android sdcard存储方案(基于fuse文件系统):之一

一、 启动三个相关service

按启动顺序,如下:

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount


service installd /system/bin/installd
    class main
    socket installd stream 600 system system


service sdcard /system/bin/sdcard -u 1023 -g 1023 -l /data/media /mnt/shell/emulated
    class late_start


上面三个service启动后,内置sdcard状态如下图:




注:

android_filesystem_config.h

#define AID_MEDIA_RW      1023  /* internal media storage write access */

#define AID_SDCARD_RW     1015  /* external storage write access */

#define AID_SDCARD_R      1028  /* external storage read access */


二、insalld service

frameworks/native/cmds/installd/installd.c 
installd 启动时将/data/media 目录创建好,并将预置资源迁移到/data/media/0目录

int initialize_directories() {
    int res = -1;

    // Read current filesystem layout version to handle upgrade paths
    char version_path[PATH_MAX];
    snprintf(version_path, PATH_MAX, "%s.layout_version", android_data_dir.path);

    int oldVersion;
    if (fs_read_atomic_int(version_path, &oldVersion) == -1) {
        oldVersion = 0;
    }
    int version = oldVersion;
    if (version == 0) {
        // Introducing multi-user, so migrate /data/media contents into /data/media/0
        ALOGD("Upgrading /data/media for multi-user");
        // Ensure /data/media
        if (fs_prepare_dir(android_media_dir.path, 0770, AID_MEDIA_RW, AID_MEDIA_RW) == -1) {
            goto fail;
        }
        // /data/media.tmp
        char media_tmp_dir[PATH_MAX];
        snprintf(media_tmp_dir, PATH_MAX, "%smedia.tmp", android_data_dir.path);
        // Only copy when upgrade not already in progress
        if (access(media_tmp_dir, F_OK) == -1) {
            if (rename(android_media_dir.path, media_tmp_dir) == -1) {
                ALOGE("Failed to move legacy media path: %s", strerror(errno));
                goto fail;
            }
        }
        // Create /data/media again
        if (fs_prepare_dir(android_media_dir.path, 0770, AID_MEDIA_RW, AID_MEDIA_RW) == -1) {
            goto fail;
        }
        // /data/media/0
        char owner_media_dir[PATH_MAX];
        snprintf(owner_media_dir, PATH_MAX, "%s0", android_media_dir.path);

        // Move any owner data into place
        if (access(media_tmp_dir, F_OK) == 0) {
            if (rename(media_tmp_dir, owner_media_dir) == -1) {
                ALOGE("Failed to move owner media path: %s", strerror(errno));
                goto fail;
            }
        }

  。。。。。。

 }


三、sdcard service


1、初始化fuse


static void fuse_init(struct fuse *fuse, int fd, const char *source_path,

        gid_t write_gid, derive_t derive, bool split_perms) {

 //此函数初始化重要的全局数据结构fuse,供后面创建的多线程使用

    这个全局结构体变量在run()函数中定义,因为run()函数永不退出,所以虽然fuse是函数内的局部变量,但它的内存其实永不释放。达相当于全局变量的效果啦。

/*********=============================================

提前将run函数注释说明fuse数据结构相关代码:

static int run(const char* source_path, const char* dest_path, uid_t uid,
        gid_t gid, gid_t write_gid, int num_threads, derive_t derive,
        bool split_perms) {
    int fd;
    char opts[256];
    int res;
   
struct fuse fuse;


    /* cleanup from previous instance, if necessary */
    umount2(dest_path, 2);

    ...................

        res = ignite_fuse(&fuse, num_threads);


    /* we do not attempt to umount the file system here because we are no longer
     * running as the root user */

*********================================================/

    pthread_mutex_init(&fuse->lock, NULL);         //初始化多线程互斥量
   
    fuse->fd = fd;      // dev/fuse 作为user space /kernel space 交互的设备节点
    fuse->next_generation = 0;

 // 系统启动时带-d / -l 或者不速这两个参数,会对 fuse->derive赋不同的值:  service sdcard /system/bin/sdcard -u 1023 -g 1023-l /data/media /mnt/shell/emulated

typedef enum {
    DERIVE_NONE,
    DERIVE_LEGACY,
    DERIVE_UNIFIED,
} derive_t;  

 // -l :derive初始化为DERIVE_LEGACY , -d :derive初始化为DERIVE_UNIFIED ,无这两参数:derive初始化为DERIVE_NONE/

// derive 初始化这几值有什么不同呢????
    fuse->derive = derive;                  
    fuse->split_perms = split_perms;
    fuse->write_gid = write_gid;        //w 

    memset(&fuse->root, 0, sizeof(fuse->root));
    fuse->root.nid = FUSE_ROOT_ID; /* 1 */   
    fuse->root.refcount = 2;
    fuse->root.namelen = strlen(source_path);
    fuse->root.name = strdup(source_path);        //这里记录根目录路径为:/data/media ,后面操作/mnt/shell/emulated会转换到/data/media
    fuse->root.userid = 0;
    fuse->root.uid = AID_ROOT;

    /* Set up root node for various modes of operation */
    switch (derive) {
        。。。。。。。。。。。。//derive 初始化为DERIVE_LEGACY
    case DERIVE_LEGACY:
        /* Legacy behavior used to support internal multiuser layout which
         * places user_id at the top directory level, with the actual roots
         * just below that. Shared OBB path is also at top level. */
        fuse->root.perm = PERM_LEGACY_PRE_ROOT;                 //初始化根目录node,sdcard.c也类似kernel fs为每个目录和文件维护了一个node结构体
        fuse->root.mode = 0771;
        fuse->root.gid = AID_SDCARD_R;
        fuse->package_to_appid = hashmapCreate(256, str_hash, str_icase_equals);
        fuse->appid_with_rw = hashmapCreate(128, int_hash, int_equals);
        snprintf(fuse->obbpath, sizeof(fuse->obbpath), "%s/obb", source_path);
        fs_prepare_dir(fuse->obbpath, 0775, getuid(), getgid());
        break;

    }

//容量控制
#ifdef LIMIT_SDCARD_SIZE
    struct statfs stat;
    if (statfs(fuse->root.name, &stat) < 0) {
        ERROR("get %s fs status fail \n",fuse->root.name);
fuse->free_size =0;
    }else{
fuse->free_size = stat.f_bfree*stat.f_bsize;
LOG("[fuse_debug]fuse.free_size =%lld \n",fuse->free_size);
    }
#endif
}


两个重要数据结构:fuse和node

/* Global data structure shared by all fuse handlers. */
struct fuse {
    pthread_mutex_t lock;

    __u64 next_generation;
    int fd;
    derive_t derive;
    bool split_perms;
    gid_t write_gid;
    struct node root;
    char obbpath[PATH_MAX];

    Hashmap* package_to_appid;           //hash map
    Hashmap* appid_with_rw;

#ifdef LIMIT_SDCARD_SIZE
__u64 free_size; //add by mtk for limit internal sdcard size
#endif
};


struct node {
    __u32 refcount;
    __u64 nid;                 // node id
    __u64 gen;

    /* State derived based on current position in hierarchy. */
    perm_t perm;
    userid_t userid;
    uid_t uid;
    gid_t gid;
    mode_t mode;

    struct node *next;          /* per-dir sibling list */
    struct node *child;         /* first contained file by this dir */
    struct node *parent;        /* containing directory */


    size_t namelen;
    char *name;
    /* If non-null, this is the real name of the file in the underlying storage.
     * This may differ from the field "name" only by case.
     * strlen(actual_name) will always equal strlen(name), so it is safe to use
     * namelen for both fields.
     */
    char *actual_name;

    /* If non-null, an exact underlying path that should be grafted into this
     * position. Used to support things like OBB. */
    char* graft_path;
    size_t graft_pathlen;
};


2、启动fuse

static int run(const char* source_path, const char* dest_path, uid_t uid,
        gid_t gid, gid_t write_gid, int num_threads, derive_t derive,
        bool split_perms) {
    int fd;
    char opts[256];
    int res;
    struct fuse fuse;   //这个局部变量,却起到全局变量的效果。

    /* cleanup from previous instance, if necessary */
    umount2(dest_path, 2);     //先做一次强制umount动作


     fd = open("/dev/fuse", O_RDWR);  //打开/dev/fuse字符型设备,这个fd将要传递到kernel fuse
    if (fd < 0){
        ERROR("cannot open fuse device: %s\n", strerror(errno));
        return -1;
    }
    snprintf(opts, sizeof(opts),
            "fd=%i,rootmode=40000,default_permissions,allow_other,user_id=%d,group_id=%d",
            fd, uid, gid);

    res = mount("/dev/fuse", dest_path, "fuse", MS_NOSUID | MS_NODEV, opts);      //将 /mnt/shell/emulated 挂载到/dev/fuse设备
    if (res < 0) {
        ERROR("cannot mount fuse filesystem: %s\n", strerror(errno));
        goto error;
    }
     //将sdcard的权限由root降为media_rw
    res = setgid(gid);
    if (res < 0) {
        ERROR("cannot setgid: %s\n", strerror(errno));
        goto error;
    }
    res = setuid(uid);
    if (res < 0) {
        ERROR("cannot setuid: %s\n", strerror(errno));
        goto error;
    }

     // /初始化重要的fuse数据结构  ,
    fuse_init(&fuse, fd, source_path, write_gid, derive, split_perms);
    umask(0);
   //创建 hander thread, 启动fuse
    res = ignite_fuse(&fuse, num_threads);      

    /* we do not attempt to umount the file system here because we are no longer
     * running as the root user */

error:
    close(fd);
    return res;
}
下面再看handler thread 创建,及启动。
关于pthread请看我转的一篇blog,写得非常好。

static int ignite_fuse(struct fuse* fuse, int num_threads)
{
    struct fuse_handler* handlers;
    int i;

    handlers = malloc(num_threads * sizeof(struct fuse_handler));
    if (!handlers) {
        ERROR("cannot allocate storage for threads\n");
        return -ENOMEM;
    }

    for (i = 0; i < num_threads; i++) {        // 默认num_threads==2  // #define DEFAULT_NUM_THREADS 2
        handlers[i].fuse = fuse;
        handlers[i].token = i;                         // 以线程号作为 token,标识handler 。 
    }

    /* When deriving permissions, this thread is used to process inotify events,
     * otherwise it becomes one of the FUSE handlers. */
    i = (fuse->derive == DERIVE_NONE) ? 1 : 0;
    for (; i < num_threads; i++) {
        ERROR("to start thread #%d \n", i);
        pthread_t thread;

      //service sdcard /system/bin/sdcard -u 1023 -g 1023-l /data/media /mnt/shell/emulated  

      // 启动sdcard service时带 -d / -l 参数, derive 为DERIVE_LEGACY或DERIVE_UNIFIED时。

  //为什么要两个线程?这两个线程要怎么同步吗?

        int res = pthread_create(&thread, NULL, start_handler, &handlers[i]);
        if (res) {
            ERROR("failed to start thread #%d, error=%d\n", i, res);
            goto quit;
        }
    }
    ERROR("fuse->derive #%d \n", fuse->derive);
    if (fuse->derive == DERIVE_NONE) {             handle_fuse_requests(&handlers[0]);       //derive 为DERIVE_NONE,主进程处理handlers[0] 
    } else {
        watch_package_list(fuse);    // 主进程watch文件:"/data/system/packages.list" 的delete通知事件! 

                                     // 可是watch到delete事件后,并没有做什么?可以android后续版本会有什么改进!!??
    }
    ERROR("terminated prematurely\n");
    /* don't bother killing all of the other threads or freeing anything,
     * should never get here anyhow */
quit:
    exit(1);
}

接上个的函数

static void handle_fuse_requests(struct fuse_handler* handler)
{
    struct fuse* fuse = handler->fuse;
    for (;;) {
        ssize_t len = read(fuse->fd,       //从字符型设备/dev/fuse中读取kernel fuse文件系统发送出来的处理请求包
                handler->request_buffer, sizeof(handler->request_buffer));   
  。。。。。。。
        const struct fuse_in_header *hdr = (void*)handler->request_buffer;        //请求包中解析出fuse request header
        if (hdr->len != (size_t)len) {
            ERROR("[%d] malformed header: len=%zu, hdr->len=%u\n",
                    handler->token, (size_t)len, hdr->len);
            continue;
        }
        const void *data = handler->request_buffer + sizeof(struct fuse_in_header);
        size_t data_len = len - sizeof(struct fuse_in_header);
        __u64 unique = hdr->unique;
        int res = handle_fuse_request(fuse, handler, hdr, data, data_len);         //处理kernel fuse requst请求包
        /* We do not access the request again after this point because the underlying
         * buffer storage may have been reused while processing the request. */
        if (res != NO_STATUS) {
            if (res) {
                TRACE("[%d] ERROR %d\n", handler->token, res);
            }
            fuse_status(fuse, unique, res);                 //返回fuse request请求的处理结果。
        }
    }
}


3、fuse请求包处理

先看几个相关的宏定义,及重要的结构体:struct fuse_handler 
/* Maximum number of bytes to write in one request. */
#define MAX_WRITE (256 * 1024)


/* Maximum number of bytes to read in one request. */
#define MAX_READ (128 * 1024)


/* Largest possible request.
 * The request size is bounded by the maximum size of a FUSE_WRITE request because it has
 * the largest possible data payload. */
#define MAX_REQUEST_SIZE (sizeof(struct fuse_in_header) + sizeof(struct fuse_write_in) + MAX_WRITE)



/* Private data used by a single fuse handler. */
struct fuse_handler {
    struct fuse* fuse;                //指向上面重点介绍过的全局变量fuse 
    int token;                              // 以线程号作为 token,标识handler 

    /* To save memory, we never use the contents of the request buffer and the read
     * buffer at the same time.  This allows us to share the underlying storage. */
    union {
        __u8 request_buffer[MAX_REQUEST_SIZE];     // 从这个数组大小的宏定义MAX_REQUEST_SIZE,可以看出它有两个作用:
  //1、保存从字符型设备/dev/fuse中读取kernel fuse文件系统发送出来的处理请求包。
  //2、保存从内核fuse write请求copy而来的需要通过ext4写入到存储设备的数据。
        __u8 read_buffer[MAX_READ];    //保存通过ext4从存储读取到的,需要通过内核fuse read请求,传上userspace app 的数据。
    };
};


sdcard service 与 kernel 文件系统的交互请求:
enum fuse_opcode {
FUSE_LOOKUP   = 1,
FUSE_FORGET   = 2,  /* no reply */
FUSE_GETATTR   = 3,
FUSE_SETATTR   = 4,
FUSE_READLINK   = 5,
FUSE_SYMLINK   = 6,
FUSE_MKNOD   = 8,
FUSE_MKDIR   = 9,
FUSE_UNLINK   = 10,
FUSE_RMDIR   = 11,
FUSE_RENAME   = 12,
FUSE_LINK   = 13,
FUSE_OPEN   = 14,
FUSE_READ   = 15,
FUSE_WRITE   = 16,
FUSE_STATFS   = 17,
FUSE_RELEASE       = 18,
FUSE_FSYNC         = 20,
FUSE_SETXATTR      = 21,
FUSE_GETXATTR      = 22,
FUSE_LISTXATTR     = 23,
FUSE_REMOVEXATTR   = 24,
FUSE_FLUSH         = 25,
FUSE_INIT          = 26,
FUSE_OPENDIR       = 27,
FUSE_READDIR       = 28,
FUSE_RELEASEDIR    = 29,
FUSE_FSYNCDIR      = 30,
FUSE_GETLK         = 31,
FUSE_SETLK         = 32,
FUSE_SETLKW        = 33,
FUSE_ACCESS        = 34,
FUSE_CREATE        = 35,
FUSE_INTERRUPT     = 36,
FUSE_BMAP          = 37,
FUSE_DESTROY       = 38,
FUSE_IOCTL         = 39,
FUSE_POLL          = 40,


/* CUSE specific operations */
CUSE_INIT          = 4096,
};


好了,了解上面这些后,看下面两fuse请求包处理函数就很容易了!

static void handle_fuse_requests(struct fuse_handler* handler)
{
    struct fuse* fuse = handler->fuse;
    for (;;) {
        ssize_t len = read(fuse->fd,       //从字符型设备/dev/fuse中读取kernel fuse文件系统发送出来的处理请求包,
                handler->request_buffer, sizeof(handler->request_buffer));    //如果是write请求命令,此时包里还有要写的数据。
  。。。。。。。
        const struct fuse_in_header *hdr = (void*)handler->request_buffer;         //请求包中解析出fuse request header
        if (hdr->len != (size_t)len) {
            ERROR("[%d] malformed header: len=%zu, hdr->len=%u\n",
                    handler->token, (size_t)len, hdr->len);
            continue;
        }
        const void *data = handler->request_buffer + sizeof(struct fuse_in_header);
        size_t data_len = len - sizeof(struct fuse_in_header);
        __u64 unique = hdr->unique;
        int res = handle_fuse_request(fuse, handler, hdr, data, data_len);          //处理kernel fuse requst请求包
        /* We do not access the request again after this point because the underlying
         * buffer storage may have been reused while processing the request. */
        if (res != NO_STATUS) {
            if (res) {
                TRACE("[%d] ERROR %d\n", handler->token, res);
            }
            fuse_status(fuse, unique, res);                 //返回fuse request请求的处理结果。
        }
    }
}


static int handle_fuse_request(struct fuse *fuse, struct fuse_handler* handler,
        const struct fuse_in_header *hdr, const void *data, size_t data_len)
{
    switch (hdr->opcode) {

    。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。

    case FUSE_OPEN: { /* open_in -> open_out */                              //打开要操作的文件, 记录文件描述符fd
        const struct fuse_open_in *req = data;
        return handle_open(fuse, handler, hdr, req);                     
    }


    //  READ / WRITE 操作都涉及到sdcard usrspace 与kernel fuse kernel spcace之间的读、写数据的内存copy交互。
    case FUSE_READ: { /* read_in -> byte[] */
        const struct fuse_read_in *req = data;
        return handle_read(fuse, handler, hdr, req);                         
    }


    case FUSE_WRITE: { /* write_in, byte[write_in.size] -> write_out */
        const struct fuse_write_in *req = data;
        const void* buffer = (const __u8*)data + sizeof(*req);
        return handle_write(fuse, handler, hdr, req, buffer);
    }

 。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
    
    }
}

4、derive permission授权


前面提到sdcard.c也类似kernel fs为每个目录和文件维护了一个node结构体,
下面围绕这个node来看整个权限控限过程就很明白了。

首先看看几个跟权限相关的enum :


定义的文件几种权限选则:
typedef enum {
/* Nothing special; this node should just inherit from its parent. */
PERM_INHERIT,
/* This node is one level above a normal root; used for legacy layouts
* which use the first level to represent user_id. */
PERM_LEGACY_PRE_ROOT,
/* This node is "/" */
PERM_ROOT,
/* This node is "/Android" */
PERM_ANDROID,
/* This node is "/Android/data" */
PERM_ANDROID_DATA,
/* This node is "/Android/obb" */
PERM_ANDROID_OBB,
/* This node is "/Android/user" */
PERM_ANDROID_USER,
} perm_t;  

权限控制的三种方法,
/* Permissions structure to derive */
typedef enum {
DERIVE_NONE,
DERIVE_LEGACY,    ====》用于内置sdcard ,主要用于多用户的权限控制
DERIVE_UNIFIED,    ====》用于外置sdcard

} derive_t;

==========================================
DERIVE_LEGACY
DERIVE_UNIFIED

这两个枚举fuck地让我迷糊很久啊,到底有什么不一样啊???分析下面的代码很久才搞明白。
==========================================


即下来看重要的node结构体 : 
struct node {
    __u32 refcount;     // node 的引用计数
    __u64 nid;      //node id ,用于唯一标识node,太聪明了,除root node 使用该node申请的内存指针地址作为id,肯定可以达到唯一性。


    /* State derived based on current position in hierarchy. */
    perm_t perm;                //权限控制方式
    userid_t userid;     //用户id,即,0、 1、 2、 3、 。。。。
    uid_t uid;         //uid
    gid_t gid;                                 //gid
    mode_t mode;                       //访问模式

    //node链就和vfs类似了……
    struct node *next;          /* per-dir sibling list */
    struct node *child;         /* first contained file by this dir */
    struct node *parent;        /* containing directory */


    size_t namelen;          //node 名长度
    char *name;          //node 名

};

下面fuse_init函数初始化fuse结构体前面已经说过的。
这里重点看fuse结构体里的root node结构的初始化。

static void fuse_init (struct fuse *fuse, int fd, const char *source_path,
        gid_t write_gid, derive_t derive, bool split_perms) {
    pthread_mutex_init(&fuse->lock, NULL);


    fuse->fd = fd;
    fuse->next_generation = 0; 
    fuse->derive = derive;
    fuse->split_perms = split_perms;
    fuse->write_gid = write_gid;                                      //初始设置有sdcard读写权限的gid

    memset(&fuse->root, 0, sizeof(fuse->root));                 // 创建第一个node,后面的node都往这里插入
    fuse->root.nid = FUSE_ROOT_ID; /* 1 */                       //  root node id  = 1 ,
    fuse->root.refcount = 2;
    fuse->root.namelen = strlen(source_path);
    fuse->root.name = strdup(source_path);                         // root node 对应的是什么呢?? 即根目录:'/data/media' , 不要以为是为是'/data/media/0 ' 啊 !
    fuse->root.userid = 0;
    fuse->root.uid = AID_ROOT;            // uid  :  root


    /* Set up root node for various modes of operation */
    switch (derive) {
    case DERIVE_NONE:        //无权限控制的方式,现在一般不用。无法selinux的要求吧!
        /* Traditional behavior that treats entire device as being accessible
         * to sdcard_rw, and no permissions are derived. */
        fuse->root.perm = PERM_ROOT;
        fuse->root.mode = 0775;
        fuse->root.gid = AID_SDCARD_RW;
        break;

    case DERIVE_LEGACY:           
//内置sdcard使用,支持多用户的访问独立sdcard数据权限控制方式,
//内置sdcard目录顶层为用户id为名的0、1、2、3等用户目录, data/media/0, data/media/1, data/media/2 ............... 等
//,目录顶层也包括/data/media/obb 目录
// data/media/userid 目录下/data/media/userid/Android/data/ 子目录才是app的么有数据 。
        /* Legacy behavior used to support internal multiuser layout which
         * places user_id at the top directory level, with the actual roots
         * just below that. Shared OBB path is also at top level. */
        fuse->root.perm = PERM_LEGACY_PRE_ROOT;                      //root node 的权限,后面根目录下根据useid创建的的0 , 1 ,,2 , 3 .....目录权限为:PERM_ROOT
        fuse->root.mode = 0771;
        fuse->root.gid = AID_SDCARD_R;                                                                                           // gid =  AID_SDCARD_R
        fuse->package_to_appid = hashmapCreate(256, str_hash, str_icase_equals);   // 初始hash Map ,用于做什么? 下面会详细说明,它跟权限有关就是。
        fuse->appid_with_rw = hashmapCreate(128, int_hash, int_equals);
        snprintf(fuse->obbpath, sizeof(fuse->obbpath), "%s/obb", source_path);
        fs_prepare_dir(fuse->obbpath, 0775, getuid(), getgid());              //  创建/data/media/obb 目录,用于apk独立数据访问权限控制的?

        LOG("[fuse_debug]obbpath =%s \n",fuse->obbpath);
        break;
    case DERIVE_UNIFIED:
        /* Unified multiuser layout which places secondary user_id under
         * /Android/user and shared OBB path under /Android/obb. */
// 不支持多用户的的权限控制方式。
//  外置sdcard目录顶层即为user 0的用户数据, 及Android/obb
// 而user 1开始的第二个用户数所都放在Android/user目录下 。
        fuse->root.perm = PERM_ROOT;                          // root node 的权限就为PERM_ROOT
        fuse->root.mode = 0771;
        fuse->root.gid = AID_SDCARD_R;
        fuse->package_to_appid = hashmapCreate(256, str_hash, str_icase_equals);
        fuse->appid_with_rw = hashmapCreate(128, int_hash, int_equals);
        snprintf(fuse->obbpath, sizeof(fuse->obbpath), "%s/Android/obb", source_path);
        break;
    }

}

再看下面的这个函数的作用:根据parent node的权限为新的child node 分配权限。

static void derive_permissions_locked(struct fuse* fuse, struct node *parent,
        struct node *node) {
    appid_t appid;


    /* By default, each node inherits from its parent */
    node->perm = PERM_INHERIT;
    node->userid = parent->userid;
    node->uid = parent->uid;                               //新的node默认 继承父node uid / gid 
    node->gid = parent->gid;

    node->mode = parent->mode;


    if (fuse->derive == DERIVE_NONE) {
        return;
    }
 //这里添加一条重要的log打印 
    TRACE("derive_permissions_locked %s 0%d  (%s)\n",
            node->name, parent->perm, parent->name);


    /* Derive custom permissions based on parent and current node */
    switch (parent->perm) {
    case PERM_INHERIT:
        /* Already inherited above */
        break;
    case PERM_LEGACY_PRE_ROOT:        // 内置sdcard的根目录权限为PERM_LEGACY_PRE_ROOT
        /* Legacy internal layout places users at top level */
        node->perm = PERM_ROOT;                                /内置sdcard的/根目录下,根据用户id创建的0、1、2、3等用户子目录,授权为: PERM_ROOT
        node->userid = strtoul(node->name, NULL, 10);   // userid设为0、1、2、3.......
        break;
    case PERM_ROOT:                                                     //外置sdcard,及内置sdcard根目录下的0、1、2、3等用户子目录的权限为:PERM_ROOT
        /* Assume masked off by default. */
        node->mode = 0770;
  // 下面为外置sdcard根目录下的子目录,及内置sdcard根目录下的0、1、2、3等用户子目录 授予不同权限 :  
        if (!strcasecmp(node->name, "Android")) {              //root/Android目录授权 
            /* App-specific directories inside; let anyone traverse */ 
            node->perm = PERM_ANDROID;                  
            node->mode = 0771; 
        } 
        break;
    case PERM_ANDROID:
        if (!strcasecmp(node->name, "data")) {                                                       // root/Android/data目录授权
            /* App-specific directories inside; let anyone traverse */
            node->perm = PERM_ANDROID_DATA;                               
            node->mode = 0771;
        } else if (!strcasecmp(node->name, "obb")) {            // root/Android/obb目录授权 
            /* App-specific directories inside; let anyone traverse */
            node->perm = PERM_ANDROID_OBB;
            node->mode = 0771;
            /* Single OBB directory is always shared */
            node->graft_path = fuse->obbpath;
            node->graft_pathlen = strlen(fuse->obbpath);
        } else if (!strcasecmp(node->name, "user")) {                                            // root/Android/user目录授权 , 同时修改gid
            /* User directories must only be accessible to system, protected
             * by sdcard_all. Zygote will bind mount the appropriate user-
             * specific path. */
            node->perm = PERM_ANDROID_USER;
            node->gid = AID_SDCARD_ALL;
            node->mode = 0770;
        }
        break;
    case PERM_ANDROID_DATA:                                    // root/Android/data 与  root/Android/obb 目录下的各子目录授权,appid作为uid,让该app独占该目录                       
    case PERM_ANDROID_OBB:
        appid = (appid_t) hashmapGet(fuse->package_to_appid, node->name);    //从haspMap里获取appid 
        if (appid != 0) {
            node->uid = multiuser_get_uid(parent->userid, appid);      // appid 作为uid,让该app才能有权限访问
        }
        node->mode = 0770;
        break;
    case PERM_ANDROID_USER:                  //roo t/Android/user目录授权目录下的的子录目授权,比如外置多用户:sdcard2/user/2 授权为根目录 PERM_ROOT
        /* Root of a secondary user */
        node->perm = PERM_ROOT;
        node->userid = strtoul(node->name, NULL, 10);
        node->gid = AID_SDCARD_R;
        node->mode = 0771;
        break;
    }
}

通过在derive_permissions_locked添加的一句打印log分析看看:

#define FUSE_TRACE 1  //打出sdcard service debug log 可以看到下面这些sdcard service 针对内置sdcard的log信息:
06-04 17:49:41.993   232   232 I sdcard  : source_path='/data/media', dest_path='/mnt/shell/emulated', derive=1, write_gid=1015

这里为根目录/data/media/0  授权02: PERM_ROOT
06-04 17:50:03.904   232   251 D sdcard  : [1] LOOKUP 0 @ 1 (/data/media)   
06-04 17:50:03.904   232   251 D sdcard  : derive_permissions_locked 0 01  (/data/media)

// 为/data/media/0 /Android 授权
06-04 17:50:09.023   232   251 D sdcard  : derive_permissions_locked Android 02  (0)

// 为/data/media/0 /Android/data  授权
06-04 17:50:09.038   232   250 D sdcard  : derive_permissions_locked data 03  (Android)


06-04 17:50:09.052   232   251 D sdcard  : derive_permissions_locked com.amap.android.location 04  (data)


下面通过/sdcard/Android/data目录的实际的授权结果是什么样的:
可以看到uid是随着app变化而变化的。
root@S850:/sdcard/Android/data # ls -Z   ////这个目录下创建的都是以app名为的子目录。
drwxrwx---
u0_a0    sdcard_r          u:object_r:sdcard_external:s0 com.amap.android.location
drwxrwx---
u0_a3    sdcard_r          u:object_r:sdcard_external:s0 com.lenovo.carapplication
drwxrwx---
u0_a67   sdcard_r          u:object_r:sdcard_external:s0 com.len


通过上面的代码分析, DERIVE_LEGACY 与 DERIVE_UNIFIED 的区别已经很清楚啦!

5、sdcard node访问权限控制


上面提到很多对node授权,实际访问是如何进行权限控制的呢? 其实就是通过上面偶有提到HashMap,下面仔细再看看。

fuse 结构体中有两个重要的HashMap变量,如下:
struct fuse {
 。。。。。。。
    Hashmap* package_to_appid;
    Hashmap* appid_with_rw;

 。。。。。。
};

fuse_init()函数中对这两个hashMap变量进行了初始化 ,请看:

static void fuse_init(struct fuse *fuse, int fd, const char *source_path,
        gid_t write_gid, derive_t derive, bool split_perms) {
。。。。。。。。。。。。。。。。
    /* Set up root node for various modes of operation */
    switch (derive) {
。。。。。。。。。。。。。。。。
    case DERIVE_LEGACY:
   //初始化了两个haspMap实例指针,具体怎么初始化的,请仔细看/system/core/libcutils/hashmap.c
        fuse->package_to_appid = hashmapCreate(256, str_hash, str_icase_equals);
        fuse->appid_with_rw = hashmapCreate(128, int_hash, int_equals);
。。。。。。。。。。。。。。


hashMap是如何创建的呢? 继续 ~……

ignite_fuse()函数启动两个fuse handle线程后,主进程调用watch_package_list()进入死循环,watch文件"/data/system/packages.list"。

注:packages.list这个文件的内容是系统在启动时扫描出的已安装的应用apk列表信息。内容例子如下:
root@:/data/system # cat packages.list                                     
com.lakala.android 10111 0 /data/data/com.lakala.android default 1028,1015,1023,3003
com.android.defcontainer 10004 0 /data/data/com.android.defcontainer platform 1028,1015,1023,2001,1035

下面我们分析一下主进程调用 watch_package_list()如何创建hashMap 的?
static void watch_package_list(struct fuse* fuse) {
。。。。。。
    bool active = false;
    while (1) {
        if (!active) {
            int res = inotify_add_watch(nfd, kPackagesListFile, IN_DELETE_SELF);
。。。。。。。。。
            /* Watch above will tell us about any future changes, so
             * read the current state. */
            if ( read_package_list(fuse) == -1) {   //解析文件packages.list内容,并创建hashMap 
                ERROR("read_package_list failed: %s\n", strerror(errno));
                return;
            }
            active = true;
        }

。。。。。。。。。。。。。。
}

hashMap的创建一切就在这里了!
static int read_package_list(struct fuse *fuse) {
    pthread_mutex_lock(&fuse->lock);
 
  //如果已有hashMap,则清干净。(如果watch到packages.list初删除,就要重新创建hashMap,那就要先清干净原来的旧值了)
    hashmapForEach(fuse->package_to_appid, remove_str_to_int, fuse->package_to_appid);
    hashmapForEach(fuse->appid_with_rw, remove_int_to_null, fuse->appid_with_rw);

    FILE* file = fopen(kPackagesListFile, "r");       //打开文件: packages.list
    if (!file) {
        ERROR("failed to open package list: %s\n", strerror(errno));
        pthread_mutex_unlock(&fuse->lock);
        return -1;
    }

    char buf[512];
    bool is_found = false;
    while (fgets(buf, sizeof(buf), file) != NULL) {       //读packages.list一行
        char package_name[512];
        int appid;
        char gids[512];


        is_found = false;
        //从packages.list读取的一行内容,比如:com.lakala.android 10111 0 /data/data/com.lakala.android default 1028,1015,1023,3003
   // 解析app名,appid,数据所在目录,app所属组s (可能属于多组啊!)
        if (sscanf(buf, "%s %d %*d %*s %*s %s", package_name, &appid, gids) == 3) {     // 
            char* package_name_dup = strdup(package_name);
            hashmapPut(fuse->package_to_appid, package_name_dup, (void*) appid);      // 以app name , app id 创建一个新的hashMap添加到package_to_appid, Map 如下:
/* 注:
struct Entry {
    void* key;       //app name
    int hash;          // app name's hash value
    void* value;       // app id
    Entry* next;
};
*/
            char* token = strtok(gids, ",");     
            while (token != NULL) {
                if (strtoul(token, NULL, 10) == fuse->write_gid) {   //从上面获取到的app所属组s, 判断是否该app属组 fuse->write_gid(AID_SDCARD_RW)。
           hashmapPut(fuse->appid_with_rw, (void*) appid, (void*) 1);      
     //属于组AID_SDCARD_RW,则有sdcard rw权限,则以app id 和1创建一个新的hashMap添加到appid_with_rw ,Map如下;     
     /* 注: 
     struct Entry {
          void* key;       //app id
          int hash;          // app ids hash value
          void* value;       // 1
          Entry* next;
     };
     */

                    is_found = true;
                    break;
                }
                token = strtok(NULL, ",");
            }
            if (is_found == false) {
                if (!hashmapContainsKey(fuse->appid_with_rw, (void*) appid)){
                    hashmapPut(fuse->appid_with_rw, (void*) appid, (void*) 0);
                }
            }
        }
    }


    TRACE("read_package_list: found %d packages, %d with write_gid\n",
            hashmapSize(fuse->package_to_appid),
            hashmapSize(fuse->appid_with_rw));
    fclose(file);
    pthread_mutex_unlock(&fuse->lock);
    return 0;
}


好的,这样hashMap package_to_appid 和appid_with_rw就创建好了。 接着,看看derive_permissions_locked()是如何根据hashMap进行授权工作的啦!

static void derive_permissions_locked(struct fuse* fuse, struct node *parent,
        struct node *node) {
    appid_t appid;


    /* By default, each node inherits from its parent */
    node->perm = PERM_INHERIT;
    node->userid = parent->userid;
    node->uid = parent->uid;
    node->gid = parent->gid;
    node->mode = parent->mode;
。。。。。。。。。。。。。。。。。。。。。。。。
    TRACE("derive_permissions_locked %s 0%d  (%s)\n",
            node->name, parent->perm, parent->name);
            
    /* Derive custom permissions based on parent and current node */
    switch (parent->perm) {
。。。。。。。。。。。。。。。。。。。。。。。。
    case PERM_ANDROID_DATA:
    case PERM_ANDROID_OBB:
        appid = (appid_t) hashmapGet(fuse->package_to_appid, node->name);     // 通过node name, 即app名,获取appid。(上面说过,他们有创建过map的)
        if (appid != 0) {
            node->uid = multiuser_get_uid(parent->userid, appid);        // 通过appid 和 userid 计算出一个唯一的uid(算法:multiuser_get_uid),分配给该app,下面马上用到它了!!
        }
        node->mode = 0770;
        break;
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
    }
}

下面最后看看如何通过get_caller_has_rw_locked进行访问权限控制的吧!

/* Return if the calling UID holds sdcard_rw. */
static bool get_caller_has_rw_locked(struct fuse* fuse, const struct fuse_in_header *hdr) {
。。。。。。。。。
    appid_t appid = multiuser_get_app_id(hdr->uid);    //uid 反算出appid 
    
    if (appid == AID_SHELL) {
      /* for mtklogger with uid, shell, grant the write permisssion to them */
      TRACE("WARNING: appid is AID_SHELL. Grant the write permission to it\n");
      return true;
    }
    else if (hashmapContainsKey(fuse->appid_with_rw, (void*) appid)) {   //判断appid对应的app是否在有权限RW sdcard的hashMap中。
       return (bool)hashmapGet(fuse->appid_with_rw, appid);    //返回derive_permissions_locked所授权value: 1,表未有rw权限。
//appid_with_rw中的hashMap如下:
     struct Entry {
          void* key;       //app id
          int hash;          // app ids hash value
          void* value;       // 1 or 0
          Entry* next;
     };
     */

    }
    else {
       TRACE("WARNING: appid=%d is NOT in packages.list. Grant the write permission to it\n", appid);    //没有授权RW sdcard 
       return true;
    }
}




over !终于完成了,sdcard.c也基本搞明白啦!!!






评论 5
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值