Support remote directories in authfs_service
Also take advantage of the new nested type in AIDL.
Bug: 205750213
Test: Can use the API locally
Change-Id: I8f7e63dedeb6dd72433f70807dcc65288c702097
diff --git a/authfs/service/src/authfs.rs b/authfs/service/src/authfs.rs
index 1b05749..2d4f707 100644
--- a/authfs/service/src/authfs.rs
+++ b/authfs/service/src/authfs.rs
@@ -26,11 +26,11 @@
use std::thread::sleep;
use std::time::{Duration, Instant};
-use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFs::{BnAuthFs, IAuthFs};
-use authfs_aidl_interface::aidl::com::android::virt::fs::{
- AuthFsConfig::AuthFsConfig, InputFdAnnotation::InputFdAnnotation,
- OutputFdAnnotation::OutputFdAnnotation,
+use authfs_aidl_interface::aidl::com::android::virt::fs::AuthFsConfig::{
+ AuthFsConfig, InputDirFdAnnotation::InputDirFdAnnotation, InputFdAnnotation::InputFdAnnotation,
+ OutputDirFdAnnotation::OutputDirFdAnnotation, OutputFdAnnotation::OutputFdAnnotation,
};
+use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFs::{BnAuthFs, IAuthFs};
use authfs_aidl_interface::binder::{
self, BinderFeatures, ExceptionCode, Interface, ParcelFileDescriptor, Strong,
};
@@ -80,6 +80,8 @@
&mountpoint,
&config.inputFdAnnotations,
&config.outputFdAnnotations,
+ &config.inputDirFdAnnotations,
+ &config.outputDirFdAnnotations,
debuggable,
)?;
wait_until_authfs_ready(&child, &mountpoint).map_err(|e| {
@@ -121,29 +123,41 @@
fn run_authfs(
mountpoint: &OsStr,
- in_fds: &[InputFdAnnotation],
- out_fds: &[OutputFdAnnotation],
+ in_file_fds: &[InputFdAnnotation],
+ out_file_fds: &[OutputFdAnnotation],
+ in_dir_fds: &[InputDirFdAnnotation],
+ out_dir_fds: &[OutputDirFdAnnotation],
debuggable: bool,
) -> Result<SharedChild> {
let mut args = vec![mountpoint.to_owned(), OsString::from("--cid=2")];
args.push(OsString::from("-o"));
args.push(OsString::from("fscontext=u:object_r:authfs_fuse:s0"));
- for conf in in_fds {
+ for conf in in_file_fds {
// TODO(b/185178698): Many input files need to be signed and verified.
// or can we use debug cert for now, which is better than nothing?
args.push(OsString::from("--remote-ro-file-unverified"));
args.push(OsString::from(conf.fd.to_string()));
}
- for conf in out_fds {
+ for conf in out_file_fds {
args.push(OsString::from("--remote-new-rw-file"));
args.push(OsString::from(conf.fd.to_string()));
}
+ for conf in in_dir_fds {
+ args.push(OsString::from("--remote-ro-dir"));
+ // TODO(206869687): Replace /dev/null with the real path when possible.
+ args.push(OsString::from(format!("{}:{}:{}", conf.fd, conf.manifestPath, conf.prefix)));
+ }
+ for conf in out_dir_fds {
+ args.push(OsString::from("--remote-new-rw-dir"));
+ args.push(OsString::from(conf.fd.to_string()));
+ }
if debuggable {
args.push(OsString::from("--debug"));
}
let mut command = Command::new(AUTHFS_BIN);
command.args(&args);
+ debug!("Spawn authfs: {:?}", command);
SharedChild::spawn(&mut command).context("Spawn authfs")
}