| Clay Murphy | f9d451e | 2014-10-21 18:11:12 -0700 | [diff] [blame] | 1 | page.title=External Storage |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 2 | @jd:body |
| 3 | |
| 4 | <!-- |
| Heidi von Markham | 1e7b8b7 | 2015-03-09 10:13:48 -0700 | [diff] [blame^] | 5 | Copyright 2015 The Android Open Source Project |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 6 | |
| 7 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 8 | you may not use this file except in compliance with the License. |
| 9 | You may obtain a copy of the License at |
| 10 | |
| 11 | http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | |
| 13 | Unless required by applicable law or agreed to in writing, software |
| 14 | distributed under the License is distributed on an "AS IS" BASIS, |
| 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | See the License for the specific language governing permissions and |
| 17 | limitations under the License. |
| 18 | --> |
| Ken Sumrall | 93c0b9c | 2013-04-16 15:43:27 -0700 | [diff] [blame] | 19 | |
| Heidi von Markham | 1e7b8b7 | 2015-03-09 10:13:48 -0700 | [diff] [blame^] | 20 | <img style="float: right; margin: 0px 15px 15px 0px;" src="images/ape_fwk_hal_extstor.png" alt="Android external storage HAL icon" width="175" /> |
| Jeff Sharkey | 790c02d | 2013-10-18 13:57:33 -0700 | [diff] [blame] | 21 | |
| 22 | <p>Android supports devices with external storage, which is defined to be a |
| 23 | case-insensitive filesystem with immutable POSIX permission classes and |
| 24 | modes. External storage can be provided by physical media (such as an SD |
| 25 | card), or by exposing a portion of internal storage through an emulation |
| 26 | layer. Devices may contain multiple instances of external storage.</p> |
| 27 | |
| 28 | <p>Access to external storage is protected by various Android |
| 29 | permissions. Starting in Android 1.0, write access is protected with the |
| 30 | <code>WRITE_EXTERNAL_STORAGE</code> permission. Starting in Android 4.1, |
| 31 | read access is protected with the <code>READ_EXTERNAL_STORAGE</code> |
| 32 | permission.</p> |
| 33 | |
| 34 | <p>Starting in Android 4.4, the owner, group and modes of files on external |
| 35 | storage devices are now synthesized based on directory structure. This |
| 36 | enables apps to manage their package-specific directories on external |
| 37 | storage without requiring they hold the broad |
| 38 | <code>WRITE_EXTERNAL_STORAGE</code> permission. For example, the app with |
| 39 | package name <code>com.example.foo</code> can now freely access |
| 40 | <code>Android/data/com.example.foo/</code> on external storage devices with |
| 41 | no permissions. These synthesized permissions are accomplished by wrapping |
| 42 | raw storage devices in a FUSE daemon.</p> |
| 43 | |
| 44 | <p>Since external storage offers minimal protection for stored data, system |
| 45 | code should not store sensitive data on external storage. Specifically, |
| 46 | configuration and log files should only be stored on internal storage where |
| 47 | they can be effectively protected.</p> |
| 48 | |
| 49 | |
| 50 | <h2 id="multiple-external-storage-devices">Multiple external storage devices</h2> |
| 51 | |
| 52 | <p>Starting in Android 4.4, multiple external storage devices are surfaced |
| 53 | to developers through <code>Context.getExternalFilesDirs()</code>, |
| 54 | <code>Context.getExternalCacheDirs()</code>, and |
| 55 | <code>Context.getObbDirs()</code>.</p> |
| 56 | |
| 57 | </p>External storage devices surfaced through these APIs must be a |
| 58 | semi-permanent part of the device (such as an SD card slot in a battery |
| 59 | compartment). Developers expect data stored in these locations to be |
| 60 | available over long periods of time. For this reason, transient storage |
| 61 | devices (such as USB mass storage drives) should not be surfaced through |
| 62 | these APIs.</p> |
| 63 | |
| 64 | <p>The <code>WRITE_EXTERNAL_STORAGE</code> permission must only grant write |
| 65 | access to the primary external storage on a device. Apps must not be |
| 66 | allowed to write to secondary external storage devices, except in their |
| 67 | package-specific directories as allowed by synthesized |
| 68 | permissions. Restricting writes in this way ensures the system can clean |
| 69 | up files when applications are uninstalled.</p> |
| 70 | |
| 71 | |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 72 | <h2 id="multi-user-external-storage">Multi-user external storage</h2> |
| Jeff Sharkey | 790c02d | 2013-10-18 13:57:33 -0700 | [diff] [blame] | 73 | |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 74 | <p>Starting in Android 4.2, devices can support multiple users, and external |
| 75 | storage must meet the following constraints:</p> |
| Jeff Sharkey | 790c02d | 2013-10-18 13:57:33 -0700 | [diff] [blame] | 76 | |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 77 | <ul> |
| Jeff Sharkey | 790c02d | 2013-10-18 13:57:33 -0700 | [diff] [blame] | 78 | <li>Each user must have their own isolated primary external storage, and |
| 79 | must not have access to the primary external storage of other users.</li> |
| 80 | <li>The <code>/sdcard</code> path must resolve to the correct user-specific |
| 81 | primary external storage based on the user a process is running as.</li> |
| 82 | <li>Storage for large OBB files in the <code>Android/obb</code> directory |
| 83 | may be shared between multiple users as an optimization.</li> |
| 84 | <li>Secondary external storage must not be writable by apps, except in |
| 85 | package-specific directories as allowed by synthesized permissions.</li> |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 86 | </ul> |
| Jeff Sharkey | 790c02d | 2013-10-18 13:57:33 -0700 | [diff] [blame] | 87 | |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 88 | <p>The default platform implementation of this feature leverages Linux kernel |
| Jeff Sharkey | 790c02d | 2013-10-18 13:57:33 -0700 | [diff] [blame] | 89 | namespaces to create isolated mount tables for each Zygote-forked process, |
| 90 | and then uses bind mounts to offer the correct user-specific primary external |
| Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 91 | storage into that private namespace.</p> |
| Jeff Sharkey | 790c02d | 2013-10-18 13:57:33 -0700 | [diff] [blame] | 92 | |
| 93 | <p>At boot, the system mounts a single emulated external storage FUSE daemon |
| 94 | at <code>EMULATED_STORAGE_SOURCE</code>, which is hidden from apps. After |
| 95 | the Zygote forks, it bind mounts the appropriate user-specific subdirectory |
| 96 | from under the FUSE daemon to <code>EMULATED_STORAGE_TARGET</code> so that |
| 97 | external storage paths resolve correctly for the app. Because an app lacks |
| 98 | accessible mount points for other users' storage, they can only access |
| 99 | storage for the user it was started as.</p> |
| 100 | |
| 101 | <p>This implementation also uses the shared subtree kernel feature to |
| 102 | propagate mount events from the default root namespace into app namespaces, |
| 103 | which ensures that features like ASEC containers and OBB mounting continue |
| 104 | working correctly. It does this by mounting the rootfs as shared, and then |
| 105 | remounting it as slave after each Zygote namespace is created.</p> |