commit 015bcb5c4cef54b5d5360efb5b0c6775fe98d135
author Victor Hsieh <victorhsieh@google.com> Wed Nov 17 17:28:01 2021 -0800
committer Victor Hsieh <victorhsieh@google.com> Thu Nov 18 07:44:44 2021 -0800
tree 08f3c635ea17d8558986088a7943459348be2203
parent 64290a53892b27492d9524d4c444c1d50e9282da

Support remote directories in authfs_service

Also take advantage of the new nested type in AIDL.

Bug: 205750213
Test: Can use the API locally
Change-Id: I8f7e63dedeb6dd72433f70807dcc65288c702097

authfs/service/src/authfs.rs

diff --git a/authfs/service/src/authfs.rs b/authfs/service/src/authfs.rs
index 1b05749..2d4f707 100644
--- a/authfs/service/src/authfs.rs
+++ b/authfs/service/src/authfs.rs
@@ -26,11 +26,11 @@
 use std::thread::sleep;
 use std::time::{Duration, Instant};
 
-use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFs::{BnAuthFs, IAuthFs};
-use authfs_aidl_interface::aidl::com::android::virt::fs::{
-    AuthFsConfig::AuthFsConfig, InputFdAnnotation::InputFdAnnotation,
-    OutputFdAnnotation::OutputFdAnnotation,
+use authfs_aidl_interface::aidl::com::android::virt::fs::AuthFsConfig::{
+    AuthFsConfig, InputDirFdAnnotation::InputDirFdAnnotation, InputFdAnnotation::InputFdAnnotation,
+    OutputDirFdAnnotation::OutputDirFdAnnotation, OutputFdAnnotation::OutputFdAnnotation,
 };
+use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFs::{BnAuthFs, IAuthFs};
 use authfs_aidl_interface::binder::{
     self, BinderFeatures, ExceptionCode, Interface, ParcelFileDescriptor, Strong,
 };
@@ -80,6 +80,8 @@
             &mountpoint,
             &config.inputFdAnnotations,
             &config.outputFdAnnotations,
+            &config.inputDirFdAnnotations,
+            &config.outputDirFdAnnotations,
             debuggable,
         )?;
         wait_until_authfs_ready(&child, &mountpoint).map_err(|e| {
@@ -121,29 +123,41 @@
 
 fn run_authfs(
     mountpoint: &OsStr,
-    in_fds: &[InputFdAnnotation],
-    out_fds: &[OutputFdAnnotation],
+    in_file_fds: &[InputFdAnnotation],
+    out_file_fds: &[OutputFdAnnotation],
+    in_dir_fds: &[InputDirFdAnnotation],
+    out_dir_fds: &[OutputDirFdAnnotation],
     debuggable: bool,
 ) -> Result<SharedChild> {
     let mut args = vec![mountpoint.to_owned(), OsString::from("--cid=2")];
     args.push(OsString::from("-o"));
     args.push(OsString::from("fscontext=u:object_r:authfs_fuse:s0"));
-    for conf in in_fds {
+    for conf in in_file_fds {
         // TODO(b/185178698): Many input files need to be signed and verified.
         // or can we use debug cert for now, which is better than nothing?
         args.push(OsString::from("--remote-ro-file-unverified"));
         args.push(OsString::from(conf.fd.to_string()));
     }
-    for conf in out_fds {
+    for conf in out_file_fds {
         args.push(OsString::from("--remote-new-rw-file"));
         args.push(OsString::from(conf.fd.to_string()));
     }
+    for conf in in_dir_fds {
+        args.push(OsString::from("--remote-ro-dir"));
+        // TODO(206869687): Replace /dev/null with the real path when possible.
+        args.push(OsString::from(format!("{}:{}:{}", conf.fd, conf.manifestPath, conf.prefix)));
+    }
+    for conf in out_dir_fds {
+        args.push(OsString::from("--remote-new-rw-dir"));
+        args.push(OsString::from(conf.fd.to_string()));
+    }
     if debuggable {
         args.push(OsString::from("--debug"));
     }
 
     let mut command = Command::new(AUTHFS_BIN);
     command.args(&args);
+    debug!("Spawn authfs: {:?}", command);
     SharedChild::spawn(&mut command).context("Spawn authfs")
 }