Loading core/java/android/os/ZygoteProcess.java +3 −3 Original line number Original line Diff line number Diff line Loading @@ -1318,15 +1318,15 @@ public class ZygoteProcess { Process.ProcessStartResult result; Process.ProcessStartResult result; try { try { // As app zygote is for generating isolated process, at the end it can't access // We will bind mount app data dirs so app zygote can't access /data/data, while // apps data, so doesn't need to its data info. // we don't need to bind mount storage dirs as /storage won't be mounted. result = startViaZygote(processClass, niceName, uid, gid, result = startViaZygote(processClass, niceName, uid, gid, gids, runtimeFlags, 0 /* mountExternal */, 0 /* targetSdkVersion */, seInfo, gids, runtimeFlags, 0 /* mountExternal */, 0 /* targetSdkVersion */, seInfo, abi, instructionSet, null /* appDataDir */, null /* invokeWith */, abi, instructionSet, null /* appDataDir */, null /* invokeWith */, true /* startChildZygote */, null /* packageName */, true /* startChildZygote */, null /* packageName */, ZYGOTE_POLICY_FLAG_SYSTEM_PROCESS /* zygotePolicyFlags */, false /* isTopApp */, ZYGOTE_POLICY_FLAG_SYSTEM_PROCESS /* zygotePolicyFlags */, false /* isTopApp */, null /* disabledCompatChanges */, null /* pkgDataInfoMap */, null /* disabledCompatChanges */, null /* pkgDataInfoMap */, null /* whitelistedDataInfoMap */, false /* bindMountAppsData*/, null /* whitelistedDataInfoMap */, true /* bindMountAppsData*/, /* bindMountAppStorageDirs */ false, extraArgs); /* bindMountAppStorageDirs */ false, extraArgs); } catch (ZygoteStartFailedEx ex) { } catch (ZygoteStartFailedEx ex) { Loading core/jni/com_android_internal_os_Zygote.cpp +8 −15 Original line number Original line Diff line number Diff line Loading 
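Review bot: The switch to `true /* bindMountAppsData*/` while `pkgDataInfoMap` and `whitelistedDataInfoMap` stay `null` means the native isolation path runs with an empty package list, and the app zygote's data view is then only whatever the native side sets up for an empty list (in this commit, the `/data/user/0` symlink and `/data/user_de/0`); the rewritten comment should state that dependency rather than only the intent. Suggested wording for the two comment lines: `// Bind-mount app data with an empty package list: the app zygote (and every child it forks) gets a /data/user view that contains no package directory at all.` followed by `// Storage dirs are not bind-mounted because mountExternal is 0, so /storage is not mounted here.` The enclosing try block and the method it belongs to continue outside the hunk.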
@@ -1359,7 +1359,13 @@ static void isolateAppData(JNIEnv* env, const std::vector<std::string>& merged_d } } closedir(dir); closedir(dir); bool legacySymlinkCreated = false; // Prepare default dirs for user 0 as user 0 always exists. int result = symlink("/data/data", "/data/user/0"); if (result != 0) { fail_fn(CREATE_ERROR("Failed to create symlink /data/user/0 %s", strerror(errno))); } PrepareDirIfNotPresent("/data/user_de/0", DEFAULT_DATA_DIR_PERMISSION, AID_ROOT, AID_ROOT, fail_fn); for (int i = 0; i < size; i += 3) { for (int i = 0; i < size; i += 3) { std::string const & packageName = merged_data_info_list[i]; std::string const & packageName = merged_data_info_list[i]; Loading Loading @@ -1400,17 +1406,8 @@ static void isolateAppData(JNIEnv* env, const std::vector<std::string>& merged_d char internalDeUserPath[PATH_MAX]; char internalDeUserPath[PATH_MAX]; snprintf(internalCeUserPath, PATH_MAX, "/data/user/%d", userId); snprintf(internalCeUserPath, PATH_MAX, "/data/user/%d", userId); snprintf(internalDeUserPath, PATH_MAX, "/data/user_de/%d", userId); snprintf(internalDeUserPath, PATH_MAX, "/data/user_de/%d", userId); // If it's user 0, create a symlink /data/user/0 -> /data/data, // If it's not user 0, create /data/user/$USER. // otherwise create /data/user/$USER if (userId == 0) { if (userId == 0) { if (!legacySymlinkCreated) { legacySymlinkCreated = true; int result = symlink(internalLegacyCePath, internalCeUserPath); if (result != 0) { fail_fn(CREATE_ERROR("Failed to create symlink %s %s", internalCeUserPath, strerror(errno))); } } actualCePath = internalLegacyCePath; actualCePath = internalLegacyCePath; } else { } else { PrepareDirIfNotPresent(internalCeUserPath, DEFAULT_DATA_DIR_PERMISSION, PrepareDirIfNotPresent(internalCeUserPath, DEFAULT_DATA_DIR_PERMISSION, Loading Loading 
@@ -1587,10 +1584,6 @@ static void BindMountStorageDirs(JNIEnv* env, jobjectArray pkg_data_info_list, // Fuse is ready, so we can start using fuse path. // Fuse is ready, so we can start using fuse path. int size = (pkg_data_info_list != nullptr) ? env->GetArrayLength(pkg_data_info_list) : 0; int size = (pkg_data_info_list != nullptr) ? env->GetArrayLength(pkg_data_info_list) : 0; if (size == 0) { fail_fn(CREATE_ERROR("Data package list cannot be empty")); } // Create tmpfs on Android/obb and Android/data so these 2 dirs won't enter fuse anymore. // Create tmpfs on Android/obb and Android/data so these 2 dirs won't enter fuse anymore. std::string androidObbDir = StringPrintf("/storage/emulated/%d/Android/obb", user_id); std::string androidObbDir = StringPrintf("/storage/emulated/%d/Android/obb", user_id); MountAppDataTmpFs(androidObbDir, fail_fn); MountAppDataTmpFs(androidObbDir, fail_fn); Loading services/core/java/com/android/server/am/ProcessList.java +12 −4 Original line number Original line Diff line number Diff line Loading 
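Review bot: Removing the `if (size == 0) fail_fn(...)` guard in BindMountStorageDirs turns an empty `pkg_data_info_list` from a start failure into a silent fail-closed state: the tmpfs mounts over `Android/obb` and `Android/data` still happen, and with nothing to bind-mount in, the process presumably sees empty directories. That is the right direction for isolated processes, but a regular app reaching this path with an accidentally empty list would now start with no access to its own `Android/data` instead of failing loudly, so the new behaviour deserves a comment at the removed-check location: `// An empty list is expected for isolated processes and the app zygote; the tmpfs below is still mounted, so the process sees empty Android/data and Android/obb and nothing is bind-mounted in.` In the isolateAppData hunk at @@ -1359 the new pre-loop block hard-codes `"/data/data"` and `"/data/user/0"` while the loop keeps using `internalLegacyCePath` and `internalCeUserPath`; if `internalLegacyCePath` is in scope there, reuse it so the two spellings cannot drift, and note that `int result` is now a function-scope local that any later `result` in the function would shadow. Both functions' bodies start and end outside these hunks.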
@@ -2214,11 +2214,11 @@ public final class ProcessList { app.setHasForegroundActivities(true); app.setHasForegroundActivities(true); } } final Map<String, Pair<String, Long>> pkgDataInfoMap; Map<String, Pair<String, Long>> pkgDataInfoMap; final Map<String, Pair<String, Long>> whitelistedAppDataInfoMap; Map<String, Pair<String, Long>> whitelistedAppDataInfoMap; boolean bindMountAppStorageDirs = false; boolean bindMountAppStorageDirs = false; boolean bindMountAppsData = mAppDataIsolationEnabled boolean bindMountAppsData = mAppDataIsolationEnabled && UserHandle.isApp(app.uid) && (UserHandle.isApp(app.uid) || UserHandle.isIsolated(app.uid)) && mPlatformCompat.isChangeEnabled(APP_DATA_DIRECTORY_ISOLATION, app.info); && mPlatformCompat.isChangeEnabled(APP_DATA_DIRECTORY_ISOLATION, app.info); // Get all packages belongs to the same shared uid. sharedPackages is empty array // Get all packages belongs to the same shared uid. sharedPackages is empty array Loading Loading @@ -2266,6 +2266,13 @@ public final class ProcessList { } } } } // If it's an isolated process, it should not even mount its own app data directories, // since it has no access to them anyway. if (app.isolated) { pkgDataInfoMap = null; whitelistedAppDataInfoMap = null; } final Process.ProcessStartResult startResult; final Process.ProcessStartResult startResult; if (hostingRecord.usesWebviewZygote()) { if (hostingRecord.usesWebviewZygote()) { startResult = startWebView(entryPoint, startResult = startWebView(entryPoint, Loading 
@@ -2276,13 +2283,14 @@ public final class ProcessList { } else if (hostingRecord.usesAppZygote()) { } else if (hostingRecord.usesAppZygote()) { final AppZygote appZygote = createAppZygoteForProcessIfNeeded(app); final AppZygote appZygote = createAppZygoteForProcessIfNeeded(app); // We can't isolate app data and storage data as parent zygote already did that. startResult = appZygote.getProcess().start(entryPoint, startResult = appZygote.getProcess().start(entryPoint, app.processName, uid, uid, gids, runtimeFlags, mountExternal, app.processName, uid, uid, gids, runtimeFlags, mountExternal, app.info.targetSdkVersion, seInfo, requiredAbi, instructionSet, app.info.targetSdkVersion, seInfo, requiredAbi, instructionSet, app.info.dataDir, null, app.info.packageName, app.info.dataDir, null, app.info.packageName, /*zygotePolicyFlags=*/ ZYGOTE_POLICY_FLAG_EMPTY, isTopApp, /*zygotePolicyFlags=*/ ZYGOTE_POLICY_FLAG_EMPTY, isTopApp, app.mDisabledCompatChanges, pkgDataInfoMap, whitelistedAppDataInfoMap, app.mDisabledCompatChanges, pkgDataInfoMap, whitelistedAppDataInfoMap, bindMountAppsData, bindMountAppStorageDirs, false, false, new String[]{PROC_START_SEQ_IDENT + app.startSeq}); new String[]{PROC_START_SEQ_IDENT + app.startSeq}); } else { } else { startResult = Process.start(entryPoint, startResult = Process.start(entryPoint, Loading Loading
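Review bot: In the @@ -2214 hunk an isolated uid is now admitted to `bindMountAppsData`, but the value is still gated by `mPlatformCompat.isChangeEnabled(APP_DATA_DIRECTORY_ISOLATION, app.info)`, and for an isolated process `app.info` is the host app's info, so a host that has the compat change disabled also leaves its isolated processes with the un-isolated `/data/data` view even though, as the new comment in the @@ -2266 hunk says, they have no legitimate access to those directories anyway. Unless the compat gate is deliberately meant to cover isolated children too, the isolated case can skip it: `&& (app.isolated || mPlatformCompat.isChangeEnabled(APP_DATA_DIRECTORY_ISOLATION, app.info));`. The `if (app.isolated)` null-out also runs after the maps have already been populated (and after anything derived from them in the lines between the hunks, which I cannot see), so consider moving it to where the maps are first assigned. In the @@ -2276 hunk the app-zygote start passes `false, false` while still handing over `pkgDataInfoMap` and `whitelistedAppDataInfoMap`; a short comment that those maps are ignored when `bindMountAppsData` is false would make the intent explicit. The enclosing startProcess method starts and ends outside these hunks.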
core/java/android/os/ZygoteProcess.java +3 −3 Original line number Original line Diff line number Diff line Loading @@ -1318,15 +1318,15 @@ public class ZygoteProcess { Process.ProcessStartResult result; Process.ProcessStartResult result; try { try { // As app zygote is for generating isolated process, at the end it can't access // We will bind mount app data dirs so app zygote can't access /data/data, while // apps data, so doesn't need to its data info. // we don't need to bind mount storage dirs as /storage won't be mounted. result = startViaZygote(processClass, niceName, uid, gid, result = startViaZygote(processClass, niceName, uid, gid, gids, runtimeFlags, 0 /* mountExternal */, 0 /* targetSdkVersion */, seInfo, gids, runtimeFlags, 0 /* mountExternal */, 0 /* targetSdkVersion */, seInfo, abi, instructionSet, null /* appDataDir */, null /* invokeWith */, abi, instructionSet, null /* appDataDir */, null /* invokeWith */, true /* startChildZygote */, null /* packageName */, true /* startChildZygote */, null /* packageName */, ZYGOTE_POLICY_FLAG_SYSTEM_PROCESS /* zygotePolicyFlags */, false /* isTopApp */, ZYGOTE_POLICY_FLAG_SYSTEM_PROCESS /* zygotePolicyFlags */, false /* isTopApp */, null /* disabledCompatChanges */, null /* pkgDataInfoMap */, null /* disabledCompatChanges */, null /* pkgDataInfoMap */, null /* whitelistedDataInfoMap */, false /* bindMountAppsData*/, null /* whitelistedDataInfoMap */, true /* bindMountAppsData*/, /* bindMountAppStorageDirs */ false, extraArgs); /* bindMountAppStorageDirs */ false, extraArgs); } catch (ZygoteStartFailedEx ex) { } catch (ZygoteStartFailedEx ex) { Loading
core/jni/com_android_internal_os_Zygote.cpp +8 −15 Original line number Original line Diff line number Diff line Loading @@ -1359,7 +1359,13 @@ static void isolateAppData(JNIEnv* env, const std::vector<std::string>& merged_d } } closedir(dir); closedir(dir); bool legacySymlinkCreated = false; // Prepare default dirs for user 0 as user 0 always exists. int result = symlink("/data/data", "/data/user/0"); if (result != 0) { fail_fn(CREATE_ERROR("Failed to create symlink /data/user/0 %s", strerror(errno))); } PrepareDirIfNotPresent("/data/user_de/0", DEFAULT_DATA_DIR_PERMISSION, AID_ROOT, AID_ROOT, fail_fn); for (int i = 0; i < size; i += 3) { for (int i = 0; i < size; i += 3) { std::string const & packageName = merged_data_info_list[i]; std::string const & packageName = merged_data_info_list[i]; Loading Loading @@ -1400,17 +1406,8 @@ static void isolateAppData(JNIEnv* env, const std::vector<std::string>& merged_d char internalDeUserPath[PATH_MAX]; char internalDeUserPath[PATH_MAX]; snprintf(internalCeUserPath, PATH_MAX, "/data/user/%d", userId); snprintf(internalCeUserPath, PATH_MAX, "/data/user/%d", userId); snprintf(internalDeUserPath, PATH_MAX, "/data/user_de/%d", userId); snprintf(internalDeUserPath, PATH_MAX, "/data/user_de/%d", userId); // If it's user 0, create a symlink /data/user/0 -> /data/data, // If it's not user 0, create /data/user/$USER. // otherwise create /data/user/$USER if (userId == 0) { if (userId == 0) { if (!legacySymlinkCreated) { legacySymlinkCreated = true; int result = symlink(internalLegacyCePath, internalCeUserPath); if (result != 0) { fail_fn(CREATE_ERROR("Failed to create symlink %s %s", internalCeUserPath, strerror(errno))); } } actualCePath = internalLegacyCePath; actualCePath = internalLegacyCePath; } else { } else { PrepareDirIfNotPresent(internalCeUserPath, DEFAULT_DATA_DIR_PERMISSION, PrepareDirIfNotPresent(internalCeUserPath, DEFAULT_DATA_DIR_PERMISSION, Loading Loading 
@@ -1587,10 +1584,6 @@ static void BindMountStorageDirs(JNIEnv* env, jobjectArray pkg_data_info_list, // Fuse is ready, so we can start using fuse path. // Fuse is ready, so we can start using fuse path. int size = (pkg_data_info_list != nullptr) ? env->GetArrayLength(pkg_data_info_list) : 0; int size = (pkg_data_info_list != nullptr) ? env->GetArrayLength(pkg_data_info_list) : 0; if (size == 0) { fail_fn(CREATE_ERROR("Data package list cannot be empty")); } // Create tmpfs on Android/obb and Android/data so these 2 dirs won't enter fuse anymore. // Create tmpfs on Android/obb and Android/data so these 2 dirs won't enter fuse anymore. std::string androidObbDir = StringPrintf("/storage/emulated/%d/Android/obb", user_id); std::string androidObbDir = StringPrintf("/storage/emulated/%d/Android/obb", user_id); MountAppDataTmpFs(androidObbDir, fail_fn); MountAppDataTmpFs(androidObbDir, fail_fn); Loading
services/core/java/com/android/server/am/ProcessList.java +12 −4 Original line number Original line Diff line number Diff line Loading @@ -2214,11 +2214,11 @@ public final class ProcessList { app.setHasForegroundActivities(true); app.setHasForegroundActivities(true); } } final Map<String, Pair<String, Long>> pkgDataInfoMap; Map<String, Pair<String, Long>> pkgDataInfoMap; final Map<String, Pair<String, Long>> whitelistedAppDataInfoMap; Map<String, Pair<String, Long>> whitelistedAppDataInfoMap; boolean bindMountAppStorageDirs = false; boolean bindMountAppStorageDirs = false; boolean bindMountAppsData = mAppDataIsolationEnabled boolean bindMountAppsData = mAppDataIsolationEnabled && UserHandle.isApp(app.uid) && (UserHandle.isApp(app.uid) || UserHandle.isIsolated(app.uid)) && mPlatformCompat.isChangeEnabled(APP_DATA_DIRECTORY_ISOLATION, app.info); && mPlatformCompat.isChangeEnabled(APP_DATA_DIRECTORY_ISOLATION, app.info); // Get all packages belongs to the same shared uid. sharedPackages is empty array // Get all packages belongs to the same shared uid. sharedPackages is empty array Loading Loading @@ -2266,6 +2266,13 @@ public final class ProcessList { } } } } // If it's an isolated process, it should not even mount its own app data directories, // since it has no access to them anyway. if (app.isolated) { pkgDataInfoMap = null; whitelistedAppDataInfoMap = null; } final Process.ProcessStartResult startResult; final Process.ProcessStartResult startResult; if (hostingRecord.usesWebviewZygote()) { if (hostingRecord.usesWebviewZygote()) { startResult = startWebView(entryPoint, startResult = startWebView(entryPoint, Loading 
@@ -2276,13 +2283,14 @@ public final class ProcessList { } else if (hostingRecord.usesAppZygote()) { } else if (hostingRecord.usesAppZygote()) { final AppZygote appZygote = createAppZygoteForProcessIfNeeded(app); final AppZygote appZygote = createAppZygoteForProcessIfNeeded(app); // We can't isolate app data and storage data as parent zygote already did that. startResult = appZygote.getProcess().start(entryPoint, startResult = appZygote.getProcess().start(entryPoint, app.processName, uid, uid, gids, runtimeFlags, mountExternal, app.processName, uid, uid, gids, runtimeFlags, mountExternal, app.info.targetSdkVersion, seInfo, requiredAbi, instructionSet, app.info.targetSdkVersion, seInfo, requiredAbi, instructionSet, app.info.dataDir, null, app.info.packageName, app.info.dataDir, null, app.info.packageName, /*zygotePolicyFlags=*/ ZYGOTE_POLICY_FLAG_EMPTY, isTopApp, /*zygotePolicyFlags=*/ ZYGOTE_POLICY_FLAG_EMPTY, isTopApp, app.mDisabledCompatChanges, pkgDataInfoMap, whitelistedAppDataInfoMap, app.mDisabledCompatChanges, pkgDataInfoMap, whitelistedAppDataInfoMap, bindMountAppsData, bindMountAppStorageDirs, false, false, new String[]{PROC_START_SEQ_IDENT + app.startSeq}); new String[]{PROC_START_SEQ_IDENT + app.startSeq}); } else { } else { startResult = Process.start(entryPoint, startResult = Process.start(entryPoint, Loading