1 // Copyright (C) 2019 The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #define ATRACE_TAG ATRACE_TAG_APP
16 #define LOG_TAG "FuseDaemon"
17 #define LIBFUSE_LOG_TAG "libfuse"
18 
19 #include "FuseDaemon.h"
20 
21 #include <android-base/logging.h>
22 #include <android-base/properties.h>
23 #include <android-base/strings.h>
24 #include <android/log.h>
25 #include <android/trace.h>
26 #include <ctype.h>
27 #include <dirent.h>
28 #include <errno.h>
29 #include <fcntl.h>
30 #include <fuse_i.h>
31 #include <fuse_kernel.h>
32 #include <fuse_log.h>
33 #include <fuse_lowlevel.h>
34 #include <inttypes.h>
35 #include <limits.h>
36 #include <stdbool.h>
37 #include <stdio.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <sys/inotify.h>
41 #include <sys/mman.h>
42 #include <sys/mount.h>
43 #include <sys/param.h>
44 #include <sys/resource.h>
45 #include <sys/stat.h>
46 #include <sys/statfs.h>
47 #include <sys/statvfs.h>
48 #include <sys/time.h>
49 #include <sys/types.h>
50 #include <sys/uio.h>
51 #include <unistd.h>
52 
#include <atomic>
#include <condition_variable>
#include <iostream>
#include <limits>
#include <map>
#include <memory>
#include <mutex>
#include <queue>
#include <regex>
#include <string>
#include <thread>
#include <unordered_map>
#include <unordered_set>
#include <vector>
62 
63 #define BPF_FD_JUST_USE_INT
64 #include "BpfSyscallWrappers.h"
65 #include "MediaProviderWrapper.h"
66 #include "libfuse_jni/FuseUtils.h"
67 #include "libfuse_jni/ReaddirHelper.h"
68 #include "libfuse_jni/RedactionInfo.h"
69 
70 using mediaprovider::fuse::DirectoryEntry;
71 using mediaprovider::fuse::dirhandle;
72 using mediaprovider::fuse::handle;
73 using mediaprovider::fuse::node;
74 using mediaprovider::fuse::RedactionInfo;
75 using std::string;
76 using std::vector;
77 
// Logging macros to avoid duplication.
//
// TRACE_NODE(node, req): VERBOSE log line naming the current function, the
// node expression (stringised) with its get_name() description, and the uid of
// the requesting process. |__req| is expected to be a fuse_req_t (it is
// dereferenced as (__req)->ctx.uid).
#define TRACE_NODE(__node, __req)                                                  \
    LOG(VERBOSE) << __FUNCTION__ << " : " << #__node << " = [" << get_name(__node) \
                 << "] (uid=" << (__req)->ctx.uid << ") "

// ATRACE_NAME(name) opens a trace section that is closed when the enclosing
// scope ends (see ScopedTrace); ATRACE_CALL() names it after the function.
#define ATRACE_NAME(name) ScopedTrace ___tracer(name)
#define ATRACE_CALL() ATRACE_NAME(__FUNCTION__)
85 
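// RAII wrapper around an ATrace section: the section is begun on construction
// and ended when the object goes out of scope, so early returns and exceptions
// still close it. Copy and move are deleted because a second instance for the
// same section would call ATrace_endSection() twice.
class ScopedTrace {
  public:
    // |name| is forwarded to ATrace_beginSection as the section label.
    explicit ScopedTrace(const char* name) { ATrace_beginSection(name); }

    ~ScopedTrace() { ATrace_endSection(); }

    ScopedTrace(const ScopedTrace&) = delete;
    ScopedTrace& operator=(const ScopedTrace&) = delete;
    ScopedTrace(ScopedTrace&&) = delete;
    ScopedTrace& operator=(ScopedTrace&&) = delete;
};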
96 
// True on builds where ro.debuggable is non-zero. get_name() uses it to decide
// whether real lower-fs paths may be written to the log.
const bool IS_OS_DEBUGABLE = android::base::GetIntProperty("ro.debuggable", 0);

// Sentinel inode value; its uses are outside this excerpt.
#define FUSE_UNKNOWN_INO 0xffffffff

// Stolen from: android_filesystem_config.h
// First uid of the application range; lower uids belong to the platform.
#define AID_APP_START 10000

// Largest single read advertised to the kernel (pf_init sets conn->max_read).
constexpr size_t MAX_READ_SIZE = 128 * 1024;
// Stolen from: UserHandle#getUserId
// Number of uids per Android user: user id == uid / PER_USER_RANGE.
constexpr int PER_USER_RANGE = 100000;

// Stolen from: UserManagerService
constexpr int MAX_USER_ID = UINT32_MAX / PER_USER_RANGE;

// Identity of this process, evaluated once during static initialisation.
const int MY_UID = getuid();
const int MY_USER_ID = MY_UID / PER_USER_RANGE;
const std::string MY_USER_ID_STRING(std::to_string(MY_UID / PER_USER_RANGE));

// Regex copied from FileUtils.java in MediaProvider, but without media directory.
// Matches /storage/<vol>/[<user>/]Android/{data,obb}/<package>[/...] case-
// insensitively; capture group 1 is the package name. std::regex_match is
// comparatively slow and this pattern is evaluated on lookup paths.
const std::regex PATTERN_OWNED_PATH(
        "^/storage/[^/]+/(?:[0-9]+/)?Android/(?:data|obb)/([^/]+)(/?.*)?",
        std::regex_constants::icase);
// Matches exactly /storage/<vol>/<user>/Android/data or .../Android/obb, the
// only directories FUSE BPF currently backs (see make_node_entry).
const std::regex PATTERN_BPF_BACKING_PATH("^/storage/[^/]+/[0-9]+/Android/(data|obb)$",
                                          std::regex_constants::icase);

// Sub-directory names under <effective root>/.transforms (fuse::GetTransformsDir).
static constexpr char TRANSFORM_SYNTHETIC_DIR[] = "synthetic";
static constexpr char TRANSFORM_TRANSCODE_DIR[] = "transcode";
// Mount prefix of emulated (primary) storage; per-user roots live below it.
static constexpr char PRIMARY_VOLUME_PREFIX[] = "/storage/emulated";

// Pinned location of the FUSE BPF program in the bpf filesystem.
static constexpr char FUSE_BPF_PROG_PATH[] = "/sys/fs/bpf/prog_fuse_media_fuse_media";

// Sentinel used where a BPF fd is expected; its use is outside this excerpt.
enum class BpfFd { REMOVE = -1 };
129 
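/*
 * In order to avoid double caching with fuse, call fadvise on the file handles
 * in the underlying file system. However, if this is done on every read/write,
 * the fadvises cause a very significant slowdown in tests (specifically fio
 * seq_write). So call fadvise on the file handles with the most reads/writes
 * only after a threshold is passed.
 *
 * Threading model: Record()/Close() only enqueue a message under mutex_. All
 * bookkeeping (files_, sizes_, total_size_) and the posix_fadvise calls run on
 * the single worker thread, so those members need no locking. The destructor
 * posts a quit message and joins the worker.
 */
class FAdviser {
  public:
    // thread_ is the last data member, so every other member is constructed
    // before the worker thread starts.
    FAdviser() : thread_(MessageLoop, this) {}

    ~FAdviser() {
        SendMessage(Message::quit);
        thread_.join();
    }

    // Accounts |size| bytes of I/O against |fd|. Safe to call from any thread.
    void Record(int fd, size_t size) { SendMessage(Message::record, fd, size); }

    // Forgets |fd|; it is no longer a candidate for fadvise. Safe from any thread.
    void Close(int fd) { SendMessage(Message::close, fd); }

  private:
    struct Message {
        enum Type { record, close, quit };
        Type type;
        int fd;
        size_t size;
    };

    // Worker thread only. Adds |size| to the running total for |fd| and, once
    // total_size_ reaches threshold_, fadvises the fds with the most recorded
    // I/O until the total drops to target_.
    void RecordImpl(int fd, size_t size) {
        total_size_ += size;

        // Find or create record in files_.
        // Remove record from sizes_ if it exists, folding the old size into |size|.
        auto file = files_.find(fd);
        if (file != files_.end()) {
            auto old_size = file->second;
            size += old_size->first;
            sizes_.erase(old_size);
        } else {
            file = files_.emplace(fd, sizes_.end()).first;
        }

        // Now (re) insert record in sizes_, keyed by accumulated size.
        file->second = sizes_.emplace(size, fd);

        if (total_size_ < threshold_) return;

        LOG(INFO) << "Threshold exceeded - fadvising " << total_size_;
        while (!sizes_.empty() && total_size_ > target_) {
            // The multimap is ascending, so the last entry has the most I/O.
            auto heaviest = sizes_.end();
            --heaviest;
            const int victim_fd = heaviest->second;
            total_size_ -= heaviest->first;
            // Best effort: a failed fadvise just leaves pages cached.
            // posix_fadvise returns the error number instead of setting errno.
            const int err = posix_fadvise(victim_fd, 0, 0, POSIX_FADV_DONTNEED);
            if (err != 0) {
                LOG(WARNING) << "posix_fadvise failed for fd " << victim_fd << ": "
                             << strerror(err);
            }
            files_.erase(victim_fd);
            sizes_.erase(heaviest);
        }
        LOG(INFO) << "Threshold now " << total_size_;
    }

    // Worker thread only. Drops all bookkeeping for |fd|, if any.
    void CloseImpl(int fd) {
        auto file = files_.find(fd);
        if (file == files_.end()) return;

        total_size_ -= file->second->first;
        sizes_.erase(file->second);
        files_.erase(file);
    }

    // Worker thread body: process messages until a quit message arrives.
    void MessageLoopImpl() {
        while (true) {
            Message message;

            {
                std::unique_lock<std::mutex> lock(mutex_);
                cv_.wait(lock, [this] { return !queue_.empty(); });
                message = queue_.front();
                queue_.pop();
            }

            switch (message.type) {
                case Message::record:
                    RecordImpl(message.fd, message.size);
                    break;

                case Message::close:
                    CloseImpl(message.fd);
                    break;

                case Message::quit:
                    return;
            }
        }
    }

    static int MessageLoop(FAdviser* ptr) {
        ptr->MessageLoopImpl();
        return 0;
    }

    // Enqueues a message for the worker and wakes it. Safe from any thread.
    void SendMessage(Message::Type type, int fd = -1, size_t size = 0) {
        {
            std::lock_guard<std::mutex> lock(mutex_);
            queue_.push(Message{type, fd, size});
        }
        cv_.notify_one();
    }

    std::mutex mutex_;
    std::condition_variable cv_;
    std::queue<Message> queue_;

    typedef std::multimap<size_t, int> Sizes;
    typedef std::map<int, Sizes::iterator> Files;

    // Accumulated I/O per fd, and the same entries ordered by size.
    Files files_;
    Sizes sizes_;
    size_t total_size_ = 0;

    const size_t threshold_ = 64 * 1024 * 1024;
    const size_t target_ = 32 * 1024 * 1024;

    // Keep last: constructing it starts the worker, which touches the members above.
    std::thread thread_;
};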
253 
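/* Single FUSE mount */
//
// All state for one mounted volume: the node tree (guarded by |lock|), the
// libfuse session, the caching/passthrough/BPF switches and the relative-path
// lists that configure transcoding and uncached access. The instance is the
// libfuse userdata recovered by get_fuse().
struct fuse {
    explicit fuse(const std::string& _path, const ino_t _ino, const bool _uncached_mode,
                  const bool _bpf, const int _bpf_fd,
                  const std::vector<string>& _supported_transcoding_relative_paths,
                  const std::vector<string>& _supported_uncached_relative_paths)
        : path(_path),
          tracker(mediaprovider::fuse::NodeTracker(&lock)),
          root(node::CreateRoot(_path, &lock, _ino, &tracker)),
          uncached_mode(_uncached_mode),
          mp(nullptr),
          zero_addr(nullptr),
          disable_dentry_cache(false),
          passthrough(false),
          bpf(_bpf),
          bpf_fd(_bpf_fd),
          supported_transcoding_relative_paths(_supported_transcoding_relative_paths),
          supported_uncached_relative_paths(_supported_uncached_relative_paths) {}

    inline bool IsRoot(const node* node) const { return node == root; }

    // Root as seen by apps: the per-user directory (<path>/<user id>) for
    // emulated storage, the mount path itself for any other volume.
    inline string GetEffectiveRootPath() {
        if (android::base::StartsWith(path, PRIMARY_VOLUME_PREFIX)) {
            return path + "/" + MY_USER_ID_STRING;
        }
        return path;
    }

    // Directory under which transformed (synthetic/transcoded) views live.
    inline string GetTransformsDir() { return GetEffectiveRootPath() + "/.transforms"; }

    // Note that these two (FromInode / ToInode) conversion wrappers are required
    // because fuse_lowlevel_ops documents that the root inode is always one
    // (see FUSE_ROOT_ID in fuse_lowlevel.h). There are no particular requirements
    // on any of the other inodes in the FS.
    inline node* FromInode(__u64 inode) {
        if (inode == FUSE_ROOT_ID) {
            return root;
        }

        return node::FromInode(inode, &tracker);
    }

    // Same as FromInode but delegates to the non-throwing tracker lookup.
    inline node* FromInodeNoThrow(__u64 inode) {
        if (inode == FUSE_ROOT_ID) {
            return root;
        }

        return node::FromInodeNoThrow(inode, &tracker);
    }

    inline __u64 ToInode(node* node) const {
        if (IsRoot(node)) {
            return FUSE_ROOT_ID;
        }

        return node::ToInode(node);
    }

    // True when |path| is an .mp4 under one of the configured transcoding
    // directories (relative to the effective root). All comparisons are
    // case-insensitive.
    inline bool IsTranscodeSupportedPath(const string& path) {
        // Keep in sync with MediaProvider#supportsTranscode
        if (!android::base::EndsWithIgnoreCase(path, ".mp4")) {
            return false;
        }

        // A value rather than a reference: the concatenation is a temporary.
        const std::string base_path = GetEffectiveRootPath() + "/";
        for (const std::string& relative_path : supported_transcoding_relative_paths) {
            if (android::base::StartsWithIgnoreCase(path, base_path + relative_path)) {
                return true;
            }
        }

        return false;
    }

    // True when |path| starts with <effective root>/<one of the uncached
    // relative paths>, compared case-insensitively.
    inline bool IsUncachedPath(const std::string& path) {
        const std::string base_path = GetEffectiveRootPath() + "/";
        for (const std::string& relative_path : supported_uncached_relative_paths) {
            if (android::base::StartsWithIgnoreCase(path, base_path + relative_path)) {
                return true;
            }
        }

        return false;
    }

    // Decides whether the kernel may cache entries for |path|. Returns true
    // for the whole volume in uncached mode, otherwise only for configured
    // uncached paths on the primary volume.
    inline bool ShouldNotCache(const std::string& path) {
        if (uncached_mode) {
            // Cache is disabled for the entire volume.
            return true;
        }

        if (supported_uncached_relative_paths.empty()) {
            // By default there is no supported uncached path. Just return early in this case.
            return false;
        }

        if (!android::base::StartsWithIgnoreCase(path, PRIMARY_VOLUME_PREFIX)) {
            // Uncached path config applies only to primary volumes.
            return false;
        }

        // Append a slash at the end to make sure that the exact match is picked up.
        const bool has_trailing_slash = android::base::EndsWith(path, "/");
        return IsUncachedPath(has_trailing_slash ? path : path + "/");
    }

    // Guards the node tree: handed to the NodeTracker and to every node
    // created for this mount.
    std::recursive_mutex lock;
    const string path;
    // The Inode tracker associated with this FUSE instance.
    mediaprovider::fuse::NodeTracker tracker;
    node* const root;
    // libfuse session. Not set by the constructor; presumably assigned by the
    // owning FuseDaemon once the session exists (outside this excerpt).
    struct fuse_session* se = nullptr;

    const bool uncached_mode;

    /*
     * Used to make JNI calls to MediaProvider.
     * Responsibility of freeing this object falls on corresponding
     * FuseDaemon object.
     */
    mediaprovider::fuse::MediaProviderWrapper* mp;

    /*
     * Points to a range of zeroized bytes, used by pf_read to represent redacted ranges.
     * The memory is read only and should never be modified.
     */
    /* const */ char* zero_addr;

    FAdviser fadviser;

    // Flag owned outside this struct; pf_init stores true once the session is up.
    std::atomic_bool* active = nullptr;
    std::atomic_bool disable_dentry_cache;
    std::atomic_bool passthrough;
    std::atomic_bool bpf;

    const int bpf_fd;

    // FUSE device id.
    std::atomic_uint dev{0};
    const std::vector<string> supported_transcoding_relative_paths;
    const std::vector<string> supported_uncached_relative_paths;
};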
399 
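// Options for an open handle. Members are brace-initialised so a default
// constructed OpenInfo has no indeterminate fields; where the values are
// populated is outside this excerpt.
struct OpenInfo {
    int flags = 0;           // open(2)-style flags for the handle
    bool for_write = false;  // whether the handle was opened for writing
    bool direct_io = false;  // whether I/O on the handle should bypass the page cache
};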
405 
// Which fuse_lowlevel_ops request is resolving a node; validate_node_path()
// uses it to restrict what may be done under the .transforms directory.
enum class FuseOp { lookup, readdir, mknod, mkdir, create };
407 
// Describes |n| for log lines: the node path, prefixed with the real lower-fs
// path on debuggable builds only. Returns "?" for a null node.
static inline string get_name(node* n) {
    if (!n) {
        return "?";
    }
    std::string description;
    if (IS_OS_DEBUGABLE) {
        description = "real_path: " + n->BuildPath() + " ";
    }
    description += "node_path: " + n->BuildSafePath();
    return description;
}
416 
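// Converts a pointer to a 64-bit opaque id. Going through uintptr_t keeps the
// conversion well-defined on both 32- and 64-bit builds; the value is only
// meaningful for the lifetime of the pointee.
static inline __u64 ptr_to_id(const void* ptr) {
    return static_cast<__u64>(reinterpret_cast<uintptr_t>(ptr));
}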
420 
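/*
 * Set an F_RDLCK or F_WRLCK on fd with fcntl(2).
 *
 * This is called before the MediaProvider returns fd from the lower file
 * system to an app over the ContentResolver interface. This allows us
 * check with is_file_locked if any reference to that fd is still open.
 *
 * An open file description (OFD) lock over the whole file (l_start = 0,
 * l_len = 0) is used: it is tied to the open file description rather than to
 * this process, so it stays in place once the fd has been handed to the app.
 * |path| is used for diagnostics only.
 *
 * Returns 0 on success, otherwise the non-zero fcntl(2) result with errno set.
 */
static int set_file_lock(int fd, bool for_read, const std::string& path) {
    struct flock fl{};
    fl.l_type = for_read ? F_RDLCK : F_WRLCK;
    fl.l_whence = SEEK_SET;
    // l_start and l_len stay 0: lock from the start of the file through EOF.

    const int res = fcntl(fd, F_OFD_SETLK, &fl);
    if (res != 0) {
        PLOG(WARNING) << "Failed to set lock: " << (for_read ? "read" : "write") << " on "
                      << path;
    }
    return res;
}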
442 
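/*
 * Check if an F_RDLCK or F_WRLCK is set on fd with fcntl(2).
 *
 * This is used to determine if the MediaProvider has given an fd to the lower fs to an app over
 * the ContentResolver interface. Before that happens, we always call set_file_lock on the file
 * allowing us to know if any reference to that fd is still open here.
 *
 * The probe asks whether a write lock would conflict, so a read or write lock
 * held through a different open file description is reported. |path| is used
 * for diagnostics only.
 *
 * Returns true if fd may have a lock, false otherwise
 */
static bool is_file_locked(int fd, const std::string& path) {
    struct flock fl{};
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;

    if (fcntl(fd, F_OFD_GETLK, &fl) != 0) {
        PLOG(WARNING) << "Failed to check lock on " << path;
        // Assume worst (fail closed): an unanswerable query counts as locked.
        return true;
    }
    // F_OFD_GETLK rewrites l_type to F_UNLCK when no conflicting lock exists.
    return fl.l_type != F_UNLCK;
}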
466 
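// Recovers the per-mount fuse instance registered as the session's userdata.
// fuse_req_userdata() returns void*, so static_cast is the right conversion.
static struct fuse* get_fuse(fuse_req_t req) {
    return static_cast<struct fuse*>(fuse_req_userdata(req));
}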
470 
// True when |path| lies inside this mount (|fuse_path| is a prefix) and names a
// per-package Android/{data,obb} directory or something beneath it.
static bool is_package_owned_path(const string& path, const string& fuse_path) {
    const bool under_mount = path.compare(0, fuse_path.size(), fuse_path) == 0;
    return under_mount && std::regex_match(path, PATTERN_OWNED_PATH);
}
477 
// True when |path| is exactly a /storage/<vol>/<user>/Android/{data,obb}
// directory, i.e. one of the roots FUSE BPF may back directly.
static bool is_bpf_backing_path(const string& path) {
    const bool backed_by_bpf = std::regex_match(path, PATTERN_BPF_BACKING_PATH);
    return backed_by_bpf;
}
481 
// See fuse_lowlevel.h fuse_lowlevel_notify_inval_entry for how to call this safely without
// deadlocking the kernel.
//
// Asks the kernel to drop the dentry |child_name| under |parent_ino|; when that
// fails, falls back to invalidating the child inode so cached attributes go
// too. Paths containing a mount point are skipped entirely.
static void fuse_inval(fuse_session* se, fuse_ino_t parent_ino, fuse_ino_t child_ino,
                       const string& child_name, const string& path) {
    if (mediaprovider::fuse::containsMount(path)) {
        LOG(WARNING) << "Ignoring attempt to invalidate dentry for FUSE mounts";
        return;
    }

    const int entry_result = fuse_lowlevel_notify_inval_entry(se, parent_ino, child_name.c_str(),
                                                              child_name.size());
    if (entry_result == 0) {
        return;
    }
    // Invalidating the dentry can fail if there's no dcache entry, however, there may still
    // be cached attributes, so attempt to invalidate those by invalidating the inode
    fuse_lowlevel_notify_inval_inode(se, child_ino, 0, 0);
}
497 
// Dentry timeout to report for |path|: 0 when the kernel must come back to the
// daemon for every lookup, otherwise "forever".
static double get_entry_timeout(const string& path, bool should_inval, struct fuse* fuse) {
    const string media_path = fuse->GetEffectiveRootPath() + "/Android/media";
    // We set dentry timeout to 0 for the following reasons:
    // 1. The dentry cache was completely disabled for the entire volume.
    // 2.1 Case-insensitive lookups need to invalidate other case-insensitive dentry matches
    // 2.2 Nodes supporting transforms need to be invalidated, so that subsequent lookups by a
    // uid requiring a transform is guaranteed to come to the FUSE daemon.
    // 3. With app data isolation enabled, app A should not guess existence of app B from the
    // Android/{data,obb}/<package> paths, hence we prevent the kernel from caching that
    // information.
    // 4. Installd might delete Android/media/<package> dirs when app data is cleared.
    // This can leave a stale entry in the kernel dcache, and break subsequent creation of the
    // dir via FUSE.
    // 5. The dentry cache was completely disabled for the given path.
    // The checks below are evaluated in that order and short-circuit.
    const bool never_cache = fuse->disable_dentry_cache || should_inval ||
                             is_package_owned_path(path, fuse->path) ||
                             android::base::StartsWithIgnoreCase(path, media_path) ||
                             fuse->ShouldNotCache(path);
    if (never_cache) {
        return 0;
    }
    return std::numeric_limits<double>::max();
}
518 
// Path to use for I/O on |node|: the transform io_path when one is set,
// otherwise the node's own (lower-fs) path.
static std::string get_path(node* node) {
    const string& io_path = node->GetIoPath();
    if (!io_path.empty()) {
        return io_path;
    }
    return node->BuildPath();
}
523 
// Returns true if the path resides under .transforms/synthetic.
// NOTE: currently only file paths corresponding to redacted URIs reside under this folder. The path
// itself never exists and just a link for transformation.
static inline bool is_synthetic_path(const string& path, struct fuse* fuse) {
    const string synthetic_dir = fuse->GetTransformsDir() + "/" + TRANSFORM_SYNTHETIC_DIR;
    return android::base::StartsWithIgnoreCase(path, synthetic_dir);
}
531 
// Returns true if |path| is the .transforms directory itself or anything below
// it (case-insensitive prefix match).
static inline bool is_transforms_dir_path(const string& path, struct fuse* fuse) {
    const string transforms_dir = fuse->GetTransformsDir();
    return android::base::StartsWithIgnoreCase(path, transforms_dir);
}
535 
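// Validates that |path| may be exposed for operation |op| and fills |e->attr|
// via lstat(2). On success returns the FileLookupResult describing any
// transform to apply (io_path, transforms, ...); a no-transform result is
// returned for directories and for paths that can never need one. On failure
// returns nullptr and stores an errno-style value in |*error_code|.
//
// Rules enforced here:
//  - Everything under <root>/.transforms is hidden except lookups of the
//    .transforms directory itself and of entries under .transforms/synthetic.
//  - For synthetic paths a lookup is allowed even though lstat fails: the path
//    never exists on disk and is only a link to a transformation.
//  - When MediaProvider reports an io_path, |e->attr| is re-read from it.
//
// |name| is accepted for interface compatibility but not used here.
static std::unique_ptr<mediaprovider::fuse::FileLookupResult> validate_node_path(
        const std::string& path, const std::string& name, fuse_req_t req, int* error_code,
        struct fuse_entry_param* e, const FuseOp op) {
    struct fuse* fuse = get_fuse(req);
    memset(e, 0, sizeof(*e));

    const bool synthetic_path = is_synthetic_path(path, fuse);
    if (lstat(path.c_str(), &e->attr) < 0 && !(op == FuseOp::lookup && synthetic_path)) {
        *error_code = errno;
        return nullptr;
    }

    if (is_transforms_dir_path(path, fuse)) {
        if (op == FuseOp::lookup) {
            // Lookups are only allowed under .transforms/synthetic dir (the
            // StartsWith check is exactly |synthetic_path| computed above).
            if (!(android::base::EqualsIgnoreCase(path, fuse->GetTransformsDir()) ||
                  synthetic_path)) {
                // ENOENT, matching the non-lookup branch below: the entry is
                // simply reported as missing (ENONET would be a network error).
                *error_code = ENOENT;
                return nullptr;
            }
        } else {
            // user-code is only allowed to make lookups under .transforms dir, and that too only
            // under .transforms/synthetic dir
            *error_code = ENOENT;
            return nullptr;
        }
    }

    if (S_ISDIR(e->attr.st_mode)) {
        // now that we have reached this point, ops on directories are safe and require no
        // transformation.
        return std::make_unique<mediaprovider::fuse::FileLookupResult>(0, 0, 0, true, false, "");
    }

    if (!synthetic_path && !fuse->IsTranscodeSupportedPath(path)) {
        // Transforms are only supported for synthetic or transcode-supported paths
        return std::make_unique<mediaprovider::fuse::FileLookupResult>(0, 0, 0, true, false, "");
    }

    // Handle potential file transforms
    std::unique_ptr<mediaprovider::fuse::FileLookupResult> file_lookup_result =
            fuse->mp->FileLookup(path, req->ctx.uid, req->ctx.pid);

    if (!file_lookup_result) {
        // Fail lookup if we can't fetch FileLookupResult for path
        LOG(WARNING) << "Failed to fetch FileLookupResult for " << path;
        *error_code = EFAULT;
        return nullptr;
    }

    const string& io_path = file_lookup_result->io_path;
    // Update size with io_path iff there's an io_path
    if (!io_path.empty() && (lstat(io_path.c_str(), &e->attr) < 0)) {
        *error_code = errno;
        return nullptr;
    }

    return file_lookup_result;
}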
597 
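// Resolves (or creates) the node for |name| under |parent| at lower-fs |path|
// and fills |e| for the reply to a lookup/readdir/mknod/mkdir/create request.
// Returns nullptr with |*error_code| set when validate_node_path() rejects the
// path. Side effects: may rename an existing node to the looked-up case
// variant and start an asynchronous dentry invalidation, updates the node's
// transform state, and sets e->ino, e->generation, e->attr (including the
// st_nlink transcode marker) and, unless FUSE BPF backs the path, the cache
// timeouts.
static node* make_node_entry(fuse_req_t req, node* parent, const string& name, const string& path,
                             struct fuse_entry_param* e, int* error_code, const FuseOp op) {
    struct fuse* fuse = get_fuse(req);
    node* node;

    memset(e, 0, sizeof(*e));

    std::unique_ptr<mediaprovider::fuse::FileLookupResult> file_lookup_result =
            validate_node_path(path, name, req, error_code, e, op);
    if (!file_lookup_result) {
        // Fail lookup if we can't validate |path|; |*error_code| has already been set
        return nullptr;
    }

    bool should_invalidate = file_lookup_result->transforms_supported;
    const bool transforms_complete = file_lookup_result->transforms_complete;
    const int transforms = file_lookup_result->transforms;
    const int transforms_reason = file_lookup_result->transforms_reason;
    const string& io_path = file_lookup_result->io_path;
    if (transforms) {
        // If the node requires transforms, we MUST never cache it in the VFS
        CHECK(should_invalidate);
    }

    node = parent->LookupChildByName(name, true /* acquire */, transforms);
    if (!node) {
        ino_t ino = e->attr.st_ino;
        node = ::node::Create(parent, name, io_path, transforms_complete, transforms,
                              transforms_reason, &fuse->lock, ino, &fuse->tracker);
    } else if (!mediaprovider::fuse::containsMount(path)) {
        // Only invalidate a path if it does not contain mount and |name| != node->GetName.
        // Invalidate both names to ensure there's no dentry left in the kernel after the following
        // operations:
        // 1) touch foo, touch FOO, unlink *foo*
        // 2) touch foo, touch FOO, unlink *FOO*
        // Invalidating lookup_name fixes (1) and invalidating node_name fixes (2)
        // -Set |should_invalidate| to true to invalidate lookup_name by using 0 timeout below
        // -Explicitly invalidate node_name. Note that we invalidate async otherwise we will
        // deadlock the kernel
        if (name != node->GetName()) {
            // Force node invalidation to fix the kernel dentry cache for case (1) above
            should_invalidate = true;
            // Make copies of the node name and path so we're not attempting to acquire
            // any node locks from the invalidation thread. Depending on timing, we may end
            // up invalidating the wrong inode but that shouldn't result in correctness issues.
            const fuse_ino_t parent_ino = fuse->ToInode(parent);
            const fuse_ino_t child_ino = fuse->ToInode(node);
            const std::string& node_name = node->GetName();
            // The detached thread captures the raw |fuse| pointer (and its se);
            // this relies on the mount outliving any pending invalidation.
            // NOTE(review): confirm the fuse object is never torn down while
            // such threads may still be running.
            std::thread t([=]() { fuse_inval(fuse->se, parent_ino, child_ino, node_name, path); });
            t.detach();
            // Update the name after |node_name| reference above has been captured in lambda
            // This avoids invalidating the node again on subsequent accesses with |name|
            node->SetName(name);
        }

        // This updated value allows us correctly decide if to keep_cache and use direct_io during
        // FUSE_OPEN. Between the last lookup and this lookup, we might have deleted a cached
        // transcoded file on the lower fs. A subsequent transcode at FUSE_READ should ensure we
        // don't reuse any stale transcode page cache content.
        node->SetTransformsComplete(transforms_complete);
    }
    TRACE_NODE(node, req);

    if (should_invalidate && fuse->IsTranscodeSupportedPath(path)) {
        // Some components like the MTP stack need an efficient mechanism to determine if a file
        // supports transcoding. This allows them workaround an issue with MTP clients on windows
        // where those clients incorrectly use the original file size instead of the transcoded file
        // size to copy files from the device. This size misuse causes transcoded files to be
        // truncated to the original file size, hence corrupting the transcoded file.
        //
        // We expose the transcode bit via the st_nlink stat field. This should be safe because the
        // field is not supported on FAT filesystems which FUSE is emulating.
        // WARNING: Apps should never rely on this behavior as it is NOT supported API and will be
        // removed in a future release when the MTP stack has better support for transcoded files on
        // Windows OS.
        e->attr.st_nlink = 2;
    }

    // This FS is not being exported via NFS so just a fixed generation number
    // for now. If we do need this, we need to increment the generation ID each
    // time the fuse daemon restarts because that's what it takes for us to
    // reuse inode numbers.
    e->generation = 0;
    e->ino = fuse->ToInode(node);

    // When FUSE BPF is used, the caching of node attributes and lookups is
    // disabled to avoid possible inconsistencies between the FUSE cache and
    // the lower file system state.
    // With FUSE BPF the file system requests are forwarded to the lower file
    // system bypassing the FUSE daemon, so dropping the caching does not
    // introduce a performance regression.
    // Currently FUSE BPF is limited to the Android/data and Android/obb
    // directories.
    if (!fuse->bpf || !is_bpf_backing_path(path)) {
        e->entry_timeout = get_entry_timeout(path, should_invalidate, fuse);
        e->attr_timeout = std::numeric_limits<double>::max();
    }
    return node;
}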
698 
699 namespace mediaprovider {
700 namespace fuse {
701 
702 /**
703  * Function implementations
704  *
705  * These implement the various functions in fuse_lowlevel_ops
706  *
707  */
708 
// fuse_lowlevel_ops.init: negotiates connection capabilities with the kernel,
// enables passthrough when both sides support it, caps the read size and
// marks the mount active.
static void pf_init(void* userdata, struct fuse_conn_info* conn) {
    struct fuse* fuse = reinterpret_cast<struct fuse*>(userdata);

    // We don't want a getattr request with every read request
    conn->want &= ~(FUSE_CAP_AUTO_INVAL_DATA | FUSE_CAP_READDIRPLUS_AUTO);
    unsigned mask = FUSE_CAP_SPLICE_WRITE | FUSE_CAP_SPLICE_MOVE | FUSE_CAP_SPLICE_READ |
                    FUSE_CAP_ASYNC_READ | FUSE_CAP_ATOMIC_O_TRUNC | FUSE_CAP_WRITEBACK_CACHE |
                    FUSE_CAP_EXPORT_SUPPORT | FUSE_CAP_FLOCK_LOCKS;

    bool disable_splice_write = false;
    if (fuse->passthrough) {
        if (!(conn->capable & FUSE_CAP_PASSTHROUGH)) {
            LOG(WARNING) << "Passthrough feature not supported by the kernel";
            fuse->passthrough = false;
        } else {
            mask |= FUSE_CAP_PASSTHROUGH;

            // SPLICE_WRITE seems to cause linux kernel cache corruption with passthrough enabled.
            // It is still under investigation but while running
            // ScopedStorageDeviceTest#testAccessMediaLocationInvalidation, we notice test flakes
            // of about 1/20 for the following reason:
            // 1. App without ACCESS_MEDIA_LOCATION permission reads redacted bytes via FUSE cache
            // 2. App with ACCESS_MEDIA_LOCATION permission reads non-redacted bytes via passthrough
            // cache
            // (2) fails because bytes from (1) sneak into the passthrough cache??
            // To workaround, we disable splice for write when passthrough is enabled.
            // This shouldn't have any performance regression if comparing passthrough devices to
            // no-passthrough devices for the following reasons:
            // 1. No-op for no-passthrough devices
            // 2. Passthrough devices
            //   a. Files not requiring redaction use passthrough which bypasses FUSE_READ entirely
            //   b. Files requiring redaction are still faster than no-passthrough devices that use
            //      direct_io
            disable_splice_write = true;
        }
    }

    // Only request what the kernel actually offers.
    conn->want |= conn->capable & mask;
    if (disable_splice_write) {
        conn->want &= ~FUSE_CAP_SPLICE_WRITE;
    }

    conn->max_read = MAX_READ_SIZE;

    fuse->active->store(true, std::memory_order_release);
}
755 
// FUSE "destroy" callback, run once when the session is torn down.
// Logs the mount path and frees the entire in-memory node tree rooted at
// fuse->root. FUSE_DESTROY takes no reply, so none is sent here.
static void pf_destroy(void* userdata) {
    auto* const fuse = reinterpret_cast<struct fuse*>(userdata);
    LOG(INFO) << "DESTROY " << fuse->path;

    // Drop every node this daemon still tracks.
    node::DeleteTree(fuse->root);
}
762 
// Return true if |path| may be accessed by |uid|.
//
// Policy, in evaluation order:
//   1. Non-app uids (below AID_APP_START) and the daemon's own uid are always allowed.
//   2. The bare primary volume prefix (e.g. /storage/emulated) is never accessible to an
//      app; apps must go through the per-user subdirectory (e.g. /storage/emulated/0).
//   3. For package-owned paths (PATTERN_OWNED_PATH, capture group 1 = package name):
//        - ".nomedia" is not a package and is always accessible;
//        - without BPF, app-private directories under the primary volume are rejected
//          outright (they are reached through bind mounts, not through FUSE);
//        - otherwise MediaProvider decides via isUidAllowedAccessToDataOrObbPath().
//   4. Any other path is accessible.
//
// NOTE(review): this is a pure path/uid policy check with no file-system access; it
// depends on PATTERN_OWNED_PATH capturing the package name as group 1. Callers
// translate a false result into ENOENT rather than EACCES.
static bool is_app_accessible_path(struct fuse* fuse, const string& path, uid_t uid) {
    // Privileged/system callers and the daemon itself bypass the app policy.
    if (uid < AID_APP_START || uid == MY_UID) return true;

    // Apps should never refer to /storage/emulated itself - they should be using the
    // user-specific subdirs, eg /storage/emulated/0.
    if (path == PRIMARY_VOLUME_PREFIX) return false;

    std::smatch owned;
    if (!std::regex_match(path, owned, PATTERN_OWNED_PATH)) {
        // Not a package-owned location: nothing further to enforce here.
        return true;
    }

    const std::string& package = owned[1];
    // .nomedia is not a valid package. .nomedia always exists in /Android/data directory,
    // and it's not an external file/directory of any package.
    if (package == ".nomedia") return true;

    if (!fuse->bpf && android::base::StartsWith(path, PRIMARY_VOLUME_PREFIX)) {
        // Emulated storage bind-mounts app-private data directories, and so these
        // should not be accessible through FUSE anyway.
        LOG(WARNING) << "Rejected access to app-private dir on FUSE: " << path
                     << " from uid: " << uid;
        return false;
    }

    MediaProviderWrapper* const provider = fuse->mp;
    if (!provider->isUidAllowedAccessToDataOrObbPath(uid, path)) {
        // PLOG presumably appends strerror(errno); the decision comes from MediaProvider,
        // not a syscall, so the errno text may be unrelated to this rejection.
        PLOG(WARNING) << "Invalid other package file access from " << uid << "(: " << path;
        return false;
    }
    return true;
}
799 
// Populate the backing-fd / BPF fields of a lookup reply for a BPF-backed directory.
//
// Opens |path| as a directory and records the descriptor as the entry's backing fd
// (FUSE_ACTION_REPLACE). The BPF program attached to the entry follows |bpf_fd|:
//   >= 0           -> install that program (FUSE_ACTION_REPLACE)
//   BpfFd::REMOVE  -> detach whatever is attached (FUSE_ACTION_REMOVE)
//   anything else  -> keep the current program (FUSE_ACTION_KEEP)
//
// |backing_fd| receives the opened descriptor; on open failure it stays negative and
// |e| is left untouched. The descriptor must remain open until the kernel has consumed
// the reply that carries it - userspace cannot observe when that happens, and closing
// too early risks the kernel binding an invalid fd, or the wrong lower-fs file, as the
// backing file. The caller therefore closes it only after fuse_reply_entry() has
// returned (see pf_lookup); it is not closed here.
void fuse_bpf_fill_entries(const string& path, const int bpf_fd, struct fuse_entry_param* e,
                           int& backing_fd) {
    const int dir_fd = open(path.c_str(), O_CLOEXEC | O_DIRECTORY | O_RDONLY);
    backing_fd = dir_fd;
    if (dir_fd < 0) {
        PLOG(ERROR) << "Failed to open: " << path;
        return;
    }

    e->backing_action = FUSE_ACTION_REPLACE;
    e->backing_fd = dir_fd;

    const bool install_program = bpf_fd >= 0;
    const bool remove_program =
            !install_program && bpf_fd == static_cast<int>(BpfFd::REMOVE);
    if (install_program) {
        e->bpf_action = FUSE_ACTION_REPLACE;
        e->bpf_fd = bpf_fd;
    } else {
        e->bpf_action = remove_program ? FUSE_ACTION_REMOVE : FUSE_ACTION_KEEP;
    }
}
828 
// Attach backing-fd / BPF information to the lookup reply |e| for |child_path|.
//
// Only paths on the primary volume are handled (TODO(b/211873756): extend to other
// media devices). There, directories recognised by is_bpf_backing_path() get the
// daemon's BPF program (fuse->bpf_fd) plus a backing fd, while package-owned paths get
// a backing fd with the BPF program removed. Any other path leaves |e| and |backing_fd|
// untouched.
void fuse_bpf_install(struct fuse* fuse, struct fuse_entry_param* e, const string& child_path,
                      int& backing_fd) {
    if (!android::base::StartsWith(child_path, PRIMARY_VOLUME_PREFIX)) {
        // TODO(b/211873756) Enable only for the primary volume. Must be
        // extended for other media devices.
        return;
    }

    if (is_bpf_backing_path(child_path)) {
        fuse_bpf_fill_entries(child_path, fuse->bpf_fd, e, backing_fd);
    } else if (is_package_owned_path(child_path, fuse->path)) {
        fuse_bpf_fill_entries(child_path, static_cast<int>(BpfFd::REMOVE), e, backing_fd);
    }
}
841 
// Matches paths under the emulated storage root and captures the Android user id
// (e.g. "0" in /storage/emulated/0/...). Anchored at the start, so regex_search acts
// as a prefix test; do_lookup uses it to enforce the cross-user lookup policy.
static std::regex storage_emulated_regex("^\\/storage\\/emulated\\/([0-9]+)");
// Resolve |name| under |parent| and fill in the entry reply |e|.
//
// Returns the child node on success, or nullptr with |*error_code| set:
//   ENOENT - unknown parent inode, or the parent path is not accessible to the caller
//            (lookups directly on the root are always allowed, since failing them
//            could invalidate bind mounts);
//   EACCES - the path names a different Android user than this daemon serves and the
//            user id is out of range or MediaProvider refuses the cross-user lookup.
// make_node_entry() may set further error codes of its own.
//
// |op| identifies the FUSE operation that triggered the lookup. When BPF is enabled
// and |op| is FuseOp::lookup, |*backing_fd| is dereferenced unconditionally and filled
// by fuse_bpf_install(), so such callers must pass a non-null pointer (pf_lookup does,
// and closes the fd after replying).
static node* do_lookup(fuse_req_t req, fuse_ino_t parent, const char* name,
                       struct fuse_entry_param* e, int* error_code, const FuseOp op,
                       int* backing_fd = nullptr) {
    struct fuse* fuse = get_fuse(req);
    node* const parent_node = fuse->FromInode(parent);
    if (parent_node == nullptr) {
        *error_code = ENOENT;
        return nullptr;
    }

    const string parent_path = parent_node->BuildPath();
    // Never fail a lookup on the root itself: that could invalidate bind mounts.
    const bool parent_visible = fuse->IsRoot(parent_node) ||
                                is_app_accessible_path(fuse, parent_path, req->ctx.uid);
    if (!parent_visible) {
        *error_code = ENOENT;
        return nullptr;
    }

    TRACE_NODE(parent_node, req);

    const string child_path = parent_path + "/" + name;

    // Cross-user check: if the path belongs to a user other than the one this daemon
    // serves, MediaProvider must explicitly allow the lookup.
    std::smatch user_match;
    std::regex_search(child_path, user_match, storage_emulated_regex);
    if (user_match.size() == 2) {
        const std::string requested_user = user_match[1].str();
        if (MY_USER_ID_STRING != requested_user) {
            // The regex admits digits only, so strtol always parses; an overlong value
            // saturates to LONG_MAX and is rejected by the bound check below.
            const long user_id = strtol(requested_user.c_str(), nullptr, 10);
            const bool allowed = user_id >= 0 && user_id <= MAX_USER_ID &&
                                 fuse->mp->ShouldAllowLookup(req->ctx.uid, user_id);
            if (!allowed) {
                *error_code = EACCES;
                return nullptr;
            }
        }
    }

    node* const child = make_node_entry(req, parent_node, name, child_path, e, error_code, op);

    if (fuse->bpf && op == FuseOp::lookup) {
        fuse_bpf_install(fuse, e, child_path, *backing_fd);
    }

    return child;
}
884 
// FUSE lookup: resolve |name| in |parent| and reply with the entry or an error code.
// Any backing fd that do_lookup() placed in the reply (BPF mode) is closed only after
// fuse_reply_entry() has returned, i.e. once the kernel has consumed it.
static void pf_lookup(fuse_req_t req, fuse_ino_t parent, const char* name) {
    ATRACE_CALL();
    struct fuse_entry_param entry;
    int backing_fd = -1;
    int error_code = 0;

    node* const found =
            do_lookup(req, parent, name, &entry, &error_code, FuseOp::lookup, &backing_fd);
    if (found != nullptr) {
        fuse_reply_entry(req, &entry);
    } else {
        // do_lookup must always explain a failure.
        CHECK(error_code != 0);
        fuse_reply_err(req, error_code);
    }

    if (backing_fd != -1) close(backing_fd);
}
900 
// Drop |nlookup| kernel references from the node behind |ino|, if we still track it.
// The kernel sends forget counts as 64-bit values while node refcounts are 32-bit,
// hence the explicit narrowing cast.
static void do_forget(fuse_req_t req, struct fuse* fuse, fuse_ino_t ino, uint64_t nlookup) {
    node* const target = fuse->FromInode(ino);
    TRACE_NODE(target, req);
    if (target == nullptr) return;
    target->Release(static_cast<uint32_t>(nlookup));
}
911 
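// FUSE forget: release |nlookup| references on |ino|.
// Forgets are always honoured (no is_app_accessible_path() check) and the reply
// carries no data. The unused local `node* node;` of the previous version is gone.
static void pf_forget(fuse_req_t req, fuse_ino_t ino, uint64_t nlookup) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    do_forget(req, fuse, ino, nlookup);
    fuse_reply_none(req);
}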
921 
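// FUSE batched forget: apply every (ino, nlookup) pair in |forgets|.
// As with pf_forget, no access check is made and the reply carries no data.
static void pf_forget_multi(fuse_req_t req, size_t count, struct fuse_forget_data* forgets) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    // |count| is size_t; index with the same type so the comparison is not a
    // signed/unsigned mix.
    for (size_t i = 0; i < count; i++) {
        do_forget(req, fuse, forgets[i].ino, forgets[i].nlookup);
    }
    fuse_reply_none(req);
}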
933 
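// FUSE fallocate: forward to fallocate(2) on the lower-fs descriptor behind |fi->fh|.
//
// No path/uid check is repeated here: the handle was authorised when it was opened
// (pf_open runs is_app_accessible_path() and MediaProvider's OnFileOpen() before a
// handle exists). |mode|, |offset| and |length| are passed through without validation
// in this function. The unused `fuse` local of the previous version is removed.
static void pf_fallocate(fuse_req_t req, fuse_ino_t ino, int mode, off_t offset, off_t length,
                         fuse_file_info* fi) {
    ATRACE_CALL();
    const handle* const h = reinterpret_cast<handle*>(fi->fh);
    const int res = fallocate(h->fd, mode, offset, length);
    fuse_reply_err(req, res != 0 ? errno : 0);
}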
943 
// FUSE getattr: lstat() the node's path and reply with the attributes.
// Replies ENOENT for an unknown inode or an inaccessible path (like every other
// callback, access denial is reported as ENOENT, not EACCES). The attribute timeout
// is effectively infinite; pf_init clears FUSE_CAP_AUTO_INVAL_DATA for the same reason.
// |fi| is not consulted; the stat is always path based.
static void pf_getattr(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* const target = fuse->FromInode(ino);
    if (target == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string& path = get_path(target);
    if (!is_app_accessible_path(fuse, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    TRACE_NODE(target, req);

    struct stat attrs = {};
    if (lstat(path.c_str(), &attrs) < 0) {
        fuse_reply_err(req, errno);
        return;
    }
    fuse_reply_attr(req, &attrs, std::numeric_limits<double>::max());
}
969 
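// FUSE setattr: truncate and/or set atime/mtime on the file behind |ino|.
//
// chmod/chown are deliberately not implemented; the mode/uid/gid bits of |to_set| are
// ignored. Two paths exist:
//   - |fi| non-null: the request came through an open FUSE handle, so the lower-fs fd
//     stored in the handle is used (ftruncate64 / futimens).
//   - |fi| null: the request is path based. MediaProvider is consulted through
//     OnFileOpen() with for_write=true before anything is changed (EFAULT if no result
//     could be obtained, EACCES if it refuses), then truncate64 / utimensat are used.
// On success the attributes are re-read with lstat() and replied with an effectively
// infinite timeout; any failing syscall is answered with its errno.
//
// Fix: a failing final lstat() used to be ignored and the caller-supplied |attr| was
// echoed back, reporting attributes that were never applied; it is now an error reply.
//
// NOTE(review): the |fi| branch trusts the handle and repeats no MediaProvider check;
// whether a handle that was opened read-only should be able to reach futimens() here
// is not decided in this function - confirm that kernel-side checks cover it.
static void pf_setattr(fuse_req_t req, fuse_ino_t ino, struct stat* attr, int to_set,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string& path = get_path(node);
    if (!is_app_accessible_path(fuse, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    int fd = -1;
    if (fi) {
        // setattr was called on an open fd: use the lower-fs fd instead of the path.
        handle* h = reinterpret_cast<handle*>(fi->fh);
        fd = h->fd;
    } else {
        const struct fuse_ctx* ctx = fuse_req_ctx(req);
        std::unique_ptr<FileOpenResult> result = fuse->mp->OnFileOpen(
                path, path, ctx->uid, ctx->pid, node->GetTransformsReason(), true /* for_write */,
                false /* redact */, false /* log_transforms_metrics */);

        if (!result) {
            // No decision could be obtained from MediaProvider (same convention as pf_open).
            fuse_reply_err(req, EFAULT);
            return;
        }

        if (result->status) {
            fuse_reply_err(req, EACCES);
            return;
        }
    }
    TRACE_NODE(node, req);

    /* XXX: incomplete implementation on purpose.
     * chmod/chown should NEVER be implemented.*/

    if (to_set & FUSE_SET_ATTR_SIZE) {
        const int res = (fd == -1) ? truncate64(path.c_str(), attr->st_size)
                                   : ftruncate64(fd, attr->st_size);
        if (res < 0) {
            fuse_reply_err(req, errno);
            return;
        }
    }

    /* Handle changing atime and mtime.  If FATTR_ATIME and FATTR_ATIME_NOW
     * are both set, then set it to the current time.  Else, set it to the
     * time specified in the request.  Same goes for mtime.  Use utimensat(2)
     * as it allows ATIME and MTIME to be changed independently, and has
     * nanosecond resolution which fuse also has.
     */
    if (to_set & (FATTR_ATIME | FATTR_MTIME)) {
        // tv_sec is ignored for UTIME_OMIT / UTIME_NOW; zero-initialise anyway so no
        // indeterminate bytes are handed to the kernel.
        struct timespec times[2] = {};
        times[0].tv_nsec = UTIME_OMIT;
        times[1].tv_nsec = UTIME_OMIT;
        if (to_set & FATTR_ATIME) {
            if (to_set & FATTR_ATIME_NOW) {
                times[0].tv_nsec = UTIME_NOW;
            } else {
                times[0] = attr->st_atim;
            }
        }

        if (to_set & FATTR_MTIME) {
            if (to_set & FATTR_MTIME_NOW) {
                times[1].tv_nsec = UTIME_NOW;
            } else {
                times[1] = attr->st_mtim;
            }
        }

        TRACE_NODE(node, req);
        // utimensat ignores dirfd for an absolute path, so -1 is fine here.
        const int res = (fd == -1) ? utimensat(-1, path.c_str(), times, 0) : futimens(fd, times);
        if (res < 0) {
            fuse_reply_err(req, errno);
            return;
        }
    }

    // Report the attributes as they are now; never echo back the requested values if
    // the stat itself fails.
    if (lstat(path.c_str(), attr) < 0) {
        fuse_reply_err(req, errno);
        return;
    }
    fuse_reply_attr(req, attr, std::numeric_limits<double>::max());
}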
1071 
// FUSE canonical_path: reply with the daemon-side path for |ino|.
// ENOENT for an unknown inode or a path the caller may not access.
// TODO(b/147482155): Check that uid has access to |path| and its contents
static void pf_canonical_path(fuse_req_t req, fuse_ino_t ino) {
    struct fuse* fuse = get_fuse(req);
    node* const target = fuse->FromInode(ino);
    if (target == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    const string path = get_path(target);
    if (!is_app_accessible_path(fuse, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    fuse_reply_canonical_path(req, path.c_str());
}
1085 
// FUSE mknod: create |name| under |parent| on the lower file system.
//
// The parent directory is gated by is_app_accessible_path(). The permission bits the
// caller asked for are discarded and replaced with 0664; the file-type bits of |mode|
// and |rdev| are forwarded to mknod(2) unchanged. On success a node entry is created and
// replied, otherwise the errno from mknod() or the error from make_node_entry().
//
// NOTE(review): unlike pf_mkdir (IsCreatingDirAllowed) and pf_unlink (DeleteFile), no
// MediaProvider policy call precedes the mknod(2) here, and this function does not
// restrict the S_IFMT bits of |mode| - confirm that is intended and that the kernel /
// lower mount reject device nodes for this daemon's privileges.
static void pf_mknod(fuse_req_t req, fuse_ino_t parent, const char* name, mode_t mode,
                     dev_t rdev) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* const dir = fuse->FromInode(parent);
    if (dir == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string dir_path = dir->BuildPath();
    if (!is_app_accessible_path(fuse, dir_path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(dir, req);

    const string child_path = dir_path + "/" + name;

    // Keep the file type, force the permission bits to rw-rw-r--.
    const mode_t effective_mode = (mode & ~static_cast<mode_t>(0777)) | 0664;
    if (mknod(child_path.c_str(), effective_mode, rdev) < 0) {
        fuse_reply_err(req, errno);
        return;
    }

    int error_code = 0;
    struct fuse_entry_param entry;
    if (!make_node_entry(req, dir, name, child_path, &entry, &error_code, FuseOp::mknod)) {
        CHECK(error_code != 0);
        fuse_reply_err(req, error_code);
        return;
    }
    fuse_reply_entry(req, &entry);
}
1123 
// FUSE mkdir: create directory |name| under |parent|.
//
// The parent path is gated by is_app_accessible_path(); creation itself must then be
// approved by MediaProvider (IsCreatingDirAllowed, whose non-zero status is replied as
// the error). The requested permission bits are replaced with 0775 (file-type bits are
// kept). On success a node entry is created and replied.
static void pf_mkdir(fuse_req_t req, fuse_ino_t parent, const char* name, mode_t mode) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* const dir = fuse->FromInode(parent);
    if (dir == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string dir_path = dir->BuildPath();
    if (!is_app_accessible_path(fuse, dir_path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(dir, req);

    const string child_path = dir_path + "/" + name;

    const int status = fuse->mp->IsCreatingDirAllowed(child_path, ctx->uid);
    if (status != 0) {
        fuse_reply_err(req, status);
        return;
    }

    // Keep the file type, force the permission bits to rwxrwxr-x.
    const mode_t effective_mode = (mode & ~static_cast<mode_t>(0777)) | 0775;
    if (mkdir(child_path.c_str(), effective_mode) < 0) {
        fuse_reply_err(req, errno);
        return;
    }

    int error_code = 0;
    struct fuse_entry_param entry;
    if (!make_node_entry(req, dir, name, child_path, &entry, &error_code, FuseOp::mkdir)) {
        CHECK(error_code != 0);
        fuse_reply_err(req, error_code);
        return;
    }
    fuse_reply_entry(req, &entry);
}
1167 
// FUSE unlink: delete |name| under |parent|.
//
// The parent path is gated by is_app_accessible_path(). No unlink(2) is issued here:
// MediaProvider's DeleteFile() is expected to enforce policy and remove the file, and
// its non-zero status is replied as the error. On success the child is marked deleted in
// the node tree.
static void pf_unlink(fuse_req_t req, fuse_ino_t parent, const char* name) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* const dir = fuse->FromInode(parent);
    if (dir == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string dir_path = dir->BuildPath();
    if (!is_app_accessible_path(fuse, dir_path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(dir, req);

    const string child_path = dir_path + "/" + name;

    const int status = fuse->mp->DeleteFile(child_path, ctx->uid);
    if (status != 0) {
        fuse_reply_err(req, status);
        return;
    }

    // TODO(b/169306422): Log each deleted node
    dir->SetDeletedForChild(name);
    fuse_reply_err(req, 0);
}
1197 
// FUSE rmdir: remove directory |name| under |parent|.
//
// The parent path is gated by is_app_accessible_path(), operations inside the
// daemon-controlled .transforms directory are refused with ENOENT, and MediaProvider
// must approve the deletion (IsDeletingDirAllowed, non-zero status replied as the
// error). The directory is then removed with rmdir(2) and, if a node for it is still
// tracked, that node is marked deleted.
static void pf_rmdir(fuse_req_t req, fuse_ino_t parent, const char* name) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* const dir = fuse->FromInode(parent);
    if (dir == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string dir_path = dir->BuildPath();
    if (!is_app_accessible_path(fuse, dir_path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    // .transforms is a special daemon controlled dir so apps shouldn't be able to see it via
    // readdir, and any dir operations attempted on it should fail
    if (is_transforms_dir_path(dir_path, fuse)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(dir, req);

    const string child_path = dir_path + "/" + name;

    const int status = fuse->mp->IsDeletingDirAllowed(child_path, req->ctx.uid);
    if (status != 0) {
        fuse_reply_err(req, status);
        return;
    }

    if (rmdir(child_path.c_str()) < 0) {
        fuse_reply_err(req, errno);
        return;
    }

    // Mark the child node as gone if we still track one (no reference is taken).
    node* const removed = dir->LookupChildByName(name, false /* acquire */);
    TRACE_NODE(removed, req);
    if (removed != nullptr) removed->SetDeleted();

    fuse_reply_err(req, 0);
}
1242 /*
1243 static void pf_symlink(fuse_req_t req, const char* link, fuse_ino_t parent,
1244                          const char* name)
1245 {
1246     cout << "TODO:" << __func__;
1247 }
1248 */
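// Rename |name| in |parent| to |new_name| in |new_parent|. Returns 0 or an errno value
// (pf_rename replies with it).
//
//   EINVAL - rename flags (RENAME_NOREPLACE/EXCHANGE/...) are not supported;
//   ENOENT - unknown parent inode, inaccessible parent path, or an attempt to operate
//            inside the daemon-controlled .transforms directory;
//   EXDEV  - in BPF mode, when the destination parent inode is unknown to this daemon;
//   EACCES - attempt to rename the Android/ directory of the effective root, which
//            holds the bind mounts of the primary volume.
// Otherwise the status of MediaProvider's Rename(); on success the destination child
// is marked deleted (stale nodes kept alive by open fds must not be returned by later
// lookups) and the source node is moved in the tree.
//
// Fix: the "no rename required" short-circuit compared the two name pointers with ==,
// which is never true for two distinct strings in the request buffer; it now compares
// the strings. The duplicate null check after the parent lookups was removed.
static int do_rename(fuse_req_t req, fuse_ino_t parent, const char* name, fuse_ino_t new_parent,
                     const char* new_name, unsigned int flags) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    if (flags != 0) {
        return EINVAL;
    }

    node* old_parent_node = fuse->FromInode(parent);
    if (!old_parent_node) return ENOENT;
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string old_parent_path = old_parent_node->BuildPath();
    if (!is_app_accessible_path(fuse, old_parent_path, ctx->uid)) {
        return ENOENT;
    }

    if (is_transforms_dir_path(old_parent_path, fuse)) {
        // .transforms is a special daemon controlled dir so apps shouldn't be able to see it via
        // readdir, and any dir operations attempted on it should fail
        return ENOENT;
    }

    node* new_parent_node;
    if (fuse->bpf) {
        // With BPF backing the kernel may hold inodes this daemon never created.
        new_parent_node = fuse->FromInodeNoThrow(new_parent);
        if (!new_parent_node) return EXDEV;
    } else {
        new_parent_node = fuse->FromInode(new_parent);
        if (!new_parent_node) return ENOENT;
    }
    const string new_parent_path = new_parent_node->BuildPath();
    if (!is_app_accessible_path(fuse, new_parent_path, ctx->uid)) {
        return ENOENT;
    }

    if (parent == new_parent && strcmp(name, new_name) == 0) {
        // Same directory and same name: no rename required.
        return 0;
    }

    TRACE_NODE(old_parent_node, req);
    TRACE_NODE(new_parent_node, req);

    const string old_child_path = old_parent_path + "/" + name;
    const string new_child_path = new_parent_path + "/" + new_name;

    if (android::base::EqualsIgnoreCase(fuse->GetEffectiveRootPath() + "/android", old_child_path)) {
        // Prevent renaming Android/ dir since it contains bind-mounts on the primary volume
        return EACCES;
    }

    // TODO(b/147408834): Check ENOTEMPTY & EEXIST error conditions before JNI call.
    const int res = fuse->mp->Rename(old_child_path, new_child_path, ctx->uid);
    // TODO(b/145663158): Lookups can go out of sync if file/directory is actually moved but
    // EFAULT/EIO is reported due to JNI exception.
    if (res == 0) {
        // Mark any existing destination nodes as deleted. This fixes the following edge case:
        // 1. New destination node is forgotten
        // 2. Old destination node is not forgotten because there's still an open fd ref to it
        // 3. Lookup for |new_name| returns old destination node with stale metadata
        new_parent_node->SetDeletedForChild(new_name);
        // TODO(b/169306422): Log each renamed node
        old_parent_node->RenameChild(name, new_name, new_parent_node);
    }
    return res;
}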
1318 
// FUSE rename: thin wrapper that replies with do_rename()'s errno value (0 = success).
static void pf_rename(fuse_req_t req, fuse_ino_t parent, const char* name, fuse_ino_t new_parent,
                      const char* new_name, unsigned int flags) {
    fuse_reply_err(req, do_rename(req, parent, name, new_parent, new_name, flags));
}
1324 
1325 /*
1326 static void pf_link(fuse_req_t req, fuse_ino_t ino, fuse_ino_t new_parent,
1327                       const char* new_name)
1328 {
1329     cout << "TODO:" << __func__;
1330 }
1331 */
1332 
// Create the handle for an open of |node| on lower-fs fd |fd| and register it with the
// node (ownership of the new handle passes to the node via AddHandle()).
//
// Decides the caching/passthrough mode of the handle and writes the keep_cache flag for
// the open reply to |*keep_cache|:
//   - With passthrough enabled (daemon-wide and for this open), the handle is cached
//     unless the open asked for direct I/O, and passthrough is used only when no
//     redaction is needed and the node's transforms are complete (see below).
//   - Otherwise passthrough is off and the FUSE page cache is bypassed (direct_io) when
//     direct I/O was requested, when the redaction state differs from what cached
//     handles already expose, when the file is locked, or when fuse->ShouldNotCache().
// The lock on fuse->lock is held for the whole decision so the node's cached-handle
// state cannot change underneath it.
static handle* create_handle_for_node(struct fuse* fuse, const string& path, int fd, uid_t uid,
                                      uid_t transforms_uid, node* node, const RedactionInfo* ri,
                                      const bool allow_passthrough, const bool open_info_direct_io,
                                      int* keep_cache) {
    std::lock_guard<std::recursive_mutex> guard(fuse->lock);

    const bool redaction_needed = ri->isRedactionNeeded();
    const int transforms = node->GetTransforms();
    const bool transforms_complete = node->IsTransformsComplete();
    // A transforms uid only makes sense for a node that actually has transforms.
    if (transforms_uid > 0) {
        CHECK(transforms);
    }

    bool cached;
    bool use_passthrough;
    if (fuse->passthrough && allow_passthrough) {
        *keep_cache = transforms_complete;
        // We only enable passthrough iff these 2 conditions hold
        // 1. Redaction is not needed
        // 2. Node transforms are completed, e.g transcoding.
        // (2) is important because we transcode lazily (on the first read) and with passthrough,
        // we will never get a read into the FUSE daemon, so passthrough would have returned
        // arbitrary bytes the first time around. However, if we ensure that transforms are
        // completed, then it's safe to use passthrough. Additionally, transcoded nodes never
        // require redaction so (2) implies (1)
        cached = !open_info_direct_io;
        use_passthrough = !redaction_needed && transforms_complete;
    } else {
        // Without fuse->passthrough, we don't want to use the FUSE VFS cache in two cases:
        // 1. When redaction is needed because app A with EXIF access might access
        // a region that should have been redacted for app B without EXIF access, but app B on
        // a subsequent read, will be able to see the EXIF data because the read request for
        // that region will be served from cache and not get to the FUSE daemon
        // 2. When the file has a read or write lock on it. This means that the MediaProvider
        // has given an fd to the lower file system to an app. There are two cases where using
        // the cache in this case can be a problem:
        // a. Writing to a FUSE fd with caching enabled will use the write-back cache and a
        // subsequent read from the lower fs fd will not see the write.
        // b. Reading from a FUSE fd with caching enabled may not see the latest writes using
        // the lower fs fd because those writes did not go through the FUSE layer and reads from
        // FUSE after that write may be served from cache
        const bool has_redacted = node->HasRedactedCache();
        const bool is_redaction_change = redaction_needed != has_redacted;
        const bool is_cached_file_open = node->HasCachedHandle();
        // Evaluation order matters: is_file_locked() and ShouldNotCache() only run when
        // the cheaper flags did not already decide.
        const bool direct_io = open_info_direct_io ||
                               (is_cached_file_open && is_redaction_change) ||
                               is_file_locked(fd, path) || fuse->ShouldNotCache(path);

        if (!is_cached_file_open && is_redaction_change) {
            node->SetRedactedCache(redaction_needed);
            // Purge stale page cache before open.
            *keep_cache = 0;
        } else {
            *keep_cache = transforms_complete;
        }
        cached = !direct_io;
        use_passthrough = false;
    }

    handle* const h = new struct handle(fd, ri, cached, use_passthrough, uid, transforms_uid);
    node->AddHandle(h);
    return h;
}
1395 
// Ask libfuse to set up kernel passthrough for lower-fs fd |fd| on this open.
// Stores the returned passthrough handle in |fi| and returns true; a non-positive
// handle is treated as failure and |fi| is left untouched.
static bool do_passthrough_enable(fuse_req_t req, struct fuse_file_info* fi, unsigned int fd) {
    const int passthrough_fh = fuse_passthrough_enable(req, fd);
    if (passthrough_fh <= 0) return false;

    fi->passthrough_fh = passthrough_fh;
    return true;
}
1406 
// Translate the open flags requested by the app into the flags used for the lower-fs
// open, and record what the request implies for the FUSE side.
//
//   for_write  - O_WRONLY or O_RDWR was requested.
//   direct_io  - O_DIRECT was requested; the FUSE file is then served with direct I/O.
//   flags      - |in_flags| with: O_DIRECT dropped on the primary volume (strict
//                alignment rules and historical bugs on encrypted block devices; only
//                public volumes keep it); O_WRONLY widened to O_RDWR, because with the
//                writeback cache the FUSE driver may issue reads on a write-only open;
//                O_APPEND dropped, since passing it to the lower fs can corrupt files
//                when several FUSE threads race, and the driver already implements
//                append semantics with the writeback cache.
// The widening presumably affects only the daemon's lower-fs fd; the app's own FUSE
// fd keeps whatever access mode the kernel granted it.
static OpenInfo parse_open_flags(const string& path, const int in_flags) {
    const bool for_write = (in_flags & (O_WRONLY | O_RDWR)) != 0;
    const bool direct_io = (in_flags & O_DIRECT) != 0;
    int out_flags = in_flags;

    if (direct_io && android::base::StartsWith(path, PRIMARY_VOLUME_PREFIX)) {
        // Remove O_DIRECT because there are strict alignment requirements for direct IO and
        // there were some historical bugs affecting encrypted block devices.
        // Hence, this is only supported on public volumes.
        out_flags &= ~O_DIRECT;
    }
    if (in_flags & O_WRONLY) {
        // Replace O_WRONLY with O_RDWR because even if the FUSE fd is opened write-only, the FUSE
        // driver might issue reads on the lower fs with the writeback cache enabled
        out_flags = (out_flags & ~O_WRONLY) | O_RDWR;
    }
    if (in_flags & O_APPEND) {
        // Remove O_APPEND because passing it to the lower fs can lead to file corruption when
        // multiple FUSE threads race themselves reading. With writeback cache enabled, the FUSE
        // driver already handles the O_APPEND
        out_flags &= ~O_APPEND;
    }

    return {.flags = out_flags, .for_write = for_write, .direct_io = direct_io};
}
1438 
// Fill the open reply |fi| from the freshly created |handle|: fh carries the handle
// pointer (as an id), keep_cache is passed through, and direct_io is set exactly when
// the handle is not cached. |open_info| is accepted for symmetry with the caller but
// not consulted.
static void fill_fuse_file_info(const handle* handle, const OpenInfo* open_info,
                                const int keep_cache, struct fuse_file_info* fi) {
    (void)open_info;
    fi->fh = ptr_to_id(handle);
    fi->keep_cache = keep_cache;
    fi->direct_io = handle->cached ? 0 : 1;
}
1445 
// FUSE open: authorise the open with MediaProvider, obtain a lower-fs fd, create the
// handle and reply.
//
// Sequence:
//   1. Unknown inode or inaccessible path -> ENOENT.
//   2. parse_open_flags() derives the lower-fs flags and the write/direct-io intent.
//   3. MediaProvider OnFileOpen() is asked with the build path (its database may not
//      know the io path) and redact=!for_write: writers are never served redacted
//      bytes. EFAULT if no result, otherwise its non-zero status is the error.
//   4. The fd comes from MediaProvider if it supplied one, else from open(2) on the
//      io path. A Java-supplied fd may point back into the FUSE fs when it came from
//      another process, so passthrough is disallowed for it.
//   5. create_handle_for_node() picks the cache/passthrough mode; if passthrough is
//      chosen but cannot be enabled, EFAULT is replied.
//
// NOTE(review): on that last failure path the handle registered with the node by
// create_handle_for_node() and |fd| are not released here, and because the open is
// answered with an error no FUSE release will follow for this handle - confirm whether
// a cleanup (detach the handle from the node, close the fd) is required.
static void pf_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* const target = fuse->FromInode(ino);
    if (target == nullptr) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string& io_path = get_path(target);
    const string build_path = target->BuildPath();
    if (!is_app_accessible_path(fuse, io_path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    const OpenInfo open_info = parse_open_flags(io_path, fi->flags);

    TRACE_NODE(target, req)
            << (open_info.for_write
                        ? (target->GetTransforms() ? "write with transforms" : "write")
                        : "read");

    // Force permission check with the build path because the MediaProvider database might not be
    // aware of the io_path
    // We don't redact if the caller was granted write permission for this file
    std::unique_ptr<FileOpenResult> result = fuse->mp->OnFileOpen(
            build_path, io_path, ctx->uid, ctx->pid, target->GetTransformsReason(),
            open_info.for_write, !open_info.for_write /* redact */,
            true /* log_transforms_metrics */);
    if (!result) {
        fuse_reply_err(req, EFAULT);
        return;
    }

    if (result->status) {
        fuse_reply_err(req, result->status);
        return;
    }

    const bool is_fd_from_java = result->fd >= 0;
    int fd;
    if (is_fd_from_java) {
        fd = result->fd;
        TRACE_NODE(target, req) << "opened in Java";
    } else {
        fd = open(io_path.c_str(), open_info.flags);
        if (fd < 0) {
            fuse_reply_err(req, errno);
            return;
        }
    }

    int keep_cache = 1;
    // If is_fd_from_java==true, we disallow passthrough because the fd can be pointing to the
    // FUSE fs if gotten from another process
    const handle* const h = create_handle_for_node(
            fuse, io_path, fd, result->uid, result->transforms_uid, target,
            result->redaction_info.release(), /* allow_passthrough */ !is_fd_from_java,
            open_info.direct_io, &keep_cache);
    fill_fuse_file_info(h, &open_info, keep_cache, fi);

    // TODO(b/173190192) ensuring that h->cached must be enabled in order to
    // user FUSE passthrough is a conservative rule and might be dropped as
    // soon as demonstrated its correctness.
    if (h->passthrough && !do_passthrough_enable(req, fi, fd)) {
        // TODO: Should we crash here so we can find errors easily?
        PLOG(ERROR) << "Passthrough OPEN failed for " << io_path;
        fuse_reply_err(req, EFAULT);
        return;
    }

    fuse_reply_open(req, fi);
}
1521 
// Replies to a READ request by letting libfuse copy |size| bytes from the
// handle's fd at offset |off| straight into the reply.
static void do_read(fuse_req_t req, size_t size, off_t off, struct fuse_file_info* fi,
                    bool direct_io) {
    const handle* const h = reinterpret_cast<handle*>(fi->fh);

    struct fuse_bufvec reply = FUSE_BUFVEC_INIT(size);
    fuse_buf& src = reply.buf[0];
    src.fd = h->fd;
    src.pos = off;
    src.flags = static_cast<fuse_buf_flags>(FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK);

    // sdcardfs does not register splice_read_file_operations and some requests fail with EFAULT
    // Specifically, FUSE splice is only enabled for 8KB+ buffers, hence such reads fail
    const fuse_buf_copy_flags copy_flags =
            direct_io ? static_cast<fuse_buf_copy_flags>(FUSE_BUF_NO_SPLICE)
                      : static_cast<fuse_buf_copy_flags>(0);
    fuse_reply_data(req, &reply, copy_flags);
}
1539 
/**
 * Fills |buf| so that it reads from memory instead of an fd: its data is the
 * daemon's already-mapped, zeroized region (fuse->zero_addr), so the kernel
 * receives |size| zero bytes. The memory is read only. fd and pos are reset
 * because they carry no meaning for a memory buffer.
 */
static void create_mem_fuse_buf(size_t size, fuse_buf* buf, struct fuse* fuse) {
    buf->fd = -1;
    buf->pos = -1;
    buf->mem = fuse->zero_addr;
    buf->size = size;
    buf->flags = static_cast<fuse_buf_flags>(0);  // no FUSE_BUF_IS_FD: read from buf->mem
}
1552 
/**
 * Fills |buf| so that it reads |size| bytes from |fd| starting at |pos|
 * (FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK). mem is cleared since it is unused.
 */
static void create_file_fuse_buf(size_t size, off_t pos, int fd, fuse_buf* buf) {
    buf->mem = nullptr;
    buf->flags = static_cast<fuse_buf_flags>(FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK);
    buf->pos = pos;
    buf->fd = fd;
    buf->size = size;
}
1563 
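// Replies to a READ request on a handle whose content needs redaction.
//
// The requested [off, off + size) window is split by the handle's
// RedactionInfo into ranges: plain ranges are read from the fd, redacted
// ranges are served from the daemon's zero page, and everything is sent as
// one fuse_bufvec. Falls back to do_read() when nothing in the window needs
// redacting. Replies ENOMEM if the bufvec cannot be allocated.
static void do_read_with_redaction(fuse_req_t req, size_t size, off_t off, fuse_file_info* fi,
                                   bool direct_io) {
    handle* h = reinterpret_cast<handle*>(fi->fh);

    std::vector<ReadRange> ranges;
    h->ri->getReadRanges(off, size, &ranges);

    // As an optimization, return early if there are no ranges to redact.
    if (ranges.empty()) {
        do_read(req, size, off, fi, direct_io);
        return;
    }

    // fuse_bufvec is sized for a single fuse_buf; over-allocate so that buf[]
    // holds one entry per range. free() is the matching deleter.
    const size_t num_bufs = ranges.size();
    auto bufvec_ptr = std::unique_ptr<fuse_bufvec, decltype(free)*>{
            reinterpret_cast<fuse_bufvec*>(
                    malloc(sizeof(fuse_bufvec) + (num_bufs - 1) * sizeof(fuse_buf))),
            free};
    if (!bufvec_ptr) {
        // Dereferencing a failed malloc() would be undefined behaviour.
        fuse_reply_err(req, ENOMEM);
        return;
    }
    fuse_bufvec& bufvec = *bufvec_ptr;

    // initialize bufvec
    bufvec.count = num_bufs;
    bufvec.idx = 0;
    bufvec.off = 0;

    struct fuse* fuse = get_fuse(req);  // hoisted: the same for every range
    // size_t index: num_bufs is a size_t, so no signed/unsigned comparison.
    for (size_t i = 0; i < num_bufs; ++i) {
        const ReadRange& range = ranges[i];
        if (range.is_redaction) {
            create_mem_fuse_buf(range.size, &bufvec.buf[i], fuse);
        } else {
            create_file_fuse_buf(range.size, range.start, h->fd, &bufvec.buf[i]);
        }
    }

    fuse_reply_data(req, &bufvec, static_cast<fuse_buf_copy_flags>(0));
}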
1600 
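// FUSE READ handler.
//
// Runs the node's pending transforms through MediaProvider once (before the
// first read that sees them incomplete), records the read with the fadviser,
// then dispatches to the redacting or the plain read path depending on the
// handle's RedactionInfo.
static void pf_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t off,
                    struct fuse_file_info* fi) {
    ATRACE_CALL();
    handle* h = reinterpret_cast<handle*>(fi->fh);
    const bool direct_io = !h->cached;
    struct fuse* fuse = get_fuse(req);

    node* node = fuse->FromInode(ino);
    // The sibling handlers (pf_open, pf_release) check for a missing node;
    // reply ENOENT here as well instead of dereferencing a null pointer below.
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    if (!node->IsTransformsComplete()) {
        if (!fuse->mp->Transform(node->BuildPath(), node->GetIoPath(), node->GetTransforms(),
                                 node->GetTransformsReason(), req->ctx.uid, h->uid,
                                 h->transforms_uid)) {
            fuse_reply_err(req, EFAULT);
            return;
        }
        node->SetTransformsComplete(true);
    }

    fuse->fadviser.Record(h->fd, size);

    if (h->ri->isRedactionNeeded()) {
        do_read_with_redaction(req, size, off, fi, direct_io);
    } else {
        do_read(req, size, off, fi, direct_io);
    }
}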
1628 
1629 /*
1630 static void pf_write(fuse_req_t req, fuse_ino_t ino, const char* buf,
1631                        size_t size, off_t off, struct fuse_file_info* fi)
1632 {
1633     cout << "TODO:" << __func__;
1634 }
1635 */
1636 
// FUSE WRITE_BUF handler: copies the kernel-supplied buffers into the handle's
// fd at |off| and replies with the number of bytes written.
static void pf_write_buf(fuse_req_t req,
                         fuse_ino_t ino,
                         struct fuse_bufvec* bufv,
                         off_t off,
                         struct fuse_file_info* fi) {
    ATRACE_CALL();
    handle* h = reinterpret_cast<handle*>(fi->fh);
    struct fuse* fuse = get_fuse(req);

    struct fuse_bufvec dst = FUSE_BUFVEC_INIT(fuse_buf_size(bufv));
    fuse_buf& target = dst.buf[0];
    target.fd = h->fd;
    target.pos = off;
    target.flags = static_cast<fuse_buf_flags>(FUSE_BUF_IS_FD | FUSE_BUF_FD_SEEK);

    // fuse_buf_copy returns the byte count, or a negated errno on failure.
    const ssize_t written = fuse_buf_copy(&dst, bufv, static_cast<fuse_buf_copy_flags>(0));
    if (written < 0) {
        fuse_reply_err(req, -written);
        return;
    }

    // Execute Record *before* fuse_reply_write to avoid the following ordering:
    // fuse_reply_write -> pf_release (destroy handle) -> Record (use handle after free)
    fuse->fadviser.Record(h->fd, written);
    fuse_reply_write(req, written);
}
1663 // Haven't tested this one. Not sure what calls it.
1664 #if 0
1665 static void pf_copy_file_range(fuse_req_t req, fuse_ino_t ino_in,
1666                                  off_t off_in, struct fuse_file_info* fi_in,
1667                                  fuse_ino_t ino_out, off_t off_out,
1668                                  struct fuse_file_info* fi_out, size_t len,
1669                                  int flags)
1670 {
1671     handle* h_in = reinterpret_cast<handle *>(fi_in->fh);
1672     handle* h_out = reinterpret_cast<handle *>(fi_out->fh);
1673     struct fuse_bufvec buf_in = FUSE_BUFVEC_INIT(len);
1674     struct fuse_bufvec buf_out = FUSE_BUFVEC_INIT(len);
1675     ssize_t size;
1676 
1677     buf_in.buf[0].fd = h_in->fd;
1678     buf_in.buf[0].pos = off_in;
1679     buf_in.buf[0].flags = (enum fuse_buf_flags)(FUSE_BUF_IS_FD|FUSE_BUF_FD_SEEK);
1680 
1681     buf_out.buf[0].fd = h_out->fd;
1682     buf_out.buf[0].pos = off_out;
1683     buf_out.buf[0].flags = (enum fuse_buf_flags)(FUSE_BUF_IS_FD|FUSE_BUF_FD_SEEK);
1684     size = fuse_buf_copy(&buf_out, &buf_in, (enum fuse_buf_copy_flags) 0);
1685 
1686     if (size < 0) {
1687         fuse_reply_err(req, -size);
1688     }
1689 
1690     fuse_reply_write(req, size);
1691 }
1692 #endif
1693 
/*
 * Intentional no-op whose only purpose is to keep the .flush pointer in the
 * fuse_lowlevel_ops table non-null.
 * Kernels prior to 5.8 stop attempting to flush the cache on close(2) if the
 * .flush operation is not implemented by the FUSE daemon. This has been fixed
 * in the kernel by commit 614c026e8a46 ("fuse: always flush dirty data on
 * close(2)"), merged in Linux 5.8, but until then userspace must mitigate this
 * behavior by not leaving the .flush function pointer empty.
 */
static void pf_flush(fuse_req_t req,
                     fuse_ino_t ino,
                     struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* const fuse = get_fuse(req);
    TRACE_NODE(nullptr, req) << "noop";
    fuse_reply_err(req, 0);  // 0 == success
}
1712 
// FUSE RELEASE handler: the last reference to the open file is gone, so drop
// the fadviser state for the fd and tear down the handle attached to the node.
static void pf_release(fuse_req_t req,
                       fuse_ino_t ino,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    handle* h = reinterpret_cast<handle*>(fi->fh);
    node* node = fuse->FromInode(ino);
    TRACE_NODE(node, req);

    // The fadviser forgets the fd before the handle is destroyed, never after.
    fuse->fadviser.Close(h->fd);
    if (node != nullptr) {
        node->DestroyHandle(h);
    }

    fuse_reply_err(req, 0);
}
1730 
// Flushes |fd| to storage: fdatasync(2) when |datasync| is set, fsync(2)
// otherwise. Returns 0 on success or the errno of the failed call.
static int do_sync_common(int fd, bool datasync) {
    const int rc = datasync ? fdatasync(fd) : fsync(fd);
    return rc == -1 ? errno : 0;
}
1737 
// FUSE FSYNC handler: syncs the handle's fd and replies with the result.
static void pf_fsync(fuse_req_t req,
                     fuse_ino_t ino,
                     int datasync,
                     struct fuse_file_info* fi) {
    ATRACE_CALL();
    const handle* const h = reinterpret_cast<handle*>(fi->fh);
    // do_sync_common yields 0 on success, otherwise an errno value.
    fuse_reply_err(req, do_sync_common(h->fd, datasync != 0));
}
1748 
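// FUSE FSYNCDIR handler: syncs the directory behind the dirhandle's DIR* and
// replies with the result.
static void pf_fsyncdir(fuse_req_t req,
                        fuse_ino_t ino,
                        int datasync,
                        struct fuse_file_info* fi) {
    ATRACE_CALL();  // every other handler traces; keeps trace coverage consistent
    dirhandle* h = reinterpret_cast<dirhandle*>(fi->fh);
    // dirfd() exposes the fd backing the DIR*, which is what fsync/fdatasync need.
    const int err = do_sync_common(dirfd(h->d), datasync);

    fuse_reply_err(req, err);
}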
1758 
// FUSE OPENDIR handler.
//
// Checks that the caller may see the directory and asks MediaProvider whether
// listing it is allowed, then opens it with opendir(3) and attaches the
// resulting dirhandle to the node. fi->fh carries the handle to the later
// readdir / fsyncdir / releasedir calls.
static void pf_opendir(fuse_req_t req,
                       fuse_ino_t ino,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const struct fuse_ctx* ctx = fuse_req_ctx(req);
    const string path = node->BuildPath();
    // Hidden rather than forbidden: inaccessible paths look like they don't exist.
    if (!is_app_accessible_path(fuse, path, ctx->uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(node, req);

    // A non-zero status is the errno MediaProvider wants reported to the caller.
    int status = fuse->mp->IsOpendirAllowed(path, ctx->uid, /* forWrite */ false);
    if (status) {
        fuse_reply_err(req, status);
        return;
    }

    DIR* dir = opendir(path.c_str());
    if (!dir) {
        fuse_reply_err(req, errno);
        return;
    }

    // Ownership of the dirhandle (and the DIR* inside it) moves to the node;
    // presumably DestroyDirHandle in pf_releasedir is what frees it — confirm.
    dirhandle* h = new dirhandle(dir);
    node->AddDirHandle(h);

    fi->fh = ptr_to_id(h);
    fuse_reply_open(req, fi);
}
1796 
1797 #define READDIR_BUF 8192LU
1798 
// Shared body of pf_readdir and pf_readdirplus.
//
// Directory entries come from MediaProvider (GetDirectoryEntries) once per
// dirhandle and are cached in h->de; h->next_off is the index of the next
// entry to emit. Each call packs as many entries as fit into a READDIR_BUF
// sized stack buffer (further capped by the kernel's |size|) and replies with
// it. With |plus| set every entry is looked up first so the kernel also gets
// its attributes (readdirplus).
static void do_readdir_common(fuse_req_t req,
                              fuse_ino_t ino,
                              size_t size,
                              off_t off,
                              struct fuse_file_info* fi,
                              bool plus) {
    struct fuse* fuse = get_fuse(req);
    dirhandle* h = reinterpret_cast<dirhandle*>(fi->fh);
    // Never offer libfuse more room than buf actually has.
    size_t len = std::min<size_t>(size, READDIR_BUF);
    char buf[READDIR_BUF];
    size_t used = 0;
    std::shared_ptr<DirectoryEntry> de;

    // Only the fields set below (st_ino/st_mode for plain readdir, or whatever
    // do_lookup presumably fills for readdirplus) are initialized before use.
    struct fuse_entry_param e;
    size_t entry_size = 0;

    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string path = node->BuildPath();
    if (!is_app_accessible_path(fuse, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(node, req);
    // Get all directory entries from MediaProvider on first readdir() call of
    // directory handle. h->next_off = 0 indicates that current readdir() call
    // is first readdir() call for the directory handle, Avoid multiple JNI calls
    // for single directory handle.
    if (h->next_off == 0) {
        h->de = fuse->mp->GetDirectoryEntries(req->ctx.uid, path, h->d);
    }
    // If the last entry in the previous readdir() call was rejected due to
    // buffer capacity constraints, update directory offset to start from
    // previously rejected entry. Directory offset can also change if there was
    // a seekdir() on the given directory handle.
    if (off != h->next_off) {
        h->next_off = off;
    }
    const int num_directory_entries = h->de.size();
    // Check for errors. Any error/exception occurred while obtaining directory
    // entries will be indicated by marking first directory entry name as empty
    // string. In the erroneous case corresponding d_type will hold error number.
    if (num_directory_entries && h->de[0]->d_name.empty()) {
        fuse_reply_err(req, h->de[0]->d_type);
        return;
    }

    while (h->next_off < num_directory_entries) {
        de = h->de[h->next_off];
        entry_size = 0;
        // Advanced before the entry is emitted: the offset stored with the
        // entry is the one of the *next* entry, which is what a later call
        // receives in |off|.
        h->next_off++;
        if (plus) {
            int error_code = 0;
            if (do_lookup(req, ino, de->d_name.c_str(), &e, &error_code, FuseOp::readdir)) {
                entry_size = fuse_add_direntry_plus(req, buf + used, len - used, de->d_name.c_str(),
                                                    &e, h->next_off);
            } else {
                // Ignore lookup errors on
                // 1. non-existing files returned from MediaProvider database.
                // 2. path that doesn't match FuseDaemon UID and calling uid.
                if (error_code == ENOENT || error_code == EPERM || error_code == EACCES
                    || error_code == EIO) continue;
                fuse_reply_err(req, error_code);
                return;
            }
        } else {
            // This should never happen because we have readdir_plus enabled without adaptive
            // readdir_plus, FUSE_CAP_READDIRPLUS_AUTO
            LOG(WARNING) << "Handling plain readdir for " << de->d_name << ". Invalid d_ino";
            e.attr.st_ino = FUSE_UNKNOWN_INO;
            e.attr.st_mode = de->d_type << 12;
            entry_size = fuse_add_direntry(req, buf + used, len - used, de->d_name.c_str(), &e.attr,
                                           h->next_off);
        }
        // If buffer in fuse_add_direntry[_plus] is not large enough then
        // the entry is not added to buffer but the size of the entry is still
        // returned. Check available buffer size + returned entry size is less
        // than actual buffer size to confirm entry is added to buffer.
        if (used + entry_size > len) {
            // When an entry is rejected, lookup called by readdir_plus will not be tracked by
            // kernel. Call forget on the rejected node to decrement the reference count.
            if (plus) {
                do_forget(req, fuse, e.ino, 1);
            }
            break;
        }
        used += entry_size;
    }
    // An empty reply (used == 0) is how end-of-directory reaches the kernel.
    fuse_reply_buf(req, buf, used);
}
1893 
// FUSE READDIR handler: plain (non-plus) directory listing.
static void pf_readdir(fuse_req_t req, fuse_ino_t ino, size_t size, off_t off,
                       struct fuse_file_info* fi) {
    ATRACE_CALL();
    constexpr bool kReaddirPlus = false;
    do_readdir_common(req, ino, size, off, fi, kReaddirPlus);
}
1899 
// FUSE READDIRPLUS handler: directory listing that also returns each entry's
// attributes.
static void pf_readdirplus(fuse_req_t req,
                           fuse_ino_t ino,
                           size_t size,
                           off_t off,
                           struct fuse_file_info* fi) {
    ATRACE_CALL();
    constexpr bool kReaddirPlus = true;
    do_readdir_common(req, ino, size, off, fi, kReaddirPlus);
}
1908 
// FUSE RELEASEDIR handler: detaches and destroys the dirhandle that pf_opendir
// attached to the node.
static void pf_releasedir(fuse_req_t req,
                          fuse_ino_t ino,
                          struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    dirhandle* h = reinterpret_cast<dirhandle*>(fi->fh);
    node* node = fuse->FromInode(ino);
    TRACE_NODE(node, req);

    // Without a node there is nothing to detach the handle from.
    if (node != nullptr) {
        node->DestroyDirHandle(h);
    }

    fuse_reply_err(req, 0);
}
1925 
// FUSE STATFS handler: reports the numbers of the backing filesystem that
// holds the root directory.
static void pf_statfs(fuse_req_t req, fuse_ino_t ino) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    struct statvfs st;
    const int rc = statvfs(fuse->root->GetName().c_str(), &st);
    if (rc != 0) {
        fuse_reply_err(req, errno);
        return;
    }
    fuse_reply_statfs(req, &st);
}
1936 /*
1937 static void pf_setxattr(fuse_req_t req, fuse_ino_t ino, const char* name,
1938                           const char* value, size_t size, int flags)
1939 {
1940     cout << "TODO:" << __func__;
1941 }
1942 
1943 static void pf_getxattr(fuse_req_t req, fuse_ino_t ino, const char* name,
1944                           size_t size)
1945 {
1946     cout << "TODO:" << __func__;
1947 }
1948 
1949 static void pf_listxattr(fuse_req_t req, fuse_ino_t ino, size_t size)
1950 {
1951     cout << "TODO:" << __func__;
1952 }
1953 
1954 static void pf_removexattr(fuse_req_t req, fuse_ino_t ino, const char* name)
1955 {
1956     cout << "TODO:" << __func__;
1957 }*/
1958 
// FUSE ACCESS handler.
//
// F_OK (existence) is answered locally; everything else is delegated to
// MediaProvider after an lstat: IsOpendirAllowed for directories, OnFileOpen
// (without redaction) for files. Execute permission on files is always
// denied because the filesystem is mounted MS_NOEXEC.
static void pf_access(fuse_req_t req, fuse_ino_t ino, int mask) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);

    node* node = fuse->FromInode(ino);
    if (!node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string path = node->BuildPath();
    // PRIMARY_VOLUME_PREFIX itself stays visible to every caller so apps can
    // traverse into it (see the X_OK special case below).
    if (path != PRIMARY_VOLUME_PREFIX && !is_app_accessible_path(fuse, path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    TRACE_NODE(node, req);

    // exists() checks are always allowed.
    if (mask == F_OK) {
        int res = access(path.c_str(), F_OK);
        fuse_reply_err(req, res ? errno : 0);
        return;
    }
    struct stat stat;
    if (lstat(path.c_str(), &stat)) {
        // File doesn't exist
        fuse_reply_err(req, ENOENT);
        return;
    }

    // For read and write permission checks we go to MediaProvider.
    int status = 0;
    bool for_write = mask & W_OK;
    bool is_directory = S_ISDIR(stat.st_mode);
    if (is_directory) {
        if (path == PRIMARY_VOLUME_PREFIX && mask == X_OK) {
            // Special case for this path: apps should be allowed to enter it,
            // but not list directory contents (which would be user numbers).
            int res = access(path.c_str(), X_OK);
            fuse_reply_err(req, res ? errno : 0);
            return;
        }
        status = fuse->mp->IsOpendirAllowed(path, req->ctx.uid, for_write);
    } else {
        if (mask & X_OK) {
            // Fuse is mounted with MS_NOEXEC.
            fuse_reply_err(req, EACCES);
            return;
        }

        // Same check as an actual open(), but nothing is opened: the result only
        // tells us whether MediaProvider would allow it.
        std::unique_ptr<FileOpenResult> result = fuse->mp->OnFileOpen(
                path, path, req->ctx.uid, req->ctx.pid, node->GetTransformsReason(), for_write,
                false /* redact */, false /* log_transforms_metrics */);
        if (!result) {
            status = EFAULT;
        } else if (result->status) {
            // MediaProvider's own errno is collapsed to EACCES for access(2).
            status = EACCES;
        }
    }

    fuse_reply_err(req, status);
}
2020 
// FUSE CREATE handler.
//
// Inserts the new file into the MediaProvider database, creates it on disk,
// builds the node and entry for it and opens a handle, replying with
// fuse_reply_create. A failed open() rolls the database insert back.
static void pf_create(fuse_req_t req,
                      fuse_ino_t parent,
                      const char* name,
                      mode_t mode,
                      struct fuse_file_info* fi) {
    ATRACE_CALL();
    struct fuse* fuse = get_fuse(req);
    node* parent_node = fuse->FromInode(parent);
    if (!parent_node) {
        fuse_reply_err(req, ENOENT);
        return;
    }
    const string parent_path = parent_node->BuildPath();
    if (!is_app_accessible_path(fuse, parent_path, req->ctx.uid)) {
        fuse_reply_err(req, ENOENT);
        return;
    }

    TRACE_NODE(parent_node, req);

    const string child_path = parent_path + "/" + name;

    const OpenInfo open_info = parse_open_flags(child_path, fi->flags);

    // MediaProvider decides whether this uid may create the file at all.
    int mp_return_code = fuse->mp->InsertFile(child_path.c_str(), req->ctx.uid);
    if (mp_return_code) {
        fuse_reply_err(req, mp_return_code);
        return;
    }

    // The caller's permission bits are ignored: files are always created 0664.
    // NOTE(review): only the 0777 bits are overridden; any higher bits present
    // in |mode| are handed to open() unchanged — confirm that is intended.
    mode = (mode & (~0777)) | 0664;
    int fd = open(child_path.c_str(), open_info.flags, mode);
    if (fd < 0) {
        int error_code = errno;
        // We've already inserted the file into the MP database before the
        // failed open(), so that needs to be rolled back here.
        fuse->mp->DeleteFile(child_path.c_str(), req->ctx.uid);
        fuse_reply_err(req, error_code);
        return;
    }

    int error_code = 0;
    struct fuse_entry_param e;
    node* node =
            make_node_entry(req, parent_node, name, child_path, &e, &error_code, FuseOp::create);
    TRACE_NODE(node, req);
    if (!node) {
        CHECK(error_code != 0);
        fuse_reply_err(req, error_code);
        return;
    }

    // Let MediaProvider know we've created a new file
    fuse->mp->OnFileCreated(child_path);

    // TODO(b/147274248): Assume there will be no EXIF to redact.
    // This prevents crashing during reads but can be a security hole if a malicious app opens an fd
    // to the file before all the EXIF content is written. We could special case reads before the
    // first close after a file has just been created.
    int keep_cache = 1;
    // The fresh RedactionInfo is owned by the handle from here on (same as the
    // released redaction_info in pf_open).
    const handle* h = create_handle_for_node(
            fuse, child_path, fd, req->ctx.uid, 0 /* transforms_uid */, node, new RedactionInfo(),
            /* allow_passthrough */ true, open_info.direct_io, &keep_cache);
    fill_fuse_file_info(h, &open_info, keep_cache, fi);

    // TODO(b/173190192) ensuring that h->cached must be enabled in order to
    // user FUSE passthrough is a conservative rule and might be dropped as
    // soon as demonstrated its correctness.
    if (h->passthrough && !do_passthrough_enable(req, fi, fd)) {
        // NOTE(review): unlike the open() failure above, this path neither
        // rolls back the database insert nor destroys the handle — confirm
        // whether that is intended.
        PLOG(ERROR) << "Passthrough CREATE failed for " << child_path;
        fuse_reply_err(req, EFAULT);
        return;
    }

    fuse_reply_create(req, &e, fi);
}
2097 /*
2098 static void pf_getlk(fuse_req_t req, fuse_ino_t ino,
2099                        struct fuse_file_info* fi, struct flock* lock)
2100 {
2101     cout << "TODO:" << __func__;
2102 }
2103 
2104 static void pf_setlk(fuse_req_t req, fuse_ino_t ino,
2105                        struct fuse_file_info* fi,
2106                        struct flock* lock, int sleep)
2107 {
2108     cout << "TODO:" << __func__;
2109 }
2110 
2111 static void pf_bmap(fuse_req_t req, fuse_ino_t ino, size_t blocksize,
2112                       uint64_t idx)
2113 {
2114     cout << "TODO:" << __func__;
2115 }
2116 
2117 static void pf_ioctl(fuse_req_t req, fuse_ino_t ino, unsigned int cmd,
2118                        void* arg, struct fuse_file_info* fi, unsigned flags,
2119                        const void* in_buf, size_t in_bufsz, size_t out_bufsz)
2120 {
2121     cout << "TODO:" << __func__;
2122 }
2123 
2124 static void pf_poll(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info* fi,
2125                       struct fuse_pollhandle* ph)
2126 {
2127     cout << "TODO:" << __func__;
2128 }
2129 
2130 static void pf_retrieve_reply(fuse_req_t req, void* cookie, fuse_ino_t ino,
2131                                 off_t offset, struct fuse_bufvec* bufv)
2132 {
2133     cout << "TODO:" << __func__;
2134 }
2135 
2136 static void pf_flock(fuse_req_t req, fuse_ino_t ino,
2137                        struct fuse_file_info* fi, int op)
2138 {
2139     cout << "TODO:" << __func__;
2140 }
2141 
2142 static void pf_fallocate(fuse_req_t req, fuse_ino_t ino, int mode,
2143                        off_t offset, off_t length, struct fuse_file_info* fi)
2144 {
2145     cout << "TODO:" << __func__;
2146 }
2147 */
2148 
// Low-level FUSE operation table handed to libfuse. Commented-out entries are
// operations this daemon deliberately leaves unset (their stubs above are
// commented out as well).
static struct fuse_lowlevel_ops ops{
    .init = pf_init, .destroy = pf_destroy, .lookup = pf_lookup, .forget = pf_forget,
    .getattr = pf_getattr, .setattr = pf_setattr, .canonical_path = pf_canonical_path,
    .mknod = pf_mknod, .mkdir = pf_mkdir, .unlink = pf_unlink, .rmdir = pf_rmdir,
    /*.symlink = pf_symlink,*/
    .rename = pf_rename,
    /*.link = pf_link,*/
    .open = pf_open, .read = pf_read,
    /*.write = pf_write,*/
    // .flush is a no-op but must be set; see the comment on pf_flush.
    .flush = pf_flush,
    .release = pf_release, .fsync = pf_fsync, .opendir = pf_opendir, .readdir = pf_readdir,
    .releasedir = pf_releasedir, .fsyncdir = pf_fsyncdir, .statfs = pf_statfs,
    /*.setxattr = pf_setxattr,
    .getxattr = pf_getxattr,
    .listxattr = pf_listxattr,
    .removexattr = pf_removexattr,*/
    .access = pf_access, .create = pf_create,
    /*.getlk = pf_getlk,
    .setlk = pf_setlk,
    .bmap = pf_bmap,
    .ioctl = pf_ioctl,
    .poll = pf_poll,*/
    .write_buf = pf_write_buf,
    /*.retrieve_reply = pf_retrieve_reply,*/
    .forget_multi = pf_forget_multi,
    /*.flock = pf_flock,*/
    .fallocate = pf_fallocate,
    .readdirplus = pf_readdirplus,
    /*.copy_file_range = pf_copy_file_range,*/
};
2179 
// Settings for the multi-threaded request loop: workers use cloned device fds
// (clone_fd) and at most 10 idle worker threads are kept alive.
static struct fuse_loop_config config = {
        .clone_fd = 1,
        .max_idle_threads = 10,
};
2184 
// Maps libfuse log levels onto logcat priorities for fuse_logger(). Every
// fuse_log_level value must have an entry: fuse_logger() looks levels up with
// at(), which throws for a missing key.
static std::unordered_map<enum fuse_log_level, enum android_LogPriority> fuse_to_android_loglevel({
    {FUSE_LOG_EMERG, ANDROID_LOG_FATAL},
    {FUSE_LOG_ALERT, ANDROID_LOG_ERROR},
    {FUSE_LOG_CRIT, ANDROID_LOG_ERROR},
    {FUSE_LOG_ERR, ANDROID_LOG_ERROR},
    {FUSE_LOG_WARNING, ANDROID_LOG_WARN},
    {FUSE_LOG_NOTICE, ANDROID_LOG_INFO},
    {FUSE_LOG_INFO, ANDROID_LOG_DEBUG},
    {FUSE_LOG_DEBUG, ANDROID_LOG_VERBOSE},
    });
2195 
// libfuse log callback: forwards libfuse messages to logcat under
// LIBFUSE_LOG_TAG, translating the level through fuse_to_android_loglevel
// (at() throws std::out_of_range for a level with no mapping).
static void fuse_logger(enum fuse_log_level level, const char* fmt, va_list ap) {
    const enum android_LogPriority priority = fuse_to_android_loglevel.at(level);
    __android_log_vprint(priority, LIBFUSE_LOG_TAG, fmt, ap);
}
2199 
// Decides whether a file MediaProvider is about to open on a caller's behalf
// should go through FUSE (true) or be opened directly on the lower filesystem
// (false).
//
// With passthrough enabled the answer is always FUSE. Otherwise FUSE is used
// when the daemon is active and either the node already has a cached handle
// (keeping the VFS cache consistent) or no file lock could be taken on |fd|
// to track the direct open.
bool FuseDaemon::ShouldOpenWithFuse(int fd, bool for_read, const std::string& path) {
    if (fuse->passthrough) {
        // Always open with FUSE if passthrough is enabled. This avoids the delicate file lock
        // acquisition below to ensure VFS cache consistency and doesn't impact filesystem
        // performance since read(2)/write(2) happen in the kernel
        return true;
    }

    bool use_fuse = false;

    if (active.load(std::memory_order_acquire)) {
        // fuse->lock is held for the node-tree walk and the lock attempt only.
        std::lock_guard<std::recursive_mutex> guard(fuse->lock);
        const node* node = node::LookupAbsolutePath(fuse->root, path);
        if (node && node->HasCachedHandle()) {
            use_fuse = true;
        } else {
            // If we are unable to set a lock, we should use fuse since we can't track
            // when all fd references (including dups) are closed. This can happen when
            // we try to set a write lock twice on the same file
            use_fuse = set_file_lock(fd, for_read, path);
        }
    } else {
        LOG(WARNING) << "FUSE daemon is inactive. Cannot open file with FUSE";
    }

    return use_fuse;
}
2227 
// True when the FUSE session has passthrough enabled.
bool FuseDaemon::UsesFusePassthrough() const {
    const bool enabled = fuse->passthrough;
    return enabled;
}
2231 
// Asks the kernel to drop its dentry for |path| so that the next lookup comes
// back to the daemon. The inode numbers are resolved under fuse->lock; the
// notification itself is sent after the lock is released.
void FuseDaemon::InvalidateFuseDentryCache(const std::string& path) {
    LOG(VERBOSE) << "Invalidating FUSE dentry cache";
    if (active.load(std::memory_order_acquire)) {
        string name;
        // Only meaningful when name ends up non-empty (see below).
        fuse_ino_t parent;
        fuse_ino_t child;
        {
            std::lock_guard<std::recursive_mutex> guard(fuse->lock);
            const node* node = node::LookupAbsolutePath(fuse->root, path);
            if (node) {
                name = node->GetName();
                child = fuse->ToInode(const_cast<class node*>(node));
                parent = fuse->ToInode(node->GetParent());
            }
        }

        // An empty name means the path is unknown; a node whose own name is
        // empty (presumably only the root) is skipped as well.
        if (!name.empty()) {
            fuse_inval(fuse->se, parent, child, name, path);
        }
    } else {
        LOG(WARNING) << "FUSE daemon is inactive. Cannot invalidate dentry";
    }
}
2255 
// Binds the daemon to its MediaProvider JNI wrapper. The session pointer stays
// null and the daemon inactive until it is started.
FuseDaemon::FuseDaemon(JNIEnv* env, jobject mediaProvider)
    : mp(env, mediaProvider), active(false), fuse(nullptr) {}
2258 
// Whether the daemon is currently active (acquire load; presumably paired
// with a release store where the session is brought up).
bool FuseDaemon::IsStarted() const {
    const bool started = active.load(std::memory_order_acquire);
    return started;
}
2262 
// Whether FUSE BPF should be used. persist.sys.fuse.bpf.override ("true" /
// "false") wins when set; otherwise ro.fuse.bpf.enabled decides, defaulting
// to off.
bool IsFuseBpfEnabled() {
    const std::string override_value =
            android::base::GetProperty("persist.sys.fuse.bpf.override", "");
    if (override_value == "true") return true;
    if (override_value == "false") return false;
    return android::base::GetBoolProperty("ro.fuse.bpf.enabled", false);
}
2272 
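// Serves the FUSE filesystem rooted at `path`, blocking until the session loop ends.
//
// `fd` is the already-opened /dev/fuse descriptor: once the session exists libfuse
// owns it (se->fd); on every earlier failure the unique_fd closes it on return.
// `uncached_mode`, the two relative-path lists and the BPF program fd (when
// IsFuseBpfEnabled() and the fd fetch succeed) are handed to the session-wide
// `struct fuse`, which lives on this stack frame for the duration of the call.
//
// `fuse` is pointed at that frame-local object and reset to nullptr on every exit
// path after the assignment, so no other method can dereference a dangling pointer
// once the session is gone; `active` is cleared when the loop returns. Setup
// failures log and return without serving; an mmap failure is fatal (LOG(FATAL)).
void FuseDaemon::Start(android::base::unique_fd fd, const std::string& path,
                       const bool uncached_mode,
                       const std::vector<std::string>& supported_transcoding_relative_paths,
                       const std::vector<std::string>& supported_uncached_relative_paths) {
    android::base::SetDefaultTag(LOG_TAG);

    struct stat source_stat;
    if (lstat(path.c_str(), &source_stat)) {
        PLOG(ERROR) << "ERROR: failed to stat source " << path;
        return;
    }

    if (!S_ISDIR(source_stat.st_mode)) {
        // lstat() succeeded, so errno carries nothing useful here: LOG rather than PLOG.
        LOG(ERROR) << "ERROR: source is not a directory";
        return;
    }

    struct fuse_args args = FUSE_ARGS_INIT(0, nullptr);
    if (fuse_opt_add_arg(&args, path.c_str()) || fuse_opt_add_arg(&args, "-odebug") ||
        fuse_opt_add_arg(&args, ("-omax_read=" + std::to_string(MAX_READ_SIZE)).c_str())) {
        LOG(ERROR) << "ERROR: failed to set options";
        // Release whatever fuse_opt_add_arg() managed to copy before the failure.
        fuse_opt_free_args(&args);
        return;
    }

    bool bpf_enabled = IsFuseBpfEnabled();
    int bpf_fd = -1;
    if (bpf_enabled) {
        LOG(INFO) << "Using FUSE BPF";

        bpf_fd = android::bpf::bpfFdGet(FUSE_BPF_PROG_PATH, BPF_F_RDONLY);
        if (bpf_fd < 0) {
            PLOG(ERROR) << "Failed to fetch BPF prog fd: " << bpf_fd;
            // Fall back to plain FUSE rather than fail the mount.
            bpf_enabled = false;
        } else {
            LOG(INFO) << "BPF prog fd fetched";
        }
    }

    // NOTE(review): bpf_fd is handed to struct fuse; its close is assumed to be
    // managed there — confirm, nothing in this function closes it.
    struct fuse fuse_default(path, source_stat.st_ino, uncached_mode, bpf_enabled, bpf_fd,
                             supported_transcoding_relative_paths,
                             supported_uncached_relative_paths);
    fuse_default.mp = &mp;
    // fuse_default is stack allocated, but it's safe to save it as an instance variable because
    // this method blocks and FuseDaemon#active tells if we are currently blocking. Every
    // return below resets `fuse` so the pointer never outlives the frame.
    fuse = &fuse_default;

    // Used by pf_read: redacted ranges are represented by zeroized ranges of bytes,
    // so we mmap the maximum length of redacted ranges in the beginning and save memory allocations
    // on each read.
    fuse_default.zero_addr = static_cast<char*>(mmap(
            nullptr, MAX_READ_SIZE, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, /*fd*/ -1, /*off*/ 0));
    if (fuse_default.zero_addr == MAP_FAILED) {
        LOG(FATAL) << "mmap failed - could not start fuse! errno = " << errno;
    }

    // Custom logging for libfuse
    if (android::base::GetBoolProperty("persist.sys.fuse.log", false)) {
        fuse_set_log_func(fuse_logger);
    }

    if (MY_USER_ID != 0 && mp.IsAppCloneUser(MY_USER_ID)) {
        // Disable dentry caching for the app clone user
        fuse_default.disable_dentry_cache = true;
    }

    fuse_default.passthrough =
            android::base::GetBoolProperty("persist.sys.fuse.passthrough.enable", false);
    if (fuse_default.passthrough) {
        LOG(INFO) << "Using FUSE passthrough";
    }

    struct fuse_session* se = fuse_session_new(&args, &ops, sizeof(ops), &fuse_default);
    if (!se) {
        PLOG(ERROR) << "Failed to create session ";
        // Nothing has taken ownership of the mapping or the args yet and `fd` is still
        // owned by the unique_fd: undo the partial setup so the daemon is left clean.
        if (munmap(fuse_default.zero_addr, MAX_READ_SIZE)) {
            PLOG(ERROR) << "munmap failed!";
        }
        fuse_opt_free_args(&args);
        fuse = nullptr;
        return;
    }
    fuse_default.se = se;
    fuse_default.active = &active;
    se->fd = fd.release();  // libfuse owns the FD now
    se->mountpoint = strdup(path.c_str());

    // Single thread. Useful for debugging
    // fuse_session_loop(se);
    // Multi-threaded
    LOG(INFO) << "Starting fuse...";
    fuse_session_loop_mt(se, &config);  // blocks until the session exits
    active.store(false, std::memory_order_release);
    LOG(INFO) << "Ending fuse...";

    if (munmap(fuse_default.zero_addr, MAX_READ_SIZE)) {
        PLOG(ERROR) << "munmap failed!";
    }

    fuse_opt_free_args(&args);
    fuse_session_destroy(se);
    // fuse_default is destroyed when this frame unwinds; make it unreachable first.
    fuse = nullptr;
    LOG(INFO) << "Ended fuse";
}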
2375 
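// Answers whether `uid` may use the open descriptor `fd` through this FUSE mount.
//
// The descriptor is accepted only if it lives on the device recorded by
// InitializeDeviceId() and its inode maps to a node in the tree; the node then
// decides per uid. Every other outcome — daemon not running, fstat failure,
// foreign device, unknown inode — fails closed with an empty-path, denied result.
//
// NOTE(review): node::LookupInode() is called without `fuse->lock` here, unlike
// the path lookup in InvalidateFuseDentryCache(); confirm it is safe lock-free.
std::unique_ptr<FdAccessResult> FuseDaemon::CheckFdAccess(int fd, uid_t uid) const {
    const auto denied = [] { return std::make_unique<FdAccessResult>(string(), false); };

    // `fuse` is null before Start() and stale after it returns; only trust it while active.
    if (!active.load(std::memory_order_acquire)) {
        LOG(DEBUG) << "CheckFdAccess called while FUSE daemon is inactive.";
        return denied();
    }

    struct stat s = {};
    if (fstat(fd, &s) < 0) {
        PLOG(DEBUG) << "CheckFdAccess fstat failed.";
        return denied();
    }

    const dev_t fuse_dev = fuse->dev.load(std::memory_order_acquire);
    if (s.st_dev != fuse_dev) {
        // Not an errno condition: plain LOG so a stale errno is not reported.
        LOG(DEBUG) << "CheckFdAccess FUSE device id does not match.";
        return denied();
    }

    const node* found = node::LookupInode(fuse->root, s.st_ino);
    if (!found) {
        LOG(DEBUG) << "CheckFdAccess no node found with given ino";
        return denied();
    }

    return found->CheckHandleForUid(uid);
}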
2401 
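// Records the st_dev of `path` as the device id CheckFdAccess() compares against.
//
// `fuse` is nullptr until Start() has assigned the session object, so a call
// before that is reported and ignored instead of dereferencing a null pointer.
// An lstat() failure is logged with errno and leaves the stored id unchanged.
void FuseDaemon::InitializeDeviceId(const std::string& path) {
    if (fuse == nullptr) {
        LOG(ERROR) << "InitializeDeviceId called before Start() for path " << path;
        return;
    }

    struct stat mount_stat;
    if (lstat(path.c_str(), &mount_stat)) {
        PLOG(ERROR) << "InitializeDeviceId failed to stat given path " << path;
        return;
    }

    // Release ordering pairs with the acquire load in CheckFdAccess().
    fuse->dev.store(mount_stat.st_dev, std::memory_order_release);
}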
2412 } //namespace fuse
2413 }  // namespace mediaprovider
2414