Add legacy layout support to FUSE, enforce write.
The legacy internal layout places users at the top-level of the
filesystem, so handle with new PERM_LEGACY_PRE_ROOT when requested.
Mirror single OBB directory between all users without requiring fancy
bind mounts by letting a nodes graft in another part of the
underlying tree.
Move to everything having "sdcard_r" GID by default, and verify that
calling apps hold "sdcard_rw" when performing mutations. Determines
app group membership from new packages.list column.
Flag to optionally enable sdcard_pics/sdcard_av permissions
splitting. Flag to supply a default GID for all files. Ignore
attempts to access security sensitive files. Fix run-as to check for
new "package_info" GID.
Change-Id: Id5f3680779109141c65fb8fa1daf56597f49ea0d
diff --git a/run-as/package.c b/run-as/package.c
index 27fc1eb..4762c5f 100644
--- a/run-as/package.c
+++ b/run-as/package.c
@@ -111,7 +111,7 @@
goto EXIT;
/* Ensure that the file is owned by the system user */
- if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_SYSTEM)) {
+ if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_PACKAGE_INFO)) {
goto EXIT;
}
diff --git a/sdcard/sdcard.c b/sdcard/sdcard.c
index 377c008..4427415 100644
--- a/sdcard/sdcard.c
+++ b/sdcard/sdcard.c
@@ -126,14 +126,30 @@
/* Permission mode for a specific node. Controls how file permissions
* are derived for children nodes. */
typedef enum {
+ /* Nothing special; this node should just inherit from its parent. */
PERM_INHERIT,
+ /* This node is one level above a normal root; used for legacy layouts
+ * which use the first level to represent user_id. */
+ PERM_LEGACY_PRE_ROOT,
+ /* This node is "/" */
PERM_ROOT,
+ /* This node is "/Android" */
PERM_ANDROID,
+ /* This node is "/Android/data" */
PERM_ANDROID_DATA,
+ /* This node is "/Android/obb" */
PERM_ANDROID_OBB,
+ /* This node is "/Android/user" */
PERM_ANDROID_USER,
} perm_t;
+/* Permissions structure to derive */
+typedef enum {
+ DERIVE_NONE,
+ DERIVE_LEGACY,
+ DERIVE_UNIFIED,
+} derive_t;
+
struct handle {
int fd;
};
@@ -142,10 +158,6 @@
DIR *d;
};
-struct package {
- appid_t appid;
-};
-
struct node {
__u32 refcount;
__u64 nid;
@@ -170,6 +182,11 @@
* namelen for both fields.
*/
char *actual_name;
+
+ /* If non-null, an exact underlying path that should be grafted into this
+ * position. Used to support things like OBB. */
+ char* graft_path;
+ size_t graft_pathlen;
};
static int str_hash(void *key) {
@@ -180,17 +197,27 @@
return strcmp(keyA, keyB) == 0;
}
+static int int_hash(void *key) {
+ return (int) key;
+}
+
+static bool int_equals(void *keyA, void *keyB) {
+ return keyA == keyB;
+}
+
/* Global data structure shared by all fuse handlers. */
struct fuse {
pthread_mutex_t lock;
__u64 next_generation;
int fd;
- bool derive_perms;
+ derive_t derive;
+ bool split_perms;
struct node root;
- char rootpath[PATH_MAX];
+ char obbpath[PATH_MAX];
- Hashmap *package_to_appid;
+ Hashmap* package_to_appid;
+ Hashmap* appid_with_rw;
};
/* Private data used by a single fuse handler. */
@@ -275,15 +302,26 @@
* Populates 'buf' with the path and returns the length of the path on success,
* or returns -1 if the path is too long for the provided buffer.
*/
-static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize)
-{
- size_t namelen = node->namelen;
+static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize) {
+ const char* name;
+ size_t namelen;
+ if (node->graft_path) {
+ name = node->graft_path;
+ namelen = node->graft_pathlen;
+ } else if (node->actual_name) {
+ name = node->actual_name;
+ namelen = node->namelen;
+ } else {
+ name = node->name;
+ namelen = node->namelen;
+ }
+
if (bufsize < namelen + 1) {
return -1;
}
ssize_t pathlen = 0;
- if (node->parent) {
+ if (node->parent && node->graft_path == NULL) {
pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 2);
if (pathlen < 0) {
return -1;
@@ -291,7 +329,6 @@
buf[pathlen++] = '/';
}
- const char* name = node->actual_name ? node->actual_name : node->name;
memcpy(buf + pathlen, name, namelen + 1); /* include trailing \0 */
return pathlen + namelen;
}
@@ -366,7 +403,7 @@
static void derive_permissions_locked(struct fuse* fuse, struct node *parent,
struct node *node) {
- struct package* package;
+ appid_t appid;
/* By default, each node inherits from its parent */
node->perm = PERM_INHERIT;
@@ -375,7 +412,7 @@
node->gid = parent->gid;
node->mode = parent->mode;
- if (!fuse->derive_perms) {
+ if (fuse->derive == DERIVE_NONE) {
return;
}
@@ -384,23 +421,30 @@
case PERM_INHERIT:
/* Already inherited above */
break;
+ case PERM_LEGACY_PRE_ROOT:
+ /* Legacy internal layout places users at top level */
+ node->perm = PERM_ROOT;
+ node->userid = strtoul(node->name, NULL, 10);
+ break;
case PERM_ROOT:
+ /* Assume masked off by default. */
+ node->mode = 0770;
if (!strcmp(node->name, "Android")) {
/* App-specific directories inside; let anyone traverse */
node->perm = PERM_ANDROID;
node->mode = 0771;
- } else if (!strcmp(node->name, "DCIM")
- || !strcmp(node->name, "Pictures")) {
- node->gid = AID_SDCARD_PICS;
- node->mode = 0770;
- } else if (!strcmp(node->name, "Alarms")
- || !strcmp(node->name, "Movies")
- || !strcmp(node->name, "Music")
- || !strcmp(node->name, "Notifications")
- || !strcmp(node->name, "Podcasts")
- || !strcmp(node->name, "Ringtones")) {
- node->gid = AID_SDCARD_AV;
- node->mode = 0770;
+ } else if (fuse->split_perms) {
+ if (!strcmp(node->name, "DCIM")
+ || !strcmp(node->name, "Pictures")) {
+ node->gid = AID_SDCARD_PICS;
+ } else if (!strcmp(node->name, "Alarms")
+ || !strcmp(node->name, "Movies")
+ || !strcmp(node->name, "Music")
+ || !strcmp(node->name, "Notifications")
+ || !strcmp(node->name, "Podcasts")
+ || !strcmp(node->name, "Ringtones")) {
+ node->gid = AID_SDCARD_AV;
+ }
}
break;
case PERM_ANDROID:
@@ -412,6 +456,9 @@
/* App-specific directories inside; let anyone traverse */
node->perm = PERM_ANDROID_OBB;
node->mode = 0771;
+ /* Single OBB directory is always shared */
+ node->graft_path = fuse->obbpath;
+ node->graft_pathlen = strlen(fuse->obbpath);
} else if (!strcmp(node->name, "user")) {
/* User directories must only be accessible to system, protected
* by sdcard_all. Zygote will bind mount the appropriate user-
@@ -423,22 +470,72 @@
break;
case PERM_ANDROID_DATA:
case PERM_ANDROID_OBB:
- package = hashmapGet(fuse->package_to_appid, node->name);
- if (package != NULL) {
- node->uid = multiuser_get_uid(parent->userid, package->appid);
+ appid = (appid_t) hashmapGet(fuse->package_to_appid, node->name);
+ if (appid != 0) {
+ node->uid = multiuser_get_uid(parent->userid, appid);
}
node->mode = 0770;
break;
case PERM_ANDROID_USER:
/* Root of a secondary user */
node->perm = PERM_ROOT;
- node->userid = atoi(node->name);
- node->gid = AID_SDCARD_RW;
+ node->userid = strtoul(node->name, NULL, 10);
+ node->gid = AID_SDCARD_R;
node->mode = 0771;
break;
}
}
+/* Kernel has already enforced everything we returned through
+ * derive_permissions_locked(), so this is used to lock down access
+ * even further, such as enforcing that apps hold sdcard_rw. */
+static bool check_caller_access_to_name(struct fuse* fuse,
+ const struct fuse_in_header *hdr, const struct node* parent_node,
+ const char* name, int mode) {
+ /* Always block security-sensitive files at root */
+ if (parent_node && parent_node->perm == PERM_ROOT) {
+ if (!strcmp(name, "autorun.inf")
+ || !strcmp(name, ".android_secure")
+ || !strcmp(name, "android_secure")) {
+ return false;
+ }
+ }
+
+ /* No additional permissions enforcement */
+ if (fuse->derive == DERIVE_NONE) {
+ return true;
+ }
+
+ /* Root or shell always have access */
+ if (hdr->uid == 0 || hdr->uid == AID_SHELL) {
+ return true;
+ }
+
+ /* If asking to write, verify that caller either owns the
+ * parent or holds sdcard_rw. */
+ if (mode & W_OK) {
+ if (parent_node && hdr->uid == parent_node->uid) {
+ return true;
+ }
+
+ appid_t appid = multiuser_get_app_id(hdr->uid);
+
+ pthread_mutex_lock(&fuse->lock);
+ bool hasRw = hashmapContainsKey(fuse->appid_with_rw, (void*) appid);
+ pthread_mutex_unlock(&fuse->lock);
+
+ return hasRw;
+ }
+
+ /* No extra permissions to enforce */
+ return true;
+}
+
+static bool check_caller_access_to_node(struct fuse* fuse,
+ const struct fuse_in_header *hdr, const struct node* node, int mode) {
+ return check_caller_access_to_name(fuse, hdr, node->parent, node->name, mode);
+}
+
struct node *create_node_locked(struct fuse* fuse,
struct node *parent, const char *name, const char* actual_name)
{
@@ -561,32 +658,53 @@
return child;
}
-static void fuse_init(struct fuse *fuse, int fd, const char *source_path, bool derive_perms)
-{
+static void fuse_init(struct fuse *fuse, int fd, const char *source_path,
+ gid_t fs_gid, derive_t derive, bool split_perms) {
pthread_mutex_init(&fuse->lock, NULL);
fuse->fd = fd;
fuse->next_generation = 0;
- fuse->derive_perms = derive_perms;
+ fuse->derive = derive;
+ fuse->split_perms = split_perms;
memset(&fuse->root, 0, sizeof(fuse->root));
fuse->root.nid = FUSE_ROOT_ID; /* 1 */
fuse->root.refcount = 2;
fuse->root.namelen = strlen(source_path);
fuse->root.name = strdup(source_path);
-
- fuse->root.perm = PERM_ROOT;
fuse->root.userid = 0;
fuse->root.uid = AID_ROOT;
- fuse->root.gid = AID_SDCARD_RW;
- if (derive_perms) {
- fuse->root.mode = 0771;
- } else {
- fuse->root.mode = 0775;
- }
- if (derive_perms) {
+ /* Set up root node for various modes of operation */
+ switch (derive) {
+ case DERIVE_NONE:
+ /* Traditional behavior that treats entire device as being accessible
+ * to sdcard_rw, and no permissions are derived. */
+ fuse->root.perm = PERM_ROOT;
+ fuse->root.mode = 0775;
+ fuse->root.gid = AID_SDCARD_RW;
+ break;
+ case DERIVE_LEGACY:
+ /* Legacy behavior used to support internal multiuser layout which
+ * places user_id at the top directory level, with the actual roots
+ * just below that. Shared OBB path is also at top level. */
+ fuse->root.perm = PERM_LEGACY_PRE_ROOT;
+ fuse->root.mode = 0771;
+ fuse->root.gid = fs_gid;
fuse->package_to_appid = hashmapCreate(256, str_hash, str_equals);
+ fuse->appid_with_rw = hashmapCreate(128, int_hash, int_equals);
+ snprintf(fuse->obbpath, sizeof(fuse->obbpath), "%s/obb", source_path);
+ break;
+ case DERIVE_UNIFIED:
+ /* Unified multiuser layout which places secondary user_id under
+ * /Android/user and shared OBB path under /Android/obb. */
+ fuse->root.perm = PERM_ROOT;
+ fuse->root.mode = 0771;
+ fuse->root.gid = fs_gid;
+ fuse->package_to_appid = hashmapCreate(256, str_hash, str_equals);
+ fuse->appid_with_rw = hashmapCreate(128, int_hash, int_equals);
+ snprintf(fuse->obbpath, sizeof(fuse->obbpath), "%s/Android/obb", source_path);
+ break;
}
}
@@ -637,7 +755,7 @@
TRACE("automatically creating %s\n", path);
pthread_mutex_lock(&fuse->lock);
- bool validPackage = hashmapContainsKey(fuse->package_to_appid, name);
+ bool validPackage = hashmapContainsKey(fuse->package_to_appid, (char*) name);
pthread_mutex_unlock(&fuse->lock);
if (!validPackage) {
@@ -713,6 +831,10 @@
child_path, sizeof(child_path), 1))) {
return -ENOENT;
}
+ if (!check_caller_access_to_name(fuse, hdr, parent_node, name, R_OK)) {
+ return -EACCES;
+ }
+
return fuse_reply_entry(fuse, hdr->unique, parent_node, name, actual_name, child_path);
}
@@ -750,6 +872,10 @@
if (!node) {
return -ENOENT;
}
+ if (!check_caller_access_to_node(fuse, hdr, node, R_OK)) {
+ return -EACCES;
+ }
+
return fuse_reply_attr(fuse, hdr->unique, node, path);
}
@@ -769,6 +895,9 @@
if (!node) {
return -ENOENT;
}
+ if (!check_caller_access_to_node(fuse, hdr, node, W_OK)) {
+ return -EACCES;
+ }
/* XXX: incomplete implementation on purpose.
* chmod/chown should NEVER be implemented.*/
@@ -830,6 +959,9 @@
child_path, sizeof(child_path), 1))) {
return -ENOENT;
}
+ if (!check_caller_access_to_name(fuse, hdr, parent_node, name, W_OK)) {
+ return -EACCES;
+ }
__u32 mode = (req->mode & (~0777)) | 0664;
if (mknod(child_path, mode, req->rdev) < 0) {
return -errno;
@@ -856,6 +988,9 @@
child_path, sizeof(child_path), 1))) {
return -ENOENT;
}
+ if (!check_caller_access_to_name(fuse, hdr, parent_node, name, W_OK)) {
+ return -EACCES;
+ }
__u32 mode = (req->mode & (~0777)) | 0775;
if (mkdir(child_path, mode) < 0) {
return -errno;
@@ -881,6 +1016,9 @@
child_path, sizeof(child_path), 1)) {
return -ENOENT;
}
+ if (!check_caller_access_to_name(fuse, hdr, parent_node, name, W_OK)) {
+ return -EACCES;
+ }
if (unlink(child_path) < 0) {
return -errno;
}
@@ -905,6 +1043,9 @@
child_path, sizeof(child_path), 1)) {
return -ENOENT;
}
+ if (!check_caller_access_to_name(fuse, hdr, parent_node, name, W_OK)) {
+ return -EACCES;
+ }
if (rmdir(child_path) < 0) {
return -errno;
}
@@ -938,6 +1079,14 @@
res = -ENOENT;
goto lookup_error;
}
+ if (!check_caller_access_to_name(fuse, hdr, old_parent_node, old_name, W_OK)) {
+ res = -EACCES;
+ goto lookup_error;
+ }
+ if (!check_caller_access_to_name(fuse, hdr, new_parent_node, new_name, W_OK)) {
+ res = -EACCES;
+ goto lookup_error;
+ }
child_node = lookup_child_by_name_locked(old_parent_node, old_name);
if (!child_node || get_node_path_locked(child_node,
old_child_path, sizeof(old_child_path)) < 0) {
@@ -983,6 +1132,17 @@
return res;
}
+static int open_flags_to_access_mode(int open_flags) {
+ if ((open_flags & O_ACCMODE) == O_RDONLY) {
+ return R_OK;
+ } else if ((open_flags & O_ACCMODE) == O_WRONLY) {
+ return W_OK;
+ } else {
+ /* Probably O_RDRW, but treat as default to be safe */
+ return R_OK | W_OK;
+ }
+}
+
static int handle_open(struct fuse* fuse, struct fuse_handler* handler,
const struct fuse_in_header* hdr, const struct fuse_open_in* req)
{
@@ -1000,6 +1160,9 @@
if (!node) {
return -ENOENT;
}
+ if (!check_caller_access_to_node(fuse, hdr, node, open_flags_to_access_mode(req->flags))) {
+ return -EACCES;
+ }
h = malloc(sizeof(*h));
if (!h) {
return -ENOMEM;
@@ -1144,6 +1307,9 @@
if (!node) {
return -ENOENT;
}
+ if (!check_caller_access_to_node(fuse, hdr, node, R_OK)) {
+ return -EACCES;
+ }
h = malloc(sizeof(*h));
if (!h) {
return -ENOMEM;
@@ -1389,18 +1555,24 @@
return NULL;
}
-static bool hashmap_remove(void *key, void *value, void *context) {
+static bool remove_str_to_int(void *key, void *value, void *context) {
Hashmap* map = context;
hashmapRemove(map, key);
free(key);
- free(value);
+ return true;
+}
+
+static bool remove_int_to_null(void *key, void *value, void *context) {
+ Hashmap* map = context;
+ hashmapRemove(map, key);
return true;
}
static int read_package_list(struct fuse *fuse) {
pthread_mutex_lock(&fuse->lock);
- hashmapForEach(fuse->package_to_appid, hashmap_remove, fuse->package_to_appid);
+ hashmapForEach(fuse->package_to_appid, remove_str_to_int, fuse->package_to_appid);
+ hashmapForEach(fuse->appid_with_rw, remove_int_to_null, fuse->appid_with_rw);
FILE* file = fopen(kPackagesListFile, "r");
if (!file) {
@@ -1413,20 +1585,26 @@
while (fgets(buf, sizeof(buf), file) != NULL) {
char package_name[512];
int appid;
- if (sscanf(buf, "%s %d", package_name, &appid) == 2) {
- char* package_name_dup = strdup(package_name);
- struct package* package = malloc(sizeof(struct package));
- if (!package_name_dup || !package) {
- ERROR("cannot allocate package details\n");
- return -ENOMEM;
- }
+ char gids[512];
- package->appid = appid;
- hashmapPut(fuse->package_to_appid, package_name_dup, package);
+ if (sscanf(buf, "%s %d %*d %*s %*s %s", package_name, &appid, gids) == 3) {
+ char* package_name_dup = strdup(package_name);
+ hashmapPut(fuse->package_to_appid, package_name_dup, (void*) appid);
+
+ char* token = strtok(gids, ",");
+ while (token != NULL) {
+ if (strtoul(token, NULL, 10) == AID_SDCARD_RW) {
+ hashmapPut(fuse->appid_with_rw, (void*) appid, (void*) 1);
+ break;
+ }
+ token = strtok(NULL, ",");
+ }
}
}
- TRACE("read_package_list: found %d packages\n", hashmapSize(fuse->package_to_appid));
+ TRACE("read_package_list: found %d packages, %d with sdcard_rw\n",
+ hashmapSize(fuse->package_to_appid),
+ hashmapSize(fuse->appid_with_rw));
fclose(file);
pthread_mutex_unlock(&fuse->lock);
return 0;
@@ -1512,7 +1690,7 @@
/* When deriving permissions, this thread is used to process inotify events,
* otherwise it becomes one of the FUSE handlers. */
- i = fuse->derive_perms ? 0 : 1;
+ i = (fuse->derive == DERIVE_NONE) ? 1 : 0;
for (; i < num_threads; i++) {
pthread_t thread;
int res = pthread_create(&thread, NULL, start_handler, &handlers[i]);
@@ -1522,10 +1700,10 @@
}
}
- if (fuse->derive_perms) {
- watch_package_list(fuse);
- } else {
+ if (fuse->derive == DERIVE_NONE) {
handle_fuse_requests(&handlers[0]);
+ } else {
+ watch_package_list(fuse);
}
ERROR("terminated prematurely\n");
@@ -1541,14 +1719,17 @@
ERROR("usage: sdcard [OPTIONS] <source_path> <dest_path>\n"
" -u: specify UID to run as\n"
" -g: specify GID to run as\n"
+ " -G: specify default GID for files (default sdcard_r, requires -d or -l)\n"
" -t: specify number of threads to use (default %d)\n"
" -d: derive file permissions based on path\n"
+ " -l: derive file permissions based on legacy internal layout\n"
+ " -s: split derived permissions for pics, av\n"
"\n", DEFAULT_NUM_THREADS);
return 1;
}
-static int run(const char* source_path, const char* dest_path, uid_t uid, gid_t gid,
- int num_threads, bool derive_perms) {
+static int run(const char* source_path, const char* dest_path, uid_t uid,
+ gid_t gid, gid_t fs_gid, int num_threads, derive_t derive, bool split_perms) {
int fd;
char opts[256];
int res;
@@ -1591,7 +1772,7 @@
goto error;
}
- fuse_init(&fuse, fd, source_path, derive_perms);
+ fuse_init(&fuse, fd, source_path, fs_gid, derive, split_perms);
umask(0);
res = ignite_fuse(&fuse, num_threads);
@@ -1611,13 +1792,15 @@
const char *dest_path = NULL;
uid_t uid = 0;
gid_t gid = 0;
+ gid_t fs_gid = AID_SDCARD_R;
int num_threads = DEFAULT_NUM_THREADS;
- bool derive_perms = false;
+ derive_t derive = DERIVE_NONE;
+ bool split_perms = false;
int i;
struct rlimit rlim;
int opt;
- while ((opt = getopt(argc, argv, "u:g:t:d")) != -1) {
+ while ((opt = getopt(argc, argv, "u:g:G:t:dls")) != -1) {
switch (opt) {
case 'u':
uid = strtoul(optarg, NULL, 10);
@@ -1625,11 +1808,20 @@
case 'g':
gid = strtoul(optarg, NULL, 10);
break;
+ case 'G':
+ fs_gid = strtoul(optarg, NULL, 10);
+ break;
case 't':
num_threads = strtoul(optarg, NULL, 10);
break;
case 'd':
- derive_perms = true;
+ derive = DERIVE_UNIFIED;
+ break;
+ case 'l':
+ derive = DERIVE_LEGACY;
+ break;
+ case 's':
+ split_perms = true;
break;
case '?':
default:
@@ -1669,6 +1861,10 @@
ERROR("number of threads must be at least 1\n");
return usage();
}
+ if (split_perms && derive == DERIVE_NONE) {
+ ERROR("cannot split permissions without deriving\n");
+ return usage();
+ }
rlim.rlim_cur = 8192;
rlim.rlim_max = 8192;
@@ -1676,6 +1872,6 @@
ERROR("Error setting RLIMIT_NOFILE, errno = %d\n", errno);
}
- res = run(source_path, dest_path, uid, gid, num_threads, derive_perms);
+ res = run(source_path, dest_path, uid, gid, fs_gid, num_threads, derive, split_perms);
return res < 0 ? 1 : 0;
}