ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "Extract the FUSE implementation from the main sdcard.c file."

Browse source
This commit is contained in:
Treehugger Robot 2016-07-13 18:48:05 +00:00 committed by Gerrit Code Review
commit 1b9b27351a
4 changed files with 625 additions and 564 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
sdcard/Android.mk
View file

@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS) include $(CLEAR_VARS)
LOCAL_SRC_FILES := sdcard.c LOCAL_SRC_FILES := sdcard.cpp fuse.c
LOCAL_MODULE := sdcard LOCAL_MODULE := sdcard
LOCAL_CFLAGS := -Wall -Wno-unused-parameter -Werror LOCAL_CFLAGS := -Wall -Wno-unused-parameter -Werror
LOCAL_SHARED_LIBRARIES := liblog libcutils libpackagelistparser LOCAL_SHARED_LIBRARIES := liblog libcutils libpackagelistparser

566
sdcard/sdcard.c → sdcard/fuse.c
View file

@ -16,238 +16,14 @@
#define LOG_TAG "sdcard" #define LOG_TAG "sdcard"
#include <ctype.h> #include "fuse.h"
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <limits.h>
#include <linux/fuse.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/mount.h>
#include <sys/param.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/statfs.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <cutils/fs.h>
#include <cutils/hashmap.h>
#include <cutils/log.h>
#include <cutils/multiuser.h>
#include <packagelistparser/packagelistparser.h>
#include <private/android_filesystem_config.h>
/* README
*
* What is this?
*
* sdcard is a program that uses FUSE to emulate FAT-on-sdcard style
* directory permissions (all files are given fixed owner, group, and
* permissions at creation, owner, group, and permissions are not
* changeable, symlinks and hardlinks are not createable, etc.
*
* See usage() for command line options.
*
* It must be run as root, but will drop to requested UID/GID as soon as it
* mounts a filesystem. It will refuse to run if requested UID/GID are zero.
*
* Things I believe to be true:
*
* - ops that return a fuse_entry (LOOKUP, MKNOD, MKDIR, LINK, SYMLINK,
* CREAT) must bump that node's refcount
* - don't forget that FORGET can forget multiple references (req->nlookup)
* - if an op that returns a fuse_entry fails writing the reply to the
* kernel, you must rollback the refcount to reflect the reference the
* kernel did not actually acquire
*
* This daemon can also derive custom filesystem permissions based on directory
* structure when requested. These custom permissions support several features:
*
* - Apps can access their own files in /Android/data/com.example/ without
* requiring any additional GIDs.
* - Separate permissions for protecting directories like Pictures and Music.
* - Multi-user separation on the same physical device.
*/
#define FUSE_TRACE 0
#if FUSE_TRACE
#define TRACE(x...) ALOGD(x)
#else
#define TRACE(x...) do {} while (0)
#endif
#define ERROR(x...) ALOGE(x)
#define FUSE_UNKNOWN_INO 0xffffffff #define FUSE_UNKNOWN_INO 0xffffffff
/* Maximum number of bytes to write in one request. */
#define MAX_WRITE (256 * 1024)
/* Maximum number of bytes to read in one request. */
#define MAX_READ (128 * 1024)
/* Largest possible request.
* The request size is bounded by the maximum size of a FUSE_WRITE request because it has
* the largest possible data payload. */
#define MAX_REQUEST_SIZE (sizeof(struct fuse_in_header) + sizeof(struct fuse_write_in) + MAX_WRITE)
/* Pseudo-error constant used to indicate that no fuse status is needed /* Pseudo-error constant used to indicate that no fuse status is needed
* or that a reply has already been written. */ * or that a reply has already been written. */
#define NO_STATUS 1 #define NO_STATUS 1
/* Supplementary groups to execute with */
static const gid_t kGroups[1] = { AID_PACKAGE_INFO };
/* Permission mode for a specific node. Controls how file permissions
* are derived for children nodes. */
typedef enum {
/* Nothing special; this node should just inherit from its parent. */
PERM_INHERIT,
/* This node is one level above a normal root; used for legacy layouts
* which use the first level to represent user_id. */
PERM_PRE_ROOT,
/* This node is "/" */
PERM_ROOT,
/* This node is "/Android" */
PERM_ANDROID,
/* This node is "/Android/data" */
PERM_ANDROID_DATA,
/* This node is "/Android/obb" */
PERM_ANDROID_OBB,
/* This node is "/Android/media" */
PERM_ANDROID_MEDIA,
} perm_t;
struct handle {
int fd;
};
struct dirhandle {
DIR *d;
};
struct node {
__u32 refcount;
__u64 nid;
__u64 gen;
/*
* The inode number for this FUSE node. Note that this isn't stable across
* multiple invocations of the FUSE daemon.
*/
__u32 ino;
/* State derived based on current position in hierarchy. */
perm_t perm;
userid_t userid;
uid_t uid;
bool under_android;
struct node *next; /* per-dir sibling list */
struct node *child; /* first contained file by this dir */
struct node *parent; /* containing directory */
size_t namelen;
char *name;
/* If non-null, this is the real name of the file in the underlying storage.
* This may differ from the field "name" only by case.
* strlen(actual_name) will always equal strlen(name), so it is safe to use
* namelen for both fields.
*/
char *actual_name;
/* If non-null, an exact underlying path that should be grafted into this
* position. Used to support things like OBB. */
char* graft_path;
size_t graft_pathlen;
bool deleted;
};
static int str_hash(void *key) {
return hashmapHash(key, strlen(key));
}
/** Test if two string keys are equal ignoring case */
static bool str_icase_equals(void *keyA, void *keyB) {
return strcasecmp(keyA, keyB) == 0;
}
/* Global data for all FUSE mounts */
struct fuse_global {
pthread_mutex_t lock;
uid_t uid;
gid_t gid;
bool multi_user;
char source_path[PATH_MAX];
char obb_path[PATH_MAX];
Hashmap* package_to_appid;
__u64 next_generation;
struct node root;
/* Used to allocate unique inode numbers for fuse nodes. We use
* a simple counter based scheme where inode numbers from deleted
* nodes aren't reused. Note that inode allocations are not stable
* across multiple invocation of the sdcard daemon, but that shouldn't
* be a huge problem in practice.
*
* Note that we restrict inodes to 32 bit unsigned integers to prevent
* truncation on 32 bit processes when unsigned long long stat.st_ino is
* assigned to an unsigned long ino_t type in an LP32 process.
*
* Also note that fuse_attr and fuse_dirent inode values are 64 bits wide
* on both LP32 and LP64, but the fuse kernel code doesn't squash 64 bit
* inode numbers into 32 bit values on 64 bit kernels (see fuse_squash_ino
* in fs/fuse/inode.c).
*
* Accesses must be guarded by |lock|.
*/
__u32 inode_ctr;
struct fuse* fuse_default;
struct fuse* fuse_read;
struct fuse* fuse_write;
};
/* Single FUSE mount */
struct fuse {
struct fuse_global* global;
char dest_path[PATH_MAX];
int fd;
gid_t gid;
mode_t mask;
};
/* Private data used by a single FUSE handler */
struct fuse_handler {
struct fuse* fuse;
int token;
/* To save memory, we never use the contents of the request buffer and the read
* buffer at the same time. This allows us to share the underlying storage. */
union {
__u8 request_buffer[MAX_REQUEST_SIZE];
__u8 read_buffer[MAX_READ + PAGE_SIZE];
};
};
static inline void *id_to_ptr(__u64 nid) static inline void *id_to_ptr(__u64 nid)
{ {
return (void *) (uintptr_t) nid; return (void *) (uintptr_t) nid;
@ -507,7 +283,7 @@ static void derive_permissions_locked(struct fuse* fuse, struct node *parent,
} }
} }
static void derive_permissions_recursive_locked(struct fuse* fuse, struct node *parent) { void derive_permissions_recursive_locked(struct fuse* fuse, struct node *parent) {
struct node *node; struct node *node;
for (node = parent->child; node; node = node->next) { for (node = parent->child; node; node = node->next) {
derive_permissions_locked(fuse, parent, node); derive_permissions_locked(fuse, parent, node);
@ -1608,7 +1384,7 @@ static int handle_fuse_request(struct fuse *fuse, struct fuse_handler* handler,
} }
} }
static void handle_fuse_requests(struct fuse_handler* handler) void handle_fuse_requests(struct fuse_handler* handler)
{ {
struct fuse* fuse = handler->fuse; struct fuse* fuse = handler->fuse;
for (;;) { for (;;) {
@ -1651,339 +1427,3 @@ static void handle_fuse_requests(struct fuse_handler* handler)
} }
} }
} }
static void* start_handler(void* data)
{
struct fuse_handler* handler = data;
handle_fuse_requests(handler);
return NULL;
}
static bool remove_str_to_int(void *key, void *value, void *context) {
Hashmap* map = context;
hashmapRemove(map, key);
free(key);
return true;
}
static bool package_parse_callback(pkg_info *info, void *userdata) {
struct fuse_global *global = (struct fuse_global *)userdata;
char* name = strdup(info->name);
hashmapPut(global->package_to_appid, name, (void*) (uintptr_t) info->uid);
packagelist_free(info);
return true;
}
static bool read_package_list(struct fuse_global* global) {
pthread_mutex_lock(&global->lock);
hashmapForEach(global->package_to_appid, remove_str_to_int, global->package_to_appid);
bool rc = packagelist_parse(package_parse_callback, global);
TRACE("read_package_list: found %zu packages\n",
hashmapSize(global->package_to_appid));
/* Regenerate ownership details using newly loaded mapping */
derive_permissions_recursive_locked(global->fuse_default, &global->root);
pthread_mutex_unlock(&global->lock);
return rc;
}
static void watch_package_list(struct fuse_global* global) {
struct inotify_event *event;
char event_buf[512];
int nfd = inotify_init();
if (nfd < 0) {
ERROR("inotify_init failed: %s\n", strerror(errno));
return;
}
bool active = false;
while (1) {
if (!active) {
int res = inotify_add_watch(nfd, PACKAGES_LIST_FILE, IN_DELETE_SELF);
if (res == -1) {
if (errno == ENOENT || errno == EACCES) {
/* Framework may not have created yet, sleep and retry */
ERROR("missing \"%s\"; retrying\n", PACKAGES_LIST_FILE);
sleep(3);
continue;
} else {
ERROR("inotify_add_watch failed: %s\n", strerror(errno));
return;
}
}
/* Watch above will tell us about any future changes, so
* read the current state. */
if (read_package_list(global) == false) {
ERROR("read_package_list failed\n");
return;
}
active = true;
}
int event_pos = 0;
int res = read(nfd, event_buf, sizeof(event_buf));
if (res < (int) sizeof(*event)) {
if (errno == EINTR)
continue;
ERROR("failed to read inotify event: %s\n", strerror(errno));
return;
}
while (res >= (int) sizeof(*event)) {
int event_size;
event = (struct inotify_event *) (event_buf + event_pos);
TRACE("inotify event: %08x\n", event->mask);
if ((event->mask & IN_IGNORED) == IN_IGNORED) {
/* Previously watched file was deleted, probably due to move
* that swapped in new data; re-arm the watch and read. */
active = false;
}
event_size = sizeof(*event) + event->len;
res -= event_size;
event_pos += event_size;
}
}
}
static int usage() {
ERROR("usage: sdcard [OPTIONS] <source_path> <label>\n"
" -u: specify UID to run as\n"
" -g: specify GID to run as\n"
" -U: specify user ID that owns device\n"
" -m: source_path is multi-user\n"
" -w: runtime write mount has full write access\n"
"\n");
return 1;
}
static int fuse_setup(struct fuse* fuse, gid_t gid, mode_t mask) {
char opts[256];
fuse->fd = open("/dev/fuse", O_RDWR);
if (fuse->fd == -1) {
ERROR("failed to open fuse device: %s\n", strerror(errno));
return -1;
}
umount2(fuse->dest_path, MNT_DETACH);
snprintf(opts, sizeof(opts),
"fd=%i,rootmode=40000,default_permissions,allow_other,user_id=%d,group_id=%d",
fuse->fd, fuse->global->uid, fuse->global->gid);
if (mount("/dev/fuse", fuse->dest_path, "fuse", MS_NOSUID | MS_NODEV | MS_NOEXEC |
MS_NOATIME, opts) != 0) {
ERROR("failed to mount fuse filesystem: %s\n", strerror(errno));
return -1;
}
fuse->gid = gid;
fuse->mask = mask;
return 0;
}
static void run(const char* source_path, const char* label, uid_t uid,
gid_t gid, userid_t userid, bool multi_user, bool full_write) {
struct fuse_global global;
struct fuse fuse_default;
struct fuse fuse_read;
struct fuse fuse_write;
struct fuse_handler handler_default;
struct fuse_handler handler_read;
struct fuse_handler handler_write;
pthread_t thread_default;
pthread_t thread_read;
pthread_t thread_write;
memset(&global, 0, sizeof(global));
memset(&fuse_default, 0, sizeof(fuse_default));
memset(&fuse_read, 0, sizeof(fuse_read));
memset(&fuse_write, 0, sizeof(fuse_write));
memset(&handler_default, 0, sizeof(handler_default));
memset(&handler_read, 0, sizeof(handler_read));
memset(&handler_write, 0, sizeof(handler_write));
pthread_mutex_init(&global.lock, NULL);
global.package_to_appid = hashmapCreate(256, str_hash, str_icase_equals);
global.uid = uid;
global.gid = gid;
global.multi_user = multi_user;
global.next_generation = 0;
global.inode_ctr = 1;
memset(&global.root, 0, sizeof(global.root));
global.root.nid = FUSE_ROOT_ID; /* 1 */
global.root.refcount = 2;
global.root.namelen = strlen(source_path);
global.root.name = strdup(source_path);
global.root.userid = userid;
global.root.uid = AID_ROOT;
global.root.under_android = false;
strcpy(global.source_path, source_path);
if (multi_user) {
global.root.perm = PERM_PRE_ROOT;
snprintf(global.obb_path, sizeof(global.obb_path), "%s/obb", source_path);
} else {
global.root.perm = PERM_ROOT;
snprintf(global.obb_path, sizeof(global.obb_path), "%s/Android/obb", source_path);
}
fuse_default.global = &global;
fuse_read.global = &global;
fuse_write.global = &global;
global.fuse_default = &fuse_default;
global.fuse_read = &fuse_read;
global.fuse_write = &fuse_write;
snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label);
snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime/read/%s", label);
snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime/write/%s", label);
handler_default.fuse = &fuse_default;
handler_read.fuse = &fuse_read;
handler_write.fuse = &fuse_write;
handler_default.token = 0;
handler_read.token = 1;
handler_write.token = 2;
umask(0);
if (multi_user) {
/* Multi-user storage is fully isolated per user, so "other"
* permissions are completely masked off. */
if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
|| fuse_setup(&fuse_read, AID_EVERYBODY, 0027)
|| fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0027)) {
ERROR("failed to fuse_setup\n");
exit(1);
}
} else {
/* Physical storage is readable by all users on device, but
* the Android directories are masked off to a single user
* deep inside attr_from_stat(). */
if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
|| fuse_setup(&fuse_read, AID_EVERYBODY, full_write ? 0027 : 0022)
|| fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0022)) {
ERROR("failed to fuse_setup\n");
exit(1);
}
}
/* Drop privs */
if (setgroups(sizeof(kGroups) / sizeof(kGroups[0]), kGroups) < 0) {
ERROR("cannot setgroups: %s\n", strerror(errno));
exit(1);
}
if (setgid(gid) < 0) {
ERROR("cannot setgid: %s\n", strerror(errno));
exit(1);
}
if (setuid(uid) < 0) {
ERROR("cannot setuid: %s\n", strerror(errno));
exit(1);
}
if (multi_user) {
fs_prepare_dir(global.obb_path, 0775, uid, gid);
}
if (pthread_create(&thread_default, NULL, start_handler, &handler_default)
|| pthread_create(&thread_read, NULL, start_handler, &handler_read)
|| pthread_create(&thread_write, NULL, start_handler, &handler_write)) {
ERROR("failed to pthread_create\n");
exit(1);
}
watch_package_list(&global);
ERROR("terminated prematurely\n");
exit(1);
}
int main(int argc, char **argv) {
const char *source_path = NULL;
const char *label = NULL;
uid_t uid = 0;
gid_t gid = 0;
userid_t userid = 0;
bool multi_user = false;
bool full_write = false;
int i;
struct rlimit rlim;
int fs_version;
int opt;
while ((opt = getopt(argc, argv, "u:g:U:mw")) != -1) {
switch (opt) {
case 'u':
uid = strtoul(optarg, NULL, 10);
break;
case 'g':
gid = strtoul(optarg, NULL, 10);
break;
case 'U':
userid = strtoul(optarg, NULL, 10);
break;
case 'm':
multi_user = true;
break;
case 'w':
full_write = true;
break;
case '?':
default:
return usage();
}
}
for (i = optind; i < argc; i++) {
char* arg = argv[i];
if (!source_path) {
source_path = arg;
} else if (!label) {
label = arg;
} else {
ERROR("too many arguments\n");
return usage();
}
}
if (!source_path) {
ERROR("no source path specified\n");
return usage();
}
if (!label) {
ERROR("no label specified\n");
return usage();
}
if (!uid || !gid) {
ERROR("uid and gid must be nonzero\n");
return usage();
}
rlim.rlim_cur = 8192;
rlim.rlim_max = 8192;
if (setrlimit(RLIMIT_NOFILE, &rlim)) {
ERROR("Error setting RLIMIT_NOFILE, errno = %d\n", errno);
}
while ((fs_read_atomic_int("/data/.layout_version", &fs_version) == -1) || (fs_version < 3)) {
ERROR("installd fs upgrade not yet complete. Waiting...\n");
sleep(1);
}
run(source_path, label, uid, gid, userid, multi_user, full_write);
return 1;
}

203
sdcard/fuse.h Normal file
View file

@ -0,0 +1,203 @@
/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef FUSE_H_
#define FUSE_H_
#include <dirent.h>
#include <fcntl.h>
#include <linux/fuse.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/statfs.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <cutils/fs.h>
#include <cutils/hashmap.h>
#include <cutils/log.h>
#include <cutils/multiuser.h>
#include <packagelistparser/packagelistparser.h>
#include <private/android_filesystem_config.h>
#ifdef __cplusplus
extern "C" {
#endif
#define FUSE_TRACE 0
#if FUSE_TRACE
#define TRACE(x...) ALOGD(x)
#else
#define TRACE(x...) do {} while (0)
#endif
#define ERROR(x...) ALOGE(x)
/* Maximum number of bytes to write in one request. */
#define MAX_WRITE (256 * 1024)
/* Maximum number of bytes to read in one request. */
#define MAX_READ (128 * 1024)
/* Largest possible request.
* The request size is bounded by the maximum size of a FUSE_WRITE request because it has
* the largest possible data payload. */
#define MAX_REQUEST_SIZE (sizeof(struct fuse_in_header) + sizeof(struct fuse_write_in) + MAX_WRITE)
/* Permission mode for a specific node. Controls how file permissions
* are derived for children nodes. */
typedef enum {
/* Nothing special; this node should just inherit from its parent. */
PERM_INHERIT,
/* This node is one level above a normal root; used for legacy layouts
* which use the first level to represent user_id. */
PERM_PRE_ROOT,
/* This node is "/" */
PERM_ROOT,
/* This node is "/Android" */
PERM_ANDROID,
/* This node is "/Android/data" */
PERM_ANDROID_DATA,
/* This node is "/Android/obb" */
PERM_ANDROID_OBB,
/* This node is "/Android/media" */
PERM_ANDROID_MEDIA,
} perm_t;
struct handle {
int fd;
};
struct dirhandle {
DIR *d;
};
struct node {
__u32 refcount;
__u64 nid;
__u64 gen;
/*
* The inode number for this FUSE node. Note that this isn't stable across
* multiple invocations of the FUSE daemon.
*/
__u32 ino;
/* State derived based on current position in hierarchy. */
perm_t perm;
userid_t userid;
uid_t uid;
bool under_android;
struct node *next; /* per-dir sibling list */
struct node *child; /* first contained file by this dir */
struct node *parent; /* containing directory */
size_t namelen;
char *name;
/* If non-null, this is the real name of the file in the underlying storage.
* This may differ from the field "name" only by case.
* strlen(actual_name) will always equal strlen(name), so it is safe to use
* namelen for both fields.
*/
char *actual_name;
/* If non-null, an exact underlying path that should be grafted into this
* position. Used to support things like OBB. */
char* graft_path;
size_t graft_pathlen;
bool deleted;
};
/* Global data for all FUSE mounts */
struct fuse_global {
pthread_mutex_t lock;
uid_t uid;
gid_t gid;
bool multi_user;
char source_path[PATH_MAX];
char obb_path[PATH_MAX];
Hashmap* package_to_appid;
__u64 next_generation;
struct node root;
/* Used to allocate unique inode numbers for fuse nodes. We use
* a simple counter based scheme where inode numbers from deleted
* nodes aren't reused. Note that inode allocations are not stable
* across multiple invocation of the sdcard daemon, but that shouldn't
* be a huge problem in practice.
*
* Note that we restrict inodes to 32 bit unsigned integers to prevent
* truncation on 32 bit processes when unsigned long long stat.st_ino is
* assigned to an unsigned long ino_t type in an LP32 process.
*
* Also note that fuse_attr and fuse_dirent inode values are 64 bits wide
* on both LP32 and LP64, but the fuse kernel code doesn't squash 64 bit
* inode numbers into 32 bit values on 64 bit kernels (see fuse_squash_ino
* in fs/fuse/inode.c).
*
* Accesses must be guarded by |lock|.
*/
__u32 inode_ctr;
struct fuse* fuse_default;
struct fuse* fuse_read;
struct fuse* fuse_write;
};
/* Single FUSE mount */
struct fuse {
struct fuse_global* global;
char dest_path[PATH_MAX];
int fd;
gid_t gid;
mode_t mask;
};
/* Private data used by a single FUSE handler */
struct fuse_handler {
struct fuse* fuse;
int token;
/* To save memory, we never use the contents of the request buffer and the read
* buffer at the same time. This allows us to share the underlying storage. */
union {
__u8 request_buffer[MAX_REQUEST_SIZE];
__u8 read_buffer[MAX_READ + PAGE_SIZE];
};
};
void handle_fuse_requests(struct fuse_handler* handler);
void derive_permissions_recursive_locked(struct fuse* fuse, struct node *parent);
#ifdef __cplusplus
}; /* extern "C" */
#endif
#endif /* FUSE_H_ */

418
sdcard/sdcard.cpp Normal file
View file

@ -0,0 +1,418 @@
// Copyright (C) 2016 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#define LOG_TAG "sdcard"
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/fuse.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/mount.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <cutils/fs.h>
#include <cutils/hashmap.h>
#include <cutils/log.h>
#include <cutils/multiuser.h>
#include <packagelistparser/packagelistparser.h>
#include <private/android_filesystem_config.h>
/* README
*
* What is this?
*
* sdcard is a program that uses FUSE to emulate FAT-on-sdcard style
* directory permissions (all files are given fixed owner, group, and
* permissions at creation, owner, group, and permissions are not
* changeable, symlinks and hardlinks are not createable, etc.
*
* See usage() for command line options.
*
* It must be run as root, but will drop to requested UID/GID as soon as it
* mounts a filesystem. It will refuse to run if requested UID/GID are zero.
*
* Things I believe to be true:
*
* - ops that return a fuse_entry (LOOKUP, MKNOD, MKDIR, LINK, SYMLINK,
* CREAT) must bump that node's refcount
* - don't forget that FORGET can forget multiple references (req->nlookup)
* - if an op that returns a fuse_entry fails writing the reply to the
* kernel, you must rollback the refcount to reflect the reference the
* kernel did not actually acquire
*
* This daemon can also derive custom filesystem permissions based on directory
* structure when requested. These custom permissions support several features:
*
* - Apps can access their own files in /Android/data/com.example/ without
* requiring any additional GIDs.
* - Separate permissions for protecting directories like Pictures and Music.
* - Multi-user separation on the same physical device.
*/
#include "fuse.h"
/* Supplementary groups to execute with. */
static const gid_t kGroups[1] = { AID_PACKAGE_INFO };
static int str_hash(void *key) {
return hashmapHash(key, strlen(static_cast<const char*>(key)));
}
/* Tests if two string keys are equal ignoring case. */
static bool str_icase_equals(void *keyA, void *keyB) {
return strcasecmp(static_cast<const char*>(keyA), static_cast<const char*>(keyB)) == 0;
}
static bool remove_str_to_int(void *key, void *value, void *context) {
Hashmap* map = static_cast<Hashmap*>(context);
hashmapRemove(map, key);
free(key);
return true;
}
static bool package_parse_callback(pkg_info *info, void *userdata) {
struct fuse_global *global = (struct fuse_global *)userdata;
char* name = strdup(info->name);
hashmapPut(global->package_to_appid, name, (void*) (uintptr_t) info->uid);
packagelist_free(info);
return true;
}
static bool read_package_list(struct fuse_global* global) {
pthread_mutex_lock(&global->lock);
hashmapForEach(global->package_to_appid, remove_str_to_int, global->package_to_appid);
bool rc = packagelist_parse(package_parse_callback, global);
TRACE("read_package_list: found %zu packages\n",
hashmapSize(global->package_to_appid));
/* Regenerate ownership details using newly loaded mapping */
derive_permissions_recursive_locked(global->fuse_default, &global->root);
pthread_mutex_unlock(&global->lock);
return rc;
}
static void watch_package_list(struct fuse_global* global) {
struct inotify_event *event;
char event_buf[512];
int nfd = inotify_init();
if (nfd < 0) {
ERROR("inotify_init failed: %s\n", strerror(errno));
return;
}
bool active = false;
while (1) {
if (!active) {
int res = inotify_add_watch(nfd, PACKAGES_LIST_FILE, IN_DELETE_SELF);
if (res == -1) {
if (errno == ENOENT || errno == EACCES) {
/* Framework may not have created yet, sleep and retry */
ERROR("missing \"%s\"; retrying\n", PACKAGES_LIST_FILE);
sleep(3);
continue;
} else {
ERROR("inotify_add_watch failed: %s\n", strerror(errno));
return;
}
}
/* Watch above will tell us about any future changes, so
* read the current state. */
if (read_package_list(global) == false) {
ERROR("read_package_list failed\n");
return;
}
active = true;
}
int event_pos = 0;
int res = read(nfd, event_buf, sizeof(event_buf));
if (res < (int) sizeof(*event)) {
if (errno == EINTR)
continue;
ERROR("failed to read inotify event: %s\n", strerror(errno));
return;
}
while (res >= (int) sizeof(*event)) {
int event_size;
event = (struct inotify_event *) (event_buf + event_pos);
TRACE("inotify event: %08x\n", event->mask);
if ((event->mask & IN_IGNORED) == IN_IGNORED) {
/* Previously watched file was deleted, probably due to move
* that swapped in new data; re-arm the watch and read. */
active = false;
}
event_size = sizeof(*event) + event->len;
res -= event_size;
event_pos += event_size;
}
}
}
static int fuse_setup(struct fuse* fuse, gid_t gid, mode_t mask) {
char opts[256];
fuse->fd = open("/dev/fuse", O_RDWR);
if (fuse->fd == -1) {
ERROR("failed to open fuse device: %s\n", strerror(errno));
return -1;
}
umount2(fuse->dest_path, MNT_DETACH);
snprintf(opts, sizeof(opts),
"fd=%i,rootmode=40000,default_permissions,allow_other,user_id=%d,group_id=%d",
fuse->fd, fuse->global->uid, fuse->global->gid);
if (mount("/dev/fuse", fuse->dest_path, "fuse", MS_NOSUID | MS_NODEV | MS_NOEXEC |
MS_NOATIME, opts) != 0) {
ERROR("failed to mount fuse filesystem: %s\n", strerror(errno));
return -1;
}
fuse->gid = gid;
fuse->mask = mask;
return 0;
}
static void* start_handler(void* data) {
struct fuse_handler* handler = static_cast<fuse_handler*>(data);
handle_fuse_requests(handler);
return NULL;
}
static void run(const char* source_path, const char* label, uid_t uid,
gid_t gid, userid_t userid, bool multi_user, bool full_write) {
struct fuse_global global;
struct fuse fuse_default;
struct fuse fuse_read;
struct fuse fuse_write;
struct fuse_handler handler_default;
struct fuse_handler handler_read;
struct fuse_handler handler_write;
pthread_t thread_default;
pthread_t thread_read;
pthread_t thread_write;
memset(&global, 0, sizeof(global));
memset(&fuse_default, 0, sizeof(fuse_default));
memset(&fuse_read, 0, sizeof(fuse_read));
memset(&fuse_write, 0, sizeof(fuse_write));
memset(&handler_default, 0, sizeof(handler_default));
memset(&handler_read, 0, sizeof(handler_read));
memset(&handler_write, 0, sizeof(handler_write));
pthread_mutex_init(&global.lock, NULL);
global.package_to_appid = hashmapCreate(256, str_hash, str_icase_equals);
global.uid = uid;
global.gid = gid;
global.multi_user = multi_user;
global.next_generation = 0;
global.inode_ctr = 1;
memset(&global.root, 0, sizeof(global.root));
global.root.nid = FUSE_ROOT_ID; /* 1 */
global.root.refcount = 2;
global.root.namelen = strlen(source_path);
global.root.name = strdup(source_path);
global.root.userid = userid;
global.root.uid = AID_ROOT;
global.root.under_android = false;
strcpy(global.source_path, source_path);
if (multi_user) {
global.root.perm = PERM_PRE_ROOT;
snprintf(global.obb_path, sizeof(global.obb_path), "%s/obb", source_path);
} else {
global.root.perm = PERM_ROOT;
snprintf(global.obb_path, sizeof(global.obb_path), "%s/Android/obb", source_path);
}
fuse_default.global = &global;
fuse_read.global = &global;
fuse_write.global = &global;
global.fuse_default = &fuse_default;
global.fuse_read = &fuse_read;
global.fuse_write = &fuse_write;
snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label);
snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime/read/%s", label);
snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime/write/%s", label);
handler_default.fuse = &fuse_default;
handler_read.fuse = &fuse_read;
handler_write.fuse = &fuse_write;
handler_default.token = 0;
handler_read.token = 1;
handler_write.token = 2;
umask(0);
if (multi_user) {
/* Multi-user storage is fully isolated per user, so "other"
* permissions are completely masked off. */
if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
|| fuse_setup(&fuse_read, AID_EVERYBODY, 0027)
|| fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0027)) {
ERROR("failed to fuse_setup\n");
exit(1);
}
} else {
/* Physical storage is readable by all users on device, but
* the Android directories are masked off to a single user
* deep inside attr_from_stat(). */
if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
|| fuse_setup(&fuse_read, AID_EVERYBODY, full_write ? 0027 : 0022)
|| fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0022)) {
ERROR("failed to fuse_setup\n");
exit(1);
}
}
/* Drop privs */
if (setgroups(sizeof(kGroups) / sizeof(kGroups[0]), kGroups) < 0) {
ERROR("cannot setgroups: %s\n", strerror(errno));
exit(1);
}
if (setgid(gid) < 0) {
ERROR("cannot setgid: %s\n", strerror(errno));
exit(1);
}
if (setuid(uid) < 0) {
ERROR("cannot setuid: %s\n", strerror(errno));
exit(1);
}
if (multi_user) {
fs_prepare_dir(global.obb_path, 0775, uid, gid);
}
if (pthread_create(&thread_default, NULL, start_handler, &handler_default)
|| pthread_create(&thread_read, NULL, start_handler, &handler_read)
|| pthread_create(&thread_write, NULL, start_handler, &handler_write)) {
ERROR("failed to pthread_create\n");
exit(1);
}
watch_package_list(&global);
ERROR("terminated prematurely\n");
exit(1);
}
static int usage() {
ERROR("usage: sdcard [OPTIONS] <source_path> <label>\n"
" -u: specify UID to run as\n"
" -g: specify GID to run as\n"
" -U: specify user ID that owns device\n"
" -m: source_path is multi-user\n"
" -w: runtime write mount has full write access\n"
"\n");
return 1;
}
int main(int argc, char **argv) {
const char *source_path = NULL;
const char *label = NULL;
uid_t uid = 0;
gid_t gid = 0;
userid_t userid = 0;
bool multi_user = false;
bool full_write = false;
int i;
struct rlimit rlim;
int fs_version;
int opt;
while ((opt = getopt(argc, argv, "u:g:U:mw")) != -1) {
switch (opt) {
case 'u':
uid = strtoul(optarg, NULL, 10);
break;
case 'g':
gid = strtoul(optarg, NULL, 10);
break;
case 'U':
userid = strtoul(optarg, NULL, 10);
break;
case 'm':
multi_user = true;
break;
case 'w':
full_write = true;
break;
case '?':
default:
return usage();
}
}
for (i = optind; i < argc; i++) {
char* arg = argv[i];
if (!source_path) {
source_path = arg;
} else if (!label) {
label = arg;
} else {
ERROR("too many arguments\n");
return usage();
}
}
if (!source_path) {
ERROR("no source path specified\n");
return usage();
}
if (!label) {
ERROR("no label specified\n");
return usage();
}
if (!uid || !gid) {
ERROR("uid and gid must be nonzero\n");
return usage();
}
rlim.rlim_cur = 8192;
rlim.rlim_max = 8192;
if (setrlimit(RLIMIT_NOFILE, &rlim)) {
ERROR("Error setting RLIMIT_NOFILE, errno = %d\n", errno);
}
while ((fs_read_atomic_int("/data/.layout_version", &fs_version) == -1) || (fs_version < 3)) {
ERROR("installd fs upgrade not yet complete. Waiting...\n");
sleep(1);
}
run(source_path, label, uid, gid, userid, multi_user, full_write);
return 1;
}