1 /* 2 ** Copyright 2008, The Android Open Source Project 3 ** 4 ** Licensed under the Apache License, Version 2.0 (the "License"); 5 ** you may not use this file except in compliance with the License. 6 ** You may obtain a copy of the License at 7 ** 8 ** http://www.apache.org/licenses/LICENSE-2.0 9 ** 10 ** Unless required by applicable law or agreed to in writing, software 11 ** distributed under the License is distributed on an "AS IS" BASIS, 12 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 ** See the License for the specific language governing permissions and 14 ** limitations under the License. 15 */ 16 17 #include "utils.h" 18 19 #include <errno.h> 20 #include <fcntl.h> 21 #include <fts.h> 22 #include <stdlib.h> 23 #include <sys/capability.h> 24 #include <sys/stat.h> 25 #include <sys/wait.h> 26 #include <sys/xattr.h> 27 #include <sys/statvfs.h> 28 29 #include <android-base/logging.h> 30 #include <android-base/strings.h> 31 #include <android-base/stringprintf.h> 32 #include <android-base/unique_fd.h> 33 #include <cutils/fs.h> 34 #include <cutils/properties.h> 35 #include <log/log.h> 36 #include <private/android_filesystem_config.h> 37 38 #include "dexopt_return_codes.h" 39 #include "globals.h" // extern variables. 40 41 #ifndef LOG_TAG 42 #define LOG_TAG "installd" 43 #endif 44 45 #define DEBUG_XATTRS 0 46 47 using android::base::EndsWith; 48 using android::base::Fdopendir; 49 using android::base::StringPrintf; 50 using android::base::unique_fd; 51 52 namespace android { 53 namespace installd { 54 55 /** 56 * Check that given string is valid filename, and that it attempts no 57 * parent or child directory traversal. 58 */ 59 bool is_valid_filename(const std::string& name) { 60 if (name.empty() || (name == ".") || (name == "..") 61 || (name.find('/') != std::string::npos)) { 62 return false; 63 } else { 64 return true; 65 } 66 } 67 68 static void check_package_name(const char* package_name) { 69 CHECK(is_valid_filename(package_name)); 70 CHECK(is_valid_package_name(package_name)); 71 } 72 73 static std::string resolve_ce_path_by_inode_or_fallback(const std::string& root_path, 74 ino_t ce_data_inode, const std::string& fallback) { 75 if (ce_data_inode != 0) { 76 DIR* dir = opendir(root_path.c_str()); 77 if (dir == nullptr) { 78 PLOG(ERROR) << "Failed to opendir " << root_path; 79 return fallback; 80 } 81 82 struct dirent* ent; 83 while ((ent = readdir(dir))) { 84 if (ent->d_ino == ce_data_inode) { 85 auto resolved = StringPrintf("%s/%s", root_path.c_str(), ent->d_name); 86 if (resolved != fallback) { 87 LOG(DEBUG) << "Resolved path " << resolved << " for inode " << ce_data_inode 88 << " instead of " << fallback; 89 } 90 closedir(dir); 91 return resolved; 92 } 93 } 94 LOG(WARNING) << "Failed to resolve inode " << ce_data_inode << "; using " << fallback; 95 closedir(dir); 96 return fallback; 97 } else { 98 return fallback; 99 } 100 } 101 102 /** 103 * Create the path name where package app contents should be stored for 104 * the given volume UUID and package name. An empty UUID is assumed to 105 * be internal storage. 106 */ 107 std::string create_data_app_package_path(const char* volume_uuid, 108 const char* package_name) { 109 check_package_name(package_name); 110 return StringPrintf("%s/%s", 111 create_data_app_path(volume_uuid).c_str(), package_name); 112 } 113 114 /** 115 * Create the path name where package data should be stored for the given 116 * volume UUID, package name, and user ID. An empty UUID is assumed to be 117 * internal storage. 118 */ 119 std::string create_data_user_ce_package_path(const char* volume_uuid, 120 userid_t user, const char* package_name) { 121 check_package_name(package_name); 122 return StringPrintf("%s/%s", 123 create_data_user_ce_path(volume_uuid, user).c_str(), package_name); 124 } 125 126 /** 127 * Create the path name where package data should be stored for the given 128 * volume UUID, package name, and user ID. An empty UUID is assumed to be 129 * internal storage. 130 * Compared to create_data_user_ce_package_path this method always return the 131 * ".../user/..." directory. 132 */ 133 std::string create_data_user_ce_package_path_as_user_link( 134 const char* volume_uuid, userid_t userid, const char* package_name) { 135 check_package_name(package_name); 136 std::string data(create_data_path(volume_uuid)); 137 return StringPrintf("%s/user/%u/%s", data.c_str(), userid, package_name); 138 } 139 140 std::string create_data_user_ce_package_path(const char* volume_uuid, userid_t user, 141 const char* package_name, ino_t ce_data_inode) { 142 // For testing purposes, rely on the inode when defined; this could be 143 // optimized to use access() in the future. 144 auto fallback = create_data_user_ce_package_path(volume_uuid, user, package_name); 145 auto user_path = create_data_user_ce_path(volume_uuid, user); 146 return resolve_ce_path_by_inode_or_fallback(user_path, ce_data_inode, fallback); 147 } 148 149 std::string create_data_user_de_package_path(const char* volume_uuid, 150 userid_t user, const char* package_name) { 151 check_package_name(package_name); 152 return StringPrintf("%s/%s", 153 create_data_user_de_path(volume_uuid, user).c_str(), package_name); 154 } 155 156 std::string create_data_path(const char* volume_uuid) { 157 if (volume_uuid == nullptr) { 158 return "/data"; 159 } else if (!strcmp(volume_uuid, "TEST")) { 160 CHECK(property_get_bool("ro.debuggable", false)); 161 return "/data/local/tmp"; 162 } else { 163 CHECK(is_valid_filename(volume_uuid)); 164 return StringPrintf("/mnt/expand/%s", volume_uuid); 165 } 166 } 167 168 /** 169 * Create the path name for app data. 170 */ 171 std::string create_data_app_path(const char* volume_uuid) { 172 return StringPrintf("%s/app", create_data_path(volume_uuid).c_str()); 173 } 174 175 /** 176 * Create the path name for user data for a certain userid. 177 * Keep same implementation as vold to minimize path walking overhead 178 */ 179 std::string create_data_user_ce_path(const char* volume_uuid, userid_t userid) { 180 std::string data(create_data_path(volume_uuid)); 181 if (volume_uuid == nullptr && userid == 0) { 182 std::string legacy = StringPrintf("%s/data", data.c_str()); 183 struct stat sb; 184 if (lstat(legacy.c_str(), &sb) == 0 && S_ISDIR(sb.st_mode)) { 185 /* /data/data is dir, return /data/data for legacy system */ 186 return legacy; 187 } 188 } 189 return StringPrintf("%s/user/%u", data.c_str(), userid); 190 } 191 192 /** 193 * Create the path name for device encrypted user data for a certain userid. 194 */ 195 std::string create_data_user_de_path(const char* volume_uuid, userid_t userid) { 196 std::string data(create_data_path(volume_uuid)); 197 return StringPrintf("%s/user_de/%u", data.c_str(), userid); 198 } 199 200 std::string create_data_misc_ce_rollback_base_path(const char* volume_uuid, userid_t user) { 201 return StringPrintf("%s/misc_ce/%u/rollback", create_data_path(volume_uuid).c_str(), user); 202 } 203 204 std::string create_data_misc_de_rollback_base_path(const char* volume_uuid, userid_t user) { 205 return StringPrintf("%s/misc_de/%u/rollback", create_data_path(volume_uuid).c_str(), user); 206 } 207 208 std::string create_data_misc_ce_rollback_path(const char* volume_uuid, userid_t user, 209 int32_t snapshot_id) { 210 return StringPrintf("%s/%d", create_data_misc_ce_rollback_base_path(volume_uuid, user).c_str(), 211 snapshot_id); 212 } 213 214 std::string create_data_misc_de_rollback_path(const char* volume_uuid, userid_t user, 215 int32_t snapshot_id) { 216 return StringPrintf("%s/%d", create_data_misc_de_rollback_base_path(volume_uuid, user).c_str(), 217 snapshot_id); 218 } 219 220 std::string create_data_misc_ce_rollback_package_path(const char* volume_uuid, 221 userid_t user, int32_t snapshot_id, const char* package_name) { 222 return StringPrintf("%s/%s", 223 create_data_misc_ce_rollback_path(volume_uuid, user, snapshot_id).c_str(), package_name); 224 } 225 226 std::string create_data_misc_ce_rollback_package_path(const char* volume_uuid, 227 userid_t user, int32_t snapshot_id, const char* package_name, ino_t ce_rollback_inode) { 228 auto fallback = create_data_misc_ce_rollback_package_path(volume_uuid, user, snapshot_id, 229 package_name); 230 auto user_path = create_data_misc_ce_rollback_path(volume_uuid, user, snapshot_id); 231 return resolve_ce_path_by_inode_or_fallback(user_path, ce_rollback_inode, fallback); 232 } 233 234 std::string create_data_misc_de_rollback_package_path(const char* volume_uuid, 235 userid_t user, int32_t snapshot_id, const char* package_name) { 236 return StringPrintf("%s/%s", 237 create_data_misc_de_rollback_path(volume_uuid, user, snapshot_id).c_str(), package_name); 238 } 239 240 /** 241 * Create the path name for media for a certain userid. 242 */ 243 std::string create_data_media_path(const char* volume_uuid, userid_t userid) { 244 return StringPrintf("%s/media/%u", create_data_path(volume_uuid).c_str(), userid); 245 } 246 247 std::string create_data_media_package_path(const char* volume_uuid, userid_t userid, 248 const char* data_type, const char* package_name) { 249 return StringPrintf("%s/Android/%s/%s", create_data_media_path(volume_uuid, userid).c_str(), 250 data_type, package_name); 251 } 252 253 std::string create_data_misc_legacy_path(userid_t userid) { 254 return StringPrintf("%s/misc/user/%u", create_data_path(nullptr).c_str(), userid); 255 } 256 257 std::string create_primary_cur_profile_dir_path(userid_t userid) { 258 return StringPrintf("%s/cur/%u", android_profiles_dir.c_str(), userid); 259 } 260 261 std::string create_primary_current_profile_package_dir_path(userid_t user, 262 const std::string& package_name) { 263 check_package_name(package_name.c_str()); 264 return StringPrintf("%s/%s", 265 create_primary_cur_profile_dir_path(user).c_str(), package_name.c_str()); 266 } 267 268 std::string create_primary_ref_profile_dir_path() { 269 return StringPrintf("%s/ref", android_profiles_dir.c_str()); 270 } 271 272 std::string create_primary_reference_profile_package_dir_path(const std::string& package_name) { 273 check_package_name(package_name.c_str()); 274 return StringPrintf("%s/ref/%s", android_profiles_dir.c_str(), package_name.c_str()); 275 } 276 277 std::string create_data_dalvik_cache_path() { 278 return "/data/dalvik-cache"; 279 } 280 281 // Keep profile paths in sync with ActivityThread and LoadedApk. 282 const std::string PROFILE_EXT = ".prof"; 283 const std::string CURRENT_PROFILE_EXT = ".cur"; 284 const std::string SNAPSHOT_PROFILE_EXT = ".snapshot"; 285 286 // Gets the parent directory and the file name for the given secondary dex path. 287 // Returns true on success, false on failure (if the dex_path does not have the expected 288 // structure). 289 static bool get_secondary_dex_location(const std::string& dex_path, 290 std::string* out_dir_name, std::string* out_file_name) { 291 size_t dirIndex = dex_path.rfind('/'); 292 if (dirIndex == std::string::npos) { 293 return false; 294 } 295 if (dirIndex == dex_path.size() - 1) { 296 return false; 297 } 298 *out_dir_name = dex_path.substr(0, dirIndex); 299 *out_file_name = dex_path.substr(dirIndex + 1); 300 301 return true; 302 } 303 304 std::string create_current_profile_path(userid_t user, const std::string& package_name, 305 const std::string& location, bool is_secondary_dex) { 306 if (is_secondary_dex) { 307 // Secondary dex current profiles are stored next to the dex files under the oat folder. 308 std::string dex_dir; 309 std::string dex_name; 310 CHECK(get_secondary_dex_location(location, &dex_dir, &dex_name)) 311 << "Unexpected dir structure for secondary dex " << location; 312 return StringPrintf("%s/oat/%s%s%s", 313 dex_dir.c_str(), dex_name.c_str(), CURRENT_PROFILE_EXT.c_str(), 314 PROFILE_EXT.c_str()); 315 } else { 316 // Profiles for primary apks are under /data/misc/profiles/cur. 317 std::string profile_dir = create_primary_current_profile_package_dir_path( 318 user, package_name); 319 return StringPrintf("%s/%s", profile_dir.c_str(), location.c_str()); 320 } 321 } 322 323 std::string create_reference_profile_path(const std::string& package_name, 324 const std::string& location, bool is_secondary_dex) { 325 if (is_secondary_dex) { 326 // Secondary dex reference profiles are stored next to the dex files under the oat folder. 327 std::string dex_dir; 328 std::string dex_name; 329 CHECK(get_secondary_dex_location(location, &dex_dir, &dex_name)) 330 << "Unexpected dir structure for secondary dex " << location; 331 return StringPrintf("%s/oat/%s%s", 332 dex_dir.c_str(), dex_name.c_str(), PROFILE_EXT.c_str()); 333 } else { 334 // Reference profiles for primary apks are stored in /data/misc/profile/ref. 335 std::string profile_dir = create_primary_reference_profile_package_dir_path(package_name); 336 return StringPrintf("%s/%s", profile_dir.c_str(), location.c_str()); 337 } 338 } 339 340 std::string create_snapshot_profile_path(const std::string& package, 341 const std::string& profile_name) { 342 std::string ref_profile = create_reference_profile_path(package, profile_name, 343 /*is_secondary_dex*/ false); 344 return ref_profile + SNAPSHOT_PROFILE_EXT; 345 } 346 347 std::vector<userid_t> get_known_users(const char* volume_uuid) { 348 std::vector<userid_t> users; 349 350 // We always have an owner 351 users.push_back(0); 352 353 std::string path(create_data_path(volume_uuid) + "/" + SECONDARY_USER_PREFIX); 354 DIR* dir = opendir(path.c_str()); 355 if (dir == nullptr) { 356 // Unable to discover other users, but at least return owner 357 PLOG(ERROR) << "Failed to opendir " << path; 358 return users; 359 } 360 361 struct dirent* ent; 362 while ((ent = readdir(dir))) { 363 if (ent->d_type != DT_DIR) { 364 continue; 365 } 366 367 char* end; 368 userid_t user = strtol(ent->d_name, &end, 10); 369 if (*end == '\0' && user != 0) { 370 LOG(DEBUG) << "Found valid user " << user; 371 users.push_back(user); 372 } 373 } 374 closedir(dir); 375 376 return users; 377 } 378 379 int calculate_tree_size(const std::string& path, int64_t* size, 380 int32_t include_gid, int32_t exclude_gid, bool exclude_apps) { 381 FTS *fts; 382 FTSENT *p; 383 int64_t matchedSize = 0; 384 char *argv[] = { (char*) path.c_str(), nullptr }; 385 if (!(fts = fts_open(argv, FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV, nullptr))) { 386 if (errno != ENOENT) { 387 PLOG(ERROR) << "Failed to fts_open " << path; 388 } 389 return -1; 390 } 391 while ((p = fts_read(fts)) != nullptr) { 392 switch (p->fts_info) { 393 case FTS_D: 394 case FTS_DEFAULT: 395 case FTS_F: 396 case FTS_SL: 397 case FTS_SLNONE: 398 int32_t uid = p->fts_statp->st_uid; 399 int32_t gid = p->fts_statp->st_gid; 400 int32_t user_uid = multiuser_get_app_id(uid); 401 int32_t user_gid = multiuser_get_app_id(gid); 402 if (exclude_apps && ((user_uid >= AID_APP_START && user_uid <= AID_APP_END) 403 || (user_gid >= AID_CACHE_GID_START && user_gid <= AID_CACHE_GID_END) 404 || (user_gid >= AID_SHARED_GID_START && user_gid <= AID_SHARED_GID_END))) { 405 // Don't traverse inside or measure 406 fts_set(fts, p, FTS_SKIP); 407 break; 408 } 409 if (include_gid != -1 && gid != include_gid) { 410 break; 411 } 412 if (exclude_gid != -1 && gid == exclude_gid) { 413 break; 414 } 415 matchedSize += (p->fts_statp->st_blocks * 512); 416 break; 417 } 418 } 419 fts_close(fts); 420 #if MEASURE_DEBUG 421 if ((include_gid == -1) && (exclude_gid == -1)) { 422 LOG(DEBUG) << "Measured " << path << " size " << matchedSize; 423 } else { 424 LOG(DEBUG) << "Measured " << path << " size " << matchedSize << "; include " << include_gid 425 << " exclude " << exclude_gid; 426 } 427 #endif 428 *size += matchedSize; 429 return 0; 430 } 431 432 /** 433 * Checks whether the package name is valid. Returns -1 on error and 434 * 0 on success. 435 */ 436 bool is_valid_package_name(const std::string& packageName) { 437 // This logic is borrowed from PackageParser.java 438 bool hasSep = false; 439 bool front = true; 440 441 auto it = packageName.begin(); 442 for (; it != packageName.end() && *it != '-'; it++) { 443 char c = *it; 444 if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) { 445 front = false; 446 continue; 447 } 448 if (!front) { 449 if ((c >= '0' && c <= '9') || c == '_') { 450 continue; 451 } 452 } 453 if (c == '.') { 454 hasSep = true; 455 front = true; 456 continue; 457 } 458 LOG(WARNING) << "Bad package character " << c << " in " << packageName; 459 return false; 460 } 461 462 if (front) { 463 LOG(WARNING) << "Missing separator in " << packageName; 464 return false; 465 } 466 467 for (; it != packageName.end(); it++) { 468 char c = *it; 469 if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) continue; 470 if ((c >= '0' && c <= '9') || c == '_' || c == '-' || c == '=') continue; 471 LOG(WARNING) << "Bad suffix character " << c << " in " << packageName; 472 return false; 473 } 474 475 return true; 476 } 477 478 static int _delete_dir_contents(DIR *d, 479 int (*exclusion_predicate)(const char *name, const int is_dir)) 480 { 481 int result = 0; 482 struct dirent *de; 483 int dfd; 484 485 dfd = dirfd(d); 486 487 if (dfd < 0) return -1; 488 489 while ((de = readdir(d))) { 490 const char *name = de->d_name; 491 492 /* check using the exclusion predicate, if provided */ 493 if (exclusion_predicate && exclusion_predicate(name, (de->d_type == DT_DIR))) { 494 continue; 495 } 496 497 if (de->d_type == DT_DIR) { 498 int subfd; 499 DIR *subdir; 500 501 /* always skip "." and ".." */ 502 if (name[0] == '.') { 503 if (name[1] == 0) continue; 504 if ((name[1] == '.') && (name[2] == 0)) continue; 505 } 506 507 subfd = openat(dfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC); 508 if (subfd < 0) { 509 ALOGE("Couldn't openat %s: %s\n", name, strerror(errno)); 510 result = -1; 511 continue; 512 } 513 subdir = fdopendir(subfd); 514 if (subdir == nullptr) { 515 ALOGE("Couldn't fdopendir %s: %s\n", name, strerror(errno)); 516 close(subfd); 517 result = -1; 518 continue; 519 } 520 if (_delete_dir_contents(subdir, exclusion_predicate)) { 521 result = -1; 522 } 523 closedir(subdir); 524 if (unlinkat(dfd, name, AT_REMOVEDIR) < 0) { 525 ALOGE("Couldn't unlinkat %s: %s\n", name, strerror(errno)); 526 result = -1; 527 } 528 } else { 529 if (unlinkat(dfd, name, 0) < 0) { 530 ALOGE("Couldn't unlinkat %s: %s\n", name, strerror(errno)); 531 result = -1; 532 } 533 } 534 } 535 536 return result; 537 } 538 539 int create_dir_if_needed(const std::string& pathname, mode_t perms) { 540 struct stat st; 541 542 int rc; 543 if ((rc = stat(pathname.c_str(), &st)) != 0) { 544 if (errno == ENOENT) { 545 return mkdir(pathname.c_str(), perms); 546 } else { 547 return rc; 548 } 549 } else if (!S_ISDIR(st.st_mode)) { 550 LOG(DEBUG) << pathname << " is not a folder"; 551 return -1; 552 } 553 554 mode_t actual_perms = st.st_mode & ALLPERMS; 555 if (actual_perms != perms) { 556 LOG(WARNING) << pathname << " permissions " << actual_perms << " expected " << perms; 557 return -1; 558 } 559 560 return 0; 561 } 562 563 int delete_dir_contents(const std::string& pathname, bool ignore_if_missing) { 564 return delete_dir_contents(pathname.c_str(), 0, nullptr, ignore_if_missing); 565 } 566 567 int delete_dir_contents_and_dir(const std::string& pathname, bool ignore_if_missing) { 568 return delete_dir_contents(pathname.c_str(), 1, nullptr, ignore_if_missing); 569 } 570 571 int delete_dir_contents(const char *pathname, 572 int also_delete_dir, 573 int (*exclusion_predicate)(const char*, const int), 574 bool ignore_if_missing) 575 { 576 int res = 0; 577 DIR *d; 578 579 d = opendir(pathname); 580 if (d == nullptr) { 581 if (ignore_if_missing && (errno == ENOENT)) { 582 return 0; 583 } 584 ALOGE("Couldn't opendir %s: %s\n", pathname, strerror(errno)); 585 return -errno; 586 } 587 res = _delete_dir_contents(d, exclusion_predicate); 588 closedir(d); 589 if (also_delete_dir) { 590 if (rmdir(pathname)) { 591 ALOGE("Couldn't rmdir %s: %s\n", pathname, strerror(errno)); 592 res = -1; 593 } 594 } 595 return res; 596 } 597 598 int delete_dir_contents_fd(int dfd, const char *name) 599 { 600 int fd, res; 601 DIR *d; 602 603 fd = openat(dfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC); 604 if (fd < 0) { 605 ALOGE("Couldn't openat %s: %s\n", name, strerror(errno)); 606 return -1; 607 } 608 d = fdopendir(fd); 609 if (d == nullptr) { 610 ALOGE("Couldn't fdopendir %s: %s\n", name, strerror(errno)); 611 close(fd); 612 return -1; 613 } 614 res = _delete_dir_contents(d, nullptr); 615 closedir(d); 616 return res; 617 } 618 619 static int _copy_owner_permissions(int srcfd, int dstfd) 620 { 621 struct stat st; 622 if (fstat(srcfd, &st) != 0) { 623 return -1; 624 } 625 if (fchmod(dstfd, st.st_mode) != 0) { 626 return -1; 627 } 628 return 0; 629 } 630 631 static int _copy_dir_files(int sdfd, int ddfd, uid_t owner, gid_t group) 632 { 633 int result = 0; 634 if (_copy_owner_permissions(sdfd, ddfd) != 0) { 635 ALOGE("_copy_dir_files failed to copy dir permissions\n"); 636 } 637 if (fchown(ddfd, owner, group) != 0) { 638 ALOGE("_copy_dir_files failed to change dir owner\n"); 639 } 640 641 DIR *ds = fdopendir(sdfd); 642 if (ds == nullptr) { 643 ALOGE("Couldn't fdopendir: %s\n", strerror(errno)); 644 return -1; 645 } 646 struct dirent *de; 647 while ((de = readdir(ds))) { 648 if (de->d_type != DT_REG) { 649 continue; 650 } 651 652 const char *name = de->d_name; 653 int fsfd = openat(sdfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); 654 int fdfd = openat(ddfd, name, O_WRONLY | O_NOFOLLOW | O_CLOEXEC | O_CREAT, 0600); 655 if (fsfd == -1 || fdfd == -1) { 656 ALOGW("Couldn't copy %s: %s\n", name, strerror(errno)); 657 } else { 658 if (_copy_owner_permissions(fsfd, fdfd) != 0) { 659 ALOGE("Failed to change file permissions\n"); 660 } 661 if (fchown(fdfd, owner, group) != 0) { 662 ALOGE("Failed to change file owner\n"); 663 } 664 665 char buf[8192]; 666 ssize_t size; 667 while ((size = read(fsfd, buf, sizeof(buf))) > 0) { 668 write(fdfd, buf, size); 669 } 670 if (size < 0) { 671 ALOGW("Couldn't copy %s: %s\n", name, strerror(errno)); 672 result = -1; 673 } 674 } 675 close(fdfd); 676 close(fsfd); 677 } 678 679 return result; 680 } 681 682 int copy_dir_files(const char *srcname, 683 const char *dstname, 684 uid_t owner, 685 uid_t group) 686 { 687 int res = 0; 688 DIR *ds = nullptr; 689 DIR *dd = nullptr; 690 691 ds = opendir(srcname); 692 if (ds == nullptr) { 693 ALOGE("Couldn't opendir %s: %s\n", srcname, strerror(errno)); 694 return -errno; 695 } 696 697 mkdir(dstname, 0600); 698 dd = opendir(dstname); 699 if (dd == nullptr) { 700 ALOGE("Couldn't opendir %s: %s\n", dstname, strerror(errno)); 701 closedir(ds); 702 return -errno; 703 } 704 705 int sdfd = dirfd(ds); 706 int ddfd = dirfd(dd); 707 if (sdfd != -1 && ddfd != -1) { 708 res = _copy_dir_files(sdfd, ddfd, owner, group); 709 } else { 710 res = -errno; 711 } 712 closedir(dd); 713 closedir(ds); 714 return res; 715 } 716 717 int64_t data_disk_free(const std::string& data_path) { 718 struct statvfs sfs; 719 if (statvfs(data_path.c_str(), &sfs) == 0) { 720 return static_cast<int64_t>(sfs.f_bavail) * sfs.f_frsize; 721 } else { 722 PLOG(ERROR) << "Couldn't statvfs " << data_path; 723 return -1; 724 } 725 } 726 727 int get_path_inode(const std::string& path, ino_t *inode) { 728 struct stat buf; 729 memset(&buf, 0, sizeof(buf)); 730 if (stat(path.c_str(), &buf) != 0) { 731 PLOG(WARNING) << "Failed to stat " << path; 732 return -1; 733 } else { 734 *inode = buf.st_ino; 735 return 0; 736 } 737 } 738 739 /** 740 * Write the inode of a specific child file into the given xattr on the 741 * parent directory. This allows you to find the child later, even if its 742 * name is encrypted. 743 */ 744 int write_path_inode(const std::string& parent, const char* name, const char* inode_xattr) { 745 ino_t inode = 0; 746 uint64_t inode_raw = 0; 747 auto path = StringPrintf("%s/%s", parent.c_str(), name); 748 749 if (get_path_inode(path, &inode) != 0) { 750 // Path probably doesn't exist yet; ignore 751 return 0; 752 } 753 754 // Check to see if already set correctly 755 if (getxattr(parent.c_str(), inode_xattr, &inode_raw, sizeof(inode_raw)) == sizeof(inode_raw)) { 756 if (inode_raw == inode) { 757 // Already set correctly; skip writing 758 return 0; 759 } else { 760 PLOG(WARNING) << "Mismatched inode value; found " << inode 761 << " on disk but marked value was " << inode_raw << "; overwriting"; 762 } 763 } 764 765 inode_raw = inode; 766 if (setxattr(parent.c_str(), inode_xattr, &inode_raw, sizeof(inode_raw), 0) != 0 && errno != EOPNOTSUPP) { 767 PLOG(ERROR) << "Failed to write xattr " << inode_xattr << " at " << parent; 768 return -1; 769 } else { 770 return 0; 771 } 772 } 773 774 /** 775 * Read the inode of a specific child file from the given xattr on the 776 * parent directory. Returns a currently valid path for that child, which 777 * might have an encrypted name. 778 */ 779 std::string read_path_inode(const std::string& parent, const char* name, const char* inode_xattr) { 780 ino_t inode = 0; 781 uint64_t inode_raw = 0; 782 auto fallback = StringPrintf("%s/%s", parent.c_str(), name); 783 784 // Lookup the inode value written earlier 785 if (getxattr(parent.c_str(), inode_xattr, &inode_raw, sizeof(inode_raw)) == sizeof(inode_raw)) { 786 inode = inode_raw; 787 } 788 789 // For testing purposes, rely on the inode when defined; this could be 790 // optimized to use access() in the future. 791 if (inode != 0) { 792 DIR* dir = opendir(parent.c_str()); 793 if (dir == nullptr) { 794 PLOG(ERROR) << "Failed to opendir " << parent; 795 return fallback; 796 } 797 798 struct dirent* ent; 799 while ((ent = readdir(dir))) { 800 if (ent->d_ino == inode) { 801 auto resolved = StringPrintf("%s/%s", parent.c_str(), ent->d_name); 802 #if DEBUG_XATTRS 803 if (resolved != fallback) { 804 LOG(DEBUG) << "Resolved path " << resolved << " for inode " << inode 805 << " instead of " << fallback; 806 } 807 #endif 808 closedir(dir); 809 return resolved; 810 } 811 } 812 LOG(WARNING) << "Failed to resolve inode " << inode << "; using " << fallback; 813 closedir(dir); 814 return fallback; 815 } else { 816 return fallback; 817 } 818 } 819 820 void remove_path_xattr(const std::string& path, const char* inode_xattr) { 821 if (removexattr(path.c_str(), inode_xattr) && errno != ENODATA) { 822 PLOG(ERROR) << "Failed to remove xattr " << inode_xattr << " at " << path; 823 } 824 } 825 826 /** 827 * Validate that the path is valid in the context of the provided directory. 828 * The path is allowed to have at most one subdirectory and no indirections 829 * to top level directories (i.e. have ".."). 830 */ 831 static int validate_path(const std::string& dir, const std::string& path, int maxSubdirs) { 832 // Argument sanity checking 833 if (dir.find('/') != 0 || dir.rfind('/') != dir.size() - 1 834 || dir.find("..") != std::string::npos) { 835 LOG(ERROR) << "Invalid directory " << dir; 836 return -1; 837 } 838 if (path.find("..") != std::string::npos) { 839 LOG(ERROR) << "Invalid path " << path; 840 return -1; 841 } 842 843 if (path.compare(0, dir.size(), dir) != 0) { 844 // Common case, path isn't under directory 845 return -1; 846 } 847 848 // Count number of subdirectories 849 auto pos = path.find('/', dir.size()); 850 int count = 0; 851 while (pos != std::string::npos) { 852 auto next = path.find('/', pos + 1); 853 if (next > pos + 1) { 854 count++; 855 } 856 pos = next; 857 } 858 859 if (count > maxSubdirs) { 860 LOG(ERROR) << "Invalid path depth " << path << " when tested against " << dir; 861 return -1; 862 } 863 864 return 0; 865 } 866 867 /** 868 * Checks whether a path points to a system app (.apk file). Returns 0 869 * if it is a system app or -1 if it is not. 870 */ 871 int validate_system_app_path(const char* path) { 872 std::string path_ = path; 873 for (const auto& dir : android_system_dirs) { 874 if (validate_path(dir, path, 1) == 0) { 875 return 0; 876 } 877 } 878 return -1; 879 } 880 881 bool validate_secondary_dex_path(const std::string& pkgname, const std::string& dex_path, 882 const char* volume_uuid, int uid, int storage_flag) { 883 CHECK(storage_flag == FLAG_STORAGE_CE || storage_flag == FLAG_STORAGE_DE); 884 885 // Empty paths are not allowed. 886 if (dex_path.empty()) { return false; } 887 // First character should always be '/'. No relative paths. 888 if (dex_path[0] != '/') { return false; } 889 // The last character should not be '/'. 890 if (dex_path[dex_path.size() - 1] == '/') { return false; } 891 // There should be no '.' after the directory marker. 892 if (dex_path.find("/.") != std::string::npos) { return false; } 893 // The path should be at most PKG_PATH_MAX long. 894 if (dex_path.size() > PKG_PATH_MAX) { return false; } 895 896 // The dex_path should be under the app data directory. 897 std::string app_private_dir = storage_flag == FLAG_STORAGE_CE 898 ? create_data_user_ce_package_path( 899 volume_uuid, multiuser_get_user_id(uid), pkgname.c_str()) 900 : create_data_user_de_package_path( 901 volume_uuid, multiuser_get_user_id(uid), pkgname.c_str()); 902 903 if (strncmp(dex_path.c_str(), app_private_dir.c_str(), app_private_dir.size()) != 0) { 904 // The check above might fail if the dex file is accessed via the /data/user/0 symlink. 905 // If that's the case, attempt to validate against the user data link. 906 std::string app_private_dir_symlink = create_data_user_ce_package_path_as_user_link( 907 volume_uuid, multiuser_get_user_id(uid), pkgname.c_str()); 908 if (strncmp(dex_path.c_str(), app_private_dir_symlink.c_str(), 909 app_private_dir_symlink.size()) != 0) { 910 return false; 911 } 912 } 913 914 // If we got here we have a valid path. 915 return true; 916 } 917 918 /** 919 * Check whether path points to a valid path for an APK file. The path must 920 * begin with a whitelisted prefix path and must be no deeper than |maxSubdirs| within 921 * that path. Returns -1 when an invalid path is encountered and 0 when a valid path 922 * is encountered. 923 */ 924 static int validate_apk_path_internal(const std::string& path, int maxSubdirs) { 925 if (validate_path(android_app_dir, path, maxSubdirs) == 0) { 926 return 0; 927 } else if (validate_path(android_staging_dir, path, maxSubdirs) == 0) { 928 return 0; 929 } else if (validate_path(android_app_private_dir, path, maxSubdirs) == 0) { 930 return 0; 931 } else if (validate_path(android_app_ephemeral_dir, path, maxSubdirs) == 0) { 932 return 0; 933 } else if (validate_path(android_asec_dir, path, maxSubdirs) == 0) { 934 return 0; 935 } else if (android::base::StartsWith(path, android_mnt_expand_dir)) { 936 // Rewrite the path as if it were on internal storage, and test that 937 size_t end = path.find('/', android_mnt_expand_dir.size() + 1); 938 if (end != std::string::npos) { 939 auto modified = path; 940 modified.replace(0, end + 1, android_data_dir); 941 return validate_apk_path_internal(modified, maxSubdirs); 942 } 943 } 944 return -1; 945 } 946 947 int validate_apk_path(const char* path) { 948 return validate_apk_path_internal(path, 1 /* maxSubdirs */); 949 } 950 951 int validate_apk_path_subdirs(const char* path) { 952 return validate_apk_path_internal(path, 3 /* maxSubdirs */); 953 } 954 955 int ensure_config_user_dirs(userid_t userid) { 956 // writable by system, readable by any app within the same user 957 const int uid = multiuser_get_uid(userid, AID_SYSTEM); 958 const int gid = multiuser_get_uid(userid, AID_EVERYBODY); 959 960 // Ensure /data/misc/user/<userid> exists 961 auto path = create_data_misc_legacy_path(userid); 962 return fs_prepare_dir(path.c_str(), 0750, uid, gid); 963 } 964 965 int wait_child(pid_t pid) 966 { 967 int status; 968 pid_t got_pid; 969 970 while (1) { 971 got_pid = waitpid(pid, &status, 0); 972 if (got_pid == -1 && errno == EINTR) { 973 printf("waitpid interrupted, retrying\n"); 974 } else { 975 break; 976 } 977 } 978 if (got_pid != pid) { 979 ALOGW("waitpid failed: wanted %d, got %d: %s\n", 980 (int) pid, (int) got_pid, strerror(errno)); 981 return 1; 982 } 983 984 if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { 985 return 0; 986 } else { 987 return status; /* always nonzero */ 988 } 989 } 990 991 /** 992 * Prepare an app cache directory, which offers to fix-up the GID and 993 * directory mode flags during a platform upgrade. 994 * The app cache directory path will be 'parent'/'name'. 995 */ 996 int prepare_app_cache_dir(const std::string& parent, const char* name, mode_t target_mode, 997 uid_t uid, gid_t gid) { 998 auto path = StringPrintf("%s/%s", parent.c_str(), name); 999 struct stat st; 1000 if (stat(path.c_str(), &st) != 0) { 1001 if (errno == ENOENT) { 1002 // This is fine, just create it 1003 if (fs_prepare_dir_strict(path.c_str(), target_mode, uid, gid) != 0) { 1004 PLOG(ERROR) << "Failed to prepare " << path; 1005 return -1; 1006 } else { 1007 return 0; 1008 } 1009 } else { 1010 PLOG(ERROR) << "Failed to stat " << path; 1011 return -1; 1012 } 1013 } 1014 1015 mode_t actual_mode = st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO | S_ISGID); 1016 if (st.st_uid != uid) { 1017 // Mismatched UID is real trouble; we can't recover 1018 LOG(ERROR) << "Mismatched UID at " << path << ": found " << st.st_uid 1019 << " but expected " << uid; 1020 return -1; 1021 } else if (st.st_gid == gid && actual_mode == target_mode) { 1022 // Everything looks good! 1023 return 0; 1024 } else { 1025 // Mismatched GID/mode is recoverable; fall through to update 1026 LOG(DEBUG) << "Mismatched cache GID/mode at " << path << ": found " << st.st_gid 1027 << "/" << actual_mode << " but expected " << gid << "/" << target_mode; 1028 } 1029 1030 // Directory is owned correctly, but GID or mode mismatch means it's 1031 // probably a platform upgrade so we need to fix them 1032 FTS *fts; 1033 FTSENT *p; 1034 char *argv[] = { (char*) path.c_str(), nullptr }; 1035 if (!(fts = fts_open(argv, FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV, nullptr))) { 1036 PLOG(ERROR) << "Failed to fts_open " << path; 1037 return -1; 1038 } 1039 while ((p = fts_read(fts)) != nullptr) { 1040 switch (p->fts_info) { 1041 case FTS_DP: 1042 if (chmod(p->fts_path, target_mode) != 0) { 1043 PLOG(WARNING) << "Failed to chmod " << p->fts_path; 1044 } 1045 [[fallthrough]]; // to also set GID 1046 case FTS_F: 1047 if (chown(p->fts_path, -1, gid) != 0) { 1048 PLOG(WARNING) << "Failed to chown " << p->fts_path; 1049 } 1050 break; 1051 case FTS_SL: 1052 case FTS_SLNONE: 1053 if (lchown(p->fts_path, -1, gid) != 0) { 1054 PLOG(WARNING) << "Failed to chown " << p->fts_path; 1055 } 1056 break; 1057 } 1058 } 1059 fts_close(fts); 1060 return 0; 1061 } 1062 1063 // Collect all non empty profiles from the given directory and puts then into profile_paths. 1064 // The profiles are identified based on PROFILE_EXT extension. 1065 // If a subdirectory or profile file cannot be opened the method logs a warning and moves on. 1066 // It returns true if there were no errors at all, and false otherwise. 1067 static bool collect_profiles(DIR* d, 1068 const std::string& current_path, 1069 std::vector<std::string>* profiles_paths) { 1070 int32_t dir_fd = dirfd(d); 1071 if (dir_fd < 0) { 1072 return false; 1073 } 1074 1075 bool result = true; 1076 struct dirent* dir_entry; 1077 while ((dir_entry = readdir(d))) { 1078 std::string name = dir_entry->d_name; 1079 std::string local_path = current_path + "/" + name; 1080 1081 if (dir_entry->d_type == DT_REG) { 1082 // Check if this is a non empty profile file. 1083 if (EndsWith(name, PROFILE_EXT)) { 1084 struct stat st; 1085 if (stat(local_path.c_str(), &st) != 0) { 1086 PLOG(WARNING) << "Cannot stat local path " << local_path; 1087 result = false; 1088 continue; 1089 } else if (st.st_size > 0) { 1090 profiles_paths->push_back(local_path); 1091 } 1092 } 1093 } else if (dir_entry->d_type == DT_DIR) { 1094 // always skip "." and ".." 1095 if (name == "." || name == "..") { 1096 continue; 1097 } 1098 1099 unique_fd subdir_fd(openat(dir_fd, name.c_str(), 1100 O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)); 1101 if (subdir_fd < 0) { 1102 PLOG(WARNING) << "Could not open dir path " << local_path; 1103 result = false; 1104 continue; 1105 } 1106 1107 DIR* subdir = Fdopendir(std::move(subdir_fd)); 1108 if (subdir == nullptr) { 1109 PLOG(WARNING) << "Could not open dir path " << local_path; 1110 result = false; 1111 continue; 1112 } 1113 bool new_result = collect_profiles(subdir, local_path, profiles_paths); 1114 result = result && new_result; 1115 if (closedir(subdir) != 0) { 1116 PLOG(WARNING) << "Could not close dir path " << local_path; 1117 } 1118 } 1119 } 1120 1121 return result; 1122 } 1123 1124 bool collect_profiles(std::vector<std::string>* profiles_paths) { 1125 DIR* d = opendir(android_profiles_dir.c_str()); 1126 if (d == nullptr) { 1127 return false; 1128 } else { 1129 return collect_profiles(d, android_profiles_dir, profiles_paths); 1130 } 1131 } 1132 1133 void drop_capabilities(uid_t uid) { 1134 if (setgid(uid) != 0) { 1135 PLOG(ERROR) << "setgid(" << uid << ") failed in installd during dexopt"; 1136 exit(DexoptReturnCodes::kSetGid); 1137 } 1138 if (setuid(uid) != 0) { 1139 PLOG(ERROR) << "setuid(" << uid << ") failed in installd during dexopt"; 1140 exit(DexoptReturnCodes::kSetUid); 1141 } 1142 // drop capabilities 1143 struct __user_cap_header_struct capheader; 1144 struct __user_cap_data_struct capdata[2]; 1145 memset(&capheader, 0, sizeof(capheader)); 1146 memset(&capdata, 0, sizeof(capdata)); 1147 capheader.version = _LINUX_CAPABILITY_VERSION_3; 1148 if (capset(&capheader, &capdata[0]) < 0) { 1149 PLOG(ERROR) << "capset failed"; 1150 exit(DexoptReturnCodes::kCapSet); 1151 } 1152 } 1153 1154 } // namespace installd 1155 } // namespace android 1156
