Give secondary users read-only physical cards.

Long ago, we mounted secondary physical cards as readable by all
users on the device, which enabled the use-case of loading media on
a card and viewing it from all users.

More recently, we started giving write access to these secondary
physical cards, but this created a one-directional channel for
communication across user boundaries; something that CDD disallows.

This change is designed to give us the best of both worlds: the
package-specific directories are writable for the user that mounted
the card, but access to those "Android" directories are blocked for
all other users.  Other users remain able to read content elsewhere
on the card.

Bug: 22787184
Change-Id: Ied8c98995fec1b7b50ff7d930550feabb4398582

1 files changed, 6 insertions, 6 deletions

diff --git a/services/core/java/com/android/server/MountService.java b/services/core/java/com/android/server/MountService.java
index 857394f..6ab2fd7 100644
--- a/services/core/java/com/android/server/MountService.java
+++ b/services/core/java/com/android/server/MountService.java
@@ -69,7 +69,6 @@ import android.os.storage.IMountServiceListener;
 import android.os.storage.IMountShutdownObserver;
 import android.os.storage.IObbActionListener;
 import android.os.storage.MountServiceInternal;
-import android.os.storage.MountServiceInternal.ExternalStorageMountPolicy;
 import android.os.storage.OnObbStateChangeListener;
 import android.os.storage.StorageManager;
 import android.os.storage.StorageResultCode;
@@ -809,7 +808,7 @@ class MountService extends IMountService.Stub
         synchronized (mVolumes) {
             for (int i = 0; i < mVolumes.size(); i++) {
                 final VolumeInfo vol = mVolumes.valueAt(i);
-                if (vol.isVisibleToUser(userId) && vol.isMountedReadable()) {
+                if (vol.isVisibleForRead(userId) && vol.isMountedReadable()) {
                     final StorageVolume userVol = vol.buildStorageVolume(mContext, userId, false);
                     mHandler.obtainMessage(H_VOLUME_BROADCAST, userVol).sendToTarget();
 
@@ -1252,7 +1251,7 @@ class MountService extends IMountService.Stub
             // started after this point will trigger additional
             // user-specific broadcasts.
             for (int userId : mStartedUsers) {
-                if (vol.isVisibleToUser(userId)) {
+                if (vol.isVisibleForRead(userId)) {
                     final StorageVolume userVol = vol.buildStorageVolume(mContext, userId, false);
                     mHandler.obtainMessage(H_VOLUME_BROADCAST, userVol).sendToTarget();
 
@@ -2610,13 +2609,14 @@ class MountService extends IMountService.Stub
     }
 
     @Override
-    public StorageVolume[] getVolumeList(int uid, String packageName) {
+    public StorageVolume[] getVolumeList(int uid, String packageName, int flags) {
+        final boolean forWrite = (flags & StorageManager.FLAG_FOR_WRITE) != 0;
+
         final ArrayList<StorageVolume> res = new ArrayList<>();
         boolean foundPrimary = false;
 
         final int userId = UserHandle.getUserId(uid);
         final boolean reportUnmounted;
-
         final long identity = Binder.clearCallingIdentity();
         try {
             reportUnmounted = !mMountServiceInternal.hasExternalStorage(
@@ -2628,7 +2628,7 @@ class MountService extends IMountService.Stub
         synchronized (mLock) {
             for (int i = 0; i < mVolumes.size(); i++) {
                 final VolumeInfo vol = mVolumes.valueAt(i);
-                if (vol.isVisibleToUser(userId)) {
+                if (forWrite ? vol.isVisibleForWrite(userId) : vol.isVisibleForRead(userId)) {
                     final StorageVolume userVol = vol.buildStorageVolume(mContext, userId,
                             reportUnmounted);
                     if (vol.isPrimary()) {