Extract the FUSE implementation from the main sdcard.c file.
sdcard.c is a *really* big file. This makes it hard to do things like
improving priv dropping or adding more sandboxing. Extract all
FUSE-related code to a separate unit, fuse.{h|c}, which exports only
two functions. Convert the rest of sdcard.c to C++ as sdcard.cpp.
fuse.c is kept as C (at least for now) since interacting with the FUSE
API is realistically easier from C.
Bug: 30110940
Change-Id: I188bfdc21c184742117e07539adb09090d4d747c
diff --git a/sdcard/sdcard.cpp b/sdcard/sdcard.cpp
new file mode 100644
index 0000000..00dcaf9
--- /dev/null
+++ b/sdcard/sdcard.cpp
@@ -0,0 +1,418 @@
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#define LOG_TAG "sdcard"
+
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/fuse.h>
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/inotify.h>
+#include <sys/mount.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <cutils/fs.h>
+#include <cutils/hashmap.h>
+#include <cutils/log.h>
+#include <cutils/multiuser.h>
+#include <packagelistparser/packagelistparser.h>
+
+#include <private/android_filesystem_config.h>
+
+/* README
+ *
+ * What is this?
+ *
+ * sdcard is a program that uses FUSE to emulate FAT-on-sdcard style
+ * directory permissions (all files are given fixed owner, group, and
+ * permissions at creation, owner, group, and permissions are not
+ * changeable, symlinks and hardlinks are not createable, etc.
+ *
+ * See usage() for command line options.
+ *
+ * It must be run as root, but will drop to requested UID/GID as soon as it
+ * mounts a filesystem. It will refuse to run if requested UID/GID are zero.
+ *
+ * Things I believe to be true:
+ *
+ * - ops that return a fuse_entry (LOOKUP, MKNOD, MKDIR, LINK, SYMLINK,
+ * CREAT) must bump that node's refcount
+ * - don't forget that FORGET can forget multiple references (req->nlookup)
+ * - if an op that returns a fuse_entry fails writing the reply to the
+ * kernel, you must rollback the refcount to reflect the reference the
+ * kernel did not actually acquire
+ *
+ * This daemon can also derive custom filesystem permissions based on directory
+ * structure when requested. These custom permissions support several features:
+ *
+ * - Apps can access their own files in /Android/data/com.example/ without
+ * requiring any additional GIDs.
+ * - Separate permissions for protecting directories like Pictures and Music.
+ * - Multi-user separation on the same physical device.
+ */
+
+#include "fuse.h"
+
+/* Supplementary groups to execute with. */
+static const gid_t kGroups[1] = { AID_PACKAGE_INFO };
+
+static int str_hash(void *key) {
+ return hashmapHash(key, strlen(static_cast<const char*>(key)));
+}
+
+/* Tests if two string keys are equal ignoring case. */
+static bool str_icase_equals(void *keyA, void *keyB) {
+ return strcasecmp(static_cast<const char*>(keyA), static_cast<const char*>(keyB)) == 0;
+}
+
+static bool remove_str_to_int(void *key, void *value, void *context) {
+ Hashmap* map = static_cast<Hashmap*>(context);
+ hashmapRemove(map, key);
+ free(key);
+ return true;
+}
+
+static bool package_parse_callback(pkg_info *info, void *userdata) {
+ struct fuse_global *global = (struct fuse_global *)userdata;
+
+ char* name = strdup(info->name);
+ hashmapPut(global->package_to_appid, name, (void*) (uintptr_t) info->uid);
+ packagelist_free(info);
+ return true;
+}
+
+static bool read_package_list(struct fuse_global* global) {
+ pthread_mutex_lock(&global->lock);
+
+ hashmapForEach(global->package_to_appid, remove_str_to_int, global->package_to_appid);
+
+ bool rc = packagelist_parse(package_parse_callback, global);
+ TRACE("read_package_list: found %zu packages\n",
+ hashmapSize(global->package_to_appid));
+
+ /* Regenerate ownership details using newly loaded mapping */
+ derive_permissions_recursive_locked(global->fuse_default, &global->root);
+
+ pthread_mutex_unlock(&global->lock);
+
+ return rc;
+}
+
+static void watch_package_list(struct fuse_global* global) {
+ struct inotify_event *event;
+ char event_buf[512];
+
+ int nfd = inotify_init();
+ if (nfd < 0) {
+ ERROR("inotify_init failed: %s\n", strerror(errno));
+ return;
+ }
+
+ bool active = false;
+ while (1) {
+ if (!active) {
+ int res = inotify_add_watch(nfd, PACKAGES_LIST_FILE, IN_DELETE_SELF);
+ if (res == -1) {
+ if (errno == ENOENT || errno == EACCES) {
+ /* Framework may not have created yet, sleep and retry */
+ ERROR("missing \"%s\"; retrying\n", PACKAGES_LIST_FILE);
+ sleep(3);
+ continue;
+ } else {
+ ERROR("inotify_add_watch failed: %s\n", strerror(errno));
+ return;
+ }
+ }
+
+ /* Watch above will tell us about any future changes, so
+ * read the current state. */
+ if (read_package_list(global) == false) {
+ ERROR("read_package_list failed\n");
+ return;
+ }
+ active = true;
+ }
+
+ int event_pos = 0;
+ int res = read(nfd, event_buf, sizeof(event_buf));
+ if (res < (int) sizeof(*event)) {
+ if (errno == EINTR)
+ continue;
+ ERROR("failed to read inotify event: %s\n", strerror(errno));
+ return;
+ }
+
+ while (res >= (int) sizeof(*event)) {
+ int event_size;
+ event = (struct inotify_event *) (event_buf + event_pos);
+
+ TRACE("inotify event: %08x\n", event->mask);
+ if ((event->mask & IN_IGNORED) == IN_IGNORED) {
+ /* Previously watched file was deleted, probably due to move
+ * that swapped in new data; re-arm the watch and read. */
+ active = false;
+ }
+
+ event_size = sizeof(*event) + event->len;
+ res -= event_size;
+ event_pos += event_size;
+ }
+ }
+}
+
+static int fuse_setup(struct fuse* fuse, gid_t gid, mode_t mask) {
+ char opts[256];
+
+ fuse->fd = open("/dev/fuse", O_RDWR);
+ if (fuse->fd == -1) {
+ ERROR("failed to open fuse device: %s\n", strerror(errno));
+ return -1;
+ }
+
+ umount2(fuse->dest_path, MNT_DETACH);
+
+ snprintf(opts, sizeof(opts),
+ "fd=%i,rootmode=40000,default_permissions,allow_other,user_id=%d,group_id=%d",
+ fuse->fd, fuse->global->uid, fuse->global->gid);
+ if (mount("/dev/fuse", fuse->dest_path, "fuse", MS_NOSUID | MS_NODEV | MS_NOEXEC |
+ MS_NOATIME, opts) != 0) {
+ ERROR("failed to mount fuse filesystem: %s\n", strerror(errno));
+ return -1;
+ }
+
+ fuse->gid = gid;
+ fuse->mask = mask;
+
+ return 0;
+}
+
+static void* start_handler(void* data) {
+ struct fuse_handler* handler = static_cast<fuse_handler*>(data);
+ handle_fuse_requests(handler);
+ return NULL;
+}
+
+static void run(const char* source_path, const char* label, uid_t uid,
+ gid_t gid, userid_t userid, bool multi_user, bool full_write) {
+ struct fuse_global global;
+ struct fuse fuse_default;
+ struct fuse fuse_read;
+ struct fuse fuse_write;
+ struct fuse_handler handler_default;
+ struct fuse_handler handler_read;
+ struct fuse_handler handler_write;
+ pthread_t thread_default;
+ pthread_t thread_read;
+ pthread_t thread_write;
+
+ memset(&global, 0, sizeof(global));
+ memset(&fuse_default, 0, sizeof(fuse_default));
+ memset(&fuse_read, 0, sizeof(fuse_read));
+ memset(&fuse_write, 0, sizeof(fuse_write));
+ memset(&handler_default, 0, sizeof(handler_default));
+ memset(&handler_read, 0, sizeof(handler_read));
+ memset(&handler_write, 0, sizeof(handler_write));
+
+ pthread_mutex_init(&global.lock, NULL);
+ global.package_to_appid = hashmapCreate(256, str_hash, str_icase_equals);
+ global.uid = uid;
+ global.gid = gid;
+ global.multi_user = multi_user;
+ global.next_generation = 0;
+ global.inode_ctr = 1;
+
+ memset(&global.root, 0, sizeof(global.root));
+ global.root.nid = FUSE_ROOT_ID; /* 1 */
+ global.root.refcount = 2;
+ global.root.namelen = strlen(source_path);
+ global.root.name = strdup(source_path);
+ global.root.userid = userid;
+ global.root.uid = AID_ROOT;
+ global.root.under_android = false;
+
+ strcpy(global.source_path, source_path);
+
+ if (multi_user) {
+ global.root.perm = PERM_PRE_ROOT;
+ snprintf(global.obb_path, sizeof(global.obb_path), "%s/obb", source_path);
+ } else {
+ global.root.perm = PERM_ROOT;
+ snprintf(global.obb_path, sizeof(global.obb_path), "%s/Android/obb", source_path);
+ }
+
+ fuse_default.global = &global;
+ fuse_read.global = &global;
+ fuse_write.global = &global;
+
+ global.fuse_default = &fuse_default;
+ global.fuse_read = &fuse_read;
+ global.fuse_write = &fuse_write;
+
+ snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label);
+ snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime/read/%s", label);
+ snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime/write/%s", label);
+
+ handler_default.fuse = &fuse_default;
+ handler_read.fuse = &fuse_read;
+ handler_write.fuse = &fuse_write;
+
+ handler_default.token = 0;
+ handler_read.token = 1;
+ handler_write.token = 2;
+
+ umask(0);
+
+ if (multi_user) {
+ /* Multi-user storage is fully isolated per user, so "other"
+ * permissions are completely masked off. */
+ if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
+ || fuse_setup(&fuse_read, AID_EVERYBODY, 0027)
+ || fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0027)) {
+ ERROR("failed to fuse_setup\n");
+ exit(1);
+ }
+ } else {
+ /* Physical storage is readable by all users on device, but
+ * the Android directories are masked off to a single user
+ * deep inside attr_from_stat(). */
+ if (fuse_setup(&fuse_default, AID_SDCARD_RW, 0006)
+ || fuse_setup(&fuse_read, AID_EVERYBODY, full_write ? 0027 : 0022)
+ || fuse_setup(&fuse_write, AID_EVERYBODY, full_write ? 0007 : 0022)) {
+ ERROR("failed to fuse_setup\n");
+ exit(1);
+ }
+ }
+
+ /* Drop privs */
+ if (setgroups(sizeof(kGroups) / sizeof(kGroups[0]), kGroups) < 0) {
+ ERROR("cannot setgroups: %s\n", strerror(errno));
+ exit(1);
+ }
+ if (setgid(gid) < 0) {
+ ERROR("cannot setgid: %s\n", strerror(errno));
+ exit(1);
+ }
+ if (setuid(uid) < 0) {
+ ERROR("cannot setuid: %s\n", strerror(errno));
+ exit(1);
+ }
+
+ if (multi_user) {
+ fs_prepare_dir(global.obb_path, 0775, uid, gid);
+ }
+
+ if (pthread_create(&thread_default, NULL, start_handler, &handler_default)
+ || pthread_create(&thread_read, NULL, start_handler, &handler_read)
+ || pthread_create(&thread_write, NULL, start_handler, &handler_write)) {
+ ERROR("failed to pthread_create\n");
+ exit(1);
+ }
+
+ watch_package_list(&global);
+ ERROR("terminated prematurely\n");
+ exit(1);
+}
+
+static int usage() {
+ ERROR("usage: sdcard [OPTIONS] <source_path> <label>\n"
+ " -u: specify UID to run as\n"
+ " -g: specify GID to run as\n"
+ " -U: specify user ID that owns device\n"
+ " -m: source_path is multi-user\n"
+ " -w: runtime write mount has full write access\n"
+ "\n");
+ return 1;
+}
+
+int main(int argc, char **argv) {
+ const char *source_path = NULL;
+ const char *label = NULL;
+ uid_t uid = 0;
+ gid_t gid = 0;
+ userid_t userid = 0;
+ bool multi_user = false;
+ bool full_write = false;
+ int i;
+ struct rlimit rlim;
+ int fs_version;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "u:g:U:mw")) != -1) {
+ switch (opt) {
+ case 'u':
+ uid = strtoul(optarg, NULL, 10);
+ break;
+ case 'g':
+ gid = strtoul(optarg, NULL, 10);
+ break;
+ case 'U':
+ userid = strtoul(optarg, NULL, 10);
+ break;
+ case 'm':
+ multi_user = true;
+ break;
+ case 'w':
+ full_write = true;
+ break;
+ case '?':
+ default:
+ return usage();
+ }
+ }
+
+ for (i = optind; i < argc; i++) {
+ char* arg = argv[i];
+ if (!source_path) {
+ source_path = arg;
+ } else if (!label) {
+ label = arg;
+ } else {
+ ERROR("too many arguments\n");
+ return usage();
+ }
+ }
+
+ if (!source_path) {
+ ERROR("no source path specified\n");
+ return usage();
+ }
+ if (!label) {
+ ERROR("no label specified\n");
+ return usage();
+ }
+ if (!uid || !gid) {
+ ERROR("uid and gid must be nonzero\n");
+ return usage();
+ }
+
+ rlim.rlim_cur = 8192;
+ rlim.rlim_max = 8192;
+ if (setrlimit(RLIMIT_NOFILE, &rlim)) {
+ ERROR("Error setting RLIMIT_NOFILE, errno = %d\n", errno);
+ }
+
+ while ((fs_read_atomic_int("/data/.layout_version", &fs_version) == -1) || (fs_version < 3)) {
+ ERROR("installd fs upgrade not yet complete. Waiting...\n");
+ sleep(1);
+ }
+
+ run(source_path, label, uid, gid, userid, multi_user, full_write);
+ return 1;
+}