Allow forward locked apps to be in ASECs

We couldn't put forward-locked apps in ASEC containers before since we
didn't have any permissioned filesystems. This adds the ability for
forward-locked applications to be in ASEC containers.

This means that forward locked applications will be able to be on the SD
card now.

This change also removes the old type of forward-locking that placed
parts of apps in /data/app-private.  Now all forward-locked applications
will be in ASEC containers.

Change-Id: I17ae0b0d65a4a965ef33c0ac2c47e990e55707ad

Author: kruton

core/java/android/os/storage/IMountService.java

@@ -252,7 +252,7 @@ public String getVolumeState(String mountPoint) throws RemoteException {
              * an int consistent with MountServiceResultCode
              */
             public int createSecureContainer(String id, int sizeMb, String fstype, String key,
-                    int ownerUid) throws RemoteException {
+                    int ownerUid, boolean external) throws RemoteException {
                 Parcel _data = Parcel.obtain();
                 Parcel _reply = Parcel.obtain();
                 int _result;
@@ -263,6 +263,7 @@ public int createSecureContainer(String id, int sizeMb, String fstype, String ke
                     _data.writeString(fstype);
                     _data.writeString(key);
                     _data.writeInt(ownerUid);
+                    _data.writeInt(external ? 1 : 0);
                     mRemote.transact(Stub.TRANSACTION_createSecureContainer, _data, _reply, 0);
                     _reply.readException();
                     _result = _reply.readInt();
@@ -711,6 +712,31 @@ public String getSecureContainerFilesystemPath(String id) throws RemoteException
                 }
                 return _result;
             }
+
+            /**
+             * Fix permissions in a container which has just been created and
+             * populated. Returns an int consistent with MountServiceResultCode
+             */
+            public int fixPermissionsSecureContainer(String id, int gid, String filename)
+                    throws RemoteException {
+                Parcel _data = Parcel.obtain();
+                Parcel _reply = Parcel.obtain();
+                int _result;
+                try {
+                    _data.writeInterfaceToken(DESCRIPTOR);
+                    _data.writeString(id);
+                    _data.writeInt(gid);
+                    _data.writeString(filename);
+                    mRemote.transact(Stub.TRANSACTION_fixPermissionsSecureContainer, _data, _reply, 0);
+                    _reply.readException();
+                    _result = _reply.readInt();
+                } finally {
+                    _reply.recycle();
+                    _data.recycle();
+                }
+                return _result;
+
+            }
         }
 
         private static final String DESCRIPTOR = "IMountService";
@@ -781,6 +807,8 @@ public String getSecureContainerFilesystemPath(String id) throws RemoteException
 
         static final int TRANSACTION_verifyEncryptionPassword = IBinder.FIRST_CALL_TRANSACTION + 32;
 
+        static final int TRANSACTION_fixPermissionsSecureContainer = IBinder.FIRST_CALL_TRANSACTION + 33;
+
         /**
          * Cast an IBinder object into an IMountService interface, generating a
          * proxy if needed.
@@ -909,7 +937,10 @@ public boolean onTransact(int code, Parcel data, Parcel reply,
                     key = data.readString();
                     int ownerUid;
                     ownerUid = data.readInt();
-                    int resultCode = createSecureContainer(id, sizeMb, fstype, key, ownerUid);
+                    boolean external;
+                    external = 0 != data.readInt();
+                    int resultCode = createSecureContainer(id, sizeMb, fstype, key, ownerUid,
+                            external);
                     reply.writeNoException();
                     reply.writeInt(resultCode);
                     return true;
@@ -1109,6 +1140,19 @@ public boolean onTransact(int code, Parcel data, Parcel reply,
                     reply.writeInt(result);
                     return true;
                 }
+                case TRANSACTION_fixPermissionsSecureContainer: {
+                    data.enforceInterface(DESCRIPTOR);
+                    String id;
+                    id = data.readString();
+                    int gid;
+                    gid = data.readInt();
+                    String filename;
+                    filename = data.readString();
+                    int resultCode = fixPermissionsSecureContainer(id, gid, filename);
+                    reply.writeNoException();
+                    reply.writeInt(resultCode);
+                    return true;
+                }
             }
             return super.onTransact(code, data, reply, flags);
         }
@@ -1118,8 +1162,8 @@ public boolean onTransact(int code, Parcel data, Parcel reply,
      * Creates a secure container with the specified parameters. Returns an int
      * consistent with MountServiceResultCode
      */
-    public int createSecureContainer(String id, int sizeMb, String fstype, String key, int ownerUid)
-            throws RemoteException;
+    public int createSecureContainer(String id, int sizeMb, String fstype, String key,
+            int ownerUid, boolean external) throws RemoteException;
 
     /*
      * Destroy a secure container, and free up all resources associated with it.
@@ -1317,4 +1361,11 @@ public void unmountVolume(String mountPoint, boolean force, boolean removeEncryp
     public Parcelable[] getVolumeList() throws RemoteException;
 
     public String getSecureContainerFilesystemPath(String id) throws RemoteException;
+
+    /*
+     * Fix permissions in a container which has just been created and populated.
+     * Returns an int consistent with MountServiceResultCode
+     */
+    public int fixPermissionsSecureContainer(String id, int gid, String filename)
+            throws RemoteException;
 }

core/java/com/android/internal/app/IMediaContainerService.aidl

@@ -22,14 +22,14 @@ import android.content.pm.PackageInfoLite;
 import android.content.res.ObbInfo;
 
 interface IMediaContainerService {
-    String copyResourceToContainer(in Uri packageURI,
-                String containerId,
-                String key, String resFileName);
+    String copyResourceToContainer(in Uri packageURI, String containerId, String key,
+            String resFileName, String publicResFileName, boolean isExternal,
+            boolean isForwardLocked);
     int copyResource(in Uri packageURI,
                 in ParcelFileDescriptor outStream);
     PackageInfoLite getMinimalPackageInfo(in Uri fileUri, in int flags, in long threshold);
-    boolean checkInternalFreeStorage(in Uri fileUri, in long threshold);
-    boolean checkExternalFreeStorage(in Uri fileUri);
+    boolean checkInternalFreeStorage(in Uri fileUri, boolean isForwardLocked, in long threshold);
+    boolean checkExternalFreeStorage(in Uri fileUri, boolean isForwardLocked);
     ObbInfo getObbInfo(in String filename);
     long calculateDirectorySize(in String directory);
     /** Return file system stats: [0] is total bytes, [1] is available bytes */

core/java/com/android/internal/content/PackageHelper.java

@@ -67,17 +67,17 @@ public static IMountService getMountService() {
         return null;
     }
 
-    public static String createSdDir(int sizeMb, String cid,
-            String sdEncKey, int uid) {
+    public static String createSdDir(int sizeMb, String cid, String sdEncKey, int uid,
+            boolean isExternal) {
         // Create mount point via MountService
         IMountService mountService = getMountService();
 
         if (localLOGV)
             Log.i(TAG, "Size of container " + sizeMb + " MB");
 
         try {
-            int rc = mountService.createSecureContainer(
-                    cid, sizeMb, "fat", sdEncKey, uid);
+            int rc = mountService.createSecureContainer(cid, sizeMb, "ext4", sdEncKey, uid,
+                    isExternal);
             if (rc != StorageResultCode.OperationSucceeded) {
                 Log.e(TAG, "Failed to create secure container " + cid);
                 return null;
@@ -206,10 +206,21 @@ public static boolean isContainerMounted(String cid) {
        return false;
    }
 
-    public static void extractPublicFiles(String packagePath, File publicZipFile)
+    public static int extractPublicFiles(String packagePath, File publicZipFile)
             throws IOException {
-        final FileOutputStream fstr = new FileOutputStream(publicZipFile);
-        final ZipOutputStream publicZipOutStream = new ZipOutputStream(fstr);
+        final FileOutputStream fstr;
+        final ZipOutputStream publicZipOutStream;
+
+        if (publicZipFile == null) {
+            fstr = null;
+            publicZipOutStream = null;
+        } else {
+            fstr = new FileOutputStream(publicZipFile);
+            publicZipOutStream = new ZipOutputStream(fstr);
+        }
+
+        int size = 0;
+
         try {
             final ZipFile privateZip = new ZipFile(packagePath);
             try {
@@ -219,25 +230,29 @@ public static void extractPublicFiles(String packagePath, File publicZipFile)
                     if ("AndroidManifest.xml".equals(zipEntryName)
                             || "resources.arsc".equals(zipEntryName)
                             || zipEntryName.startsWith("res/")) {
-                        copyZipEntry(zipEntry, privateZip, publicZipOutStream);
+                        size += zipEntry.getSize();
+                        if (publicZipFile != null) {
+                            copyZipEntry(zipEntry, privateZip, publicZipOutStream);
+                        }
                     }
                 }
             } finally {
-                try {
-                    privateZip.close();
-                } catch (IOException e) {
-                }
+                try { privateZip.close(); } catch (IOException e) {}
             }
 
-            publicZipOutStream.finish();
-            publicZipOutStream.flush();
-            FileUtils.sync(fstr);
-            publicZipOutStream.close();
-            FileUtils.setPermissions(publicZipFile.getAbsolutePath(), FileUtils.S_IRUSR
-                    | FileUtils.S_IWUSR | FileUtils.S_IRGRP | FileUtils.S_IROTH, -1, -1);
+            if (publicZipFile != null) {
+                publicZipOutStream.finish();
+                publicZipOutStream.flush();
+                FileUtils.sync(fstr);
+                publicZipOutStream.close();
+                FileUtils.setPermissions(publicZipFile.getAbsolutePath(), FileUtils.S_IRUSR
+                        | FileUtils.S_IWUSR | FileUtils.S_IRGRP | FileUtils.S_IROTH, -1, -1);
+            }
         } finally {
             IoUtils.closeQuietly(publicZipOutStream);
         }
+
+        return size;
     }
 
     private static void copyZipEntry(ZipEntry zipEntry, ZipFile inZipFile,
@@ -265,4 +280,18 @@ private static void copyZipEntry(ZipEntry zipEntry, ZipFile inZipFile,
             IoUtils.closeQuietly(data);
         }
     }
+
+    public static boolean fixSdPermissions(String cid, int gid, String filename) {
+        try {
+            int rc = getMountService().fixPermissionsSecureContainer(cid, gid, filename);
+            if (rc != StorageResultCode.OperationSucceeded) {
+                Log.i(TAG, "Failed to fixperms container " + cid);
+                return false;
+            }
+            return true;
+        } catch (RemoteException e) {
+            Log.e(TAG, "Failed to fixperms container " + cid + " with exception " + e);
+        }
+        return false;
+    }
 }

core/tests/coretests/src/android/content/pm/PackageHelperTests.java

@@ -81,7 +81,8 @@ protected void tearDown() throws Exception {
     public void testMountAndPullSdCard() {
         try {
             fullId = PREFIX;
-            fullId2 = PackageHelper.createSdDir(1024, fullId, "none", android.os.Process.myUid());
+            fullId2 = PackageHelper.createSdDir(1024, fullId, "none", android.os.Process.myUid(),
+                    true);
 
             Log.d(TAG,PackageHelper.getSdDir(fullId));
             PackageHelper.unMountSdDir(fullId);