1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 //! AuthFsService facilitates authfs mounting (which is a privileged operation) for the client. The
18 //! client will provide an `AuthFsConfig` which includes the backend address (only port for now) and
19 //! the filesystem configuration. It is up to the client to ensure the backend server is running. On
20 //! a successful mount, the client receives an `IAuthFs`, and through the binder object, the client
21 //! is able to retrieve "remote file descriptors".
22 
23 mod authfs;
24 
25 use anyhow::{bail, Result};
26 use log::*;
27 use rpcbinder::RpcServer;
28 use rustutils::sockets::android_get_control_socket;
29 use std::ffi::OsString;
30 use std::fs::{create_dir, read_dir, remove_dir_all, remove_file};
31 use std::sync::atomic::{AtomicUsize, Ordering};
32 
33 use authfs_aidl_interface::aidl::com::android::virt::fs::AuthFsConfig::AuthFsConfig;
34 use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFs::IAuthFs;
35 use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFsService::{
36     BnAuthFsService, IAuthFsService, AUTHFS_SERVICE_SOCKET_NAME,
37 };
38 use binder::{self, BinderFeatures, ExceptionCode, Interface, Status, Strong};
39 
40 const SERVICE_ROOT: &str = "/data/misc/authfs";
41 
42 /// Implementation of `IAuthFsService`.
43 pub struct AuthFsService {
44     serial_number: AtomicUsize,
45     debuggable: bool,
46 }
47 
48 impl Interface for AuthFsService {}
49 
50 impl IAuthFsService for AuthFsService {
mount(&self, config: &AuthFsConfig) -> binder::Result<Strong<dyn IAuthFs>>51     fn mount(&self, config: &AuthFsConfig) -> binder::Result<Strong<dyn IAuthFs>> {
52         self.validate(config)?;
53 
54         let mountpoint = self.get_next_mount_point();
55 
56         // The directory is supposed to be deleted when `AuthFs` is dropped.
57         create_dir(&mountpoint).map_err(|e| {
58             Status::new_service_specific_error_str(
59                 -1,
60                 Some(format!("Cannot create mount directory {:?}: {:?}", &mountpoint, e)),
61             )
62         })?;
63 
64         authfs::AuthFs::mount_and_wait(mountpoint, config, self.debuggable).map_err(|e| {
65             Status::new_service_specific_error_str(
66                 -1,
67                 Some(format!("mount_and_wait failed: {:?}", e)),
68             )
69         })
70     }
71 }
72 
73 impl AuthFsService {
new_binder(debuggable: bool) -> Strong<dyn IAuthFsService>74     fn new_binder(debuggable: bool) -> Strong<dyn IAuthFsService> {
75         let service = AuthFsService { serial_number: AtomicUsize::new(1), debuggable };
76         BnAuthFsService::new_binder(service, BinderFeatures::default())
77     }
78 
validate(&self, config: &AuthFsConfig) -> binder::Result<()>79     fn validate(&self, config: &AuthFsConfig) -> binder::Result<()> {
80         if config.port < 0 {
81             return Err(Status::new_exception_str(
82                 ExceptionCode::ILLEGAL_ARGUMENT,
83                 Some(format!("Invalid port: {}", config.port)),
84             ));
85         }
86         Ok(())
87     }
88 
get_next_mount_point(&self) -> OsString89     fn get_next_mount_point(&self) -> OsString {
90         let previous = self.serial_number.fetch_add(1, Ordering::Relaxed);
91         OsString::from(format!("{}/{}", SERVICE_ROOT, previous))
92     }
93 }
94 
clean_up_working_directory() -> Result<()>95 fn clean_up_working_directory() -> Result<()> {
96     for entry in read_dir(SERVICE_ROOT)? {
97         let entry = entry?;
98         let path = entry.path();
99         if path.is_dir() {
100             remove_dir_all(path)?;
101         } else if path.is_file() {
102             remove_file(path)?;
103         } else {
104             bail!("Unrecognized path type: {:?}", path);
105         }
106     }
107     Ok(())
108 }
109 
110 #[allow(clippy::eq_op)]
try_main() -> Result<()>111 fn try_main() -> Result<()> {
112     // SAFETY: This is very early in the process. Nobody has taken ownership of the inherited FDs
113     // yet.
114     unsafe { rustutils::inherited_fd::init_once()? };
115 
116     let debuggable = env!("TARGET_BUILD_VARIANT") != "user";
117     let log_level = if debuggable { log::LevelFilter::Trace } else { log::LevelFilter::Info };
118     android_logger::init_once(
119         android_logger::Config::default().with_tag("authfs_service").with_max_level(log_level),
120     );
121 
122     clean_up_working_directory()?;
123 
124     let socket_fd = android_get_control_socket(AUTHFS_SERVICE_SOCKET_NAME)?;
125     let service = AuthFsService::new_binder(debuggable).as_binder();
126     debug!("{} is starting as a rpc service.", AUTHFS_SERVICE_SOCKET_NAME);
127     let server = RpcServer::new_bound_socket(service, socket_fd)?;
128     info!("The RPC server '{}' is running.", AUTHFS_SERVICE_SOCKET_NAME);
129     server.join();
130     info!("The RPC server at '{}' has shut down gracefully.", AUTHFS_SERVICE_SOCKET_NAME);
131     Ok(())
132 }
133 
main()134 fn main() {
135     if let Err(e) = try_main() {
136         error!("failed with {:?}", e);
137         std::process::exit(1);
138     }
139 }
140