /mnt/runtime_default/foo - view for apps with no access
      /mnt/runtime_read/foo - view for apps with read access
      /mnt/runtime_write/foo - view for apps with write access
    There is still a single location for all the backing files, and filesystem permissions are derived the same way for each view, but the file modes are masked off differently for each mountpoint.
    During Zygote fork, it wires up the appropriate storage access into an isolated mount namespace based on the current app permissions. When the app is granted permissions dynamically at runtime, the system asks vold to jump into the existing mount namespace and bind mount the newly granted access model into place.
    Bug: 21858077
    Change-Id: I5a016f0958a92fd390c02b5ae159f8008bd4f4b7
* | am 3d671000: am 28693983: am 1a39a994: Merge "Correct magic number on umount2" [Elliott Hughes, 2015-04-24, 1 file, -1/+1]
|\|
    * commit '3d671000c7268fcfcaf5445734b88428af26c294':
      Correct magic number on umount2
| * Correct magic number on umount2 [William Roberts, 2015-04-24, 1 file, -1/+1]
    The umount2 call was using the magic constant 2 which has a defined and proper macro in mount.h as MNT_DETACH.
    Change-Id: I4ca4a6d31cbf5495c545088e3d90a8894a9f912f
* | am 03c0adab: am 6a99ff0a: am 3a4aedfc: Merge "sdcard: Properly handle deleted nodes" [Elliott Hughes, 2015-04-04, 1 file, -1/+19]
|\|
    * commit '03c0adab88fcb91393f934f213f953c1f23762d5':
      sdcard: Properly handle deleted nodes
| * Merge "sdcard: Properly handle deleted nodes" [Elliott Hughes, 2015-04-04, 1 file, -1/+19]
| |\
| | * sdcard: Properly handle deleted nodes [Krzysztof Adamski, 2015-02-20, 1 file, -1/+19]
    The sdcard fuse daemon is not properly handling deleted nodes that are still in use (opened by some process). Typically Linux filesystems make it possible to open a file, unlink it and then still use it. In case of a storage emulated by sdcard daemon this does not work as expected - other processes are not able to recreate file/dir with the same name until all references to deleted file are closed.
    The easiest way to trigger this problem is:
      process1: mkdir /sdcard/test1; cd /sdcard/test1
      process2: rm -r /sdcard/test1
      process2: mkdir /sdcard/test1
    After that, process2 will get an error:
      mkdir failed for /sdcard/test1, Device or resource busy
    There is exactly the same problem with files as directories. This may cause issues for example with directories that are automatically recreated when they are missing (like DCIM directory). If some process holds file opened inside of such directory but that directory is removed, process trying to recreate the directory will get EBUSY error and possibly crash.
    Verified on the Z Ultra GPE.
    Change-Id: I1cbf0bec135e6aaafba0ce8e5bb594e3639e0007
* | | am d71b0943: am 2d4a347e: am fad9b3eb: Merge "sdcard: Turn on noatime for fuse mounted sdcard" [Elliott Hughes, 2015-04-02, 1 file, -1/+2]
|\| |
    * commit 'd71b0943de271d308ec1aeb1fa834dd35fedee50':
      sdcard: Turn on noatime for fuse mounted sdcard
| * | sdcard: Turn on noatime for fuse mounted sdcard [Johan Redestig, 2015-01-25, 1 file, -1/+2]
| |/
    This provides symmetry with /data and /cache that are typically mounted with noatime.
    Change-Id: I6fe1bead368b52632424b03b50d4081852824cdb
| * sdcard : inode numbers must be fully representable as uint32_t. [Narayan Kamath, 2015-01-15, 1 file, -1/+34]
    This works around a bug on 64 bit kernels + sdcard daemons where we were using memory addresses as inode numbers.
    bug: 19012244
    (cherry picked from commit faa0935ffb772759f795d6b29c6db6f83e8531c4)
    Change-Id: Idbf9e285e507e702e04e7461a10153df68ef2322
* | Progress towards dynamic storage support. [Jeff Sharkey, 2015-03-30, 1 file, -1/+2]
    To support external storage devices that are dynamically added and removed at runtime, we're changing /mnt and /storage to be tmpfs that are managed by vold.
    To support primary storage being inserted/ejected at runtime in a multi-user environment, we can no longer bind-mount each user into place. Instead, we have a new /storage/self/primary symlink which is resolved through /mnt/user/n/primary, and which vold updates at runtime.
    Fix small mode bugs in FUSE daemon so it can be safely mounted visible to all users on device.
    Bug: 19993667
    Change-Id: I0ebf4d10aba03d73d9a6fa37d4d43766be8a173b
* | Fix bug blocking access to secondary users. [Jeff Sharkey, 2015-03-24, 1 file, -1/+0]
    Change-Id: I97ce510b6bc705488b9bea3340a72fb5449f8134
* | Fix build, missed refactoring. [Jeff Sharkey, 2015-03-23, 1 file, -1/+1]
    Change-Id: I17337133d8ca6a421e12c0834f42655f1a10197e
* | Add multi-user GIDs to SD card daemon. [Jeff Sharkey, 2015-03-23, 1 file, -33/+29]
    This will eventually allow us to have a single unified filesystem instead of requiring zygote to use bind mounts.
    Change-Id: I1fc4ada4874698a00e7e0b8800617732e69348f0
* | am 0f86444b: Merge "sdcard : inode numbers must be fully representable as uint32_t." into lmp-mr1-dev [Narayan Kamath, 2015-01-15, 1 file, -1/+34]
|\ \
| |/
|/|
    * commit '0f86444b3912cadb4227755f3b80d2ff74841575':
      sdcard : inode numbers must be fully representable as uint32_t.
| * sdcard : inode numbers must be fully representable as uint32_t. [Narayan Kamath, 2015-01-14, 1 file, -1/+34]
    This works around a bug on 64 bit kernels + sdcard daemons where we were using memory addresses as inode numbers.
    bug: 19012244
    Change-Id: Ia63c5b33b4212bf03ff92fa2faff0bb76e48791c
| * sdcard: mount sdcard with the noexec option [Daisuke Okitsu, 2014-11-24, 1 file, -1/+1]
    Vold mounts the sdcard with noexec, but the fuse daemon mounts with exec, so it is still possible to execute binaries:
      /dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,
      user_id=1023,group_id=1023,default_permissions,allow_other 0 0
      /dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,
      nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,
      dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,
      shortname=mixed,utf8,errors=remount-ro 0 0
    With this change both vold and fuse mount with noexec.
    (cherry picked from commit f777d6694eecf6e61d9859df2090199863050017)
    Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
| * Fix sdcard truncates. [Elliott Hughes, 2014-07-31, 1 file, -1/+1]
    Use truncate64 instead of truncate so we don't truncate (ho ho) the offset.
    Bug: https://code.google.com/p/android/issues/detail?id=74039
    Change-Id: I63711ccd299e3ebc475563b1999817d1919571ab
* | Merge "Allow updates for open file descriptors" [Marco Nelissen, 2014-12-10, 1 file, -1/+3]
|\ \
| * | Allow updates for open file descriptors [Marco Nelissen, 2014-12-10, 1 file, -1/+3]
    even if the calling process itself would not be able to open the file.
    Bug: 18688419
    Change-Id: I640db19f19c1a677735fd0c14b7e2e38977d0f4d
* | | sdcard: mount sdcard with the noexec option [Daisuke Okitsu, 2014-11-24, 1 file, -1/+1]
|/ /
    Vold mounts the sdcard with noexec, but the fuse daemon mounts with exec, so it is still possible to execute binaries:
      /dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,
      user_id=1023,group_id=1023,default_permissions,allow_other 0 0
      /dev/block/vold/179:65 /mnt/media_rw/sdcard1 vfat rw,dirsync,
      nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,
      dmask=0007,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,
      shortname=mixed,utf8,errors=remount-ro 0 0
    With this change both vold and fuse mount with noexec.
    Change-Id: I66cbfc3a3a89a26958f83577f5e7a5e27f99184e
* | Sdcard: Initialize the padding output value [Daisuke Okitsu, 2014-11-13, 1 file, -0/+1]
    Add initialization of the output value in handle_write. This value is referred to in FUSE so initialization is necessary. See also handle_open and handle_opendir.
    Change-Id: I6507f113da9f6823fbfa459624d6594fc20afa51
* | bionic's struct stat is now POSIX-compliant. [Elliott Hughes, 2014-11-10, 1 file, -6/+6]
    Right now we still have the kernel names, but they're only there by "virtue" of macro namespace pollution, so I'd like to get rid of them.
    Bug: 18298106
    Change-Id: Ifed0b3a9238c79a99d8a2b62e0f5897c50a725d1
* | am f37bfb32: am 23aeeff5: Merge "Use the correct fuse_init_out structure size." [Christopher Ferris, 2014-09-16, 1 file, -2/+28]
|\ \
    * commit 'f37bfb32eb82393d14e339684c9f508cea3b0ab4':
      Use the correct fuse_init_out structure size.
| * | Use the correct fuse_init_out structure size. [Christopher Ferris, 2014-09-15, 1 file, -2/+28]
    Kernel 2.6.16 is the first stable kernel with struct fuse_init_out defined (fuse version 7.6). The structure is the same from 7.6 through 7.22. Beginning with 7.23, the structure increased in size and added new parameters.
    If the kernel only works on minor revs older than or equal to 22, then use the older structure size since this code only uses the 7.22 version of the structure.
    Change-Id: If2507a02ad674fcf02869a325221339ae1ace64d
* | | am 33a5575a: am 39a8ade7: Merge "Fix sdcard truncates." [Elliott Hughes, 2014-07-31, 1 file, -1/+1]
|\| |
| |/
|/|
    * commit '33a5575a585bdc4000be06f96554309b5d3471ff':
      Fix sdcard truncates.
| * Fix sdcard truncates. [Elliott Hughes, 2014-07-31, 1 file, -1/+1]
    Use truncate64 instead of truncate so we don't truncate (ho ho) the offset.
    (cherrypick of 4568565e85bf2e1ea11b2e09d72e244088c05dbc.)
    Bug: https://code.google.com/p/android/issues/detail?id=74039
    Change-Id: I63711ccd299e3ebc475563b1999817d1919571ab
| * sdcard: ensure installd fs upgrade has completed [Nick Kralevich, 2014-07-25, 1 file, -0/+6]
    Before running the sdcard daemon, make sure that installd has completed all upgrades to /data that it needs to complete. This avoids race conditions between installd and the sdcard daemon.
    Maybe fixes bug 16329437.
    (cherrypicked from commit 8d28fa71fce6a5623488614250970ce78551a924)
    Bug: 16329437
    Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
| * Correction to TRACE format strings [Marcus Oakland, 2014-07-24, 1 file, -16/+17]
    When built with "#define FUSE_TRACE 1" numerous TRACE statements failed to compile because of mismatches between format strings and types (uint64_t and size_t). These have been corrected by using the format strings from the inttypes.h header file, or %zu.
    Change-Id: I36cd6f8da0790f1218d7dbaaa5b3bbfa4df7fdee
    Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
* | Merge "sdcard: ensure installd fs upgrade has completed" into lmp-dev [Nick Kralevich, 2014-07-24, 1 file, -0/+6]
|\ \
| * | sdcard: ensure installd fs upgrade has completed [Nick Kralevich, 2014-07-24, 1 file, -0/+6]
    Before running the sdcard daemon, make sure that installd has completed all upgrades to /data that it needs to complete. This avoids race conditions between installd and the sdcard daemon.
    Maybe fixes bug 16329437.
    Bug: 16329437
    Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
* | | Correction to TRACE format strings [Marcus Oakland, 2014-07-24, 1 file, -16/+17]
|/ /
    When built with "#define FUSE_TRACE 1" numerous TRACE statements failed to compile because of mismatches between format strings and types (uint64_t and size_t). These have been corrected by using the format strings from the inttypes.h header file, or %zu.
    Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
    (cherry picked from commit d33308752fb7cecac751f20f4651aec05fc889db)
    Change-Id: I550b422a6b7c92ea903b4dd8f5e4aec5637cdf67
* | am f043f061: am 060b6ecb: am 6e141aea: Merge "Fix sdcard's FUSE_FSYNCDIR handling." [Elliott Hughes, 2014-07-09, 1 file, -7/+16]
|\|
    * commit 'f043f061295a787aca42186fe9ab87c24d393b92':
      Fix sdcard's FUSE_FSYNCDIR handling.
| * Fix sdcard's FUSE_FSYNCDIR handling. [Elliott Hughes, 2014-07-08, 1 file, -7/+16]
    For a file the FUSE fh is a struct handle containing an int fd; for a directory it's a struct dirhandle containing a DIR*. Fix handle_fsync to extract the file descriptor appropriately in both cases.
    Bug: 14613980
    Change-Id: I45515cff6638e27a99b849e6fc639d355dbb4d27
* | am 94645665: am f8acdcbe: am 75b7171f: Merge "Make sdcard log to the log rather than stderr." [Elliott Hughes, 2014-07-09, 1 file, -2/+5]
|\|
    * commit '9464566580559b7353e6e2c898da79ffbbf993aa':
      Make sdcard log to the log rather than stderr.
| * Make sdcard log to the log rather than stderr. [Elliott Hughes, 2014-07-08, 1 file, -2/+5]
    Change-Id: I9c78941184c5e364055bfac766e1e542d3c23c87
* | Per-app media directories on external storage. [Jeff Sharkey, 2014-05-30, 1 file, -0/+7]
|/
    This change defines per-app directories on external storage that will be scanned and included in MediaStore. This gives apps a way to write content to secondary shared storage in a way that can easily be surfaced to other apps.
    Bug: 14382377
    Change-Id: I6f03d8076a9391d8b9eb8421ec3fc93669b3ba0d
* Use bionic's <linux/fuse.h>. [Elliott Hughes, 2014-05-07, 1 file, -16/+15]
    No need for an out-of-date copy of a uapi header.
    Change-Id: Iec68c6ceb2bceca1ceef0c57e0b45a89a139e292