Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 783c90e9 authored by Sudheer Shanka's avatar Sudheer Shanka
Browse files

Allow sandboxed apps to access only package specific dirs. 

Bug: 130427780
Test: manual
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
Change-Id: Ie2d959c1cd8f44c48fb060c8ac5aa2d195298c8a
parent d5bf01ca

core/jni/com_android_internal_os_Zygote.cpp

+7 −2
Original line number Diff line number Diff line
@@ -877,8 +877,12 @@ static void MountEmulatedStorage(uid_t uid, jint mount_mode, 
    storage_source = "/mnt/runtime/default";

  } else if (mount_mode == MOUNT_EXTERNAL_READ) {

    storage_source = "/mnt/runtime/read";

  } else if (mount_mode == MOUNT_EXTERNAL_WRITE) {

  } else if (mount_mode == MOUNT_EXTERNAL_WRITE

      || mount_mode == MOUNT_EXTERNAL_LEGACY

      || mount_mode == MOUNT_EXTERNAL_INSTALLER) {

    storage_source = "/mnt/runtime/write";

  } else if (mount_mode == MOUNT_EXTERNAL_FULL) {

    storage_source = "/mnt/runtime/full";

  } else if (mount_mode == MOUNT_EXTERNAL_NONE && !force_mount_namespace) {

    // Sane default of no storage visible

    return;
@@ -894,7 +898,8 @@ static void MountEmulatedStorage(uid_t uid, jint mount_mode, 
    return;

  }



  if (GetBoolProperty(kIsolatedStorageSnapshot, GetBoolProperty(kIsolatedStorage, true))) {

  if (/* DISABLES CODE */ (false)

      && GetBoolProperty(kIsolatedStorageSnapshot, GetBoolProperty(kIsolatedStorage, true))) {

    if (mount_mode == MOUNT_EXTERNAL_FULL || mount_mode == MOUNT_EXTERNAL_LEGACY) {

      storage_source = (mount_mode == MOUNT_EXTERNAL_FULL)

          ? "/mnt/runtime/full" : "/mnt/runtime/write";

services/core/java/com/android/server/StorageManagerService.java

+3 −2
Original line number Diff line number Diff line
@@ -1679,6 +1679,7 @@ class StorageManagerService extends IStorageManager.Stub 
                ServiceManager.getService(Context.APP_OPS_SERVICE));

        try {

            mIAppOpsService.startWatchingMode(OP_REQUEST_INSTALL_PACKAGES, null, mAppOpsCallback);

            mIAppOpsService.startWatchingMode(OP_LEGACY_STORAGE, null, mAppOpsCallback);

        } catch (RemoteException e) {

        }
@@ -3443,7 +3444,7 @@ class StorageManagerService extends IStorageManager.Stub 
    }



    private String translateInternal(String path, int pid, int uid, boolean toSystem) {

        if (!ENABLE_ISOLATED_STORAGE) return path;

        if (true) return path;



        if (path.contains("/../")) {

            throw new SecurityException("Shady looking path " + path);
@@ -3873,7 +3874,7 @@ class StorageManagerService extends IStorageManager.Stub 
            if ((hasLegacy || requestedLegacy) && hasStorage) {

                return Zygote.MOUNT_EXTERNAL_LEGACY;

            } else {

                return Zygote.MOUNT_EXTERNAL_WRITE;

                return Zygote.MOUNT_EXTERNAL_DEFAULT;

            }

        } catch (RemoteException e) {

            // Should not happen