1 // Copyright (C) 2019 The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #define ATRACE_TAG ATRACE_TAG_APP
16 #define LOG_TAG "FuseDaemon"
17 #define LIBFUSE_LOG_TAG "libfuse"
18 
#include "FuseDaemon.h"
#include "android-base/strings.h"

#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android/log.h>
#include <android/trace.h>
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <fuse_i.h>
#include <fuse_log.h>
#include <fuse_lowlevel.h>
#include <inttypes.h>
#include <limits.h>
#include <linux/fuse.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/param.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/statfs.h>
#include <sys/statvfs.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#include <atomic>
#include <condition_variable>
#include <iostream>
#include <limits>
#include <list>
#include <map>
#include <memory>
#include <mutex>
#include <queue>
#include <regex>
#include <string>
#include <thread>
#include <unordered_map>
#include <unordered_set>
#include <vector>

#include "MediaProviderWrapper.h"
#include "libfuse_jni/FuseUtils.h"
#include "libfuse_jni/ReaddirHelper.h"
#include "libfuse_jni/RedactionInfo.h"
#include "node-inl.h"
69 
70 using mediaprovider::fuse::DirectoryEntry;
71 using mediaprovider::fuse::dirhandle;
72 using mediaprovider::fuse::handle;
73 using mediaprovider::fuse::node;
74 using mediaprovider::fuse::RedactionInfo;
75 using std::list;
76 using std::string;
77 using std::vector;
78 
// logging macros to avoid duplication.
// TRACE_NODE logs, at VERBOSE level, the current function, the node expression
// as written, the node's description from get_name() (real path only on
// debuggable builds) and the uid of the request being served.
#define TRACE_NODE(__node, __req)                                                  \
    LOG(VERBOSE) << __FUNCTION__ << " : " << #__node << " = [" << get_name(__node) \
                 << "] (uid=" << (__req)->ctx.uid << ") "

// Opens a systrace section for the rest of the enclosing scope; the section is
// closed by ScopedTrace's destructor (see below). ATRACE_CALL names it after the
// current function.
#define ATRACE_NAME(name) ScopedTrace ___tracer(name)
#define ATRACE_CALL() ATRACE_NAME(__FUNCTION__)
86 
// RAII systrace section: ATrace_beginSection on construction, ATrace_endSection
// on destruction, so a ScopedTrace local covers exactly its enclosing scope.
// Normally created through ATRACE_NAME / ATRACE_CALL rather than directly.
class ScopedTrace {
  public:
    explicit ScopedTrace(const char* name) { ATrace_beginSection(name); }

    ~ScopedTrace() { ATrace_endSection(); }
};
97 
// True on builds with ro.debuggable=1. Controls whether real lower-fs paths are
// included in trace output (see get_name); on user builds only node paths are logged.
const bool IS_OS_DEBUGABLE = android::base::GetIntProperty("ro.debuggable", 0);

#define FUSE_UNKNOWN_INO 0xffffffff

// Stolen from: android_filesystem_config.h
// First application uid; uids below this are system components and bypass the
// per-app access checks in is_app_accessible_path.
#define AID_APP_START 10000

// Largest single FUSE_READ advertised to the kernel (conn->max_read in pf_init).
constexpr size_t MAX_READ_SIZE = 128 * 1024;
// Stolen from: UserHandle#getUserId
// uid = userId * PER_USER_RANGE + appId.
constexpr int PER_USER_RANGE = 100000;

// Stolen from: UserManagerService
// Largest user id representable in a 32-bit uid; used to bound the user id
// parsed out of /storage/emulated/<userId> paths in do_lookup.
constexpr int MAX_USER_ID = UINT32_MAX / PER_USER_RANGE;

// The daemon's own uid / Android user id, captured once at static-init time.
// MY_USER_ID_STRING is the user id as it appears in /storage/emulated/<userId>.
const int MY_UID = getuid();
const int MY_USER_ID = MY_UID / PER_USER_RANGE;
const std::string MY_USER_ID_STRING(std::to_string(MY_UID / PER_USER_RANGE));

// Regex copied from FileUtils.java in MediaProvider, but without media directory.
// Matches app-private external paths /storage/<vol>/[<userId>/]Android/{data,obb}/<pkg>[/...];
// capture group 1 is the package directory name. Case-insensitive to match the
// case-insensitive lookups this daemon serves (see get_entry_timeout).
const std::regex PATTERN_OWNED_PATH(
        "^/storage/[^/]+/(?:[0-9]+/)?Android/(?:data|obb)/([^/]+)(/?.*)?",
        std::regex_constants::icase);

// Subdirectories of <root>/.transforms (see fuse::GetTransformsDir).
static constexpr char TRANSFORM_SYNTHETIC_DIR[] = "synthetic";
static constexpr char TRANSFORM_TRANSCODE_DIR[] = "transcode";
123 
124 /*
125  * In order to avoid double caching with fuse, call fadvise on the file handles
126  * in the underlying file system. However, if this is done on every read/write,
127  * the fadvises cause a very significant slowdown in tests (specifically fio
128  * seq_write). So call fadvise on the file handles with the most reads/writes
129  * only after a threshold is passed.
130  */
class FAdviser {
  public:
    // Starts the worker thread that applies the fadvise policy. All accounting
    // happens on that thread, so Record()/Close() only enqueue a message.
    // NOTE(review): thread_ is declared (and so started) before files_/sizes_/
    // total_size_/threshold_ are initialized; this is only safe because the
    // worker touches them after receiving a message through mutex_. Keep that
    // ordering in mind if members are reordered.
    FAdviser() : thread_(MessageLoop, this), total_size_(0) {}

    // Asks the worker to exit and waits for it. Messages queued ahead of the
    // quit are still processed first.
    ~FAdviser() {
        SendMessage(Message::quit);
        thread_.join();
    }

    // Accounts |size| bytes of read/write traffic against |fd|.
    void Record(int fd, size_t size) { SendMessage(Message::record, fd, size); }

    // Drops all accounting for |fd|.
    // NOTE(review): messages are applied asynchronously, so if the caller
    // closes |fd| and the number is reused by a later open() before the worker
    // runs, a pending posix_fadvise may land on the new file. That only drops
    // page cache (no data effect) but is worth confirming at the call sites.
    void Close(int fd) { SendMessage(Message::close, fd); }

  private:
    struct Message {
        enum Type { record, close, quit };
        Type type;
        int fd;
        size_t size;
    };

    // Worker-thread only. Adds |size| to the running total for |fd|; once the
    // overall total reaches threshold_, fadvises (DONTNEED, whole file) the fds
    // with the most traffic until the total is back under target_.
    void RecordImpl(int fd, size_t size) {
        total_size_ += size;

        // Find or create record in files_
        // Remove record from sizes_ if it exists, adjusting size appropriately
        auto file = files_.find(fd);
        if (file != files_.end()) {
            auto old_size = file->second;
            size += old_size->first;
            sizes_.erase(old_size);
        } else {
            file = files_.insert(Files::value_type(fd, sizes_.end())).first;
        }

        // Now (re) insert record in sizes_
        auto new_size = sizes_.insert(Sizes::value_type(size, fd));
        file->second = new_size;

        if (total_size_ < threshold_) return;

        LOG(INFO) << "Threshold exceeded - fadvising " << total_size_;
        // sizes_ is ordered by byte count, so --end() is the heaviest fd.
        while (!sizes_.empty() && total_size_ > target_) {
            auto size = --sizes_.end();
            total_size_ -= size->first;
            posix_fadvise(size->second, 0, 0, POSIX_FADV_DONTNEED);
            files_.erase(size->second);
            sizes_.erase(size);
        }
        LOG(INFO) << "Threshold now " << total_size_;
    }

    // Worker-thread only. Forgets |fd| and its contribution to total_size_.
    void CloseImpl(int fd) {
        auto file = files_.find(fd);
        if (file == files_.end()) return;

        total_size_ -= file->second->first;
        sizes_.erase(file->second);
        files_.erase(file);
    }

    // Worker loop: blocks on cv_ until a message is queued, then dispatches it.
    // files_/sizes_/total_size_ are touched only from this thread, so they
    // need no lock of their own; mutex_ guards just the queue.
    void MessageLoopImpl() {
        while (1) {
            Message message;

            {
                std::unique_lock<std::mutex> lock(mutex_);
                cv_.wait(lock, [this] { return !queue_.empty(); });
                message = queue_.front();
                queue_.pop();
            }

            switch (message.type) {
                case Message::record:
                    RecordImpl(message.fd, message.size);
                    break;

                case Message::close:
                    CloseImpl(message.fd);
                    break;

                case Message::quit:
                    return;
            }
        }
    }

    // Thread entry point.
    static int MessageLoop(FAdviser* ptr) {
        ptr->MessageLoopImpl();
        return 0;
    }

    // Queues a message for the worker; may be called from any thread.
    void SendMessage(Message::Type type, int fd = -1, size_t size = 0) {
        {
            std::unique_lock<std::mutex> lock(mutex_);
            Message message = {type, fd, size};
            queue_.push(message);
        }
        cv_.notify_one();
    }

    std::mutex mutex_;  // guards queue_
    std::condition_variable cv_;
    std::queue<Message> queue_;
    std::thread thread_;

    // sizes_: recorded bytes -> fd, ordered so the heaviest fd is at the back.
    // files_: fd -> its entry in sizes_, so Record/Close can update it directly.
    typedef std::multimap<size_t, int> Sizes;
    typedef std::map<int, Sizes::iterator> Files;

    Files files_;
    Sizes sizes_;
    size_t total_size_;

    // Start fadvising when the recorded total reaches threshold_; stop once it
    // is back under target_.
    const size_t threshold_ = 64 * 1024 * 1024;
    const size_t target_ = 32 * 1024 * 1024;
};
247 
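/* Single FUSE mount */
struct fuse {
    // |_path| is the lower-fs path this mount is rooted at, |_ino| the inode
    // reported for the root node. se, mp and active are expected to be filled
    // in by the owning FuseDaemon before the session runs (not visible here);
    // they and dev are now explicitly zero-initialized instead of being left
    // indeterminate, so a use-before-set is a deterministic null dereference.
    explicit fuse(const std::string& _path, ino_t _ino)
        : path(_path),
          tracker(mediaprovider::fuse::NodeTracker(&lock)),
          root(node::CreateRoot(_path, &lock, _ino, &tracker)),
          se(nullptr),
          mp(nullptr),
          zero_addr(nullptr),
          active(nullptr),
          disable_dentry_cache(false),
          passthrough(false),
          dev(0) {}

    inline bool IsRoot(const node* node) const { return node == root; }

    // For emulated storage this daemon serves its own user only, so the
    // effective root is <path>/<userId>. Other volumes are served at |path|.
    inline string GetEffectiveRootPath() {
        if (android::base::StartsWith(path, "/storage/emulated")) {
            return path + "/" + MY_USER_ID_STRING;
        }
        return path;
    }

    // Directory reserved for transform (synthetic / transcode) paths; see
    // validate_node_path for what user code may do under it.
    inline string GetTransformsDir() { return GetEffectiveRootPath() + "/.transforms"; }

    // Note that these two (FromInode / ToInode) conversion wrappers are required
    // because fuse_lowlevel_ops documents that the root inode is always one
    // (see FUSE_ROOT_ID in fuse_lowlevel.h). There are no particular requirements
    // on any of the other inodes in the FS.
    inline node* FromInode(__u64 inode) {
        if (inode == FUSE_ROOT_ID) {
            return root;
        }

        return node::FromInode(inode, &tracker);
    }

    inline __u64 ToInode(node* node) const {
        if (IsRoot(node)) {
            return FUSE_ROOT_ID;
        }

        return node::ToInode(node);
    }

    // Shared by the node tracker and every node created under root.
    std::recursive_mutex lock;
    const string path;
    // The Inode tracker associated with this FUSE instance.
    mediaprovider::fuse::NodeTracker tracker;
    node* const root;
    struct fuse_session* se;

    /*
     * Used to make JNI calls to MediaProvider.
     * Responsibility of freeing this object falls on corresponding
     * FuseDaemon object.
     */
    mediaprovider::fuse::MediaProviderWrapper* mp;

    /*
     * Points to a range of zeroized bytes, used by pf_read to represent redacted ranges.
     * The memory is read only and should never be modified.
     */
    /* const */ char* zero_addr;

    FAdviser fadviser;

    // Set to true by pf_init once the kernel has negotiated the connection.
    std::atomic_bool* active;
    std::atomic_bool disable_dentry_cache;
    std::atomic_bool passthrough;
    // FUSE device id.
    std::atomic_uint dev;
};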
318 
// Which FUSE operation a path is being resolved for. validate_node_path uses it
// to allow lookups (and nothing else) under the .transforms directory.
enum class FuseOp { lookup, readdir, mknod, mkdir, create };
320 
// Describes |n| for trace logs: the node path always, prefixed with the real
// lower-fs path only on debuggable builds. A null node is rendered as "?".
static inline string get_name(node* n) {
    if (n == nullptr) {
        return "?";
    }
    string description;
    if (IS_OS_DEBUGABLE) {
        description = "real_path: " + n->BuildPath() + " ";
    }
    description += "node_path: " + n->BuildSafePath();
    return description;
}
329 
// Turns a pointer into a 64-bit id (the pointer's numeric value, zero-extended
// on 32-bit targets). The conversion goes through uintptr_t so it is well
// defined for any object pointer.
static inline __u64 ptr_to_id(void* ptr) {
    const uintptr_t bits = reinterpret_cast<uintptr_t>(ptr);
    return static_cast<__u64>(bits);
}
333 
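/*
 * Set an F_RDLCK or F_WRLCK open-file-description lock on fd with fcntl(2).
 *
 * This is called before the MediaProvider returns fd from the lower file
 * system to an app over the ContentResolver interface. This allows us to
 * check with is_file_locked if any reference to that fd is still open.
 *
 * The lock covers the whole file (l_start = l_len = 0). Being an OFD lock it
 * belongs to the open file description, not the process, and per fcntl(2) is
 * released when the last fd referring to that description is closed. It is
 * advisory only: it does not stop anyone from reading or writing the file, it
 * merely lets is_file_locked observe that a description is still open.
 *
 * Returns 0 on success, or the non-zero fcntl(2) result with errno set.
 */
static int set_file_lock(int fd, bool for_read, const std::string& path) {
    struct flock fl{};
    fl.l_type = for_read ? F_RDLCK : F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;  // 0 == "to end of file": lock the whole file

    const int res = fcntl(fd, F_OFD_SETLK, &fl);
    if (res) {
        PLOG(WARNING) << "Failed to set " << (for_read ? "read" : "write") << " lock on " << path;
    }
    return res;
}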
355 
/*
 * Check if an F_RDLCK or F_WRLCK is set on fd with fcntl(2).
 *
 * This is used to determine if the MediaProvider has given an fd to the lower fs to an app over
 * the ContentResolver interface. Before that happens, we always call set_file_lock on the file
 * allowing us to know if any reference to that fd is still open here.
 *
 * The probe asks whether a whole-file write lock *could* be taken; a write lock
 * conflicts with both read and write locks, so any existing lock is reported.
 * NOTE(review): per fcntl(2), F_OFD_GETLK does not report locks held by the
 * same open file description as |fd|, so this must be probed through a
 * different description than the one set_file_lock locked (e.g. a fresh
 * open of the same path) — confirm at the call sites.
 *
 * Returns true if fd may have a lock (including when the check itself fails),
 * false otherwise.
 */
static bool is_file_locked(int fd, const std::string& path) {
    struct flock probe{};
    probe.l_type = F_WRLCK;
    probe.l_whence = SEEK_SET;

    if (fcntl(fd, F_OFD_GETLK, &probe) != 0) {
        PLOG(WARNING) << "Failed to check lock";
        // Assume worst
        return true;
    }
    // The kernel rewrites l_type to F_UNLCK when nothing would block the probe.
    return probe.l_type != F_UNLCK;
}
379 
// Recovers the fuse instance a request belongs to: it is the userdata pointer
// registered with the session, so every op handler can reach its mount state.
static struct fuse* get_fuse(fuse_req_t req) {
    void* userdata = fuse_req_userdata(req);
    return static_cast<struct fuse*>(userdata);
}
383 
// True if |path| lies under this mount (|fuse_path| prefix) and is an
// app-private Android/{data,obb}/<pkg> path per PATTERN_OWNED_PATH.
static bool is_package_owned_path(const string& path, const string& fuse_path) {
    const bool under_mount = path.compare(0, fuse_path.size(), fuse_path) == 0;
    if (!under_mount) {
        return false;
    }
    return std::regex_match(path, PATTERN_OWNED_PATH);
}
390 
// See fuse_lowlevel.h fuse_lowlevel_notify_inval_entry for how to call this safely without
// deadlocking the kernel (in particular it must not run on the thread serving the request).
//
// Drops the kernel's cached dentry |child_name| under |parent_ino|; if there is no
// dentry to drop, falls back to invalidating |child_ino| so stale cached
// attributes go away too. Paths that contain a mount point are skipped: those
// dentries belong to another mount and must not be invalidated from here.
static void fuse_inval(fuse_session* se, fuse_ino_t parent_ino, fuse_ino_t child_ino,
                       const string& child_name, const string& path) {
    const bool crosses_mount = mediaprovider::fuse::containsMount(path, MY_USER_ID_STRING);
    if (crosses_mount) {
        LOG(WARNING) << "Ignoring attempt to invalidate dentry for FUSE mounts";
        return;
    }

    const int entry_res =
            fuse_lowlevel_notify_inval_entry(se, parent_ino, child_name.c_str(), child_name.size());
    if (entry_res == 0) {
        return;
    }
    // Invalidating the dentry can fail if there's no dcache entry, however, there may still
    // be cached attributes, so attempt to invalidate those by invalidating the inode
    fuse_lowlevel_notify_inval_inode(se, child_ino, 0, 0);
}
406 
// Chooses the dentry cache timeout the kernel is told for |path|: 0 (never
// cache, every lookup comes back to the daemon) or effectively forever.
static double get_entry_timeout(const string& path, node* node, struct fuse* fuse) {
    const string media_path = fuse->GetEffectiveRootPath() + "/Android/media";
    const bool must_not_cache = fuse->disable_dentry_cache || node->ShouldInvalidate() ||
                                is_package_owned_path(path, fuse->path) ||
                                android::base::StartsWith(path, media_path);
    if (!must_not_cache) {
        return std::numeric_limits<double>::max();
    }
    // We set dentry timeout to 0 for the following reasons:
    // 1. The dentry cache was completely disabled
    // 2.1 Case-insensitive lookups need to invalidate other case-insensitive dentry matches
    // 2.2 Nodes supporting transforms need to be invalidated, so that subsequent lookups by a
    // uid requiring a transform is guaranteed to come to the FUSE daemon.
    // 3. With app data isolation enabled, app A should not guess existence of app B from the
    // Android/{data,obb}/<package> paths, hence we prevent the kernel from caching that
    // information.
    // 4. Installd might delete Android/media/<package> dirs when app data is cleared.
    // This can leave a stale entry in the kernel dcache, and break subsequent creation of the
    // dir via FUSE.
    return 0;
}
426 
// The lower-fs path to operate on for |node|: the transform io_path when one
// is set, otherwise the node's own path.
static std::string get_path(node* node) {
    const string& io_path = node->GetIoPath();
    if (!io_path.empty()) {
        return io_path;
    }
    return node->BuildPath();
}
431 
// Returns true if the path resides under .transforms/synthetic.
// NOTE: currently only file paths corresponding to redacted URIs reside under this folder. The path
// itself never exists and just a link for transformation.
static inline bool is_synthetic_path(const string& path, struct fuse* fuse) {
    const string synthetic_dir = fuse->GetTransformsDir() + "/" + TRANSFORM_SYNTHETIC_DIR;
    return android::base::StartsWithIgnoreCase(path, synthetic_dir);
}
439 
// True for .mp4 files under <effective root>/DCIM/Camera/ (case-insensitive),
// the only paths for which transcoding is offered.
static inline bool is_transcode_supported_path(const string& path, struct fuse* fuse) {
    // Keep in sync with MediaProvider#supportsTranscode
    if (!android::base::EndsWithIgnoreCase(path, ".mp4")) {
        return false;
    }
    const string camera_dir = fuse->GetEffectiveRootPath() + "/dcim/camera/";
    return android::base::StartsWithIgnoreCase(path, camera_dir);
}
446 
// True if |path| is the .transforms directory itself or anything below it
// (case-insensitive).
static inline bool is_transforms_dir_path(const string& path, struct fuse* fuse) {
    const string transforms_dir = fuse->GetTransformsDir();
    return android::base::StartsWithIgnoreCase(path, transforms_dir);
}
450 
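// Validates |path| for |op| and, for files that may need a transform (synthetic
// or transcode-supported paths), asks MediaProvider how to serve it for the
// requesting uid/pid.
//
// On success returns the FileLookupResult and leaves |e->attr| holding the
// lstat() of the path that will actually be served (the io_path when it differs
// from |path|). On failure returns nullptr and stores the errno to reply with in
// |error_code|. |name| is accepted for symmetry with the callers but unused.
//
// Access rules for the .transforms directory: user code may only *lookup*
// there, and only .transforms itself or paths under .transforms/synthetic;
// anything else (other ops, or lookups elsewhere under .transforms) is
// rejected with ENOENT.
//
// Fix: the "lookup outside .transforms/synthetic" branch replied ENONET
// ("Machine is not on the network"), a typo for ENOENT, leaking an unexpected
// errno to apps; it now replies ENOENT like the sibling branch.
//
// NOTE(review): the lstat() here is a snapshot; the file can change between
// this check and the open that follows — confirm the callers tolerate that.
static std::unique_ptr<mediaprovider::fuse::FileLookupResult> validate_node_path(
        const std::string& path, const std::string& name, fuse_req_t req, int* error_code,
        struct fuse_entry_param* e, const FuseOp op) {
    struct fuse* fuse = get_fuse(req);
    memset(e, 0, sizeof(*e));

    // Synthetic paths never exist on the lower fs, so a failed lstat is expected
    // for a lookup there; for any other op or path a missing file is an error.
    const bool synthetic_path = is_synthetic_path(path, fuse);
    if (lstat(path.c_str(), &e->attr) < 0 && !(op == FuseOp::lookup && synthetic_path)) {
        *error_code = errno;
        return nullptr;
    }

    if (is_transforms_dir_path(path, fuse)) {
        if (op != FuseOp::lookup) {
            // user-code is only allowed to make lookups under .transforms dir, and that too only
            // under .transforms/synthetic dir
            *error_code = ENOENT;
            return nullptr;
        }
        // Lookups are only allowed on .transforms itself and under .transforms/synthetic dir
        const bool is_transforms_root =
                android::base::EqualsIgnoreCase(path, fuse->GetTransformsDir());
        if (!is_transforms_root && !synthetic_path) {
            *error_code = ENOENT;
            return nullptr;
        }
    }

    if (S_ISDIR(e->attr.st_mode)) {
        // now that we have reached this point, ops on directories are safe and require no
        // transformation.
        return std::make_unique<mediaprovider::fuse::FileLookupResult>(0, 0, 0, true, false, "");
    }

    if (!synthetic_path && !is_transcode_supported_path(path, fuse)) {
        // Transforms are only supported for synthetic or transcode-supported paths
        return std::make_unique<mediaprovider::fuse::FileLookupResult>(0, 0, 0, true, false, "");
    }

    // Handle potential file transforms
    std::unique_ptr<mediaprovider::fuse::FileLookupResult> file_lookup_result =
            fuse->mp->FileLookup(path, req->ctx.uid, req->ctx.pid);

    if (!file_lookup_result) {
        // Fail lookup if we can't fetch FileLookupResult for path
        LOG(WARNING) << "Failed to fetch FileLookupResult for " << path;
        *error_code = ENOENT;
        return nullptr;
    }

    const string& io_path = file_lookup_result->io_path;
    // Update size with io_path size if io_path is not same as path
    if (!io_path.empty() && (io_path != path) && (lstat(io_path.c_str(), &e->attr) < 0)) {
        *error_code = errno;
        return nullptr;
    }

    return file_lookup_result;
}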
512 
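// Resolves |name| under |parent| to a node and fills the fuse_entry_param |e|
// that will be replied to the kernel.
//
// Steps: validate the path (fetching transform info from MediaProvider when
// relevant) via validate_node_path; reuse the existing child node if there is
// one, else create it; when an existing node was reached through a
// different-case spelling, schedule invalidation of the kernel's dentry for
// the other spelling.
//
// Returns the node (with a lookup reference acquired) on success, or nullptr
// with the errno to reply stored in |error_code|.
//
// Consistency: the "contains mount" check now keys on MY_USER_ID_STRING, the
// same precomputed value fuse_inval uses, instead of recomputing
// std::to_string(getuid() / PER_USER_RANGE) (identical value).
static node* make_node_entry(fuse_req_t req, node* parent, const string& name, const string& path,
                             struct fuse_entry_param* e, int* error_code, const FuseOp op) {
    struct fuse* fuse = get_fuse(req);
    node* node;

    memset(e, 0, sizeof(*e));

    std::unique_ptr<mediaprovider::fuse::FileLookupResult> file_lookup_result =
            validate_node_path(path, name, req, error_code, e, op);
    if (!file_lookup_result) {
        // Fail lookup if we can't validate |path|; |error_code| has already been set
        return nullptr;
    }

    const bool should_invalidate = file_lookup_result->transforms_supported;
    const bool transforms_complete = file_lookup_result->transforms_complete;
    const int transforms = file_lookup_result->transforms;
    const int transforms_reason = file_lookup_result->transforms_reason;
    const string& io_path = file_lookup_result->io_path;

    node = parent->LookupChildByName(name, true /* acquire */, transforms);
    if (!node) {
        ino_t ino = e->attr.st_ino;
        node = ::node::Create(parent, name, io_path, should_invalidate, transforms_complete,
                              transforms, transforms_reason, &fuse->lock, ino, &fuse->tracker);
    } else if (!mediaprovider::fuse::containsMount(path, MY_USER_ID_STRING)) {
        // Only invalidate a path if it does not contain mount.
        // Invalidate both names to ensure there's no dentry left in the kernel after the following
        // operations:
        // 1) touch foo, touch FOO, unlink *foo*
        // 2) touch foo, touch FOO, unlink *FOO*
        // Invalidating lookup_name fixes (1) and invalidating node_name fixes (2)
        // SetShouldInvalidate invalidates lookup_name by using 0 timeout below and we explicitly
        // invalidate node_name if different case
        // Note that we invalidate async otherwise we will deadlock the kernel
        if (name != node->GetName()) {
            // Record that we have made a case insensitive lookup, this allows us invalidate nodes
            // correctly on subsequent lookups for the case of |node|
            node->SetShouldInvalidate();

            // Make copies of the node name and path so we're not attempting to acquire
            // any node locks from the invalidation thread. Depending on timing, we may end
            // up invalidating the wrong inode but that shouldn't result in correctness issues.
            const fuse_ino_t parent_ino = fuse->ToInode(parent);
            const fuse_ino_t child_ino = fuse->ToInode(node);
            const std::string node_name = node->GetName();
            // NOTE(review): the detached thread also captures the raw |fuse| pointer and
            // reads fuse->se from it; this relies on the fuse instance outliving the
            // invalidation, which nothing here enforces.
            std::thread t([=]() { fuse_inval(fuse->se, parent_ino, child_ino, node_name, path); });
            t.detach();
        }

        // This updated value allows us correctly decide if to keep_cache and use direct_io during
        // FUSE_OPEN. Between the last lookup and this lookup, we might have deleted a cached
        // transcoded file on the lower fs. A subsequent transcode at FUSE_READ should ensure we
        // don't reuse any stale transcode page cache content.
        node->SetTransformsComplete(transforms_complete);
    }
    TRACE_NODE(node, req);

    // This FS is not being exported via NFS so just a fixed generation number
    // for now. If we do need this, we need to increment the generation ID each
    // time the fuse daemon restarts because that's what it takes for us to
    // reuse inode numbers.
    e->generation = 0;
    e->ino = fuse->ToInode(node);
    e->entry_timeout = get_entry_timeout(path, node, fuse);
    // Attributes are cached indefinitely; only the dentry timeout is policy-driven.
    e->attr_timeout = std::numeric_limits<double>::max();
    return node;
}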
582 
// True if open(2) |flags| ask for write access (O_WRONLY or O_RDWR); O_RDONLY
// is zero and so never matches.
static inline bool is_requesting_write(int flags) {
    constexpr int kWriteAccessModes = O_WRONLY | O_RDWR;
    return (flags & kWriteAccessModes) != 0;
}
586 
587 namespace mediaprovider {
588 namespace fuse {
589 
590 /**
591  * Function implementations
592  *
593  * These implement the various functions in fuse_lowlevel_ops
594  *
595  */
596 
// FUSE_INIT handler: negotiates connection capabilities with the kernel and
// marks the mount active. Only capabilities the kernel advertises in
// |conn->capable| are requested.
static void pf_init(void* userdata, struct fuse_conn_info* conn) {
    struct fuse* fuse = reinterpret_cast<struct fuse*>(userdata);

    // We don't want a getattr request with every read request
    conn->want &= ~(FUSE_CAP_AUTO_INVAL_DATA | FUSE_CAP_READDIRPLUS_AUTO);

    unsigned requested = FUSE_CAP_SPLICE_WRITE | FUSE_CAP_SPLICE_MOVE | FUSE_CAP_SPLICE_READ |
                         FUSE_CAP_ASYNC_READ | FUSE_CAP_ATOMIC_O_TRUNC | FUSE_CAP_WRITEBACK_CACHE |
                         FUSE_CAP_EXPORT_SUPPORT | FUSE_CAP_FLOCK_LOCKS;

    bool keep_splice_write = true;
    if (fuse->passthrough) {
        if (!(conn->capable & FUSE_CAP_PASSTHROUGH)) {
            LOG(WARNING) << "Passthrough feature not supported by the kernel";
            fuse->passthrough = false;
        } else {
            requested |= FUSE_CAP_PASSTHROUGH;

            // SPLICE_WRITE seems to cause linux kernel cache corruption with passthrough enabled.
            // It is still under investigation but while running
            // ScopedStorageDeviceTest#testAccessMediaLocationInvalidation, we notice test flakes
            // of about 1/20 for the following reason:
            // 1. App without ACCESS_MEDIA_LOCATION permission reads redacted bytes via FUSE cache
            // 2. App with ACCESS_MEDIA_LOCATION permission reads non-redacted bytes via passthrough
            // cache
            // (2) fails because bytes from (1) sneak into the passthrough cache??
            // To workaround, we disable splice for write when passthrough is enabled.
            // This shouldn't have any performance regression if comparing passthrough devices to
            // no-passthrough devices for the following reasons:
            // 1. No-op for no-passthrough devices
            // 2. Passthrough devices
            //   a. Files not requiring redaction use passthrough which bypasses FUSE_READ entirely
            //   b. Files requiring redaction are still faster than no-passthrough devices that use
            //      direct_io
            keep_splice_write = false;
        }
    }

    // Ask only for what the kernel can do; the SPLICE_WRITE workaround is
    // applied afterwards so it wins regardless of |capable|.
    conn->want |= conn->capable & requested;
    if (!keep_splice_write) {
        conn->want &= ~FUSE_CAP_SPLICE_WRITE;
    }

    conn->max_read = MAX_READ_SIZE;

    // Publish that the mount is up (release store; readers presumably pair it
    // with an acquire load).
    fuse->active->store(true, std::memory_order_release);
}
643 
// FUSE_DESTROY handler: called when the session ends; frees the whole node
// tree under root.
static void pf_destroy(void* userdata) {
    struct fuse* fuse = static_cast<struct fuse*>(userdata);
    LOG(INFO) << "DESTROY " << fuse->path;

    node::DeleteTree(fuse->root);
}
650 
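// Return true if the path is accessible for that uid.
//
// Rules, in order:
//  - uids below AID_APP_START (system components) and the daemon's own uid may
//    access anything.
//  - "/storage/emulated" itself is never accessible to apps; they must use the
//    per-user subdir (/storage/emulated/<userId>).
//  - For app-private paths (Android/{data,obb}/<pkg>, see PATTERN_OWNED_PATH):
//      * ".nomedia" is not a package and is always allowed;
//      * under /storage/emulated these dirs are served by bind mounts, so a
//        request that reaches FUSE for them is rejected;
//      * elsewhere MediaProvider decides (isUidAllowedAccessToDataOrObbPath).
//  - Everything else is accessible.
//
// Callers pass paths built from node->BuildPath()/get_path(), which start with
// this daemon's own mount root, so the case-sensitive "/storage/emulated"
// prefix compared here is under the daemon's control; only the
// Android/{data,obb}/<pkg> components are matched case-insensitively.
//
// Fix: the "other package" rejection used PLOG, but nothing on this path sets
// errno, so the appended strerror(errno) was stale; it is now a plain LOG and
// the stray "(" in the message is gone.
static bool is_app_accessible_path(MediaProviderWrapper* mp, const string& path, uid_t uid) {
    if (uid < AID_APP_START || uid == MY_UID) {
        return true;
    }

    if (path == "/storage/emulated") {
        // Apps should never refer to /storage/emulated - they should be using the user-specific
        // subdirs, eg /storage/emulated/0
        return false;
    }

    std::smatch match;
    if (!std::regex_match(path, match, PATTERN_OWNED_PATH)) {
        return true;
    }

    const std::string pkg = match[1].str();
    // .nomedia is not a valid package. .nomedia always exists in /Android/data directory,
    // and it's not an external file/directory of any package
    if (pkg == ".nomedia") {
        return true;
    }
    if (android::base::StartsWith(path, "/storage/emulated")) {
        // Emulated storage bind-mounts app-private data directories, and so these
        // should not be accessible through FUSE anyway.
        LOG(WARNING) << "Rejected access to app-private dir on FUSE: " << path
                     << " from uid: " << uid;
        return false;
    }
    if (!mp->isUidAllowedAccessToDataOrObbPath(uid, path)) {
        LOG(WARNING) << "Invalid other package file access from " << uid << ": " << path;
        return false;
    }
    return true;
}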
685 
// Extracts the user-id component of an emulated-storage path (group 1). Used
// with regex_search in do_lookup and not anchored after the digits, so a child
// named e.g. "10foo" directly under /storage/emulated also yields user "10".
// In do_lookup that can only make the cross-user check fire for a name that is
// not really another user's root (fail-closed), never skip one; still,
// tightening to "([0-9]+)(/|$)" would be more precise — TODO confirm no caller
// relies on the loose match.
static std::regex storage_emulated_regex("^\\/storage\\/emulated\\/([0-9]+)");
// Shared path resolution for lookup/mknod/mkdir/create (|op| says which).
//
// Checks, in order:
//  1. |parent| must map to a live node (else ENOENT).
//  2. Unless |parent| is the root, the parent's path must pass
//     is_app_accessible_path for the requesting uid (else ENOENT — not EACCES,
//     presumably so the existence of inaccessible dirs is not revealed; see the
//     app-data-isolation note in get_entry_timeout).
//  3. If the child path is /storage/emulated/<userId>... for a user other than
//     the daemon's own, <userId> must parse into [0, MAX_USER_ID] and
//     MediaProvider must allow the cross-user lookup (else EACCES).
//
// Returns the node from make_node_entry (lookup reference acquired) or nullptr
// with the errno to reply stored in |error_code|.
static node* do_lookup(fuse_req_t req, fuse_ino_t parent, const char* name,
                       struct fuse_entry_param* e, int* error_code, const FuseOp op) {
    struct fuse* fuse = get_fuse(req);
    node* parent_node = fuse->FromInode(parent);
    if (!parent_node) {
        *error_code = ENOENT;
        return nullptr;
    }
    string parent_path = parent_node->BuildPath();
    // We should always allow lookups on the root, because failing them could cause
    // bind mounts to be invalidated.
    if (!fuse->IsRoot(parent_node) && !is_app_accessible_path(fuse->mp, parent_path, req->ctx.uid)) {
        *error_code = ENOENT;
        return nullptr;
    }

    TRACE_NODE(parent_node, req);

    // |name| is a single path component supplied by the kernel (FUSE lookup
    // names never contain '/'), appended to the parent's lower-fs path.
    const string child_path = parent_path + "/" + name;
    std::smatch match;
    std::regex_search(child_path, match, storage_emulated_regex);

    // Ensure the FuseDaemon user id matches the user id or cross-user lookups are allowed in
    // requested path
    if (match.size() == 2 && MY_USER_ID_STRING != match[1].str()) {
        // If user id mismatch, check cross-user lookups.
        // The captured group is digits-only, so strtol always parses; an overlong
        // digit run saturates at LONG_MAX and is rejected by the range check.
        long userId = strtol(match[1].str().c_str(), nullptr, 10);
        if (userId < 0 || userId > MAX_USER_ID ||
            !fuse->mp->ShouldAllowLookup(req->ctx.uid, userId)) {
            *error_code = EACCES;
            return nullptr;
        }
    }

    return make_node_entry(req, parent_node, name, child_path, e, error_code, op);
}
723 
// FUSE_LOOKUP handler: resolves |name| under |parent| through do_lookup and
// replies with the entry, or with the errno do_lookup reported.
static void pf_lookup(fuse_req_t req, fuse_ino_t parent, const char* name) {
    ATRACE_CALL();
    struct fuse_entry_param entry;
    int err = 0;

    node* found = do_lookup(req, parent, name, &entry, &err, FuseOp::lookup);
    if (found == nullptr) {
        // do_lookup must always say why it failed.
        CHECK(err != 0);
        fuse_reply_err(req, err);
        return;
    }
    fuse_reply_entry(req, &entry);
}
736 
// Drops |nlookup| lookup references from the node behind |ino|, if it still
// exists. The kernel counts lookups in 64 bits while nodes keep 32-bit
// refcounts, hence the narrowing cast.
static void do_forget(fuse_req_t req, struct fuse* fuse, fuse_ino_t ino, uint64_t nlookup) {
    node* node = fuse->FromInode(ino);
    TRACE_NODE(node, req);
    if (node == nullptr) {
        return;
    }
    const uint32_t refs_to_drop = static_cast<uint32_t>(nlookup);
    node->Release(refs_to_drop);
}
747 
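// FUSE_FORGET handler: releases |nlookup| references on |ino| and sends the
// (mandatory) empty reply. Removed an unused local that shadowed the node type.
static void pf_forget(fuse_req_t req, fuse_ino_t ino, uint64_t nlookup) {
    // Always allow to forget so no need to check is_app_accessible_path()
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    do_forget(req, fuse, ino, nlookup);
    fuse_reply_none(req);
}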
757 
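// FUSE batched forget: applies each (ino, nlookup) pair in |forgets|.
// Forget is always honoured, so there is no access check.
static void pf_forget_multi(fuse_req_t req,
                            size_t count,
                            struct fuse_forget_data* forgets) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    // Index with size_t to match |count| and avoid a signed/unsigned comparison.
    for (size_t i = 0; i < count; i++) {
        do_forget(req, fuse, forgets[i].ino, forgets[i].nlookup);
    }
    fuse_reply_none(req);
}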
769 
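// FUSE fallocate entry point: forwards the request to fallocate(2) on the fd
// stored in the open handle. The inode is not consulted; |ino| is unused.
static void pf_fallocate(fuse_req_t req, fuse_ino_t ino, int mode, off_t offset, off_t length,
                         fuse_file_info* fi) {
    ATRACE_CALL();

    handle* h = reinterpret_cast<handle*>(fi->fh);
    // fallocate(2) returns -1 and sets errno on failure, 0 otherwise.
    const int res = fallocate(h->fd, mode, offset, length);
    fuse_reply_err(req, res != 0 ? errno : 0);
}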
779 
// FUSE getattr entry point: lstat()s the node's path and replies with the
// attributes (with an effectively infinite attribute timeout). An unknown
// inode or an inaccessible path is reported as ENOENT.
static void pf_getattr(fuse_req_t req,
                       fuse_ino_t ino,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* n = fuse->FromInode(ino);
    if (n == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string& path = get_path(n);
    // Inaccessible paths are hidden (ENOENT) rather than reported as EACCES.
    if (!is_app_accessible_path(fuse->mp, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    TRACE_NODE(n, req);

    struct stat st{};  // value-initialised: all fields zeroed
    if (lstat(path.c_str(), &st) < 0) {
        fuse_reply_err(req, errno);
        return;
    }
    fuse_reply_attr(req, &st, std::numeric_limits<double>::max());
}
805 
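// FUSE setattr entry point. Intentionally partial: only FUSE_SET_ATTR_SIZE
// (truncate) and atime/mtime updates are honoured; chmod/chown are
// deliberately NOT implemented so callers cannot alter ownership or permission
// bits of files served by the daemon. On success the reply carries the
// attributes re-read from the filesystem.
//
// |fi| is non-null when setattr arrived through an open fd; otherwise the
// change is path-based and MediaProvider is asked for write permission first.
static void pf_setattr(fuse_req_t req,
                       fuse_ino_t ino,
                       struct stat* attr,
                       int to_set,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string& path = get_path(node);
    if (!is_app_accessible_path(fuse->mp, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    int fd = -1;
    if (fi) {
        // setattr was called with an fd, so operate on it instead of the path.
        handle* h = reinterpret_cast<handle*>(fi->fh);
        fd = h->fd;
    } else {
        // Path-based setattr: run the same MediaProvider permission check a
        // write-open would. Only |status| is consulted; the other result
        // fields are not needed here.
        const struct fuse_ctx* ctx = fuse_req_ctx(req);
        std::unique_ptr<FileOpenResult> result = fuse->mp->OnFileOpen(
                path, path, ctx->uid, ctx->pid, node->GetTransformsReason(), true /* for_write */,
                false /* redact */, false /* log_transforms_metrics */);

        if (!result) {
            // Presumably the JNI call itself failed rather than a denial —
            // verify against MediaProviderWrapper.
            fuse_reply_err(req, EFAULT);
            return;
        }

        if (result->status) {
            fuse_reply_err(req, EACCES);
            return;
        }
    }
    TRACE_NODE(node, req);

    /* XXX: incomplete implementation on purpose.
     * chmod/chown should NEVER be implemented.*/

    if (to_set & FUSE_SET_ATTR_SIZE) {
        const int res = (fd == -1) ? truncate64(path.c_str(), attr->st_size)
                                   : ftruncate64(fd, attr->st_size);
        if (res < 0) {
            fuse_reply_err(req, errno);
            return;
        }
    }

    /* Handle changing atime and mtime.  If FATTR_ATIME and FATTR_ATIME_NOW
     * are both set, then set it to the current time.  Else, set it to the
     * time specified in the request.  Same goes for mtime.  Use utimensat(2)
     * as it allows ATIME and MTIME to be changed independently, and has
     * nanosecond resolution which fuse also has.
     */
    if (to_set & (FATTR_ATIME | FATTR_MTIME)) {
        // Timestamps not requested stay UTIME_OMIT so the syscall leaves them alone.
        struct timespec times[2] = {};
        times[0].tv_nsec = UTIME_OMIT;
        times[1].tv_nsec = UTIME_OMIT;
        if (to_set & FATTR_ATIME) {
            if (to_set & FATTR_ATIME_NOW) {
                times[0].tv_nsec = UTIME_NOW;
            } else {
                times[0] = attr->st_atim;
            }
        }

        if (to_set & FATTR_MTIME) {
            if (to_set & FATTR_MTIME_NOW) {
                times[1].tv_nsec = UTIME_NOW;
            } else {
                times[1] = attr->st_mtim;
            }
        }

        TRACE_NODE(node, req);
        const int res = (fd == -1) ? utimensat(-1, path.c_str(), times, 0) : futimens(fd, times);
        if (res < 0) {
            fuse_reply_err(req, errno);
            return;
        }
    }

    // Reply with what the filesystem actually applied rather than the caller's
    // requested values. A failed lstat is reported instead of echoing back the
    // (possibly stale) request attributes.
    if (lstat(path.c_str(), attr) < 0) {
        fuse_reply_err(req, errno);
        return;
    }
    fuse_reply_attr(req, attr, std::numeric_limits<double>::max());
}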
907 
// FUSE canonical_path: replies with the path the daemon uses for |ino|, or
// ENOENT when the inode is unknown or the caller may not access it.
static void pf_canonical_path(fuse_req_t req, fuse_ino_t ino)
{
    struct fuse* fuse = get_fuse(req);
    node* n = fuse->FromInode(ino);
    if (n == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string& path = get_path(n);
    if (!is_app_accessible_path(fuse->mp, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    // TODO(b/147482155): Check that uid has access to |path| and its contents
    fuse_reply_canonical_path(req, path.c_str());
}
921 
// FUSE mknod entry point. Creates |name| under |parent| keeping the caller's
// non-permission mode bits but forcing the permission bits to 0664, then builds
// the lookup entry for the new child and replies with it.
static void pf_mknod(fuse_req_t req,
                     fuse_ino_t parent,
                     const char* name,
                     mode_t mode,
                     dev_t rdev) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* parent_node = fuse->FromInode(parent);
    if (parent_node == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string parent_path = parent_node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, parent_path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(parent_node, req);

    const string child_path = parent_path + "/" + name;

    // Permission bits are fixed to 0664 regardless of what the caller asked for.
    const mode_t node_mode = (mode & ~static_cast<mode_t>(0777)) | 0664;
    if (mknod(child_path.c_str(), node_mode, rdev) < 0) {
        fuse_reply_err(req, errno);
        return;
    }

    int error_code = 0;
    struct fuse_entry_param entry;
    if (!make_node_entry(req, parent_node, name, child_path, &entry, &error_code, FuseOp::mknod)) {
        CHECK(error_code != 0);
        fuse_reply_err(req, error_code);
        return;
    }
    fuse_reply_entry(req, &entry);
}
959 
// FUSE mkdir entry point. Checks the parent is known and accessible, asks
// MediaProvider whether this uid may create the directory, creates it with the
// permission bits forced to 0775 and replies with the new entry.
static void pf_mkdir(fuse_req_t req,
                     fuse_ino_t parent,
                     const char* name,
                     mode_t mode) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* parent_node = fuse->FromInode(parent);
    if (parent_node == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string parent_path = parent_node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, parent_path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(parent_node, req);

    const string child_path = parent_path + "/" + name;

    // MediaProvider decides whether this uid may create here; a non-zero
    // status is the errno to report.
    const int status = fuse->mp->IsCreatingDirAllowed(child_path, ctx->uid);
    if (status != 0) {
        fuse_reply_err(req, status);
        return;
    }

    // Permission bits are fixed to 0775 regardless of what the caller asked for.
    const mode_t dir_mode = (mode & ~static_cast<mode_t>(0777)) | 0775;
    if (mkdir(child_path.c_str(), dir_mode) < 0) {
        fuse_reply_err(req, errno);
        return;
    }

    int error_code = 0;
    struct fuse_entry_param entry;
    if (!make_node_entry(req, parent_node, name, child_path, &entry, &error_code, FuseOp::mkdir)) {
        CHECK(error_code != 0);
        fuse_reply_err(req, error_code);
        return;
    }
    fuse_reply_entry(req, &entry);
}
1003 
// FUSE unlink entry point. The actual deletion is delegated to MediaProvider
// (which also enforces its own permission model); on success the parent's
// cached child is marked deleted so later lookups don't resurrect it.
static void pf_unlink(fuse_req_t req, fuse_ino_t parent, const char* name) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* parent_node = fuse->FromInode(parent);
    if (parent_node == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string parent_path = parent_node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, parent_path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(parent_node, req);

    const string child_path = parent_path + "/" + name;

    // A non-zero status from MediaProvider is the errno to report.
    const int status = fuse->mp->DeleteFile(child_path, ctx->uid);
    if (status != 0) {
        fuse_reply_err(req, status);
        return;
    }

    // TODO(b/169306422): Log each deleted node
    parent_node->SetDeletedForChild(name);
    fuse_reply_err(req, 0);
}
1033 
// FUSE rmdir entry point. Refuses operations inside the daemon-controlled
// .transforms directory, asks MediaProvider whether deletion is allowed, then
// removes the directory and marks the cached child node (if any) deleted.
static void pf_rmdir(fuse_req_t req, fuse_ino_t parent, const char* name) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* parent_node = fuse->FromInode(parent);
    if (parent_node == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const uid_t caller_uid = req->ctx.uid;
    const string parent_path = parent_node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, parent_path, caller_uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    // .transforms is a special daemon controlled dir so apps shouldn't be able to see it via
    // readdir, and any dir operations attempted on it should fail
    if (is_transforms_dir_path(parent_path, fuse)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(parent_node, req);

    const string child_path = parent_path + "/" + name;

    // A non-zero status from MediaProvider is the errno to report.
    const int status = fuse->mp->IsDeletingDirAllowed(child_path, caller_uid);
    if (status != 0) {
        fuse_reply_err(req, status);
        return;
    }

    if (rmdir(child_path.c_str()) < 0) {
        fuse_reply_err(req, errno);
        return;
    }

    // Keep the in-memory tree in sync. The child may not be cached at all,
    // hence the null check; the lookup does not take a reference.
    node* child_node = parent_node->LookupChildByName(name, false /* acquire */);
    TRACE_NODE(child_node, req);
    if (child_node != nullptr) {
        child_node->SetDeleted();
    }

    fuse_reply_err(req, 0);
}
1078 /*
1079 static void pf_symlink(fuse_req_t req, const char* link, fuse_ino_t parent,
1080                          const char* name)
1081 {
1082     cout << "TODO:" << __func__;
1083 }
1084 */
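// Implements rename for pf_rename: validates both parents and the caller's
// access to them, delegates the actual move to MediaProvider and, on success,
// re-parents the cached child node. Returns 0 or a positive errno value.
static int do_rename(fuse_req_t req, fuse_ino_t parent, const char* name, fuse_ino_t new_parent,
                     const char* new_name, unsigned int flags) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    // renameat2-style RENAME_* flags are not supported.
    if (flags != 0) {
        return EINVAL;
    }

    node* old_parent_node = fuse->FromInode(parent);
    if (!old_parent_node) return ENOENT;
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string old_parent_path = old_parent_node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, old_parent_path, ctx->uid)) {
        return ENOENT;
    }

    if (is_transforms_dir_path(old_parent_path, fuse)) {
        // .transforms is a special daemon controlled dir so apps shouldn't be able to see it via
        // readdir, and any dir operations attempted on it should fail
        return ENOENT;
    }

    node* new_parent_node = fuse->FromInode(new_parent);
    if (!new_parent_node) return ENOENT;
    const string new_parent_path = new_parent_node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, new_parent_path, ctx->uid)) {
        return ENOENT;
    }

    // Both parents are non-null at this point. Detect a no-op rename by
    // comparing the name *contents*: |name| and |new_name| are C strings, so
    // pointer equality says nothing about whether they spell the same name.
    if (parent == new_parent && strcmp(name, new_name) == 0) {
        // No rename required.
        return 0;
    }

    TRACE_NODE(old_parent_node, req);
    TRACE_NODE(new_parent_node, req);

    const string old_child_path = old_parent_path + "/" + name;
    const string new_child_path = new_parent_path + "/" + new_name;

    if (android::base::EqualsIgnoreCase(fuse->GetEffectiveRootPath() + "/android", old_child_path)) {
        // Prevent renaming Android/ dir since it contains bind-mounts on the primary volume
        return EACCES;
    }

    // TODO(b/147408834): Check ENOTEMPTY & EEXIST error conditions before JNI call.
    const int res = fuse->mp->Rename(old_child_path, new_child_path, req->ctx.uid);
    // TODO(b/145663158): Lookups can go out of sync if file/directory is actually moved but
    // EFAULT/EIO is reported due to JNI exception.
    if (res == 0) {
        // TODO(b/169306422): Log each renamed node
        old_parent_node->RenameChild(name, new_name, new_parent_node);
    }
    return res;
}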
1143 
// FUSE rename entry point: do_rename does the work and yields the errno
// (0 on success) that becomes the reply.
static void pf_rename(fuse_req_t req, fuse_ino_t parent, const char* name, fuse_ino_t new_parent,
                      const char* new_name, unsigned int flags) {
    fuse_reply_err(req, do_rename(req, parent, name, new_parent, new_name, flags));
}
1149 
1150 /*
1151 static void pf_link(fuse_req_t req, fuse_ino_t ino, fuse_ino_t new_parent,
1152                       const char* new_name)
1153 {
1154     cout << "TODO:" << __func__;
1155 }
1156 */
1157 
// Allocates the handle for a freshly opened |fd|, decides whether the kernel
// page cache and FUSE passthrough may be used for it, and registers it on
// |node|. |ri| (the redaction decision for this open) is kept by the handle.
// *keep_cache receives whether the kernel may retain already-cached pages.
// Runs under fuse->lock because it reads and updates per-node cache state.
static handle* create_handle_for_node(struct fuse* fuse, const string& path, int fd, uid_t uid,
                                      uid_t transforms_uid, node* node, const RedactionInfo* ri,
                                      int* keep_cache) {
    std::lock_guard<std::recursive_mutex> guard(fuse->lock);

    const bool needs_redaction = ri->isRedactionNeeded();
    handle* new_handle = nullptr;
    const int transforms = node->GetTransforms();
    const bool transforms_done = node->IsTransformsComplete();
    if (transforms_uid > 0) {
        CHECK(transforms);
    }

    if (fuse->passthrough) {
        *keep_cache = transforms_done;
        // Passthrough is only enabled when both hold:
        //  1. no redaction is needed, and
        //  2. the node's transforms (e.g. transcoding) are complete.
        // (2) matters because transcoding happens lazily on the first read; with
        // passthrough the daemon never sees that read, so an untransformed node
        // would hand back arbitrary bytes. Transcoded nodes never need redaction,
        // so (2) implies (1).
        new_handle = new struct handle(fd, ri, true /* cached */,
                                       !needs_redaction && transforms_done /* passthrough */,
                                       uid, transforms_uid);
    } else {
        // Without fuse->passthrough the FUSE VFS cache must be bypassed in two cases:
        //  1. the redaction state differs from what is already cached while
        //     another cached handle is open — otherwise app B without EXIF
        //     access could be served app A's unredacted bytes straight from the
        //     page cache without the daemon ever seeing the read; or
        //  2. the file has a read/write lock, i.e. MediaProvider handed a
        //     lower-fs fd to an app: writes through the FUSE write-back cache
        //     are invisible to that fd, and writes through that fd can be
        //     masked by stale FUSE cache pages.
        const bool has_redacted = node->HasRedactedCache();
        const bool redaction_changed = needs_redaction != has_redacted;
        const bool cached_open = node->HasCachedHandle();
        const bool direct_io = (cached_open && redaction_changed) || is_file_locked(fd, path);

        if (!cached_open && redaction_changed) {
            node->SetRedactedCache(needs_redaction);
            // Purge stale page cache before open.
            *keep_cache = 0;
        } else {
            *keep_cache = transforms_done;
        }
        new_handle = new struct handle(fd, ri, !direct_io /* cached */, false /* passthrough */,
                                       uid, transforms_uid);
    }

    node->AddHandle(new_handle);
    return new_handle;
}
1218 
// Asks libfuse to enable passthrough on |fd| for this request and records the
// returned passthrough handle in |fi|. Returns false when libfuse refuses
// (a non-positive handle), leaving |fi| untouched.
bool do_passthrough_enable(fuse_req_t req, struct fuse_file_info* fi, unsigned int fd) {
    const int passthrough_fh = fuse_passthrough_enable(req, fd);
    if (passthrough_fh > 0) {
        fi->passthrough_fh = passthrough_fh;
        return true;
    }
    return false;
}
1229 
// FUSE open entry point. Order of operations: resolve the node, check the
// caller may access the io path, ask MediaProvider (OnFileOpen) for the
// permission/redaction decision, open(2) the backing file, wrap the fd in a
// handle (which also decides cache/passthrough mode) and, if passthrough was
// chosen, enable it with libfuse before replying.
static void pf_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    // io_path is what is actually open(2)ed; build_path is the path MediaProvider
    // knows the node by. They may differ (see the OnFileOpen comment below).
    const string& io_path = get_path(node);
    const string& build_path = node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, io_path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    bool for_write = is_requesting_write(fi->flags);

    if (for_write && node->GetTransforms()) {
        TRACE_NODE(node, req) << "write with transforms";
    } else {
        TRACE_NODE(node, req) << (for_write ? "write" : "read");
    }

    // O_DIRECT is stripped from the flags handed to open(2) and requested as
    // FUSE direct_io instead.
    // NOTE(review): fi->direct_io is unconditionally overwritten from
    // h->cached further down, so this request is lost for cached handles —
    // confirm whether that is intended.
    if (fi->flags & O_DIRECT) {
        fi->flags &= ~O_DIRECT;
        fi->direct_io = true;
    }

    // Force permission check with the build path because the MediaProvider database might not be
    // aware of the io_path
    // We don't redact if the caller was granted write permission for this file
    std::unique_ptr<FileOpenResult> result = fuse->mp->OnFileOpen(
            build_path, io_path, ctx->uid, ctx->pid, node->GetTransformsReason(), for_write,
            !for_write /* redact */, true /* log_transforms_metrics */);
    if (!result) {
        // Presumably the JNI call itself failed rather than a denial — verify
        // against MediaProviderWrapper.
        fuse_reply_err(req, EFAULT);
        return;
    }

    // A non-zero status is the errno MediaProvider wants reported.
    if (result->status) {
        fuse_reply_err(req, result->status);
        return;
    }

    // With the writeback cache enabled, FUSE may generate READ requests even for files that
    // were opened O_WRONLY; so make sure we open it O_RDWR instead.
    int open_flags = fi->flags;
    if (open_flags & O_WRONLY) {
        open_flags &= ~O_WRONLY;
        open_flags |= O_RDWR;
    }

    // O_APPEND is dropped as well — presumably because FUSE write requests
    // carry explicit offsets; confirm against the write path.
    if (open_flags & O_APPEND) {
        open_flags &= ~O_APPEND;
    }

    const int fd = open(io_path.c_str(), open_flags);
    if (fd < 0) {
        fuse_reply_err(req, errno);
        return;
    }

    // The handle takes over |fd| and the released RedactionInfo; keep_cache and
    // the cached/passthrough decision come back from create_handle_for_node.
    int keep_cache = 1;
    handle* h = create_handle_for_node(fuse, io_path, fd, result->uid, result->transforms_uid, node,
                                       result->redaction_info.release(), &keep_cache);
    fi->fh = ptr_to_id(h);
    fi->keep_cache = keep_cache;
    fi->direct_io = !h->cached;

    // TODO(b/173190192) ensuring that h->cached must be enabled in order to
    // user FUSE passthrough is a conservative rule and might be dropped as
    // soon as demonstrated its correctness.
    if (h->passthrough) {
        if (!do_passthrough_enable(req, fi, fd)) {
            // NOTE(review): on this failure path |fd| stays open and |h| stays
            // registered on the node; the kernel does not send RELEASE for a
            // failed open, so both appear to leak. Consider tearing them down
            // here (as pf_release does) before replying.
            // TODO: Should we crash here so we can find errors easily?
            PLOG(ERROR) << "Passthrough OPEN failed for " << io_path;
            fuse_reply_err(req, EFAULT);
            return;
        }
    }

    fuse_reply_open(req, fi);
}
1314 
// Serves a read straight from the handle's fd: builds a single fd-backed
// fuse_buf covering |size| bytes at |off| and hands it to fuse_reply_data.
static void do_read(fuse_req_t req, size_t size, off_t off, struct fuse_file_info* fi) {
    handle* h = reinterpret_cast<handle*>(fi->fh);
    struct fuse_bufvec bufvec = FUSE_BUFVEC_INIT(size);

    struct fuse_buf& fb = bufvec.buf[0];
    fb.fd = h->fd;
    fb.pos = off;
    // FD_SEEK makes libfuse read at |pos| instead of the fd's current offset.
    fb.flags = static_cast<enum fuse_buf_flags>(FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK);

    fuse_reply_data(req, &bufvec, static_cast<enum fuse_buf_copy_flags>(0));
}
1326 
/**
 * Fills |buf| so that it serves |size| bytes from the daemon's pre-mapped,
 * zeroed memory region (fuse->zero_addr) instead of from a file. Used for
 * redacted byte ranges; that memory is read only.
 */
static void create_mem_fuse_buf(size_t size, fuse_buf* buf, struct fuse* fuse) {
    buf->fd = -1;
    buf->pos = -1;
    buf->mem = fuse->zero_addr;
    buf->size = size;
    // No flags: libfuse reads from fuse_buf.mem rather than from an fd.
    buf->flags = static_cast<fuse_buf_flags>(0);
}
1339 
/**
 * Fills |buf| so that it serves |size| bytes from |fd| starting at |pos|,
 * with the flags libfuse needs to read from an fd at an explicit offset.
 */
static void create_file_fuse_buf(size_t size, off_t pos, int fd, fuse_buf* buf) {
    buf->mem = nullptr;
    buf->fd = fd;
    buf->pos = pos;
    buf->size = size;
    buf->flags = static_cast<fuse_buf_flags>(FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK);
}
1350 
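// Serves a read on a handle whose content needs redaction. The RedactionInfo
// splits [off, off+size) into ranges; redacted ranges are served from the
// daemon's zeroed memory region and the rest straight from the file, all in one
// fuse_bufvec so the caller never receives the original redacted bytes.
static void do_read_with_redaction(fuse_req_t req, size_t size, off_t off, fuse_file_info* fi) {
    handle* h = reinterpret_cast<handle*>(fi->fh);

    std::vector<ReadRange> ranges;
    h->ri->getReadRanges(off, size, &ranges);

    // As an optimization, return early if there are no ranges to redact.
    if (ranges.empty()) {
        do_read(req, size, off, fi);
        return;
    }

    // fuse_bufvec already holds one fuse_buf; allocate space for num_bufs - 1
    // more so buf[] can be indexed up to num_bufs.
    const size_t num_bufs = ranges.size();
    auto bufvec_ptr = std::unique_ptr<fuse_bufvec, decltype(free)*>{
            reinterpret_cast<fuse_bufvec*>(
                    malloc(sizeof(fuse_bufvec) + (num_bufs - 1) * sizeof(fuse_buf))),
            free};
    if (!bufvec_ptr) {
        // Report allocation failure instead of dereferencing a null bufvec.
        fuse_reply_err(req, ENOMEM);
        return;
    }
    fuse_bufvec& bufvec = *bufvec_ptr;

    // initialize bufvec
    bufvec.count = num_bufs;
    bufvec.idx = 0;
    bufvec.off = 0;

    struct fuse* fuse = get_fuse(req);
    // size_t index: num_bufs is a size_t, avoid the signed/unsigned comparison.
    for (size_t i = 0; i < num_bufs; ++i) {
        const ReadRange& range = ranges[i];
        if (range.is_redaction) {
            create_mem_fuse_buf(range.size, &(bufvec.buf[i]), fuse);
        } else {
            create_file_fuse_buf(range.size, range.start, h->fd, &(bufvec.buf[i]));
        }
    }

    fuse_reply_data(req, &bufvec, static_cast<fuse_buf_copy_flags>(0));
}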
1386 
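// FUSE read entry point. Lazily applies any pending transforms (e.g.
// transcoding) on the first read, records the access for the fadviser, and then
// serves the bytes with or without redaction depending on the handle's
// RedactionInfo.
static void pf_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t off,
                    struct fuse_file_info* fi) {
    ATRACE_CALL();
    handle* h = reinterpret_cast<handle*>(fi->fh);
    struct fuse* fuse = get_fuse(req);

    node* node = fuse->FromInode(ino);
    // Fail closed if the inode is no longer known: without the node we cannot
    // tell whether the file's transforms have been applied. Other handlers
    // (getattr, release) already tolerate a missing node instead of
    // dereferencing it.
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    if (!node->IsTransformsComplete()) {
        if (!fuse->mp->Transform(node->BuildPath(), node->GetIoPath(), node->GetTransforms(),
                                 node->GetTransformsReason(), req->ctx.uid, h->uid,
                                 h->transforms_uid)) {
            fuse_reply_err(req, EFAULT);
            return;
        }
        node->SetTransformsComplete(true);
    }

    fuse->fadviser.Record(h->fd, size);

    if (h->ri->isRedactionNeeded()) {
        do_read_with_redaction(req, size, off, fi);
    } else {
        do_read(req, size, off, fi);
    }
}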
1413 
1414 /*
1415 static void pf_write(fuse_req_t req, fuse_ino_t ino, const char* buf,
1416                        size_t size, off_t off, struct fuse_file_info* fi)
1417 {
1418     cout << "TODO:" << __func__;
1419 }
1420 */
1421 
// FUSE write_buf entry point: copies the kernel-supplied buffers directly into
// the handle's fd at |off| and replies with the number of bytes written.
// |ino| is unused; the handle carries everything needed.
static void pf_write_buf(fuse_req_t req,
                         fuse_ino_t ino,
                         struct fuse_bufvec* bufv,
                         off_t off,
                         struct fuse_file_info* fi) {
    ATRACE_CALL();
    handle* h = reinterpret_cast<handle*>(fi->fh);
    struct fuse_bufvec dst = FUSE_BUFVEC_INIT(fuse_buf_size(bufv));
    struct fuse* fuse = get_fuse(req);

    struct fuse_buf& out = dst.buf[0];
    out.fd = h->fd;
    out.pos = off;
    out.flags = static_cast<enum fuse_buf_flags>(FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK);

    // fuse_buf_copy reports failure as a negative errno.
    const ssize_t written = fuse_buf_copy(&dst, bufv, static_cast<enum fuse_buf_copy_flags>(0));
    if (written < 0) {
        fuse_reply_err(req, -written);
        return;
    }

    // Record *before* fuse_reply_write: the reply can trigger pf_release, which
    // destroys the handle, so touching h->fd after the reply would be a
    // use-after-free.
    fuse->fadviser.Record(h->fd, written);
    fuse_reply_write(req, written);
}
1448 // Haven't tested this one. Not sure what calls it.
1449 #if 0
1450 static void pf_copy_file_range(fuse_req_t req, fuse_ino_t ino_in,
1451                                  off_t off_in, struct fuse_file_info* fi_in,
1452                                  fuse_ino_t ino_out, off_t off_out,
1453                                  struct fuse_file_info* fi_out, size_t len,
1454                                  int flags)
1455 {
1456     handle* h_in = reinterpret_cast<handle *>(fi_in->fh);
1457     handle* h_out = reinterpret_cast<handle *>(fi_out->fh);
1458     struct fuse_bufvec buf_in = FUSE_BUFVEC_INIT(len);
1459     struct fuse_bufvec buf_out = FUSE_BUFVEC_INIT(len);
1460     ssize_t size;
1461 
1462     buf_in.buf[0].fd = h_in->fd;
1463     buf_in.buf[0].pos = off_in;
1464     buf_in.buf[0].flags = (enum fuse_buf_flags)(FUSE_BUF_IS_FD|FUSE_BUF_FD_SEEK);
1465 
1466     buf_out.buf[0].fd = h_out->fd;
1467     buf_out.buf[0].pos = off_out;
1468     buf_out.buf[0].flags = (enum fuse_buf_flags)(FUSE_BUF_IS_FD|FUSE_BUF_FD_SEEK);
1469     size = fuse_buf_copy(&buf_out, &buf_in, (enum fuse_buf_copy_flags) 0);
1470 
1471     if (size < 0) {
1472         fuse_reply_err(req, -size);
1473     }
1474 
1475     fuse_reply_write(req, size);
1476 }
1477 #endif
1478 
// FUSE release entry point: tells the fadviser the fd is going away and
// destroys the handle through its node, when the node still exists.
static void pf_release(fuse_req_t req,
                       fuse_ino_t ino,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    node* n = fuse->FromInode(ino);
    handle* h = reinterpret_cast<handle*>(fi->fh);
    TRACE_NODE(n, req);

    fuse->fadviser.Close(h->fd);
    // NOTE(review): when the node is already gone the handle is not destroyed
    // here — confirm whether something else reclaims it.
    if (n != nullptr) {
        n->DestroyHandle(h);
    }

    fuse_reply_err(req, 0);
}
1496 
// Flushes |fd| with fdatasync(2) when |datasync| is set, fsync(2) otherwise.
// Returns 0 on success or the errno value of the failed call.
static int do_sync_common(int fd, bool datasync) {
    const int rc = datasync ? fdatasync(fd) : fsync(fd);
    return rc == -1 ? errno : 0;
}
1503 
// FUSE fsync entry point: flushes the handle's fd (data only when |datasync|
// is non-zero) and replies with the resulting errno, 0 on success.
static void pf_fsync(fuse_req_t req,
                     fuse_ino_t ino,
                     int datasync,
                     struct fuse_file_info* fi) {
    ATRACE_CALL();
    handle* h = reinterpret_cast<handle*>(fi->fh);
    fuse_reply_err(req, do_sync_common(h->fd, datasync));
}
1514 
// FUSE fsyncdir entry point: flushes the directory behind the dirhandle's
// DIR stream (via dirfd) and replies with the resulting errno, 0 on success.
static void pf_fsyncdir(fuse_req_t req,
                        fuse_ino_t ino,
                        int datasync,
                        struct fuse_file_info* fi) {
    dirhandle* dh = reinterpret_cast<dirhandle*>(fi->fh);
    fuse_reply_err(req, do_sync_common(dirfd(dh->d), datasync));
}
1524 
// FUSE opendir entry point: validates the node and the caller's access, asks
// MediaProvider whether the directory may be opened, opendir()s it and
// registers a dirhandle on the node.
static void pf_opendir(fuse_req_t req,
                       fuse_ino_t ino,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* n = fuse->FromInode(ino);
    if (n == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string path = n->BuildPath();
    if (!is_app_accessible_path(fuse->mp, path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(n, req);

    // A non-zero status from MediaProvider is the errno to report.
    const int status = fuse->mp->IsOpendirAllowed(path, ctx->uid, /* forWrite */ false);
    if (status != 0) {
        fuse_reply_err(req, status);
        return;
    }

    DIR* dir = opendir(path.c_str());
    if (dir == nullptr) {
        fuse_reply_err(req, errno);
        return;
    }

    // The dirhandle is registered on the node, which tracks it from here on
    // (presumably torn down by the releasedir handler).
    dirhandle* dh = new dirhandle(dir);
    n->AddDirHandle(dh);

    fi->fh = ptr_to_id(dh);
    fuse_reply_open(req, fi);
}
1562 
// Size of the stack buffer do_readdir_common fills per request; also the cap applied
// to the kernel-supplied `size`, so libfuse is never told the buffer is larger than it is.
#define READDIR_BUF 8192LU
1564 
// Shared implementation of readdir and readdirplus for one directory handle.
//
// req/ino/size/off/fi are the lowlevel readdir arguments; fi->fh carries the dirhandle
// created by pf_opendir. `plus` selects readdirplus (each entry carries the result of a
// do_lookup) over plain readdir (each entry carries only d_type and no real inode).
// Replies with fuse_reply_buf on success, or fuse_reply_err on the failures noted inline.
static void do_readdir_common(fuse_req_t req,
                              fuse_ino_t ino,
                              size_t size,
                              off_t off,
                              struct fuse_file_info* fi,
                              bool plus) {
    struct fuse* fuse = get_fuse(req);
    dirhandle* h = reinterpret_cast<dirhandle*>(fi->fh);
    // Never advertise more room to libfuse than the stack buffer below actually has.
    size_t len = std::min<size_t>(size, READDIR_BUF);
    char buf[READDIR_BUF];
    size_t used = 0;
    std::shared_ptr<DirectoryEntry> de;

    // Filled by do_lookup in the readdirplus path; only attr.st_ino/st_mode are set
    // in the plain readdir path.
    struct fuse_entry_param e;
    size_t entry_size = 0;

    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string path = node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(node, req);
    // Get all directory entries from MediaProvider on first readdir() call of
    // directory handle. h->next_off = 0 indicates that current readdir() call
    // is first readdir() call for the directory handle, Avoid multiple JNI calls
    // for single directory handle.
    if (h->next_off == 0) {
        h->de = fuse->mp->GetDirectoryEntries(req->ctx.uid, path, h->d);
    }
    // If the last entry in the previous readdir() call was rejected due to
    // buffer capacity constraints, update directory offset to start from
    // previously rejected entry. Directory offset can also change if there was
    // a seekdir() on the given directory handle.
    // NOTE(review): `off` is the kernel's directory position and is used below as an
    // index into h->de, bounded only by the `< num_directory_entries` loop test. The
    // type of next_off is not visible here; confirm it cannot go negative when assigned
    // from off_t, since a negative index would read outside h->de.
    if (off != h->next_off) {
        h->next_off = off;
    }
    const int num_directory_entries = h->de.size();
    // Check for errors. Any error/exception occurred while obtaining directory
    // entries will be indicated by marking first directory entry name as empty
    // string. In the erroneous case corresponding d_type will hold error number.
    if (num_directory_entries && h->de[0]->d_name.empty()) {
        fuse_reply_err(req, h->de[0]->d_type);
        return;
    }

    while (h->next_off < num_directory_entries) {
        de = h->de[h->next_off];
        entry_size = 0;
        // next_off is advanced before the entry is emitted so the offset recorded in the
        // entry points at the *next* entry, which is what the kernel passes back as `off`.
        h->next_off++;
        if (plus) {
            int error_code = 0;
            if (do_lookup(req, ino, de->d_name.c_str(), &e, &error_code, FuseOp::readdir)) {
                entry_size = fuse_add_direntry_plus(req, buf + used, len - used, de->d_name.c_str(),
                                                    &e, h->next_off);
            } else {
                // Ignore lookup errors on
                // 1. non-existing files returned from MediaProvider database.
                // 2. path that doesn't match FuseDaemon UID and calling uid.
                if (error_code == ENOENT || error_code == EPERM || error_code == EACCES
                    || error_code == EIO) continue;
                // NOTE(review): entries already appended to buf in this call are discarded
                // with this error reply, yet unlike the rejected-entry path below no
                // do_forget is issued for the lookups that presumably counted them.
                // Confirm whether that is intended.
                fuse_reply_err(req, error_code);
                return;
            }
        } else {
            // This should never happen because we have readdir_plus enabled without adaptive
            // readdir_plus, FUSE_CAP_READDIRPLUS_AUTO
            LOG(WARNING) << "Handling plain readdir for " << de->d_name << ". Invalid d_ino";
            e.attr.st_ino = FUSE_UNKNOWN_INO;
            // DT_* values shifted by 12 line up with the S_IFMT file-type bits of st_mode.
            e.attr.st_mode = de->d_type << 12;
            entry_size = fuse_add_direntry(req, buf + used, len - used, de->d_name.c_str(), &e.attr,
                                           h->next_off);
        }
        // If buffer in fuse_add_direntry[_plus] is not large enough then
        // the entry is not added to buffer but the size of the entry is still
        // returned. Check available buffer size + returned entry size is less
        // than actual buffer size to confirm entry is added to buffer.
        if (used + entry_size > len) {
            // When an entry is rejected, lookup called by readdir_plus will not be tracked by
            // kernel. Call forget on the rejected node to decrement the reference count.
            if (plus) {
                do_forget(req, fuse, e.ino, 1);
            }
            // Leave next_off pointing past the rejected entry; the kernel's next `off`
            // (taken from the last delivered entry) rewinds it to the rejected one above.
            break;
        }
        used += entry_size;
    }
    fuse_reply_buf(req, buf, used);
}
1659 
// FUSE readdir (plain): delegates to do_readdir_common without lookup data.
//
// See do_readdir_common for the meaning of the arguments and the reply paths.
static void pf_readdir(fuse_req_t req,
                       fuse_ino_t ino,
                       size_t size,
                       off_t off,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    constexpr bool kReaddirPlus = false;
    do_readdir_common(req, ino, size, off, fi, kReaddirPlus);
}
1665 
// FUSE readdirplus: delegates to do_readdir_common with lookup data per entry.
//
// See do_readdir_common for the meaning of the arguments and the reply paths.
static void pf_readdirplus(fuse_req_t req, fuse_ino_t ino, size_t size, off_t off,
                           struct fuse_file_info* fi) {
    ATRACE_CALL();
    constexpr bool kReaddirPlus = true;
    do_readdir_common(req, ino, size, off, fi, kReaddirPlus);
}
1674 
// FUSE releasedir: hand the dirhandle in fi->fh back to its node for destruction.
//
// If the node is no longer known the handle is left alone; the reply is always 0
// because the kernel cannot act on a releasedir failure anyway.
static void pf_releasedir(fuse_req_t req,
                          fuse_ino_t ino,
                          struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    dirhandle* dir_handle = reinterpret_cast<dirhandle*>(fi->fh);

    node* dir_node = fuse->FromInode(ino);
    TRACE_NODE(dir_node, req);
    if (dir_node != nullptr) {
        dir_node->DestroyDirHandle(dir_handle);
    }

    fuse_reply_err(req, 0);
}
1691 
// FUSE statfs: report the filesystem statistics of the root node's name via statvfs(3).
//
// `ino` is ignored; every inode on this mount shares the root's backing filesystem.
// Replies with the statvfs result, or with errno if the call fails.
static void pf_statfs(fuse_req_t req, fuse_ino_t ino) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    struct statvfs st;

    if (statvfs(fuse->root->GetName().c_str(), &st) != 0) {
        fuse_reply_err(req, errno);
        return;
    }
    fuse_reply_statfs(req, &st);
}
1702 /*
1703 static void pf_setxattr(fuse_req_t req, fuse_ino_t ino, const char* name,
1704                           const char* value, size_t size, int flags)
1705 {
1706     cout << "TODO:" << __func__;
1707 }
1708 
1709 static void pf_getxattr(fuse_req_t req, fuse_ino_t ino, const char* name,
1710                           size_t size)
1711 {
1712     cout << "TODO:" << __func__;
1713 }
1714 
1715 static void pf_listxattr(fuse_req_t req, fuse_ino_t ino, size_t size)
1716 {
1717     cout << "TODO:" << __func__;
1718 }
1719 
1720 static void pf_removexattr(fuse_req_t req, fuse_ino_t ino, const char* name)
1721 {
1722     cout << "TODO:" << __func__;
1723 }*/
1724 
// FUSE access: answer access(2)-style permission checks for `ino` with `mask`.
//
// Existence checks (F_OK) are answered from the real filesystem. Read/write checks are
// delegated to MediaProvider (IsOpendirAllowed for directories, OnFileOpen for files);
// execute checks on files are always refused. The reply is 0 or an errno value.
static void pf_access(fuse_req_t req, fuse_ino_t ino, int mask) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string path = node->BuildPath();
    // "/storage/emulated" is deliberately exempt from the app-visibility check so that
    // every app can traverse it; the X_OK special case below is what that exemption feeds.
    if (path != "/storage/emulated" && !is_app_accessible_path(fuse->mp, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    TRACE_NODE(node, req);

    // exists() checks are always allowed.
    if (mask == F_OK) {
        int res = access(path.c_str(), F_OK);
        fuse_reply_err(req, res ? errno : 0);
        return;
    }
    // Local name shadows the stat(2) function; only lstat is called below, so this is harmless.
    struct stat stat;
    if (lstat(path.c_str(), &stat)) {
        // File doesn't exist
        fuse_reply_err(req, ENOENT);
        return;
    }

    // For read and write permission checks we go to MediaProvider.
    int status = 0;
    bool for_write = mask & W_OK;
    bool is_directory = S_ISDIR(stat.st_mode);
    if (is_directory) {
        if (path == "/storage/emulated" && mask == X_OK) {
            // Special case for this path: apps should be allowed to enter it,
            // but not list directory contents (which would be user numbers).
            int res = access(path.c_str(), X_OK);
            fuse_reply_err(req, res ? errno : 0);
            return;
        }
        status = fuse->mp->IsOpendirAllowed(path, req->ctx.uid, for_write);
    } else {
        if (mask & X_OK) {
            // Fuse is mounted with MS_NOEXEC.
            fuse_reply_err(req, EACCES);
            return;
        }

        // A dry-run open: the result is only inspected for its status, nothing is kept open.
        std::unique_ptr<FileOpenResult> result = fuse->mp->OnFileOpen(
                path, path, req->ctx.uid, req->ctx.pid, node->GetTransformsReason(), for_write,
                false /* redact */, false /* log_transforms_metrics */);
        if (!result) {
            // No result at all (e.g. the JNI call itself failed) is reported as EFAULT.
            status = EFAULT;
        } else if (result->status) {
            // Any non-zero MediaProvider status collapses to EACCES for access(2).
            status = EACCES;
        }
    }

    fuse_reply_err(req, status);
}
1786 
// FUSE create: atomically create and open `name` under `parent`.
//
// The file is first registered with MediaProvider (InsertFile), then opened; a failed
// open rolls the database insert back. On success a handle is attached to the new node
// and returned via fuse_reply_create together with the entry parameters from
// make_node_entry. Replies with an errno value on any failure.
static void pf_create(fuse_req_t req,
                      fuse_ino_t parent,
                      const char* name,
                      mode_t mode,
                      struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* parent_node = fuse->FromInode(parent);
    if (!parent_node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string parent_path = parent_node->BuildPath();
    if (!is_app_accessible_path(fuse->mp, parent_path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(parent_node, req);

    const string child_path = parent_path + "/" + name;

    // MediaProvider decides whether this uid may create the file and records it.
    int mp_return_code = fuse->mp->InsertFile(child_path.c_str(), req->ctx.uid);
    if (mp_return_code) {
        fuse_reply_err(req, mp_return_code);
        return;
    }

    // With the writeback cache enabled, FUSE may generate READ requests even for files that
    // were opened O_WRONLY; so make sure we open it O_RDWR instead.
    int open_flags = fi->flags;
    if (open_flags & O_WRONLY) {
        open_flags &= ~O_WRONLY;
        open_flags |= O_RDWR;
    }

    // O_APPEND is dropped here; the kernel supplies explicit offsets for writes.
    if (open_flags & O_APPEND) {
        open_flags &= ~O_APPEND;
    }

    // The caller's permission bits are ignored: the lower nine bits are always 0664,
    // everything above them (e.g. type bits) is kept as requested.
    mode = (mode & (~0777)) | 0664;
    int fd = open(child_path.c_str(), open_flags, mode);
    if (fd < 0) {
        int error_code = errno;
        // We've already inserted the file into the MP database before the
        // failed open(), so that needs to be rolled back here.
        fuse->mp->DeleteFile(child_path.c_str(), req->ctx.uid);
        fuse_reply_err(req, error_code);
        return;
    }

    int error_code = 0;
    struct fuse_entry_param e;
    node* node =
            make_node_entry(req, parent_node, name, child_path, &e, &error_code, FuseOp::create);
    TRACE_NODE(node, req);
    if (!node) {
        // NOTE(review): unlike the failed-open path above, this return closes neither `fd`
        // nor rolls back InsertFile — confirm whether make_node_entry does so itself.
        CHECK(error_code != 0);
        fuse_reply_err(req, error_code);
        return;
    }

    // Let MediaProvider know we've created a new file
    fuse->mp->OnFileCreated(child_path);

    // TODO(b/147274248): Assume there will be no EXIF to redact.
    // This prevents crashing during reads but can be a security hole if a malicious app opens an fd
    // to the file before all the EXIF content is written. We could special case reads before the
    // first close after a file has just been created.
    int keep_cache = 1;
    // The fresh RedactionInfo is empty, matching the assumption above; ownership passes to the handle.
    handle* h = create_handle_for_node(fuse, child_path, fd, req->ctx.uid, 0 /* transforms_uid */,
                                       node, new RedactionInfo(), &keep_cache);
    fi->fh = ptr_to_id(h);
    fi->keep_cache = keep_cache;
    fi->direct_io = !h->cached;

    // TODO(b/173190192) ensuring that h->cached must be enabled in order to
    // user FUSE passthrough is a conservative rule and might be dropped as
    // soon as demonstrated its correctness.
    if (h->passthrough) {
        if (!do_passthrough_enable(req, fi, fd)) {
            // NOTE(review): the handle is already attached to `node` and `fd` is open; an
            // errored CREATE presumably gets no matching RELEASE, so confirm nothing else
            // tears them down on this path.
            PLOG(ERROR) << "Passthrough CREATE failed for " << child_path;
            fuse_reply_err(req, EFAULT);
            return;
        }
    }

    fuse_reply_create(req, &e, fi);
}
1876 /*
1877 static void pf_getlk(fuse_req_t req, fuse_ino_t ino,
1878                        struct fuse_file_info* fi, struct flock* lock)
1879 {
1880     cout << "TODO:" << __func__;
1881 }
1882 
1883 static void pf_setlk(fuse_req_t req, fuse_ino_t ino,
1884                        struct fuse_file_info* fi,
1885                        struct flock* lock, int sleep)
1886 {
1887     cout << "TODO:" << __func__;
1888 }
1889 
1890 static void pf_bmap(fuse_req_t req, fuse_ino_t ino, size_t blocksize,
1891                       uint64_t idx)
1892 {
1893     cout << "TODO:" << __func__;
1894 }
1895 
1896 static void pf_ioctl(fuse_req_t req, fuse_ino_t ino, unsigned int cmd,
1897                        void* arg, struct fuse_file_info* fi, unsigned flags,
1898                        const void* in_buf, size_t in_bufsz, size_t out_bufsz)
1899 {
1900     cout << "TODO:" << __func__;
1901 }
1902 
1903 static void pf_poll(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info* fi,
1904                       struct fuse_pollhandle* ph)
1905 {
1906     cout << "TODO:" << __func__;
1907 }
1908 
1909 static void pf_retrieve_reply(fuse_req_t req, void* cookie, fuse_ino_t ino,
1910                                 off_t offset, struct fuse_bufvec* bufv)
1911 {
1912     cout << "TODO:" << __func__;
1913 }
1914 
1915 static void pf_flock(fuse_req_t req, fuse_ino_t ino,
1916                        struct fuse_file_info* fi, int op)
1917 {
1918     cout << "TODO:" << __func__;
1919 }
1920 
1921 static void pf_fallocate(fuse_req_t req, fuse_ino_t ino, int mode,
1922                        off_t offset, off_t length, struct fuse_file_info* fi)
1923 {
1924     cout << "TODO:" << __func__;
1925 }
1926 */
1927 
// Lowlevel operation table handed to fuse_session_new() in FuseDaemon::Start().
// Operations left commented out are intentionally not implemented by this daemon;
// the kernel treats a missing handler as unsupported.
static struct fuse_lowlevel_ops ops{
        .init = pf_init,
        .destroy = pf_destroy,
        .lookup = pf_lookup,
        .forget = pf_forget,
        .getattr = pf_getattr,
        .setattr = pf_setattr,
        .canonical_path = pf_canonical_path,
        .mknod = pf_mknod,
        .mkdir = pf_mkdir,
        .unlink = pf_unlink,
        .rmdir = pf_rmdir,
        /* .symlink = pf_symlink, */
        .rename = pf_rename,
        /* .link = pf_link, */
        .open = pf_open,
        .read = pf_read,
        /* .write = pf_write, */
        /* .flush = pf_flush, */
        .release = pf_release,
        .fsync = pf_fsync,
        .opendir = pf_opendir,
        .readdir = pf_readdir,
        .releasedir = pf_releasedir,
        .fsyncdir = pf_fsyncdir,
        .statfs = pf_statfs,
        /* .setxattr = pf_setxattr, */
        /* .getxattr = pf_getxattr, */
        /* .listxattr = pf_listxattr, */
        /* .removexattr = pf_removexattr, */
        .access = pf_access,
        .create = pf_create,
        /* .getlk = pf_getlk, */
        /* .setlk = pf_setlk, */
        /* .bmap = pf_bmap, */
        /* .ioctl = pf_ioctl, */
        /* .poll = pf_poll, */
        .write_buf = pf_write_buf,
        /* .retrieve_reply = pf_retrieve_reply, */
        .forget_multi = pf_forget_multi,
        /* .flock = pf_flock, */
        .fallocate = pf_fallocate,
        .readdirplus = pf_readdirplus,
        /* .copy_file_range = pf_copy_file_range, */
};
1958 
// Multi-threaded loop configuration passed to fuse_session_loop_mt() in Start():
// each worker gets its own cloned /dev/fuse fd, and at most 10 idle workers are kept.
static struct fuse_loop_config config{.clone_fd = 1, .max_idle_threads = 10};
1963 
// Translation table from libfuse log levels to Android log priorities, used by
// fuse_logger(). Severities above ERROR on the libfuse side collapse onto
// ANDROID_LOG_ERROR; libfuse INFO/DEBUG are demoted one step so they stay quiet
// in normal logcat output.
static std::unordered_map<enum fuse_log_level, enum android_LogPriority> fuse_to_android_loglevel{
        {FUSE_LOG_EMERG, ANDROID_LOG_FATAL},
        {FUSE_LOG_ALERT, ANDROID_LOG_ERROR},
        {FUSE_LOG_CRIT, ANDROID_LOG_ERROR},
        {FUSE_LOG_ERR, ANDROID_LOG_ERROR},
        {FUSE_LOG_WARNING, ANDROID_LOG_WARN},
        {FUSE_LOG_NOTICE, ANDROID_LOG_INFO},
        {FUSE_LOG_INFO, ANDROID_LOG_DEBUG},
        {FUSE_LOG_DEBUG, ANDROID_LOG_VERBOSE},
};
1974 
// libfuse log callback (installed by Start() when persist.sys.fuse.log is set):
// forwards each message to logcat under LIBFUSE_LOG_TAG at the mapped priority.
// Note that unordered_map::at throws std::out_of_range for a level missing from
// fuse_to_android_loglevel, so the table must cover every level libfuse can emit.
static void fuse_logger(enum fuse_log_level level, const char* fmt, va_list ap) {
    const enum android_LogPriority prio = fuse_to_android_loglevel.at(level);
    __android_log_vprint(prio, LIBFUSE_LOG_TAG, fmt, ap);
}
1978 
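// Decide whether an fd the Java side is about to hand out must be routed through FUSE.
//
// fd/for_read describe the lower-filesystem open that was already performed; `path` is
// the corresponding path on this mount. Returns true when the file must be opened via
// FUSE (passthrough enabled, a cached FUSE handle exists, or no file lock could be
// taken), false when the direct fd may be used. While the daemon is inactive the answer
// is always false.
bool FuseDaemon::ShouldOpenWithFuse(int fd, bool for_read, const std::string& path) {
    // `fuse` points at a stack object owned by Start(): it is nullptr before Start() runs
    // and dangles once Start() has returned. `active` is the only signal that it may be
    // dereferenced, so it is consulted before any field of `fuse` is read.
    if (!active.load(std::memory_order_acquire)) {
        LOG(WARNING) << "FUSE daemon is inactive. Cannot open file with FUSE";
        return false;
    }

    if (fuse->passthrough) {
        // Always open with FUSE if passthrough is enabled. This avoids the delicate file lock
        // acquisition below to ensure VFS cache consistency and doesn't impact filesystem
        // performance since read(2)/write(2) happen in the kernel
        return true;
    }

    std::lock_guard<std::recursive_mutex> guard(fuse->lock);
    const node* node = node::LookupAbsolutePath(fuse->root, path);
    if (node && node->HasCachedHandle()) {
        return true;
    }
    // If we are unable to set a lock, we should use fuse since we can't track
    // when all fd references (including dups) are closed. This can happen when
    // we try to set a write lock twice on the same file
    return set_file_lock(fd, for_read, path);
}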
2006 
// Ask the kernel to drop its dentry for `path` (via fuse_inval) after an out-of-band change.
//
// The node tree is consulted under fuse->lock only long enough to capture the name and
// the parent/child inode numbers; the invalidation itself runs unlocked. Unknown paths,
// and nodes with an empty name, are silently skipped. Does nothing while the daemon is
// inactive, since `fuse` may not be valid then.
void FuseDaemon::InvalidateFuseDentryCache(const std::string& path) {
    LOG(VERBOSE) << "Invalidating FUSE dentry cache";
    if (!active.load(std::memory_order_acquire)) {
        LOG(WARNING) << "FUSE daemon is inactive. Cannot invalidate dentry";
        return;
    }

    string entry_name;
    fuse_ino_t parent_ino;
    fuse_ino_t child_ino;
    {
        std::lock_guard<std::recursive_mutex> guard(fuse->lock);
        const node* target = node::LookupAbsolutePath(fuse->root, path);
        if (target != nullptr) {
            entry_name = target->GetName();
            // ToInode takes a mutable node; the lookup only hands out const pointers.
            child_ino = fuse->ToInode(const_cast<class node*>(target));
            parent_ino = fuse->ToInode(target->GetParent());
        }
    }

    if (entry_name.empty()) {
        return;
    }
    fuse_inval(fuse->se, parent_ino, child_ino, entry_name, path);
}
2030 
// Construct a daemon bound to the Java MediaProvider object. The daemon starts
// inactive with no FUSE session; Start() supplies both.
FuseDaemon::FuseDaemon(JNIEnv* env, jobject mediaProvider)
    : mp(env, mediaProvider), active(false), fuse(nullptr) {}
2033 
// True while the FUSE session loop is running (`active` is raised by the session and
// cleared by Start() once the loop exits). Acquire ordering pairs with that release.
bool FuseDaemon::IsStarted() const {
    const bool started = active.load(std::memory_order_acquire);
    return started;
}
2037 
// Mount and serve the FUSE filesystem; blocks until the session loop ends.
//
// fd is the already-opened /dev/fuse descriptor (ownership moves to libfuse), `path`
// the directory being exported. Failures before the loop are logged and cause an early
// return; the caller learns of them only through IsStarted() staying false.
void FuseDaemon::Start(android::base::unique_fd fd, const std::string& path) {
    android::base::SetDefaultTag(LOG_TAG);

    struct fuse_args args;
    struct fuse_cmdline_opts opts;

    // Local name shadows the stat(2) function; only lstat is used here.
    struct stat stat;

    if (lstat(path.c_str(), &stat)) {
        PLOG(ERROR) << "ERROR: failed to stat source " << path;
        return;
    }

    if (!S_ISDIR(stat.st_mode)) {
        PLOG(ERROR) << "ERROR: source is not a directory";
        return;
    }

    // libfuse debug output ("-odebug") is requested unconditionally; how visible it is
    // depends on the log function installed below.
    // NOTE(review): the early returns from here until fuse_session_new() leave `args`
    // un-freed; fuse_opt_free_args is only reached on the normal path at the end.
    args = FUSE_ARGS_INIT(0, nullptr);
    if (fuse_opt_add_arg(&args, path.c_str()) || fuse_opt_add_arg(&args, "-odebug") ||
        fuse_opt_add_arg(&args, ("-omax_read=" + std::to_string(MAX_READ_SIZE)).c_str())) {
        LOG(ERROR) << "ERROR: failed to set options";
        return;
    }

    struct fuse fuse_default(path, stat.st_ino);
    fuse_default.mp = &mp;
    // fuse_default is stack allocated, but it's safe to save it as an instance variable because
    // this method blocks and FuseDaemon#active tells if we are currently blocking
    // NOTE(review): that only holds for callers that check `active` before touching `fuse`;
    // after this function returns (normally or via the session failure below) the pointer
    // dangles.
    fuse = &fuse_default;

    // Used by pf_read: redacted ranges are represented by zeroized ranges of bytes,
    // so we mmap the maximum length of redacted ranges in the beginning and save memory allocations
    // on each read.
    fuse_default.zero_addr = static_cast<char*>(mmap(
            NULL, MAX_READ_SIZE, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, /*fd*/ -1, /*off*/ 0));
    if (fuse_default.zero_addr == MAP_FAILED) {
        // Fatal: the daemon cannot serve reads without the zero page.
        LOG(FATAL) << "mmap failed - could not start fuse! errno = " << errno;
    }

    // Custom logging for libfuse
    if (android::base::GetBoolProperty("persist.sys.fuse.log", false)) {
        fuse_set_log_func(fuse_logger);
    }

    if (MY_USER_ID != 0 && mp.IsAppCloneUser(MY_USER_ID)) {
        // Disable dentry caching for the app clone user
        fuse->disable_dentry_cache = true;
    }

    fuse->passthrough = android::base::GetBoolProperty("persist.sys.fuse.passthrough.enable", false);
    if (fuse->passthrough) {
        LOG(INFO) << "Using FUSE passthrough";
    }

    struct fuse_session
            * se = fuse_session_new(&args, &ops, sizeof(ops), &fuse_default);
    if (!se) {
        // NOTE(review): returns with the zero page still mapped and `args` still allocated.
        PLOG(ERROR) << "Failed to create session ";
        return;
    }
    fuse_default.se = se;
    fuse_default.active = &active;
    se->fd = fd.release();  // libfuse owns the FD now
    // fuse_session_destroy() frees the mountpoint string along with the session.
    se->mountpoint = strdup(path.c_str());

    // Single thread. Useful for debugging
    // fuse_session_loop(se);
    // Multi-threaded
    LOG(INFO) << "Starting fuse...";
    fuse_session_loop_mt(se, &config);
    // Clear `active` while fuse_default is still alive so readers that honour it never see
    // the dangling pointer.
    fuse->active->store(false, std::memory_order_release);
    LOG(INFO) << "Ending fuse...";

    if (munmap(fuse_default.zero_addr, MAX_READ_SIZE)) {
        PLOG(ERROR) << "munmap failed!";
    }

    fuse_opt_free_args(&args);
    fuse_session_destroy(se);
    LOG(INFO) << "Ended fuse";
    return;
}
2121 
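// Resolve an open fd back to the path of the node it refers to on this mount.
//
// Returns the node's path, or an empty string when fstat fails, when the fd is not on
// this daemon's device (fuse->dev, recorded by InitializeDeviceId), or when no node
// with that inode is known. Assumes Start() is running, i.e. `fuse` is valid.
const string FuseDaemon::GetOriginalMediaFormatFilePath(int fd) const {
    struct stat s;
    memset(&s, 0, sizeof(s));
    if (fstat(fd, &s) < 0) {
        // fstat set errno, so PLOG's strerror suffix is meaningful here.
        PLOG(DEBUG) << "GetOriginalMediaFormatFilePath fstat failed.";
        return string();
    }

    const ino_t ino = s.st_ino;
    const dev_t dev = s.st_dev;

    // The device check is what keeps an unrelated fd from being matched against our node tree.
    const dev_t fuse_dev = fuse->dev.load(std::memory_order_acquire);
    if (dev != fuse_dev) {
        // No syscall failed on this path, so plain LOG: PLOG would append whatever stale
        // errno happens to be set, which is misleading.
        LOG(DEBUG) << "GetOriginalMediaFormatFilePath FUSE device id does not match.";
        return string();
    }

    // NOTE(review): ShouldOpenWithFuse() walks the tree under fuse->lock; this lookup does
    // not. Confirm LookupInode is safe to call unlocked while the session is live.
    const node* node = node::LookupInode(fuse->root, ino);
    if (!node) {
        LOG(DEBUG) << "GetOriginalMediaFormatFilePath no node found with given ino";
        return string();
    }

    return node->BuildPath();
}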
2147 
// Record the st_dev of `path` in fuse->dev so GetOriginalMediaFormatFilePath() can tell
// whether an fd belongs to this mount. Logs and leaves fuse->dev untouched if lstat fails.
// Assumes Start() is running (dereferences `fuse`).
void FuseDaemon::InitializeDeviceId(const std::string& path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) {
        PLOG(ERROR) << "InitializeDeviceId failed to stat given path " << path;
        return;
    }
    fuse->dev.store(st.st_dev, std::memory_order_release);
}
2158 } //namespace fuse
2159 }  // namespace mediaprovider
2160