diff options
| -rw-r--r-- | src/devices/audio_avoiding_pi.jd | 309 | ||||
| -rw-r--r-- | src/devices/audio_terminology.jd | 218 | ||||
| -rw-r--r-- | src/devices/devices_toc.cs | 10 | ||||
| -rw-r--r-- | src/devices/latency_design.jd | 215 | ||||
| -rw-r--r-- | src/devices/tech/input/key-layout-files.jd | 5 | ||||
| -rw-r--r-- | src/devices/tech/security/enhancements42.jd (renamed from src/devices/tech/security/enhancements.jd) | 0 | ||||
| -rw-r--r-- | src/devices/tech/security/enhancements43.jd | 87 | ||||
| -rw-r--r-- | src/devices/tech/storage/index.jd | 36 |
8 files changed, 872 insertions, 8 deletions
diff --git a/src/devices/audio_avoiding_pi.jd b/src/devices/audio_avoiding_pi.jd new file mode 100644 index 00000000..184a1509 --- /dev/null +++ b/src/devices/audio_avoiding_pi.jd @@ -0,0 +1,309 @@ +page.title=Avoiding Priority Inversion +@jd:body + +<div id="qv-wrapper"> + <div id="qv"> + <h2>In this document</h2> + <ol id="auto-toc"> + </ol> + </div> +</div> + +<p> +This article explains how the Android's audio system attempts to avoid +priority inversion, as of the Android 4.1 (Jellybean) release, +and highlights techniques that you can use too. +</p> + +<p> +These techniques may be useful to developers of high-performance +audio apps, OEMs, and SoC providers who are implementing an audio +HAL. Please note that implementing these techniques is not +guaranteed to prevent glitches or other failures, particularly if +used outside of the audio context. +Your results may vary and you should conduct your own +evaluation and testing. +</p> + +<h2 id="background">Background</h2> + +<p> +The Android audio server "AudioFlinger" and AudioTrack/AudioRecord +client implementation are being re-architected to reduce latency. +This work started in Android 4.1 (Jellybean), continued in 4.2 +(Jellybean MR1), and more improvements are likely in "K". +</p> + +<p> +The lower latency needed many changes throughout the system. One +important change was to assign CPU resources to time-critical +threads with a more predictable scheduling policy. Reliable scheduling +allows the audio buffer sizes and counts to be reduced, while still +avoiding artifacts due to underruns. +</p> + +<h2 id="priorityInversion">Priority Inversion</h2> + +<p> +<a href="http://en.wikipedia.org/wiki/Priority_inversion">Priority inversion</a> +is a classic failure mode of real-time systems, +where a higher-priority task is blocked for an unbounded time waiting +for a lower-priority task to release a resource such as [shared +state protected by] a +<a href="http://en.wikipedia.org/wiki/Mutual_exclusion">mutex</a>. +</p> + +<p> +In an audio system, priority inversion typically manifests as a +<a href="http://en.wikipedia.org/wiki/Glitch">glitch</a> +(click, pop, dropout), +<a href="http://en.wikipedia.org/wiki/Max_Headroom_(character)">repeated audio</a> +when circular buffers +are used, or delay in responding to a command. +</p> + +<p> +In the Android audio implementation, priority inversion is most +likely to occur in these places, and so we focus attention here: +</p> + +<ul> + +<li> +between normal mixer thread and fast mixer thread in AudioFlinger +</li> + +<li> +between application callback thread for a fast AudioTrack and +fast mixer thread (they both have elevated priority, but slightly +different priorities) +</li> + +<li> +within the audio HAL implementation, e.g. for telephony or echo cancellation +</li> + +<li> +within the audio driver in kernel +</li> + +<li> +between AudioTrack callback thread and other app threads (this is out of our control) +</li> + +</ul> + +<p> +As of this writing, reduced latency for AudioRecord is planned but +not yet implemented. The likely priority inversion spots will be +similar to those for AudioTrack. +</p> + +<h2 id="commonSolutions">Common Solutions</h2> + +<p> +The typical solutions listed in the Wikipedia article include: +</p> + +<ul> + +<li> +disabling interrupts +</li> + +<li> +priority inheritance mutexes +</li> + +</ul> + +<p> +Disabling interrupts is not feasible in Linux user space, and does +not work for SMP. +</p> + + +<p> +Priority inheritance +<a href="http://en.wikipedia.org/wiki/Futex">futexes</a> +(fast user-space mutexes) are available +in Linux kernel, but are not currently exposed by the Android C +runtime library +<a href="http://en.wikipedia.org/wiki/Bionic_(software)">Bionic</a>. +We chose not to use them in the audio system +because they are relatively heavyweight, and because they rely on +a trusted client. +</p> + +<h2 id="androidTechniques">Techniques used by Android</h2> + +<p> +We started with "try lock" and lock with timeout. These are +non-blocking and bounded blocking variants of the mutex lock +operation. Try lock and lock with timeout worked fairly well for +us, but were susceptible to a couple of obscure failure modes: the +server was not guaranteed to be able to access the shared state if +the client happened to be busy, and the cumulative timeout could +be too long if there was a long sequence of unrelated locks that +all timed out. +</p> + + +<p> +We also use +<a href="http://en.wikipedia.org/wiki/Linearizability">atomic operations</a> +such as: +</p> + +<ul> +<li>increment</li> +<li>bitwise "or"</li> +<li>bitwise "and"</li> +</ul> + +<p> +All of these return the previous value, and include the necessary +SMP barriers. The disadvantage is they can require unbounded retries. +In practice, we've found that the retries are not a problem. +</p> + +<p> +Note: atomic operations and their interactions with memory barriers +are notoriously badly misunderstood and used incorrectly. We include +these here for completeness, but recommend you also read the article +<a href="https://developer.android.com/training/articles/smp.html"> +SMP Primer for Android</a> +for further information. +</p> + +<p> +We still have and use most of the above tools, and have recently +added these techniques: +</p> + +<ul> + +<li> +Use non-blocking single-reader single-writer +<a href="http://en.wikipedia.org/wiki/Circular_buffer">FIFO queues</a> +for data. +</li> + +<li> +Try to +<i>copy</i> +state rather than +<i>share</i> +state between high- and +low-priority modules. +</li> + +<li> +When state does need to be shared, limit the state to the +maximum-size +<a href="http://en.wikipedia.org/wiki/Word_(computer_architecture)">word</a> +that can be accessed atomically in one bus operation +without retries. +</li> + +<li> +For complex multi-word state, use a state queue. A state queue +is basically just a non-blocking single-reader single-writer FIFO +queue used for state rather than data, except the writer collapses +adjacent pushes into a single push. +</li> + +<li> +Pay attention to +<a href="http://en.wikipedia.org/wiki/Memory_barrier">memory barriers</a> +for SMP correctness. +</li> + +<li> +<a href="http://en.wikipedia.org/wiki/Trust,_but_verify">Trust, but verify</a>. +When sharing +<i>state</i> +between processes, don't +assume that the state is well-formed. For example, check that indices +are within bounds. This verification isn't needed between threads +in the same process, between mutual trusting processes (which +typically have the same UID). It's also unnecessary for shared +<i>data</i> +such as PCM audio where a corruption is inconsequential. +</li> + +</ul> + +<h2 id="nonBlockingAlgorithms">Non-Blocking Algorithms</h2> + +<p> +<a href="http://en.wikipedia.org/wiki/Non-blocking_algorithm">Non-blocking algorithms</a> +have been a subject of much recent study. +But with the exception of single-reader single-writer FIFO queues, +we've found them to be complex and error-prone. +</p> + +<p> +In Android 4.2 (Jellybean MR1), you can find our non-blocking, +single-reader/writer classes in these locations: +</p> + +<ul> + +<li> +frameworks/av/include/media/nbaio/ +</li> + +<li> +frameworks/av/media/libnbaio/ +</li> + +<li> +frameworks/av/services/audioflinger/StateQueue* +</li> + +</ul> + +<p> +These were designed specifically for AudioFlinger and are not +general-purpose. Non-blocking algorithms are notorious for being +difficult to debug. You can look at this code as a model, but be +aware there may be bugs, and the classes are not guaranteed to be +suitable for other purposes. +</p> + +<p> +For developers, we may update some of the sample OpenSL ES application +code to use non-blocking, or referencing a non-Android open source +library. +</p> + +<h2 id="tools">Tools</h2> + +<p> +To the best of our knowledge, there are no automatic tools for +finding priority inversion, especially before it happens. Some +research static code analysis tools are capable of finding priority +inversions if able to access the entire codebase. Of course, if +arbitrary user code is involved (as it is here for the application) +or is a large codebase (as for the Linux kernel and device drivers), +static analysis may be impractical. The most important thing is to +read the code very carefully and get a good grasp on the entire +system and the interactions. Tools such as +<a href="http://developer.android.com/tools/help/systrace.html">systrace</a> +and +<code>ps -t -p</code> +are useful for seeing priority inversion after it occurs, but do +not tell you in advance. +</p> + +<h2 id="aFinalWord">A Final Word</h2> + +<p> +After all of this discussion, don't be afraid of mutexes. Mutexes +are your friend for ordinary use, when used and implemented correctly +in ordinary non-time-critical use cases. But between high- and +low-priority tasks and in time-sensitive systems mutexes are more +likely to cause trouble. +</p> + diff --git a/src/devices/audio_terminology.jd b/src/devices/audio_terminology.jd new file mode 100644 index 00000000..f6258502 --- /dev/null +++ b/src/devices/audio_terminology.jd @@ -0,0 +1,218 @@ +page.title=Audio Terminology +@jd:body + +<div id="qv-wrapper"> + <div id="qv"> + <h2>In this document</h2> + <ol id="auto-toc"> + </ol> + </div> +</div> + +<p> +This document provides a glossary of audio-related terminology, including +a list of widely used, generic terms and a list of terms that are specific +to Android. +</p> + +<h2 id="genericTerm">Generic Terms</h2> + +<p> +These are audio terms that are widely used, with their conventional meanings. +</p> + +<dl> + +<dt>bits per sample or bit depth</dt> +<dd> +Number of bits of information per sample. +</dd> + +<dt>channel</dt> +<dd> +A single stream of audio information, usually corresponding to one +location of recording or playback. +</dd> + +<dt>frame</dt> +<dd> +A set of samples, one per channel, at a point in time. +</dd> + +<dt>frames per buffer</dt> +<dd> +The number of frames handed from one module to the next at once; +for example the audio HAL interface uses this concept. +</dd> + +<dt>mono</dt> +<dd> +One channel. +</dd> + +<dt>sample</dt> +<dd> +A number representing the audio value for a single channel at a point in time. +</dd> + +<dt>sample rate or frame rate</dt> +<dd> +Number of frames per second; +note that "frame rate" is thus more accurate, +but "sample rate" is conventionally used to mean "frame rate". +</dd> + +<dt>stereo</dt> +<dd> +Two channels. +</dd> + +</dl> + +<h2 id="androidSpecificTerms">Android-Specific Terms</h2> + +<p> +These are terms that are specific to Android audio framework, or that +may have a special meaning within Android beyond their general meaning. +</p> + +<dl> + +<dt>ALSA</dt> +<dd> +Advanced Linux Sound Architecture. As the name suggests, it is an audio +framework primarily for Linux, but it has influenced other systems. +See Wikipedia article +<a class="external-link" href="http://en.wikipedia.org/wiki/Advanced_Linux_Sound_Architecture" target="_android">ALSA</a> +for the general definition. As used within Android, it refers primarily +to the kernel audio framework and drivers, not to the user-mode API. See +tinyalsa. +</dd> + +<dt>AudioFlinger</dt> +<dd> +The sound server implementation for Android. AudioFlinger +runs within the mediaserver process. See Wikipedia article +<a class="external-link" href="http://en.wikipedia.org/wiki/Sound_server" target="_android">Sound server</a> +for the generic definition. +</dd> + +<dt>AudioMixer</dt> +<dd> +The module within AudioFlinger responsible for +combining multiple tracks and applying attenuation +(volume) and certain effects. The Wikipedia article +<a class="external-link" href="http://en.wikipedia.org/wiki/Audio_mixing_(recorded_music)" target="_android">Audio mixing (recorded music)</a> +may be useful for understanding the generic +concept. But that article describes a mixer more as a hardware device +or a software application, rather than a software module within a system. +</dd> + +<dt>AudioRecord</dt> +<dd> +The primary low-level client API for receiving data from an audio +input device such as microphone. The data is usually in PCM format. +</dd> + +<dt>AudioResampler</dt> +<dd> +The module within AudioFlinger responsible for sample-rate conversion. See Wikipedia article +<a class="external-link" href="http://en.wikipedia.org/wiki/Resampling_(audio)" target="_android">Resampling (audio)</a> +for the generic definition. +</dd> + +<dt>audio policy</dt> +<dd> +Service responsible for all actions that require a policy decision +to be made first, such as opening a new I/O stream, re-routing after a +change and stream volume management. +</dd> + +<dt>AudioTrack</dt> +<dd> +The primary low-level client API for sending data to an audio output +device such as a speaker. The data is usually in PCM format. +</dd> + +<dt>client</dt> +<dd> +Usually same as application or app, but sometimes the "client" of +AudioFlinger is actually a thread running within the mediaserver system +process. An example of that is when playing media that is decoded by a +MediaPlayer object. +</dd> + +<dt>HAL</dt> +<dd> +Hardware Abstraction Layer. HAL is a generic term in Android. With +respect to audio, it is a layer between AudioFlinger and the kernel +device driver with a C API, which replaces the earlier C++ libaudio. +</dd> + +<dt>FastMixer</dt> +<dd> +A thread within AudioFlinger that services lower latency "fast tracks" +and drives the primary output device. +</dd> + +<dt>fast track</dt> +<dd> +An AudioTrack client with lower latency but fewer features, on some devices. +</dd> + +<dt>MediaPlayer</dt> +<dd> +A higher-level client API than AudioTrack, for playing either encoded +content, or content which includes multi-media audio and video tracks. +</dd> + +<dt>mediaserver</dt> +<dd> +An Android system process that contains a number of media-related +services, including AudioFlinger. +</dd> + +<dt>NBAIO</dt> +<dd> +An abstraction for "non-blocking" audio input/output ports used within +AudioFlinger. The name can be misleading, as some implementations of +the NBAIO API actually do support blocking. The key implementations of +NBAIO are for pipes of various kinds. +</dd> + +<dt>normal mixer</dt> +<dd> +A thread within AudioFlinger that services most full-featured +AudioTrack clients, and either directly drives an output device or feeds +it's sub-mix into FastMixer via a pipe. +</dd> + +<dt>OpenSL ES</dt> +<dd> +An audio API standard by The Khronos Group. Android versions since +API level 9 support a native audio API which is based on a subset of +OpenSL ES 1.0.1. +</dd> + +<dt>StateQueue</dt> +<dd> +A module within AudioFlinger responsible for synchronizing state +among threads. Whereas NBAIO is used to pass data, StateQueue is used +to pass control information. +</dd> + +<dt>tinyalsa</dt> +<dd> +A small user-mode API above ALSA kernel with BSD license, recommended +for use by HAL implementations. +</dd> + +<dt>track</dt> +<dd> +An audio stream, controlled by the AudioTrack API. +</dd> + +</dl> + +</p> + diff --git a/src/devices/devices_toc.cs b/src/devices/devices_toc.cs index 70d6da56..ac5c09ec 100644 --- a/src/devices/devices_toc.cs +++ b/src/devices/devices_toc.cs @@ -34,6 +34,9 @@ <ul> <li><a href="<?cs var:toroot ?>devices/audio_latency.html">Latency</a></li> <li><a href="<?cs var:toroot ?>devices/audio_warmup.html">Warmup</a></li> + <li><a href="<?cs var:toroot ?>devices/audio_avoiding_pi.html">Avoiding Priority Inversion</a></li> + <li><a href="<?cs var:toroot ?>devices/latency_design.html">Design For Reduced Latency</a></li> + <li><a href="<?cs var:toroot ?>devices/audio_terminology.html">Terminology</a></li> </ul> </li> <li><a href="<?cs var:toroot ?>devices/camera.html">Camera v1</a></li> @@ -151,10 +154,15 @@ </div> <ul> <li> - <a href="<?cs var:toroot ?>devices/tech/security/enhancements.html"> + <a href="<?cs var:toroot ?>devices/tech/security/enhancements42.html"> <span class="en">Security Enhancements in Android 4.2</span> </a> </li> + <li> + <a href="<?cs var:toroot ?>devices/tech/security/enhancements43.html"> + <span class="en">Security Enhancements in Android 4.3</span> + </a> + </li> </ul> </li> diff --git a/src/devices/latency_design.jd b/src/devices/latency_design.jd new file mode 100644 index 00000000..8e6d7664 --- /dev/null +++ b/src/devices/latency_design.jd @@ -0,0 +1,215 @@ +page.title=Design For Reduced Latency +@jd:body + +<div id="qv-wrapper"> + <div id="qv"> + <h2>In this document</h2> + <ol id="auto-toc"> + </ol> + </div> +</div> + +<p> +Android 4.1 (Jelly Bean) release introduced internal framework changes for +a lower latency audio output path. There were no public client API +or HAL API changes. This document describes the initial design, +which is expected to evolve over time. +Having a good understanding of this design should help device OEM and +SoC vendors to implement the design correctly on their particular devices +and chipsets. This article is not intended for application developers. +</p> + +<h2 id="trackCreation">Track Creation</h2> + +<p> +The client can optionally set bit <code>AUDIO_OUTPUT_FLAG_FAST</code> in the +<code>audio_output_flags_t</code> parameter of AudioTrack C++ constructor or +<code>AudioTrack::set()</code>. Currently the only clients that do so are: +</p> + +<ul> +<li>OpenSL ES</li> +<li>SoundPool</li> +<li>ToneGenerator</li> +</ul> + +<p> +The AudioTrack C++ implementation reviews the <code>AUDIO_OUTPUT_FLAG_FAST</code> +request and may optionally deny the request at client level. If it +decides to pass the request on, it does so using <code>TRACK_FAST</code> bit of +the <code>track_flags_t</code> parameter of the <code>IAudioTrack</code> factory method +<code>IAudioFlinger::createTrack()</code>. +</p> + +<p> +AudioFlinger (server) reviews the <code>TRACK_FAST</code> request and may +optionally deny the request at server level. It informs the client +whether or not the request was accepted, via bit <code>CBLK_FAST</code> of the +shared memory control block. +</p> + +<p> +The factors that impact the decision include: +</p> + +<ul> +<li>presence of a fast mixer thread for this output (see below)</li> +<li>track sample rate</li> +<li>presence of a client thread to execute callback handlers for this track</li> +<li>track buffer size</li> +<li>available fast track slots (see below)</li> +</ul> + +<p> +If the client's request was accepted, it is called a "fast track", +otherwise it's called a "normal track". +</p> + +<h2 id="mixerThreads">Mixer Threads</h2> + +<p> +At the time AudioFlinger creates a normal mixer thread, it decides +whether or not to also create a fast mixer thread. Both the normal +mixer and fast mixer are not associated with a particular track, +but rather with a set of tracks. There is always a normal mixer +thread. The fast mixer thread, if it exists, is subservient to the +normal mixer thread and acts under its control. +</p> + +<h3 id="fastMixer">Fast mixer</h3> + +<h4>Features</h4> + +<p> +The fast mixer thread provides these features: +</p> + +<ul> +<li>mixing of the normal mixer's sub-mix and up to 7 client fast tracks</li> +<li>Per track attenuation</li> +</ul> + +<p> +Omitted features: +</p> + +<ul> +<li>Per track sample rate conversion</li> +<li>Per track effects</li> +<li>Per mix effects</li> +</ul> + +<h4>Period</h4> + +<p> +The fast mixer runs periodically, with a recommended period of 2 +to 3 ms, or slightly higher if needed for scheduling stability. +This number was chosen so that, accounting for the complete +buffer pipeline, the total latency is on the order of 10 ms. Smaller +values are possible but may result in increased power consumption +and chance of glitches depending on CPU scheduling predictability. +Larger values are possible, up to 20 ms, but result in degraded +total latency and so should be avoided. +</p> + +<h4>Scheduling</h4> + +<p> +The fast mixer runs at elevated <code>SCHED_FIFO</code> priority. It needs very +little CPU time, but must run often and with low scheduling jitter. +Running too late will result in glitches due to underrun. Running +too early will result in glitches due to pulling from a fast track +before the track has provided data. +</p> + +<h4>Blocking</h4> + +<p> +Ideally the fast mixer thread never blocks, other than at HAL +<code>write()</code>. Other occurrences of blocking within the fast mixer are +considered bugs. In particular, mutexes are avoided. +</p> + +<h4>Relationship to other components</h4> + +<p> +The fast mixer has little direct interaction with clients. In +particular, it does not see binder-level operations, but it does +access the client's shared memory control block. +</p> + +<p> +The fast mixer receives commands from the normal mixer via a state queue. +</p> + +<p> +Other than pulling track data, interaction with clients is via the normal mixer. +</p> + +<p> +The fast mixer's primary sink is the audio HAL. +</p> + +<h3 id="normalMixer">Normal mixer</h3> + +<h4>Features</h4> + +<p> +All features are enabled: +</p> + +<ul> +<li>Up to 32 tracks</li> +<li>Per track attenuation</li> +<li>Per track sample rate conversion</li> +<li>Effects processing</li> +</ul> + +<h4>Period</h4> + +<p> +The period is computed to be the first integral multiple of the +fast mixer period that is >= 20 milliseconds. +</p> + +<h4>Scheduling</h4> + +<p> +The normal mixer runs at elevated <code>SCHED_OTHER</code> priority. +</p> + +<h4>Blocking</h4> + +<p> +The normal mixer is permitted to block, and often does so at various +mutexes as well as at a blocking pipe to write its sub-mix. +</p> + +<h4>Relationship to other components</h4> + +<p> +The normal mixer interacts extensively with the outside world, +including binder threads, audio policy manager, fast mixer thread, +and client tracks. +</p> + +<p> +The normal mixer's sink is a blocking pipe to the fast mixer's track 0. +</p> + +<h2 id="flags">Flags</h2> + +<p> +<code>AUDIO_OUTPUT_FLAG_FAST</code> bit is a hint. There's no guarantee the +request will be fulfilled. +</p> + +<p> +<code>AUDIO_OUTPUT_FLAG_FAST</code> is a client-level concept. It does not appear +in server. +</p> + +<p> +<code>TRACK_FAST</code> is a client -> server concept. +</p> + diff --git a/src/devices/tech/input/key-layout-files.jd b/src/devices/tech/input/key-layout-files.jd index 63fbcac6..e9258818 100644 --- a/src/devices/tech/input/key-layout-files.jd +++ b/src/devices/tech/input/key-layout-files.jd @@ -108,9 +108,10 @@ then both <code>AXIS_GAS</code> and <code>AXIS_BRAKE</code> are set to <code>0</ <p>An inverted axis inverts the sign of the axis value.</p> <p>The following declaration maps <code>ABS_RZ</code> (indicated by <code>0x05</code>) to <code>AXIS_BRAKE</code> (indicated by <code>BRAKE</code>), and inverts the output by negating it.</p> -<pre><code>axis 0x05 invert AXIS_RZ +<pre><code>axis 0x05 invert BRAKE </code></pre> -<p>In the above example, if the value of <code>ABS_RZ</code> is <code>2</code> then <code>AXIS_RZ</code> is set to <code>-2</code>.</p> +<p>In the above example, if the value of <code>ABS_RZ</code> is <code>2</code> then +<code>AXIS_BRAKE</code> is set to <code>-2</code>.</p> <h4 id="center-flat-position-option">Center Flat Position Option</h4> <p>The Linux input protocol provides a way for input device drivers to specify the center flat position of joystick axes but not all of them do and some of them diff --git a/src/devices/tech/security/enhancements.jd b/src/devices/tech/security/enhancements42.jd index 4044a1ea..4044a1ea 100644 --- a/src/devices/tech/security/enhancements.jd +++ b/src/devices/tech/security/enhancements42.jd diff --git a/src/devices/tech/security/enhancements43.jd b/src/devices/tech/security/enhancements43.jd new file mode 100644 index 00000000..277e010a --- /dev/null +++ b/src/devices/tech/security/enhancements43.jd @@ -0,0 +1,87 @@ +page.title=Security Enhancements in Android 4.3 +@jd:body + +<p> +Every Android release includes dozens of security enhancements to protect +users. The following are some of the security enhancements available +in Android 4.3: +</p> + +<ul> + <li><strong>Android sandbox reinforced with SELinux.</strong> + This release strengthens the Android sandbox using the SELinux + mandatory access control system (MAC) in the Linux kernel. SELinux + reinforcement is invisible to users and developers, and adds robustness + to the existing Android security model while maintaining compatibility + with existing applications. To ensure continued compatibility this release + allows the use of SELinux in a permissive mode. This mode logs any policy + violations, but will not break applications or affect system behavior.</li> + + <li><strong>No setuid/setgid programs.</strong> + Added support for filesystem capabilities + to Android system files and removed all setuid/setguid programs. This + reduces root attack surface and the likelihood of potential security + vulnerabilities.</li> + + <li><strong>ADB Authentication.</strong> + Since Android 4.2.2, connections to ADB are + authenticated with an RSA keypair. This prevents unauthorized use of + ADB where the attacker has physical access to a device.</li> + + <li><strong>Restrict Setuid from Android Apps.</strong> + The /system partition is now mounted + nosuid for zygote-spawned processes, preventing Android applications + from executing setuid programs. This reduces root attack surface and + the likelihood of potential security vulnerabilities.</li> + + <li><strong>Capability bounding.</strong> + Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop + unnecessary capabilities prior to executing applications. + This prevents Android applications and applications launched from + the shell from acquiring privileged capabilities.</li> + + <li><strong>AndroidKeyStore Provider.</strong> + Android now has a keystore provider that allows + applications to create exclusive use keys. This provides applications + with an API to create or store private keys that cannot be used by + other applications.</li> + + <li><strong>KeyChain isBoundKeyAlgorithm.</strong> + Keychain API now provides a method + (isBoundKeyType) that allows applications to confirm that system-wide keys + are bound to a hardware root of trust for the device. This provides + a place to create or store private keys that cannot be exported off the + device, even in the event of a root compromise.</li> + + <li><strong>NO_NEW_PRIVS.</strong> + Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block addition + of new privileges prior to execution application code. This + prevents Android applications from performing operations which can + elevate privileges via execve. (This requires Linux kernel version 3.5 + or greater).</li> + + <li><strong>FORTIFY_SOURCE enhancements.</strong> + Enabled FORTIFY_SOURCE on Android x86 and MIPS + and fortified strchr(), strrchr(), strlen(), and umask() calls. This + can detect potential memory corruption vulnerabilities or unterminated + string constants.</li> + + <li><strong>Relocation protections.</strong> + Enabled read only relocations (relro) for + statically linked executables and removed all text relocations in Android + code. This provides defense in depth against potential memory corruption + vulnerabilities.</li> + + <li><strong>Improved EntropyMixer.</strong> + EntropyMixer now writes entropy at shutdown / + reboot, in addition to periodic mixing. This allows retention of all + entropy generated while devices are powered on, and is especially useful + for devices that are rebooted immediately after provisioning.</li> + + <li><strong>Security Fixes.</strong> + Android 4.3 also includes fixes for Android-specific + vulnerabilities. Information about these vulnerabilities has been provided + to Open Handset Alliance members and fixes are available in Android Open + Source Project. To improve security, some devices with earlier versions + of Android may also include these fixes.</li> +</ul> diff --git a/src/devices/tech/storage/index.jd b/src/devices/tech/storage/index.jd index 71ea31c0..0f1b2678 100644 --- a/src/devices/tech/storage/index.jd +++ b/src/devices/tech/storage/index.jd @@ -26,8 +26,10 @@ developers through API.</p> <p>External storage is managed by a combination of the <code>vold</code> init service and <code>MountService</code> system service.</p> <p>Mounting of physical external storage volumes is handled by <code>vold</code>, which -performs staging operations to prepare the media before exposing it to apps. -The device-specific <code>vold.fstab</code> configuration file defines mappings from sysfs +performs staging operations to prepare the media before exposing it to apps.</p> + +<p>For Android 4.2.2 and earlier, the device-specific <code>vold.fstab</code> +configuration file defines mappings from sysfs devices to filesystem mount points, and each line follows this format:</p> <pre><code>dev_mount <label> <mount_point> <partition> <sysfs_path> [flags] </code></pre> @@ -40,6 +42,25 @@ point. Separated by spaces, and each must start with <code>/</code>.</li> <li><code>flags</code>: Optional comma separated list of flags, must not contain <code>/</code>. Possible values include <code>nonremovable</code> and <code>encryptable</code>.</li> </ul> +<p>For Android releases 4.3 and later, the various fstab files used by init, vold and +recovery were unified in the <code>/fstab.<device></code> file. For external +storage volumes that are managed by <code>vold</code>, the entries should have the +following format:</p> +<pre><code><src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags> +</code></pre> +<ul> +<li><code>src</code>: A path under sysfs (usually mounted at /sys) to the device that +can provide the mount point. The path must start with <code>/</code>.</li> <li><code>mount_point</code>: Filesystem path where the volume should be mounted.</li> +<li><code>type</code>: The type of the filesystem on the volume. For external cards, +this is usually <code>vfat</code>.</li> +<li><code>mnt_flags</code>: <code>Vold</code> ignores this field and it should be set +to <code>defaults</code></li> +<li><code>fs_mgr_flags</code>: <code>Vold</code> ignores any lines in the unified fstab +that do not include the <code>voldmanaged=</code> flag in this field. This flag must +be followed by a label describing the card, and a partition number or the word +<code>auto</code>. Here is an example: <code>voldmanaged=sdcard:auto</code>. +Other possible flags are <code>nonremovable</code> and <code>encryptable=sdcard</code>. +</ul> <p>External storage interactions at and above the framework level are handled through <code>MountService</code>. The device-specific <code>storage_list.xml</code> configuration file, typically provided through a <code>frameworks/base</code> overlay, defines the @@ -74,13 +95,18 @@ environment variable must be defined as the path to the primary external storage. The <code>/sdcard</code> path must also resolve to the same location, possibly through a symlink. If a device adjusts the location of external storage between platform updates, symlinks should be created so that old paths continue working.</p> -<p>As an example, here’s the storage configuration for Xoom, which uses a FUSE -daemon to provide primary external storage, and includes a physical SD card as +<p>As an example for Android 4.2.2 and earlier, here's the storage configuration for Xoom, +which uses a FUSE daemon to provide primary external storage, and includes a physical SD card as secondary external storage:</p> <ul> <li><a href="https://android.googlesource.com/device/moto/wingray/+/master/vold.fstab">vold.fstab</a></li> <li><a href="https://android.googlesource.com/device/moto/wingray/+/master/overlay/frameworks/base/core/res/res/xml/storage_list.xml">storage_list.xml</a></li> </ul> +<p>As an example for Android 4.3 and later devices, here's the <code>fstab.goldfish</code> file +for the Android emulator, which emulates an external SD card as primary external storage:</p> +<ul> +<li><a href="https://android.googlesource.com/device/generic/goldfish/+/master/fstab.goldfish">fstab.goldfish</a></li> +</ul> <p>Access to external storage is protected by various Android permissions. Starting in Android 1.0, write access is protected with the <code>WRITE_EXTERNAL_STORAGE</code> permission, implemented using the <code>sdcard_rw</code> GID. @@ -113,7 +139,7 @@ storage into that private namespace.</p> it bind mounts the appropriate user-specific subdirectory from under the FUSE daemon to <code>EMULATED_STORAGE_TARGET</code> so that external storage paths resolve correctly for the app. Because an app lacks accessible mount points for other -users’ storage, they can only access storage for the user it was started as.</p> +users' storage, they can only access storage for the user it was started as.</p> <p>This implementation also uses the shared subtree kernel feature to propagate mount events from the default root namespace into app namespaces, which ensures that features like ASEC containers and OBB mounting continue working correctly. |