1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef FUSE_H_
18 #define FUSE_H_
19 
20 #include <dirent.h>
21 #include <fcntl.h>
22 #include <linux/fuse.h>
23 #include <pthread.h>
24 #include <stdbool.h>
25 #include <stdlib.h>
26 #include <sys/param.h>
27 #include <sys/stat.h>
28 #include <sys/statfs.h>
29 #include <sys/types.h>
30 #include <sys/uio.h>
31 #include <unistd.h>
32 
33 #include <map>
34 #include <string>
35 
36 #include <android-base/logging.h>
37 #include <cutils/fs.h>
38 #include <cutils/multiuser.h>
39 #include <packagelistparser/packagelistparser.h>
40 
41 #include <private/android_filesystem_config.h>
42 
43 #define FUSE_TRACE 0
44 
45 #if FUSE_TRACE
46 static constexpr bool kEnableDLog = true;
47 #else  // FUSE_TRACE == 0
48 static constexpr bool kEnableDLog = false;
49 #endif
50 
51 // Use same strategy as DCHECK().
52 #define DLOG(x) \
53     if (kEnableDLog) LOG(x)
54 
55 /* Maximum number of bytes to write in one request. */
56 #define MAX_WRITE (256 * 1024)
57 
58 /* Maximum number of bytes to read in one request. */
59 #define MAX_READ (128 * 1024)
60 
61 /* Largest possible request.
62  * The request size is bounded by the maximum size of a FUSE_WRITE request because it has
63  * the largest possible data payload. */
64 #define MAX_REQUEST_SIZE (sizeof(struct fuse_in_header) + sizeof(struct fuse_write_in) + MAX_WRITE)
65 
66 namespace {
67 struct CaseInsensitiveCompare {
operatorCaseInsensitiveCompare68     bool operator()(const std::string& lhs, const std::string& rhs) const {
69         return strcasecmp(lhs.c_str(), rhs.c_str()) < 0;
70     }
71 };
72 }
73 
74 using AppIdMap = std::map<std::string, appid_t, CaseInsensitiveCompare>;
75 
76 /* Permission mode for a specific node. Controls how file permissions
77  * are derived for children nodes. */
78 typedef enum {
79     /* Nothing special; this node should just inherit from its parent. */
80     PERM_INHERIT,
81     /* This node is one level above a normal root; used for legacy layouts
82      * which use the first level to represent user_id. */
83     PERM_PRE_ROOT,
84     /* This node is "/" */
85     PERM_ROOT,
86     /* This node is "/Android" */
87     PERM_ANDROID,
88     /* This node is "/Android/data" */
89     PERM_ANDROID_DATA,
90     /* This node is "/Android/obb" */
91     PERM_ANDROID_OBB,
92     /* This node is "/Android/media" */
93     PERM_ANDROID_MEDIA,
94 } perm_t;
95 
96 struct handle {
97     int fd;
98 };
99 
100 struct dirhandle {
101     DIR *d;
102 };
103 
104 struct node {
105     __u32 refcount;
106     __u64 nid;
107     __u64 gen;
108     /*
109      * The inode number for this FUSE node. Note that this isn't stable across
110      * multiple invocations of the FUSE daemon.
111      */
112     __u32 ino;
113 
114     /* State derived based on current position in hierarchy. */
115     perm_t perm;
116     userid_t userid;
117     uid_t uid;
118     bool under_android;
119 
120     struct node *next;          /* per-dir sibling list */
121     struct node *child;         /* first contained file by this dir */
122     struct node *parent;        /* containing directory */
123 
124     size_t namelen;
125     char *name;
126     /* If non-null, this is the real name of the file in the underlying storage.
127      * This may differ from the field "name" only by case.
128      * strlen(actual_name) will always equal strlen(name), so it is safe to use
129      * namelen for both fields.
130      */
131     char *actual_name;
132 
133     /* If non-null, an exact underlying path that should be grafted into this
134      * position. Used to support things like OBB. */
135     char* graft_path;
136     size_t graft_pathlen;
137 
138     bool deleted;
139 };
140 
141 /* Global data for all FUSE mounts */
142 struct fuse_global {
143     pthread_mutex_t lock;
144 
145     uid_t uid;
146     gid_t gid;
147     bool multi_user;
148 
149     char source_path[PATH_MAX];
150     char obb_path[PATH_MAX];
151 
152     AppIdMap* package_to_appid;
153 
154     __u64 next_generation;
155     struct node root;
156 
157     /* Used to allocate unique inode numbers for fuse nodes. We use
158      * a simple counter based scheme where inode numbers from deleted
159      * nodes aren't reused. Note that inode allocations are not stable
160      * across multiple invocation of the sdcard daemon, but that shouldn't
161      * be a huge problem in practice.
162      *
163      * Note that we restrict inodes to 32 bit unsigned integers to prevent
164      * truncation on 32 bit processes when unsigned long long stat.st_ino is
165      * assigned to an unsigned long ino_t type in an LP32 process.
166      *
167      * Also note that fuse_attr and fuse_dirent inode values are 64 bits wide
168      * on both LP32 and LP64, but the fuse kernel code doesn't squash 64 bit
169      * inode numbers into 32 bit values on 64 bit kernels (see fuse_squash_ino
170      * in fs/fuse/inode.c).
171      *
172      * Accesses must be guarded by |lock|.
173      */
174     __u32 inode_ctr;
175 
176     struct fuse* fuse_default;
177     struct fuse* fuse_read;
178     struct fuse* fuse_write;
179 };
180 
181 /* Single FUSE mount */
182 struct fuse {
183     struct fuse_global* global;
184 
185     char dest_path[PATH_MAX];
186 
187     int fd;
188 
189     gid_t gid;
190     mode_t mask;
191 };
192 
193 /* Private data used by a single FUSE handler */
194 struct fuse_handler {
195     struct fuse* fuse;
196     int token;
197 
198     /* To save memory, we never use the contents of the request buffer and the read
199      * buffer at the same time.  This allows us to share the underlying storage. */
200     union {
201         __u8 request_buffer[MAX_REQUEST_SIZE];
202         __u8 read_buffer[MAX_READ + PAGE_SIZE];
203     };
204 };
205 
206 void handle_fuse_requests(struct fuse_handler* handler);
207 void derive_permissions_recursive_locked(struct fuse* fuse, struct node *parent);
208 
209 #endif  /* FUSE_H_ */
210