Eliminating Android wrapfs "hackery"

By Jake Edge
April 4, 2017

LSFMM 2017

As it has evolved over the years, Android has acquired some hacks in how it handles its filesystems. Ted Ts'o would like to see those hacks eliminated, so he led a session at LSFMM 2017 to look at the problem and see what, if any, upstream-acceptable solution could be found.

Ts'o started with some history. Early Android devices had SD card slots with a FAT filesystem on them. The Android team tried to kill SD cards for the devices, but were ultimately unsuccessful. Meanwhile, the /sdcard mount moved into the /data partition and a FUSE filesystem was added to emulate the case-insensitive behavior of FAT.

In fact, there are three separate FUSE mounts used today to enforce different levels of app privilege: read-only, read-write, or no access to /data. Based on the capabilities of the app, nsenter is used to put it into the namespace where the filesystem is mounted with the proper access restrictions. But this FUSE-based solution has started to become a performance problem, he said.

The weird permission regime could be handled with a stackable Linux Security Module (LSM) on top of the SELinux module that is already used, he said. But supporting case insensitivity is harder. That had been discussed some at LSFMM 2016, but objections were raised because of UTF-8 case-folding requirements and the need to do a brute-force directory search.

Ts'o looked at what Android is doing; it is only handling ASCII file names. He wondered if a case-folding feature could be added to the virtual filesystem (VFS) layer. It could just use strcasecmp() for comparing file names.

Al Viro pointed out that using strcasecmp() would mean that negative directory entries (dentries), which denote names that were looked up but not found, would not work correctly. Unsuccessful searches for "Makefile" with several case variations would leave negative dentries behind, but then "some joker" creates a file with that name and there would be both positive and negative dentries for the "same" name. He suggested that dropping negative dentries for this case might work; it is, he said, what case-insensitive XFS is doing.

The performance implication of dropping negative dentries is probably just fine for Android. The current solution uses FUSE, after all, so it is not hard to do better than that, Ts'o said. Case-insensitive filesystems could be added as a kernel configuration option and as a mount option for specific mounts.

So, Ts'o asked, is that something that could go upstream? Clearly the stacked FUSE approach is not going to cut it, so perhaps some variant of this could? Viro suggested simply doing it in ext4, but Ts'o said that Christoph Hellwig had suggested adding something to the VFS so that all filesystems could use it. Some ideas were thrown around about ways to solve the problem without losing the ability to have negative dentries. No one seemed to come up with a solution there. It seems like it might be possible to get the feature in without negative dentry support, though.

Index entries for this article
Kernel	Android
Conference	Storage, Filesystem, and Memory-Management Summit/2017

Eliminating Android wrapfs "hackery"

Posted Apr 4, 2017 21:02 UTC (Tue) by dezgeg (subscriber, #92243) [Link] (7 responses)

I wonder if any application is actually depending on the case-insensitiveness of the filesystem? Has anybody from the Android team tried to disable the case-insensitive handling code from the FUSE filesystem and seeing if anything breaks?

Eliminating Android wrapfs "hackery"

Posted Apr 4, 2017 21:48 UTC (Tue) by jhhaller (guest, #56103) [Link] (2 responses)

The problem with removing case-insensitivity is that when one moves the SD card to another system which does enforce case-insensitivity, that the second matching file would not be accessible. If users were knowledgeable about filesystems, they would bang their hand on their head and realize their mistake. But, that's not the average phone user, so instead, there would be periodic contacts to support about inaccessible files. It would also change the user interface in that users who type filenames (admittedly few) would need to match case, which is a change to Android user-land. I'm not sure if it would also change ordering of files in the UI in a file-chooser, but that's a possibility, probably easily fixed.

Eliminating Android wrapfs "hackery"

Posted Apr 5, 2017 0:44 UTC (Wed) by BenHutchings (subscriber, #37955) [Link]

> The problem with removing case-insensitivity is that when one moves the SD card to another system which does enforce case-insensitivity, that the second matching file would not be accessible

The SD card that's actually emulated on top of a directory in the internal storage? Pretty hard to remove that.

Eliminating Android wrapfs "hackery"

Posted Apr 5, 2017 1:35 UTC (Wed) by kokada (subscriber, #92849) [Link]

> The problem with removing case-insensitivity is that when one moves the SD card to another system which does enforce case-insensitivity, that the second matching file would not be accessible. If users were knowledgeable about filesystems, they would bang their hand on their head and realize their mistake. But, that's not the average phone user, so instead, there would be periodic contacts to support about inaccessible files. It would also change the user interface in that users who type filenames (admittedly few) would need to match case, which is a change to Android user-land. I'm not sure if it would also change ordering of files in the UI in a file-chooser, but that's a possibility, probably easily fixed

That actually isn't a problem since this is specifically for use in modern Android devices, that "simulates" an SD card by having a /data partition that is some part of the internal storage (a 16GB device will dedicate 2GB for the system and the rest for /data, for example). This partition is formatted as ext4/f2fs and only accessed by MTP.

This is mostly for consistency and backwards compatibility purposes, really. Pre-3.0 Android had /data mounted as an actual SD card that generally was formatted as FAT32, so the Android API have a obscure requirement of having case-insensitivity FS (similar to MacOS). And more recently, some Android devices have both internal memory and support for external SD cards. If the user does not use "adopt storage" feature (that formats the SD card with ext4 FS, allowing first class usage of SD card including installation of Apps without needing to manually moving them), the card will maintain its original FS (FAT32 or exFAT, generally) and you will have the problem of case-insensitivity again.

Either way, what you said wouldn't occur even if Android didn't care about trying to be case-insensitivity. Writing to SD card formatted as FAT32 would be case-insensitivity as always, and writing to internal storage formatted as ext4 would be case-sensitivity. However, this is really prone to bugs since an application can use this space to write user data.

Eliminating Android wrapfs "hackery"

Posted Apr 4, 2017 22:05 UTC (Tue) by khim (subscriber, #9252) [Link] (2 responses)

It would be interesting to see what percentage of apps would be broken, but yes, there are thousands of applications which rely on that.

It's not hard accidentally rely of stuff like that: put something into "Config.Dat" on Java side, read "config.dat" on C++ side - and voila: you have that problem.

Eliminating Android wrapfs "hackery"

Posted Apr 5, 2017 16:34 UTC (Wed) by tao (subscriber, #17563) [Link] (1 responses)

Then again, thousands and thousands of Android apps break every time they make a new release, so it's not like this would be special.

Eliminating Android wrapfs "hackery"

Posted Apr 6, 2017 7:10 UTC (Thu) by khim (subscriber, #9252) [Link]

There are different kinds of breakage. Applications which breaks are usually doing something crazy - e.g. I've seen an application which had ARM-only libraries in “official” package, but also pulled x86 library from resources and injected it into a process if Intel's ARM-emulator, libhoudini, was found. These kinda of tricks are unlikely to be supported by new version of Android.

Applications which only use published API are, in general, considered “safe” - and that case insensitivity is part of published API. I don't think Android developers would seriously consider breaking these!

Eliminating Android wrapfs "hackery"

Posted Apr 5, 2017 10:38 UTC (Wed) by foom (subscriber, #14868) [Link]

Surely the usual way to do this would be to disable the case insensitive hack only for apps compiled for new target sdk versions.

That seems like it'd allow the app developers as much time as they like to ensure the change doesn't break their apps, and also allow apps fast filesystem access once they do. Win?

Eliminating Android wrapfs "hackery"

Posted Apr 6, 2017 3:13 UTC (Thu) by ringerc (subscriber, #3071) [Link] (1 responses)

If the FS doesn't have to support a mix of case-sensitive and case-insensitive access at the same time, can't they just case-fold before doing lookups, so negative dentries would always be lower case and so would their lookups?

That's obvious, so I guess they must have to support both access modes at the same time.

Eliminating Android wrapfs "hackery"

Posted Apr 6, 2017 6:03 UTC (Thu) by dtlin (subscriber, #36537) [Link]

Can't case-fold everything if you need both case-insensitive and case-preserving, e.g. if you create a new foo.DAT file, readdir returns foo.DAT, not FOO.DAT or foo.dat, although those can be used to open the same file.