Don't unmount /storage for early native processes

Motivation: Early processes launched before the runtime APEX - that hosts the bionic libs - is activated can't use the bionic libs from the APEX, but from the system partition (which we call the bootstrap bionic). Other processes after the APEX activation should use the bionic libs from the APEX. In order to let both types of processes to access the bionic libs via the same standard paths /system/lib/{libc|libdl|libm}.so, some mount namespace magic is used. To be specific, when the device boots, the init initially bind-mounts the bootstrap bionic libs to the standard paths with MS_PRIVATE. Early processes are then executed with their own mount namespaces (via unshare(CLONE_NEWNS)). After the runtime APEX is activated, init bind-mounts the bionic libs in the APEX to the same standard paths. Processes launched thereafter use the bionic libs from the APEX (which can be updated.) Important thing is that, since the propagation type of the mount points (the standard paths) is 'private', the new bind-mount events for the updated bionic libs should not affect the early processes. Otherwise, they would experience sudden change of bionic libs at runtime. However, other mount/unmounts events outside of the private mount points are still shared across early/late processes as before. This is made possible because the propagation type of / is 'shared' . Problem: vold uses the equality of the mount namespace to filter-out processes that share the global mount namespace (the namespace of the init). However, due to the aforementioned change, the early processes are not filtered out because they have different mount namespaces. As a result, umount2("/storage/") is executed on them and this unmount event becomes visible to the global mount namespace (because as mentioned before / is 'shared'). Solution: Fiter-out the early processes by skipping a native (non-Java) process whose UID is < AID_APP. The former condition is because all early processes are native ones; i.e., zygote is started after the runtime APEX is activated. The latter condition is to not filter-out native processes created locally by apps. Bug: 120266448 Test: m; device boots Change-Id: I054deedc4af8421854cf35be84e14995523a259a
6 years ago · 8d21c924d7
parent decda14f02
commit 8d21c924d7
2 changed files with 26 additions and 0 deletions
--- a/Android.bp
+++ b/Android.bp
@ -152,6 +152,9 @@ cc_library_static {
    shared_libs: [
        "android.hardware.health.storage@1.0",
    ],
+    whole_static_libs: [
+        "com.android.sysprop.apex",
+    ],
 }

 cc_binary {
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@ -33,6 +33,7 @@

 #include <linux/kdev_t.h>

+#include <ApexProperties.sysprop.h>
 #include <android-base/logging.h>
 #include <android-base/parseint.h>
 #include <android-base/properties.h>
@ -432,6 +433,8 @@ int VolumeManager::remountUid(uid_t uid, const std::string& mode) {
    struct stat sb;
    pid_t child;

+    static bool apexUpdatable = android::sysprop::ApexProperties::updatable().value_or(false);
+
    if (!(dir = opendir("/proc"))) {
        PLOG(ERROR) << "Failed to opendir";
        return -1;
@ -476,6 +479,26 @@ int VolumeManager::remountUid(uid_t uid, const std::string& mode) {
            goto next;
        }

+        if (apexUpdatable) {
+            std::string exeName;
+            // When ro.apex.bionic_updatable is set to true,
+            // some early native processes have mount namespaces that are different
+            // from that of the init. Therefore, above check can't filter them out.
+            // Since the propagation type of / is 'shared', unmounting /storage
+            // for the early native processes affects other processes including
+            // init. Filter out such processes by skipping if a process is a
+            // non-Java process whose UID is < AID_APP_START. (The UID condition
+            // is required to not filter out child processes spawned by apps.)
+            if (!android::vold::Readlinkat(pidFd, "exe", &exeName)) {
+                PLOG(WARNING) << "Failed to read exe name for " << de->d_name;
+                goto next;
+            }
+            if (!StartsWith(exeName, "/system/bin/app_process") && sb.st_uid < AID_APP_START) {
+                LOG(WARNING) << "Skipping due to native system process";
+                goto next;
+            }
+        }
+
        // We purposefully leave the namespace open across the fork
        nsFd = openat(pidFd, "ns/mnt", O_RDONLY);  // not O_CLOEXEC
        if (nsFd < 0) {