ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "Revert "Securely encrypt the master key""

Browse source
This commit is contained in:
Paul Lawrence 2015-04-28 19:15:40 +00:00 committed by Gerrit Code Review
commit 2b3a493946
3 changed files with 44 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
fs_mgr/fs_mgr.c
View file

@ -31,7 +31,7 @@
#include <dirent.h> #include <dirent.h>
#include <ext4.h> #include <ext4.h>
#include <ext4_sb.h> #include <ext4_sb.h>
#include <ext4_crypt_init_extensions.h> #include <ext4_crypt.h>
#include <linux/loop.h> #include <linux/loop.h>
#include <private/android_filesystem_config.h> #include <private/android_filesystem_config.h>
@ -483,6 +483,16 @@ static int handle_encryptable(struct fstab *fstab, const struct fstab_rec* rec)
return FS_MGR_MNTALL_FAIL; return FS_MGR_MNTALL_FAIL;
} }
// Link it to the normal place so ext4_crypt functions work normally
strlcat(tmp_mnt, "/unencrypted", sizeof(tmp_mnt));
char link_path[PATH_MAX];
strlcpy(link_path, rec->mount_point, sizeof(link_path));
strlcat(link_path, "/unencrypted", sizeof(link_path));
if (symlink(tmp_mnt, link_path)) {
ERROR("Error creating symlink to unencrypted directory\n");
return FS_MGR_MNTALL_FAIL;
}
return FS_MGR_MNTALL_DEV_NON_DEFAULT_FILE_ENCRYPTED; return FS_MGR_MNTALL_DEV_NON_DEFAULT_FILE_ENCRYPTED;
} }

45
init/builtins.cpp
View file

@ -29,7 +29,7 @@
#include <sys/wait.h> #include <sys/wait.h>
#include <unistd.h> #include <unistd.h>
#include <linux/loop.h> #include <linux/loop.h>
#include <ext4_crypt_init_extensions.h> #include <ext4_crypt.h>
#include <selinux/selinux.h> #include <selinux/selinux.h>
#include <selinux/label.h> #include <selinux/label.h>
@ -385,6 +385,18 @@ static int wipe_data_via_recovery()
while (1) { pause(); } // never reached while (1) { pause(); } // never reached
} }
/*
* Callback to make a directory from the ext4 code
*/
static int do_mount_alls_make_dir(const char* dir)
{
if (make_dir(dir, 0700) && errno != EEXIST) {
return -1;
}
return 0;
}
/* /*
* This function might request a reboot, in which case it will * This function might request a reboot, in which case it will
* not return. * not return.
@ -453,6 +465,22 @@ int do_mount_all(int nargs, char **args)
ret = wipe_data_via_recovery(); ret = wipe_data_via_recovery();
/* If reboot worked, there is no return. */ /* If reboot worked, there is no return. */
} else if (ret == FS_MGR_MNTALL_DEV_DEFAULT_FILE_ENCRYPTED) { } else if (ret == FS_MGR_MNTALL_DEV_DEFAULT_FILE_ENCRYPTED) {
// We have to create the key files here. Only init can call make_dir,
// and we can't do it from fs_mgr as then fs_mgr would depend on
// make_dir creating a circular dependency.
fstab = fs_mgr_read_fstab(args[1]);
for (int i = 0; i < fstab->num_entries; ++i) {
if (fs_mgr_is_file_encrypted(&fstab->recs[i])) {
if (e4crypt_create_device_key(fstab->recs[i].mount_point,
do_mount_alls_make_dir)) {
ERROR("Could not create device key on %s"
" - continue unencrypted\n",
fstab->recs[i].mount_point);
}
}
}
fs_mgr_free_fstab(fstab);
if (e4crypt_install_keyring()) { if (e4crypt_install_keyring()) {
return -1; return -1;
} }
@ -812,23 +840,10 @@ int do_wait(int nargs, char **args)
return -1; return -1;
} }
/*
* Callback to make a directory from the ext4 code
*/
static int do_installkeys_ensure_dir_exists(const char* dir)
{
if (make_dir(dir, 0700) && errno != EEXIST) {
return -1;
}
return 0;
}
int do_installkey(int nargs, char **args) int do_installkey(int nargs, char **args)
{ {
if (nargs == 2) { if (nargs == 2) {
return e4crypt_create_device_key(args[1], return e4crypt_install_key(args[1]);
do_installkeys_ensure_dir_exists);
} }
return -1; return -1;

8
rootdir/init.rc
View file

@ -220,17 +220,14 @@ on post-fs
mkdir /cache/lost+found 0770 root root mkdir /cache/lost+found 0770 root root
on post-fs-data on post-fs-data
installkey /data
# We chown/chmod /data again so because mount is run as root + defaults # We chown/chmod /data again so because mount is run as root + defaults
chown system system /data chown system system /data
chmod 0771 /data chmod 0771 /data
# We restorecon /data in case the userdata partition has been reset. # We restorecon /data in case the userdata partition has been reset.
restorecon /data restorecon /data
# Make sure we have the device encryption key
start logd
start vold
installkey /data
# Start bootcharting as soon as possible after the data partition is # Start bootcharting as soon as possible after the data partition is
# mounted to collect more data. # mounted to collect more data.
mkdir /data/bootchart 0755 shell shell mkdir /data/bootchart 0755 shell shell
@ -452,6 +449,7 @@ on property:vold.decrypt=trigger_restart_min_framework
class_start main class_start main
on property:vold.decrypt=trigger_restart_framework on property:vold.decrypt=trigger_restart_framework
installkey /data
class_start main class_start main
class_start late_start class_start late_start