543 lines
19 KiB
C++
543 lines
19 KiB
C++
// Copyright (C) 2016 The Android Open Source Project
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
#define LOG_TAG "sdcard"
|
|
|
|
#include <dirent.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <linux/fuse.h>
|
|
#include <pthread.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/inotify.h>
|
|
#include <sys/mount.h>
|
|
#include <sys/resource.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
|
|
#include <android-base/file.h>
|
|
#include <android-base/logging.h>
|
|
#include <android-base/macros.h>
|
|
#include <android-base/stringprintf.h>
|
|
#include <android-base/strings.h>
|
|
|
|
#include <cutils/fs.h>
|
|
#include <cutils/multiuser.h>
|
|
#include <cutils/properties.h>
|
|
|
|
#include <packagelistparser/packagelistparser.h>
|
|
|
|
#include <libminijail.h>
|
|
#include <scoped_minijail.h>
|
|
|
|
#include <private/android_filesystem_config.h>
|
|
|
|
// README
|
|
//
|
|
// What is this?
|
|
//
|
|
// sdcard is a program that uses FUSE to emulate FAT-on-sdcard style
|
|
// directory permissions (all files are given fixed owner, group, and
|
|
// permissions at creation, owner, group, and permissions are not
|
|
// changeable, symlinks and hardlinks are not createable, etc.
|
|
//
|
|
// See usage() for command line options.
|
|
//
|
|
// It must be run as root, but will drop to requested UID/GID as soon as it
|
|
// mounts a filesystem. It will refuse to run if requested UID/GID are zero.
|
|
//
|
|
// Things I believe to be true:
|
|
//
|
|
// - ops that return a fuse_entry (LOOKUP, MKNOD, MKDIR, LINK, SYMLINK,
|
|
// CREAT) must bump that node's refcount
|
|
// - don't forget that FORGET can forget multiple references (req->nlookup)
|
|
// - if an op that returns a fuse_entry fails writing the reply to the
|
|
// kernel, you must rollback the refcount to reflect the reference the
|
|
// kernel did not actually acquire
|
|
//
|
|
// This daemon can also derive custom filesystem permissions based on directory
|
|
// structure when requested. These custom permissions support several features:
|
|
//
|
|
// - Apps can access their own files in /Android/data/com.example/ without
|
|
// requiring any additional GIDs.
|
|
// - Separate permissions for protecting directories like Pictures and Music.
|
|
// - Multi-user separation on the same physical device.
|
|
|
|
#include "fuse.h"
|
|
|
|
#define PROP_SDCARDFS_DEVICE "ro.sys.sdcardfs"
|
|
#define PROP_SDCARDFS_USER "persist.sys.sdcardfs"
|
|
|
|
/* Supplementary groups to execute with. */
|
|
static const gid_t kGroups[1] = { AID_PACKAGE_INFO };
|
|
|
|
static bool package_parse_callback(pkg_info *info, void *userdata) {
|
|
struct fuse_global *global = (struct fuse_global *)userdata;
|
|
bool res = global->package_to_appid->emplace(info->name, info->uid).second;
|
|
packagelist_free(info);
|
|
return res;
|
|
}
|
|
|
|
static bool read_package_list(struct fuse_global* global) {
|
|
pthread_mutex_lock(&global->lock);
|
|
|
|
global->package_to_appid->clear();
|
|
bool rc = packagelist_parse(package_parse_callback, global);
|
|
DLOG(INFO) << "read_package_list: found " << global->package_to_appid->size() << " packages";
|
|
|
|
// Regenerate ownership details using newly loaded mapping.
|
|
derive_permissions_recursive_locked(global->fuse_default, &global->root);
|
|
|
|
pthread_mutex_unlock(&global->lock);
|
|
|
|
return rc;
|
|
}
|
|
|
|
static void watch_package_list(struct fuse_global* global) {
|
|
struct inotify_event *event;
|
|
char event_buf[512];
|
|
|
|
int nfd = inotify_init();
|
|
if (nfd == -1) {
|
|
PLOG(ERROR) << "inotify_init failed";
|
|
return;
|
|
}
|
|
|
|
bool active = false;
|
|
while (1) {
|
|
if (!active) {
|
|
int res = inotify_add_watch(nfd, PACKAGES_LIST_FILE, IN_DELETE_SELF);
|
|
if (res == -1) {
|
|
if (errno == ENOENT || errno == EACCES) {
|
|
/* Framework may not have created the file yet, sleep and retry. */
|
|
LOG(ERROR) << "missing \"" << PACKAGES_LIST_FILE << "\"; retrying...";
|
|
sleep(3);
|
|
continue;
|
|
} else {
|
|
PLOG(ERROR) << "inotify_add_watch failed";
|
|
return;
|
|
}
|
|
}
|
|
|
|
/* Watch above will tell us about any future changes, so
|
|
* read the current state. */
|
|
if (read_package_list(global) == false) {
|
|
LOG(ERROR) << "read_package_list failed";
|
|
return;
|
|
}
|
|
active = true;
|
|
}
|
|
|
|
int event_pos = 0;
|
|
ssize_t res = TEMP_FAILURE_RETRY(read(nfd, event_buf, sizeof(event_buf)));
|
|
if (res == -1) {
|
|
PLOG(ERROR) << "failed to read inotify event";
|
|
return;
|
|
} else if (static_cast<size_t>(res) < sizeof(*event)) {
|
|
LOG(ERROR) << "failed to read inotify event: read " << res << " expected "
|
|
<< sizeof(event_buf);
|
|
return;
|
|
}
|
|
|
|
while (res >= static_cast<ssize_t>(sizeof(*event))) {
|
|
int event_size;
|
|
event = reinterpret_cast<struct inotify_event*>(event_buf + event_pos);
|
|
|
|
DLOG(INFO) << "inotify event: " << std::hex << event->mask << std::dec;
|
|
if ((event->mask & IN_IGNORED) == IN_IGNORED) {
|
|
/* Previously watched file was deleted, probably due to move
|
|
* that swapped in new data; re-arm the watch and read. */
|
|
active = false;
|
|
}
|
|
|
|
event_size = sizeof(*event) + event->len;
|
|
res -= event_size;
|
|
event_pos += event_size;
|
|
}
|
|
}
|
|
}
|
|
|
|
static int fuse_setup(struct fuse* fuse, gid_t gid, mode_t mask) {
|
|
char opts[256];
|
|
|
|
fuse->fd = TEMP_FAILURE_RETRY(open("/dev/fuse", O_RDWR | O_CLOEXEC));
|
|
if (fuse->fd == -1) {
|
|
PLOG(ERROR) << "failed to open fuse device";
|
|
return -1;
|
|
}
|
|
|
|
umount2(fuse->dest_path, MNT_DETACH);
|
|
|
|
snprintf(opts, sizeof(opts),
|
|
"fd=%i,rootmode=40000,default_permissions,allow_other,user_id=%d,group_id=%d",
|
|
fuse->fd, fuse->global->uid, fuse->global->gid);
|
|
if (mount("/dev/fuse", fuse->dest_path, "fuse", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME,
|
|
opts) == -1) {
|
|
PLOG(ERROR) << "failed to mount fuse filesystem";
|
|
return -1;
|
|
}
|
|
|
|
fuse->gid = gid;
|
|
fuse->mask = mask;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void drop_privs(uid_t uid, gid_t gid) {
|
|
ScopedMinijail j(minijail_new());
|
|
minijail_set_supplementary_gids(j.get(), arraysize(kGroups), kGroups);
|
|
minijail_change_gid(j.get(), gid);
|
|
minijail_change_uid(j.get(), uid);
|
|
/* minijail_enter() will abort if priv-dropping fails. */
|
|
minijail_enter(j.get());
|
|
}
|
|
|
|
static void* start_handler(void* data) {
|
|
struct fuse_handler* handler = static_cast<fuse_handler*>(data);
|
|
handle_fuse_requests(handler);
|
|
return NULL;
|
|
}
|
|
|
|
static void run(const char* source_path, const char* label, uid_t uid,
|
|
gid_t gid, userid_t userid, bool multi_user, bool full_write) {
|
|
struct fuse_global global;
|
|
struct fuse fuse_default;
|
|
struct fuse fuse_read;
|
|
struct fuse fuse_write;
|
|
struct fuse_handler handler_default;
|
|
struct fuse_handler handler_read;
|
|
struct fuse_handler handler_write;
|
|
pthread_t thread_default;
|
|
pthread_t thread_read;
|
|
pthread_t thread_write;
|
|
|
|
memset(&global, 0, sizeof(global));
|
|
memset(&fuse_default, 0, sizeof(fuse_default));
|
|
memset(&fuse_read, 0, sizeof(fuse_read));
|
|
memset(&fuse_write, 0, sizeof(fuse_write));
|
|
memset(&handler_default, 0, sizeof(handler_default));
|
|
memset(&handler_read, 0, sizeof(handler_read));
|
|
memset(&handler_write, 0, sizeof(handler_write));
|
|
|
|
pthread_mutex_init(&global.lock, NULL);
|
|
global.package_to_appid = new AppIdMap;
|
|
global.uid = uid;
|
|
global.gid = gid;
|
|
global.multi_user = multi_user;
|
|
global.next_generation = 0;
|
|
global.inode_ctr = 1;
|
|
|
|
memset(&global.root, 0, sizeof(global.root));
|
|
global.root.nid = FUSE_ROOT_ID; /* 1 */
|
|
global.root.refcount = 2;
|
|
global.root.namelen = strlen(source_path);
|
|
global.root.name = strdup(source_path);
|
|
global.root.userid = userid;
|
|
global.root.uid = AID_ROOT;
|
|
global.root.under_android = false;
|
|
|
|
// Clang static analyzer think strcpy potentially overwrites other fields
|
|
// in global. Use snprintf() to mute the false warning.
|
|
snprintf(global.source_path, sizeof(global.source_path), "%s", source_path);
|
|
|
|
if (multi_user) {
|
|
global.root.perm = PERM_PRE_ROOT;
|
|
snprintf(global.obb_path, sizeof(global.obb_path), "%s/obb", source_path);
|
|
} else {
|
|
global.root.perm = PERM_ROOT;
|
|
snprintf(global.obb_path, sizeof(global.obb_path), "%s/Android/obb", source_path);
|
|
}
|
|
|
|
fuse_default.global = &global;
|
|
fuse_read.global = &global;
|
|
fuse_write.global = &global;
|
|
|
|
global.fuse_default = &fuse_default;
|
|
global.fuse_read = &fuse_read;
|
|
global.fuse_write = &fuse_write;
|
|
|
|
snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label);
|
|
snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime/read/%s", label);
|
|
snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime/write/%s", label);
|
|
|
|
handler_default.fuse = &fuse_default;
|
|
handler_read.fuse = &fuse_read;
|
|
handler_write.fuse = &fuse_write;
|
|
|
|
handler_default.token = 0;
|
|
handler_read.token = 1;
|
|
handler_write.token = 2;
|
|
|
|
umask(0);
|
|
|
|
if (multi_user) {
|
|
/* Multi-user storage is fully isolated per user, so "other"
|
|
* permissions are completely masked off. */
|
|
if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
|
|
|| fuse_setup(&fuse_read, AID_EVERYBODY, 0027)
|
|
|| fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0027)) {
|
|
PLOG(FATAL) << "failed to fuse_setup";
|
|
}
|
|
} else {
|
|
/* Physical storage is readable by all users on device, but
|
|
* the Android directories are masked off to a single user
|
|
* deep inside attr_from_stat(). */
|
|
if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
|
|
|| fuse_setup(&fuse_read, AID_EVERYBODY, full_write ? 0027 : 0022)
|
|
|| fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0022)) {
|
|
PLOG(FATAL) << "failed to fuse_setup";
|
|
}
|
|
}
|
|
|
|
// Will abort if priv-dropping fails.
|
|
drop_privs(uid, gid);
|
|
|
|
if (multi_user) {
|
|
fs_prepare_dir(global.obb_path, 0775, uid, gid);
|
|
}
|
|
|
|
if (pthread_create(&thread_default, NULL, start_handler, &handler_default)
|
|
|| pthread_create(&thread_read, NULL, start_handler, &handler_read)
|
|
|| pthread_create(&thread_write, NULL, start_handler, &handler_write)) {
|
|
LOG(FATAL) << "failed to pthread_create";
|
|
}
|
|
|
|
watch_package_list(&global);
|
|
LOG(FATAL) << "terminated prematurely";
|
|
}
|
|
|
|
static bool sdcardfs_setup(const std::string& source_path, const std::string& dest_path,
|
|
uid_t fsuid, gid_t fsgid, bool multi_user, userid_t userid, gid_t gid,
|
|
mode_t mask, bool derive_gid) {
|
|
std::string opts = android::base::StringPrintf(
|
|
"fsuid=%d,fsgid=%d,%s%smask=%d,userid=%d,gid=%d", fsuid, fsgid,
|
|
multi_user ? "multiuser," : "", derive_gid ? "derive_gid," : "", mask, userid, gid);
|
|
|
|
if (mount(source_path.c_str(), dest_path.c_str(), "sdcardfs",
|
|
MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME, opts.c_str()) == -1) {
|
|
if (derive_gid) {
|
|
PLOG(ERROR) << "trying to mount sdcardfs filesystem without derive_gid";
|
|
/* Maybe this isn't supported on this kernel. Try without. */
|
|
opts = android::base::StringPrintf("fsuid=%d,fsgid=%d,%smask=%d,userid=%d,gid=%d",
|
|
fsuid, fsgid, multi_user ? "multiuser," : "", mask,
|
|
userid, gid);
|
|
if (mount(source_path.c_str(), dest_path.c_str(), "sdcardfs",
|
|
MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME, opts.c_str()) == -1) {
|
|
PLOG(ERROR) << "failed to mount sdcardfs filesystem";
|
|
return false;
|
|
}
|
|
} else {
|
|
PLOG(ERROR) << "failed to mount sdcardfs filesystem";
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
static bool sdcardfs_setup_bind_remount(const std::string& source_path, const std::string& dest_path,
|
|
gid_t gid, mode_t mask) {
|
|
std::string opts = android::base::StringPrintf("mask=%d,gid=%d", mask, gid);
|
|
|
|
if (mount(source_path.c_str(), dest_path.c_str(), nullptr,
|
|
MS_BIND, nullptr) != 0) {
|
|
PLOG(ERROR) << "failed to bind mount sdcardfs filesystem";
|
|
return false;
|
|
}
|
|
|
|
if (mount(source_path.c_str(), dest_path.c_str(), "none",
|
|
MS_REMOUNT | MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME, opts.c_str()) != 0) {
|
|
PLOG(ERROR) << "failed to mount sdcardfs filesystem";
|
|
if (umount2(dest_path.c_str(), MNT_DETACH))
|
|
PLOG(WARNING) << "Failed to unmount bind";
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static void run_sdcardfs(const std::string& source_path, const std::string& label, uid_t uid,
|
|
gid_t gid, userid_t userid, bool multi_user, bool full_write,
|
|
bool derive_gid) {
|
|
std::string dest_path_default = "/mnt/runtime/default/" + label;
|
|
std::string dest_path_read = "/mnt/runtime/read/" + label;
|
|
std::string dest_path_write = "/mnt/runtime/write/" + label;
|
|
|
|
umask(0);
|
|
if (multi_user) {
|
|
// Multi-user storage is fully isolated per user, so "other"
|
|
// permissions are completely masked off.
|
|
if (!sdcardfs_setup(source_path, dest_path_default, uid, gid, multi_user, userid,
|
|
AID_SDCARD_RW, 0006, derive_gid) ||
|
|
!sdcardfs_setup_bind_remount(dest_path_default, dest_path_read, AID_EVERYBODY, 0027) ||
|
|
!sdcardfs_setup_bind_remount(dest_path_default, dest_path_write, AID_EVERYBODY,
|
|
full_write ? 0007 : 0027)) {
|
|
LOG(FATAL) << "failed to sdcardfs_setup";
|
|
}
|
|
} else {
|
|
// Physical storage is readable by all users on device, but
|
|
// the Android directories are masked off to a single user
|
|
// deep inside attr_from_stat().
|
|
if (!sdcardfs_setup(source_path, dest_path_default, uid, gid, multi_user, userid,
|
|
AID_SDCARD_RW, 0006, derive_gid) ||
|
|
!sdcardfs_setup_bind_remount(dest_path_default, dest_path_read, AID_EVERYBODY,
|
|
full_write ? 0027 : 0022) ||
|
|
!sdcardfs_setup_bind_remount(dest_path_default, dest_path_write, AID_EVERYBODY,
|
|
full_write ? 0007 : 0022)) {
|
|
LOG(FATAL) << "failed to sdcardfs_setup";
|
|
}
|
|
}
|
|
|
|
// Will abort if priv-dropping fails.
|
|
drop_privs(uid, gid);
|
|
|
|
if (multi_user) {
|
|
std::string obb_path = source_path + "/obb";
|
|
fs_prepare_dir(obb_path.c_str(), 0775, uid, gid);
|
|
}
|
|
|
|
exit(0);
|
|
}
|
|
|
|
static bool supports_sdcardfs(void) {
|
|
std::string filesystems;
|
|
if (!android::base::ReadFileToString("/proc/filesystems", &filesystems)) {
|
|
PLOG(ERROR) << "Could not read /proc/filesystems";
|
|
return false;
|
|
}
|
|
for (const auto& fs : android::base::Split(filesystems, "\n")) {
|
|
if (fs.find("sdcardfs") != std::string::npos) return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static bool should_use_sdcardfs(void) {
|
|
char property[PROPERTY_VALUE_MAX];
|
|
|
|
// Allow user to have a strong opinion about state
|
|
property_get(PROP_SDCARDFS_USER, property, "");
|
|
if (!strcmp(property, "force_on")) {
|
|
LOG(WARNING) << "User explicitly enabled sdcardfs";
|
|
return supports_sdcardfs();
|
|
} else if (!strcmp(property, "force_off")) {
|
|
LOG(WARNING) << "User explicitly disabled sdcardfs";
|
|
return false;
|
|
}
|
|
|
|
// Fall back to device opinion about state
|
|
if (property_get_bool(PROP_SDCARDFS_DEVICE, true)) {
|
|
LOG(WARNING) << "Device explicitly enabled sdcardfs";
|
|
return supports_sdcardfs();
|
|
} else {
|
|
LOG(WARNING) << "Device explicitly disabled sdcardfs";
|
|
return false;
|
|
}
|
|
}
|
|
|
|
static int usage() {
|
|
LOG(ERROR) << "usage: sdcard [OPTIONS] <source_path> <label>"
|
|
<< " -u: specify UID to run as"
|
|
<< " -g: specify GID to run as"
|
|
<< " -U: specify user ID that owns device"
|
|
<< " -m: source_path is multi-user"
|
|
<< " -w: runtime write mount has full write access"
|
|
<< " -P preserve owners on the lower file system";
|
|
return 1;
|
|
}
|
|
|
|
int main(int argc, char **argv) {
|
|
const char *source_path = NULL;
|
|
const char *label = NULL;
|
|
uid_t uid = 0;
|
|
gid_t gid = 0;
|
|
userid_t userid = 0;
|
|
bool multi_user = false;
|
|
bool full_write = false;
|
|
bool derive_gid = false;
|
|
int i;
|
|
struct rlimit rlim;
|
|
int fs_version;
|
|
|
|
int opt;
|
|
while ((opt = getopt(argc, argv, "u:g:U:mwG")) != -1) {
|
|
switch (opt) {
|
|
case 'u':
|
|
uid = strtoul(optarg, NULL, 10);
|
|
break;
|
|
case 'g':
|
|
gid = strtoul(optarg, NULL, 10);
|
|
break;
|
|
case 'U':
|
|
userid = strtoul(optarg, NULL, 10);
|
|
break;
|
|
case 'm':
|
|
multi_user = true;
|
|
break;
|
|
case 'w':
|
|
full_write = true;
|
|
break;
|
|
case 'G':
|
|
derive_gid = true;
|
|
break;
|
|
case '?':
|
|
default:
|
|
return usage();
|
|
}
|
|
}
|
|
|
|
for (i = optind; i < argc; i++) {
|
|
char* arg = argv[i];
|
|
if (!source_path) {
|
|
source_path = arg;
|
|
} else if (!label) {
|
|
label = arg;
|
|
} else {
|
|
LOG(ERROR) << "too many arguments";
|
|
return usage();
|
|
}
|
|
}
|
|
|
|
if (!source_path) {
|
|
LOG(ERROR) << "no source path specified";
|
|
return usage();
|
|
}
|
|
if (!label) {
|
|
LOG(ERROR) << "no label specified";
|
|
return usage();
|
|
}
|
|
if (!uid || !gid) {
|
|
LOG(ERROR) << "uid and gid must be nonzero";
|
|
return usage();
|
|
}
|
|
|
|
rlim.rlim_cur = 8192;
|
|
rlim.rlim_max = 8192;
|
|
if (setrlimit(RLIMIT_NOFILE, &rlim) == -1) {
|
|
PLOG(ERROR) << "setting RLIMIT_NOFILE failed";
|
|
}
|
|
|
|
while ((fs_read_atomic_int("/data/.layout_version", &fs_version) == -1) || (fs_version < 3)) {
|
|
LOG(ERROR) << "installd fs upgrade not yet complete; waiting...";
|
|
sleep(1);
|
|
}
|
|
|
|
if (should_use_sdcardfs()) {
|
|
run_sdcardfs(source_path, label, uid, gid, userid, multi_user, full_write, derive_gid);
|
|
} else {
|
|
run(source_path, label, uid, gid, userid, multi_user, full_write);
|
|
}
|
|
return 1;
|
|
}
|