Snap for 6439596 from 5ba8aeaa8060d14f2933083702ab9355311a6552 to qt-aml-tzdata-release
Change-Id: Id018f3b9eceb19b224a00e3adb89cde6db022ff6
diff --git a/.clang-format b/.clang-format
deleted file mode 120000
index ddcf5a2..0000000
--- a/.clang-format
+++ /dev/null
@@ -1 +0,0 @@
-../../build/soong/scripts/system-clang-format
\ No newline at end of file
diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..ae4a451
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,11 @@
+BasedOnStyle: Google
+AccessModifierOffset: -2
+AllowShortFunctionsOnASingleLine: Inline
+ColumnLimit: 100
+CommentPragmas: NOLINT:.*
+DerivePointerAlignment: false
+IndentWidth: 4
+PointerAlignment: Left
+TabWidth: 4
+UseTab: Never
+PenaltyExcessCharacter: 32
diff --git a/Android.bp b/Android.bp
index 452746c..1045dc2 100644
--- a/Android.bp
+++ b/Android.bp
@@ -30,8 +30,6 @@
static_libs: [
"libavb",
"libbootloader_message",
- "libdm",
- "libext2_uuid",
"libfec",
"libfec_rs",
"libfs_avb",
@@ -52,9 +50,11 @@
"libdiskconfig",
"libext4_utils",
"libf2fs_sparseblock",
+ "libfscrypt",
"libhardware",
"libhardware_legacy",
"libhidlbase",
+ "libhwbinder",
"libkeymaster4support",
"libkeyutils",
"liblog",
@@ -85,7 +85,6 @@
cc_library_headers {
name: "libvold_headers",
- recovery_available: true,
export_include_dirs: ["."],
}
@@ -190,6 +189,7 @@
shared_libs: [
"[email protected]",
+ "libhidltransport",
],
}
@@ -227,6 +227,7 @@
"libhardware",
"libhardware_legacy",
"libhidlbase",
+ "libhwbinder",
"libkeymaster4support",
],
}
@@ -266,5 +267,6 @@
"binder/android/os/IVoldListener.aidl",
"binder/android/os/IVoldTaskListener.aidl",
],
- path: "binder",
}
+
+subdirs = ["tests"]
diff --git a/Benchmark.cpp b/Benchmark.cpp
index 0770da7..b0a3b85 100644
--- a/Benchmark.cpp
+++ b/Benchmark.cpp
@@ -23,8 +23,8 @@
#include <android-base/logging.h>
#include <cutils/iosched_policy.h>
+#include <hardware_legacy/power.h>
#include <private/android_filesystem_config.h>
-#include <wakelock/wakelock.h>
#include <thread>
@@ -181,7 +181,7 @@
void Benchmark(const std::string& path,
const android::sp<android::os::IVoldTaskListener>& listener) {
std::lock_guard<std::mutex> lock(kBenchmarkLock);
- android::wakelock::WakeLock wl{kWakeLock};
+ acquire_wake_lock(PARTIAL_WAKE_LOCK, kWakeLock);
PerformanceBoost boost;
android::os::PersistableBundle extras;
@@ -190,6 +190,8 @@
if (listener) {
listener->onFinished(res, extras);
}
+
+ release_wake_lock(kWakeLock);
}
} // namespace vold
diff --git a/Checkpoint.cpp b/Checkpoint.cpp
index b2b648f..3f688f8 100644
--- a/Checkpoint.cpp
+++ b/Checkpoint.cpp
@@ -61,16 +61,6 @@
namespace {
const std::string kMetadataCPFile = "/metadata/vold/checkpoint";
-binder::Status error(const std::string& msg) {
- PLOG(ERROR) << msg;
- return binder::Status::fromServiceSpecificError(errno, String8(msg.c_str()));
-}
-
-binder::Status error(int error, const std::string& msg) {
- LOG(ERROR) << msg;
- return binder::Status::fromServiceSpecificError(error, String8(msg.c_str()));
-}
-
bool setBowState(std::string const& block_device, std::string const& state) {
std::string bow_device = fs_mgr_find_bow_device(block_device);
if (bow_device.empty()) return false;
@@ -122,11 +112,7 @@
}
Status cp_startCheckpoint(int retry) {
- bool result;
- if (!cp_supportsCheckpoint(result).isOk() || !result)
- return error(ENOTSUP, "Checkpoints not supported");
-
- if (retry < -1) return error(EINVAL, "Retry count must be more than -1");
+ if (retry < -1) return Status::fromExceptionCode(EINVAL, "Retry count must be more than -1");
std::string content = std::to_string(retry + 1);
if (retry == -1) {
sp<IBootControl> module = IBootControl::getService();
@@ -137,24 +123,16 @@
}
}
if (!android::base::WriteStringToFile(content, kMetadataCPFile))
- return error("Failed to write checkpoint file");
+ return Status::fromExceptionCode(errno, "Failed to write checkpoint file");
return Status::ok();
}
namespace {
volatile bool isCheckpointing = false;
-
-volatile bool needsCheckpointWasCalled = false;
-
-// Protects isCheckpointing, needsCheckpointWasCalled and code that makes decisions based on status
-// of isCheckpointing
-std::mutex isCheckpointingLock;
}
Status cp_commitChanges() {
- std::lock_guard<std::mutex> lock(isCheckpointingLock);
-
if (!isCheckpointing) {
return Status::ok();
}
@@ -167,8 +145,10 @@
if (module) {
CommandResult cr;
module->markBootSuccessful([&cr](CommandResult result) { cr = result; });
- if (!cr.success)
- return error(EINVAL, "Error marking booted successfully: " + std::string(cr.errMsg));
+ if (!cr.success) {
+ std::string msg = "Error marking booted successfully: " + std::string(cr.errMsg);
+ return Status::fromExceptionCode(EINVAL, String8(msg.c_str()));
+ }
LOG(INFO) << "Marked slot as booted successfully.";
}
// Must take action for list of mounted checkpointed things here
@@ -179,7 +159,7 @@
Fstab mounts;
if (!ReadFstabFromFile("/proc/mounts", &mounts)) {
- return error(EINVAL, "Failed to get /proc/mounts");
+ return Status::fromExceptionCode(EINVAL, "Failed to get /proc/mounts");
}
// Walk mounted file systems
@@ -192,20 +172,19 @@
std::string options = mount_rec.fs_options + ",checkpoint=enable";
if (mount(mount_rec.blk_device.c_str(), mount_rec.mount_point.c_str(), "none",
MS_REMOUNT | fstab_rec->flags, options.c_str())) {
- return error(EINVAL, "Failed to remount");
+ return Status::fromExceptionCode(EINVAL, "Failed to remount");
}
}
} else if (fstab_rec->fs_mgr_flags.checkpoint_blk) {
if (!setBowState(mount_rec.blk_device, "2"))
- return error(EINVAL, "Failed to set bow state");
+ return Status::fromExceptionCode(EINVAL, "Failed to set bow state");
}
}
SetProperty("vold.checkpoint_committed", "1");
LOG(INFO) << "Checkpoint has been committed.";
isCheckpointing = false;
if (!android::base::RemoveFileIfExists(kMetadataCPFile, &err_str))
- return error(err_str.c_str());
-
+ return Status::fromExceptionCode(errno, err_str.c_str());
return Status::ok();
}
@@ -265,11 +244,10 @@
}
bool cp_needsCheckpoint() {
- std::lock_guard<std::mutex> lock(isCheckpointingLock);
-
// Make sure we only return true during boot. See b/138952436 for discussion
- if (needsCheckpointWasCalled) return isCheckpointing;
- needsCheckpointWasCalled = true;
+ static bool called_once = false;
+ if (called_once) return isCheckpointing;
+ called_once = true;
bool ret;
std::string content;
@@ -346,14 +324,13 @@
Status cp_prepareCheckpoint() {
// Log to notify CTS - see b/137924328 for context
LOG(INFO) << "cp_prepareCheckpoint called";
- std::lock_guard<std::mutex> lock(isCheckpointingLock);
if (!isCheckpointing) {
return Status::ok();
}
Fstab mounts;
if (!ReadFstabFromFile("/proc/mounts", &mounts)) {
- return error(EINVAL, "Failed to get /proc/mounts");
+ return Status::fromExceptionCode(EINVAL, "Failed to get /proc/mounts");
}
for (const auto& mount_rec : mounts) {
@@ -613,7 +590,10 @@
LOG(INFO) << action << " checkpoint on " << blockDevice;
base::unique_fd device_fd(open(blockDevice.c_str(), O_RDWR | O_CLOEXEC));
- if (device_fd < 0) return error("Cannot open " + blockDevice);
+ if (device_fd < 0) {
+ PLOG(ERROR) << "Cannot open " << blockDevice;
+ return Status::fromExceptionCode(errno, ("Cannot open " + blockDevice).c_str());
+ }
log_sector_v1_0 original_ls;
read(device_fd, reinterpret_cast<char*>(&original_ls), sizeof(original_ls));
@@ -621,7 +601,8 @@
validating = false;
action = "Restoring";
} else if (original_ls.magic != kMagic) {
- return error(EINVAL, "No magic");
+ LOG(ERROR) << "No magic";
+ return Status::fromExceptionCode(EINVAL, "No magic");
}
LOG(INFO) << action << " " << original_ls.sequence << " log sectors";
@@ -635,18 +616,23 @@
used_sectors[0] = false;
if (ls.magic != kMagic && (ls.magic != kPartialRestoreMagic || validating)) {
- status = error(EINVAL, "No magic");
+ LOG(ERROR) << "No magic!";
+ status = Status::fromExceptionCode(EINVAL, "No magic");
break;
}
if (ls.block_size != original_ls.block_size) {
- status = error(EINVAL, "Block size mismatch");
+ LOG(ERROR) << "Block size mismatch!";
+ status = Status::fromExceptionCode(EINVAL, "Block size mismatch");
break;
}
if ((int)ls.sequence != sequence) {
- status = error(EINVAL, "Expecting log sector " + std::to_string(sequence) +
- " but got " + std::to_string(ls.sequence));
+ LOG(ERROR) << "Expecting log sector " << sequence << " but got " << ls.sequence;
+ status = Status::fromExceptionCode(
+ EINVAL, ("Expecting log sector " + std::to_string(sequence) + " but got " +
+ std::to_string(ls.sequence))
+ .c_str());
break;
}
@@ -667,7 +653,8 @@
}
if (le->checksum && checksum != le->checksum) {
- status = error(EINVAL, "Checksums don't match");
+ LOG(ERROR) << "Checksums don't match " << std::hex << checksum;
+ status = Status::fromExceptionCode(EINVAL, "Checksums don't match");
break;
}
@@ -677,7 +664,8 @@
restoreSector(device_fd, used_sectors, ls_buffer, le, buffer);
restore_count++;
if (restore_limit && restore_count >= restore_limit) {
- status = error(EAGAIN, "Hit the test limit");
+ LOG(WARNING) << "Hit the test limit";
+ status = Status::fromExceptionCode(EAGAIN, "Hit the test limit");
break;
}
}
@@ -715,26 +703,23 @@
// If the file doesn't exist, we aren't managing a checkpoint retry counter
if (result != 0) return Status::ok();
- if (!android::base::ReadFileToString(kMetadataCPFile, &oldContent))
- return error("Failed to read checkpoint file");
+ if (!android::base::ReadFileToString(kMetadataCPFile, &oldContent)) {
+ PLOG(ERROR) << "Failed to read checkpoint file";
+ return Status::fromExceptionCode(errno, "Failed to read checkpoint file");
+ }
std::string retryContent = oldContent.substr(0, oldContent.find_first_of(" "));
if (!android::base::ParseInt(retryContent, &retry))
- return error(EINVAL, "Could not parse retry count");
+ return Status::fromExceptionCode(EINVAL, "Could not parse retry count");
if (retry > 0) {
retry--;
newContent = std::to_string(retry);
if (!android::base::WriteStringToFile(newContent, kMetadataCPFile))
- return error("Could not write checkpoint file");
+ return Status::fromExceptionCode(errno, "Could not write checkpoint file");
}
return Status::ok();
}
-void cp_resetCheckpoint() {
- std::lock_guard<std::mutex> lock(isCheckpointingLock);
- needsCheckpointWasCalled = false;
-}
-
} // namespace vold
} // namespace android
diff --git a/Checkpoint.h b/Checkpoint.h
index c1fb2b7..63ead83 100644
--- a/Checkpoint.h
+++ b/Checkpoint.h
@@ -45,7 +45,6 @@
android::binder::Status cp_markBootAttempt();
-void cp_resetCheckpoint();
} // namespace vold
} // namespace android
diff --git a/Devmapper.cpp b/Devmapper.cpp
index d55d92d..b42467c 100644
--- a/Devmapper.cpp
+++ b/Devmapper.cpp
@@ -23,6 +23,7 @@
#include <string.h>
#include <unistd.h>
+#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -31,72 +32,239 @@
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
-#include <libdm/dm.h>
#include <utils/Trace.h>
#include "Devmapper.h"
+#define DEVMAPPER_BUFFER_SIZE 4096
+
using android::base::StringPrintf;
-using namespace android::dm;
static const char* kVoldPrefix = "vold:";
+void Devmapper::ioctlInit(struct dm_ioctl* io, size_t dataSize, const char* name, unsigned flags) {
+ memset(io, 0, dataSize);
+ io->data_size = dataSize;
+ io->data_start = sizeof(struct dm_ioctl);
+ io->version[0] = 4;
+ io->version[1] = 0;
+ io->version[2] = 0;
+ io->flags = flags;
+ if (name) {
+ size_t ret = strlcpy(io->name, name, sizeof(io->name));
+ if (ret >= sizeof(io->name)) abort();
+ }
+}
+
int Devmapper::create(const char* name_raw, const char* loopFile, const char* key,
unsigned long numSectors, char* ubuffer, size_t len) {
- auto& dm = DeviceMapper::Instance();
auto name_string = StringPrintf("%s%s", kVoldPrefix, name_raw);
+ const char* name = name_string.c_str();
- DmTable table;
- table.Emplace<DmTargetCrypt>(0, numSectors, "twofish", key, 0, loopFile, 0);
-
- if (!dm.CreateDevice(name_string, table)) {
- LOG(ERROR) << "Failed to create device-mapper device " << name_string;
+ char* buffer = (char*)malloc(DEVMAPPER_BUFFER_SIZE);
+ if (!buffer) {
+ PLOG(ERROR) << "Failed malloc";
return -1;
}
- std::string path;
- if (!dm.GetDmDevicePathByName(name_string, &path)) {
- LOG(ERROR) << "Failed to get device-mapper device path for " << name_string;
+ int fd;
+ if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
+ PLOG(ERROR) << "Failed open";
+ free(buffer);
return -1;
}
- snprintf(ubuffer, len, "%s", path.c_str());
+
+ struct dm_ioctl* io = (struct dm_ioctl*)buffer;
+
+ // Create the DM device
+ ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
+
+ if (ioctl(fd, DM_DEV_CREATE, io)) {
+ PLOG(ERROR) << "Failed DM_DEV_CREATE";
+ free(buffer);
+ close(fd);
+ return -1;
+ }
+
+ // Set the legacy geometry
+ ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
+
+ char* geoParams = buffer + sizeof(struct dm_ioctl);
+ // bps=512 spc=8 res=32 nft=2 sec=8190 mid=0xf0 spt=63 hds=64 hid=0 bspf=8 rdcl=2 infs=1 bkbs=2
+ strlcpy(geoParams, "0 64 63 0", DEVMAPPER_BUFFER_SIZE - sizeof(struct dm_ioctl));
+ geoParams += strlen(geoParams) + 1;
+ geoParams = (char*)_align(geoParams, 8);
+ if (ioctl(fd, DM_DEV_SET_GEOMETRY, io)) {
+ PLOG(ERROR) << "Failed DM_DEV_SET_GEOMETRY";
+ free(buffer);
+ close(fd);
+ return -1;
+ }
+
+ // Retrieve the device number we were allocated
+ ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
+ if (ioctl(fd, DM_DEV_STATUS, io)) {
+ PLOG(ERROR) << "Failed DM_DEV_STATUS";
+ free(buffer);
+ close(fd);
+ return -1;
+ }
+
+ unsigned minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
+ snprintf(ubuffer, len, "/dev/block/dm-%u", minor);
+
+ // Load the table
+ struct dm_target_spec* tgt;
+ tgt = (struct dm_target_spec*)&buffer[sizeof(struct dm_ioctl)];
+
+ ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, DM_STATUS_TABLE_FLAG);
+ io->target_count = 1;
+ tgt->status = 0;
+
+ tgt->sector_start = 0;
+ tgt->length = numSectors;
+
+ strlcpy(tgt->target_type, "crypt", sizeof(tgt->target_type));
+
+ char* cryptParams = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
+ snprintf(cryptParams,
+ DEVMAPPER_BUFFER_SIZE - (sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec)),
+ "twofish %s 0 %s 0", key, loopFile);
+ cryptParams += strlen(cryptParams) + 1;
+ cryptParams = (char*)_align(cryptParams, 8);
+ tgt->next = cryptParams - buffer;
+
+ if (ioctl(fd, DM_TABLE_LOAD, io)) {
+ PLOG(ERROR) << "Failed DM_TABLE_LOAD";
+ free(buffer);
+ close(fd);
+ return -1;
+ }
+
+ // Resume the new table
+ ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
+
+ if (ioctl(fd, DM_DEV_SUSPEND, io)) {
+ PLOG(ERROR) << "Failed DM_DEV_SUSPEND";
+ free(buffer);
+ close(fd);
+ return -1;
+ }
+
+ free(buffer);
+
+ close(fd);
return 0;
}
int Devmapper::destroy(const char* name_raw) {
- auto& dm = DeviceMapper::Instance();
-
auto name_string = StringPrintf("%s%s", kVoldPrefix, name_raw);
- if (!dm.DeleteDevice(name_string)) {
+ const char* name = name_string.c_str();
+
+ char* buffer = (char*)malloc(DEVMAPPER_BUFFER_SIZE);
+ if (!buffer) {
+ PLOG(ERROR) << "Failed malloc";
+ return -1;
+ }
+
+ int fd;
+ if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
+ PLOG(ERROR) << "Failed open";
+ free(buffer);
+ return -1;
+ }
+
+ struct dm_ioctl* io = (struct dm_ioctl*)buffer;
+
+ // Create the DM device
+ ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
+
+ if (ioctl(fd, DM_DEV_REMOVE, io)) {
if (errno != ENXIO) {
PLOG(ERROR) << "Failed DM_DEV_REMOVE";
}
+ free(buffer);
+ close(fd);
return -1;
}
+
+ free(buffer);
+ close(fd);
return 0;
}
int Devmapper::destroyAll() {
ATRACE_NAME("Devmapper::destroyAll");
+ char* buffer = (char*)malloc(1024 * 64);
+ if (!buffer) {
+ PLOG(ERROR) << "Failed malloc";
+ return -1;
+ }
+ memset(buffer, 0, (1024 * 64));
- auto& dm = DeviceMapper::Instance();
- std::vector<DeviceMapper::DmBlockDevice> devices;
- if (!dm.GetAvailableDevices(&devices)) {
- LOG(ERROR) << "Failed to get dm devices";
+ char* buffer2 = (char*)malloc(DEVMAPPER_BUFFER_SIZE);
+ if (!buffer2) {
+ PLOG(ERROR) << "Failed malloc";
+ free(buffer);
return -1;
}
- for (const auto& device : devices) {
- if (android::base::StartsWith(device.name(), kVoldPrefix)) {
- LOG(DEBUG) << "Tearing down stale dm device named " << device.name();
- if (!dm.DeleteDevice(device.name())) {
+ int fd;
+ if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
+ PLOG(ERROR) << "Failed open";
+ free(buffer);
+ free(buffer2);
+ return -1;
+ }
+
+ struct dm_ioctl* io = (struct dm_ioctl*)buffer;
+ ioctlInit(io, (1024 * 64), NULL, 0);
+
+ if (ioctl(fd, DM_LIST_DEVICES, io)) {
+ PLOG(ERROR) << "Failed DM_LIST_DEVICES";
+ free(buffer);
+ free(buffer2);
+ close(fd);
+ return -1;
+ }
+
+ struct dm_name_list* n = (struct dm_name_list*)(((char*)buffer) + io->data_start);
+ if (!n->dev) {
+ free(buffer);
+ free(buffer2);
+ close(fd);
+ return 0;
+ }
+
+ unsigned nxt = 0;
+ do {
+ n = (struct dm_name_list*)(((char*)n) + nxt);
+ auto name = std::string(n->name);
+ if (android::base::StartsWith(name, kVoldPrefix)) {
+ LOG(DEBUG) << "Tearing down stale dm device named " << name;
+
+ memset(buffer2, 0, DEVMAPPER_BUFFER_SIZE);
+ struct dm_ioctl* io2 = (struct dm_ioctl*)buffer2;
+ ioctlInit(io2, DEVMAPPER_BUFFER_SIZE, n->name, 0);
+ if (ioctl(fd, DM_DEV_REMOVE, io2)) {
if (errno != ENXIO) {
- PLOG(WARNING) << "Failed to destroy dm device named " << device.name();
+ PLOG(WARNING) << "Failed to destroy dm device named " << name;
}
}
} else {
- LOG(DEBUG) << "Found unmanaged dm device named " << device.name();
+ LOG(DEBUG) << "Found unmanaged dm device named " << name;
}
- }
+ nxt = n->next;
+ } while (nxt);
+
+ free(buffer);
+ free(buffer2);
+ close(fd);
return 0;
}
+
+void* Devmapper::_align(void* ptr, unsigned int a) {
+ unsigned long agn = --a;
+
+ return (void*)(((unsigned long)ptr + agn) & ~agn);
+}
diff --git a/Devmapper.h b/Devmapper.h
index 9d4896e..b1f6dfa 100644
--- a/Devmapper.h
+++ b/Devmapper.h
@@ -26,6 +26,10 @@
unsigned long numSectors, char* buffer, size_t len);
static int destroy(const char* name);
static int destroyAll();
+
+ private:
+ static void* _align(void* ptr, unsigned int a);
+ static void ioctlInit(struct dm_ioctl* io, size_t data_size, const char* name, unsigned flags);
};
#endif
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index c101ba8..07560e0 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -57,7 +57,6 @@
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/stringprintf.h>
-#include <android-base/strings.h>
#include <android-base/unique_fd.h>
using android::base::StringPrintf;
@@ -65,10 +64,15 @@
using android::vold::kEmptyAuthentication;
using android::vold::KeyBuffer;
using android::vold::writeStringToFile;
-using namespace android::fscrypt;
namespace {
+struct PolicyKeyRef {
+ std::string contents_mode;
+ std::string filenames_mode;
+ std::string key_raw_ref;
+};
+
const std::string device_key_dir = std::string() + DATA_MNT_POINT + fscrypt_unencrypted_folder;
const std::string device_key_path = device_key_dir + "/key";
const std::string device_key_temp = device_key_dir + "/temp";
@@ -195,54 +199,13 @@
return false;
}
-// Retrieve the options to use for encryption policies on the /data filesystem.
-static void get_data_file_encryption_options(EncryptionOptions* options) {
- auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
- if (entry == nullptr) {
- return;
- }
- if (!ParseOptions(entry->encryption_options, options)) {
- LOG(ERROR) << "Unable to parse encryption options for " << DATA_MNT_POINT ": "
- << entry->encryption_options;
- return;
- }
-}
-
-// Retrieve the version to use for encryption policies on the /data filesystem.
-static int get_data_file_policy_version(void) {
- EncryptionOptions options;
- get_data_file_encryption_options(&options);
- return options.version;
-}
-
-// Retrieve the options to use for encryption policies on adoptable storage.
-static bool get_volume_file_encryption_options(EncryptionOptions* options) {
- auto contents_mode =
- android::base::GetProperty("ro.crypto.volume.contents_mode", "aes-256-xts");
- auto filenames_mode =
- android::base::GetProperty("ro.crypto.volume.filenames_mode", "aes-256-heh");
- return ParseOptions(android::base::GetProperty("ro.crypto.volume.options",
- contents_mode + ":" + filenames_mode + ":v1"),
- options);
-}
-
-// Install a key for use by encrypted files on the /data filesystem.
-static bool install_data_key(const KeyBuffer& key, std::string* raw_ref) {
- return android::vold::installKey(key, DATA_MNT_POINT, get_data_file_policy_version(), raw_ref);
-}
-
-// Evict a key for use by encrypted files on the /data filesystem.
-static bool evict_data_key(const std::string& raw_ref) {
- return android::vold::evictKey(DATA_MNT_POINT, raw_ref, get_data_file_policy_version());
-}
-
static bool read_and_install_user_ce_key(userid_t user_id,
const android::vold::KeyAuthentication& auth) {
if (s_ce_key_raw_refs.count(user_id) != 0) return true;
KeyBuffer ce_key;
if (!read_and_fixate_user_ce_key(user_id, auth, &ce_key)) return false;
std::string ce_raw_ref;
- if (!install_data_key(ce_key, &ce_raw_ref)) return false;
+ if (!android::vold::installKey(ce_key, &ce_raw_ref)) return false;
s_ce_keys[user_id] = std::move(ce_key);
s_ce_key_raw_refs[user_id] = ce_raw_ref;
LOG(DEBUG) << "Installed ce key for user " << user_id;
@@ -292,10 +255,10 @@
return false;
}
std::string de_raw_ref;
- if (!install_data_key(de_key, &de_raw_ref)) return false;
+ if (!android::vold::installKey(de_key, &de_raw_ref)) return false;
s_de_key_raw_refs[user_id] = de_raw_ref;
std::string ce_raw_ref;
- if (!install_data_key(ce_key, &ce_raw_ref)) return false;
+ if (!android::vold::installKey(ce_key, &ce_raw_ref)) return false;
s_ce_keys[user_id] = ce_key;
s_ce_key_raw_refs[user_id] = ce_raw_ref;
LOG(DEBUG) << "Created keys for user " << user_id;
@@ -313,6 +276,21 @@
return true;
}
+static void get_data_file_encryption_modes(PolicyKeyRef* key_ref) {
+ auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
+ if (entry == nullptr) {
+ return;
+ }
+ key_ref->contents_mode = entry->file_contents_mode;
+ key_ref->filenames_mode = entry->file_names_mode;
+}
+
+static bool ensure_policy(const PolicyKeyRef& key_ref, const std::string& path) {
+ return fscrypt_policy_ensure(path.c_str(), key_ref.key_raw_ref.data(),
+ key_ref.key_raw_ref.size(), key_ref.contents_mode.c_str(),
+ key_ref.filenames_mode.c_str()) == 0;
+}
+
static bool is_numeric(const char* name) {
for (const char* p = name; *p != '\0'; p++) {
if (!isdigit(*p)) return false;
@@ -347,7 +325,7 @@
KeyBuffer key;
if (!android::vold::retrieveKey(key_path, kEmptyAuthentication, &key)) return false;
std::string raw_ref;
- if (!install_data_key(key, &raw_ref)) return false;
+ if (!android::vold::installKey(key, &raw_ref)) return false;
s_de_key_raw_refs[user_id] = raw_ref;
LOG(DEBUG) << "Installed de key for user " << user_id;
}
@@ -365,30 +343,24 @@
return true;
}
- EncryptionPolicy device_policy;
- get_data_file_encryption_options(&device_policy.options);
-
+ PolicyKeyRef device_ref;
if (!android::vold::retrieveAndInstallKey(true, kEmptyAuthentication, device_key_path,
- device_key_temp, "", device_policy.options.version,
- &device_policy.key_raw_ref))
+ device_key_temp, &device_ref.key_raw_ref))
return false;
+ get_data_file_encryption_modes(&device_ref);
- std::string options_string;
- if (!OptionsToString(device_policy.options, &options_string)) {
- LOG(ERROR) << "Unable to serialize options";
- return false;
- }
- std::string options_filename = std::string("/data") + fscrypt_key_mode;
- if (!android::vold::writeStringToFile(options_string, options_filename)) return false;
+ std::string modestring = device_ref.contents_mode + ":" + device_ref.filenames_mode;
+ std::string mode_filename = std::string("/data") + fscrypt_key_mode;
+ if (!android::vold::writeStringToFile(modestring, mode_filename)) return false;
std::string ref_filename = std::string("/data") + fscrypt_key_ref;
- if (!android::vold::writeStringToFile(device_policy.key_raw_ref, ref_filename)) return false;
+ if (!android::vold::writeStringToFile(device_ref.key_raw_ref, ref_filename)) return false;
LOG(INFO) << "Wrote system DE key reference to:" << ref_filename;
KeyBuffer per_boot_key;
if (!android::vold::randomKey(&per_boot_key)) return false;
std::string per_boot_raw_ref;
- if (!install_data_key(per_boot_key, &per_boot_raw_ref)) return false;
+ if (!android::vold::installKey(per_boot_key, &per_boot_raw_ref)) return false;
std::string per_boot_ref_filename = std::string("/data") + fscrypt_key_per_boot_ref;
if (!android::vold::writeStringToFile(per_boot_raw_ref, per_boot_ref_filename)) return false;
LOG(INFO) << "Wrote per boot key reference to:" << per_boot_ref_filename;
@@ -446,23 +418,11 @@
return true;
}
-// "Lock" all encrypted directories whose key has been removed. This is needed
-// in the case where the keys are being put in the session keyring (rather in
-// the newer filesystem-level keyrings), because removing a key from the session
-// keyring doesn't affect inodes in the kernel's inode cache whose per-file key
-// was already set up. So to remove the per-file keys and make the files
-// "appear encrypted", these inodes must be evicted.
-//
-// To do this, sync() to clean all dirty inodes, then drop all reclaimable slab
-// objects systemwide. This is overkill, but it's the best available method
-// currently. Don't use drop_caches mode "3" because that also evicts pagecache
-// for in-use files; all files relevant here are already closed and sync'ed.
-static void drop_caches_if_needed() {
- if (android::vold::isFsKeyringSupported()) {
- return;
- }
+static void drop_caches() {
+ // Clean any dirty pages (otherwise they won't be dropped).
sync();
- if (!writeStringToFile("2", "/proc/sys/vm/drop_caches")) {
+ // Drop inode and page caches.
+ if (!writeStringToFile("3", "/proc/sys/vm/drop_caches")) {
PLOG(ERROR) << "Failed to drop caches during key eviction";
}
}
@@ -473,8 +433,8 @@
std::string raw_ref;
// If we haven't loaded the CE key, no need to evict it.
if (lookup_key_ref(s_ce_key_raw_refs, user_id, &raw_ref)) {
- success &= evict_data_key(raw_ref);
- drop_caches_if_needed();
+ success &= android::vold::evictKey(raw_ref);
+ drop_caches();
}
s_ce_key_raw_refs.erase(user_id);
return success;
@@ -488,7 +448,8 @@
bool success = true;
std::string raw_ref;
success &= evict_ce_key(user_id);
- success &= lookup_key_ref(s_de_key_raw_refs, user_id, &raw_ref) && evict_data_key(raw_ref);
+ success &=
+ lookup_key_ref(s_de_key_raw_refs, user_id, &raw_ref) && android::vold::evictKey(raw_ref);
s_de_key_raw_refs.erase(user_id);
auto it = s_ephemeral_users.find(user_id);
if (it != s_ephemeral_users.end()) {
@@ -558,7 +519,7 @@
}
static bool read_or_create_volkey(const std::string& misc_path, const std::string& volume_uuid,
- EncryptionPolicy* policy) {
+ PolicyKeyRef* key_ref) {
auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
std::string secdiscardable_hash;
if (android::vold::pathExists(secdiscardable_path)) {
@@ -578,12 +539,14 @@
return false;
}
android::vold::KeyAuthentication auth("", secdiscardable_hash);
-
- if (!get_volume_file_encryption_options(&policy->options)) return false;
-
- return android::vold::retrieveAndInstallKey(true, auth, key_path, key_path + "_tmp",
- volume_uuid, policy->options.version,
- &policy->key_raw_ref);
+ if (!android::vold::retrieveAndInstallKey(true, auth, key_path, key_path + "_tmp",
+ &key_ref->key_raw_ref))
+ return false;
+ key_ref->contents_mode =
+ android::base::GetProperty("ro.crypto.volume.contents_mode", "aes-256-xts");
+ key_ref->filenames_mode =
+ android::base::GetProperty("ro.crypto.volume.filenames_mode", "aes-256-heh");
+ return true;
}
static bool destroy_volkey(const std::string& misc_path, const std::string& volume_uuid) {
@@ -728,18 +691,17 @@
if (!prepare_dir(user_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
if (fscrypt_is_native()) {
- EncryptionPolicy de_policy;
+ PolicyKeyRef de_ref;
if (volume_uuid.empty()) {
- if (!lookup_key_ref(s_de_key_raw_refs, user_id, &de_policy.key_raw_ref))
- return false;
- get_data_file_encryption_options(&de_policy.options);
- if (!EnsurePolicy(de_policy, system_de_path)) return false;
- if (!EnsurePolicy(de_policy, misc_de_path)) return false;
- if (!EnsurePolicy(de_policy, vendor_de_path)) return false;
+ if (!lookup_key_ref(s_de_key_raw_refs, user_id, &de_ref.key_raw_ref)) return false;
+ get_data_file_encryption_modes(&de_ref);
+ if (!ensure_policy(de_ref, system_de_path)) return false;
+ if (!ensure_policy(de_ref, misc_de_path)) return false;
+ if (!ensure_policy(de_ref, vendor_de_path)) return false;
} else {
- if (!read_or_create_volkey(misc_de_path, volume_uuid, &de_policy)) return false;
+ if (!read_or_create_volkey(misc_de_path, volume_uuid, &de_ref)) return false;
}
- if (!EnsurePolicy(de_policy, user_de_path)) return false;
+ if (!ensure_policy(de_ref, user_de_path)) return false;
}
}
@@ -760,20 +722,19 @@
if (!prepare_dir(user_ce_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
if (fscrypt_is_native()) {
- EncryptionPolicy ce_policy;
+ PolicyKeyRef ce_ref;
if (volume_uuid.empty()) {
- if (!lookup_key_ref(s_ce_key_raw_refs, user_id, &ce_policy.key_raw_ref))
- return false;
- get_data_file_encryption_options(&ce_policy.options);
- if (!EnsurePolicy(ce_policy, system_ce_path)) return false;
- if (!EnsurePolicy(ce_policy, misc_ce_path)) return false;
- if (!EnsurePolicy(ce_policy, vendor_ce_path)) return false;
+ if (!lookup_key_ref(s_ce_key_raw_refs, user_id, &ce_ref.key_raw_ref)) return false;
+ get_data_file_encryption_modes(&ce_ref);
+ if (!ensure_policy(ce_ref, system_ce_path)) return false;
+ if (!ensure_policy(ce_ref, misc_ce_path)) return false;
+ if (!ensure_policy(ce_ref, vendor_ce_path)) return false;
} else {
- if (!read_or_create_volkey(misc_ce_path, volume_uuid, &ce_policy)) return false;
+ if (!read_or_create_volkey(misc_ce_path, volume_uuid, &ce_ref)) return false;
}
- if (!EnsurePolicy(ce_policy, media_ce_path)) return false;
- if (!EnsurePolicy(ce_policy, user_ce_path)) return false;
+ if (!ensure_policy(ce_ref, media_ce_path)) return false;
+ if (!ensure_policy(ce_ref, user_ce_path)) return false;
}
if (volume_uuid.empty()) {
diff --git a/IdleMaint.cpp b/IdleMaint.cpp
index 2b5a8f1..bca22f6 100644
--- a/IdleMaint.cpp
+++ b/IdleMaint.cpp
@@ -29,8 +29,8 @@
#include <android-base/strings.h>
#include <android/hardware/health/storage/1.0/IStorage.h>
#include <fs_mgr.h>
+#include <hardware_legacy/power.h>
#include <private/android_filesystem_config.h>
-#include <wakelock/wakelock.h>
#include <dirent.h>
#include <fcntl.h>
@@ -145,7 +145,7 @@
}
void Trim(const android::sp<android::os::IVoldTaskListener>& listener) {
- android::wakelock::WakeLock wl{kWakeLock};
+ acquire_wake_lock(PARTIAL_WAKE_LOCK, kWakeLock);
// Collect both fstab and vold volumes
std::list<std::string> paths;
@@ -195,6 +195,7 @@
listener->onFinished(0, extras);
}
+ release_wake_lock(kWakeLock);
}
static bool waitForGc(const std::list<std::string>& paths) {
@@ -369,7 +370,7 @@
LOG(DEBUG) << "idle maintenance started";
- android::wakelock::WakeLock wl{kWakeLock};
+ acquire_wake_lock(PARTIAL_WAKE_LOCK, kWakeLock);
std::list<std::string> paths;
addFromFstab(&paths, PathTypes::kBlkDevice);
@@ -399,11 +400,13 @@
LOG(DEBUG) << "idle maintenance completed";
+ release_wake_lock(kWakeLock);
+
return android::OK;
}
int AbortIdleMaint(const android::sp<android::os::IVoldTaskListener>& listener) {
- android::wakelock::WakeLock wl{kWakeLock};
+ acquire_wake_lock(PARTIAL_WAKE_LOCK, kWakeLock);
std::unique_lock<std::mutex> lk(cv_m);
if (idle_maint_stat != IdleMaintStats::kStopped) {
@@ -421,6 +424,8 @@
listener->onFinished(0, extras);
}
+ release_wake_lock(kWakeLock);
+
LOG(DEBUG) << "idle maintenance stopped";
return android::OK;
diff --git a/KeyStorage.cpp b/KeyStorage.cpp
index d5ac7d0..0290086 100644
--- a/KeyStorage.cpp
+++ b/KeyStorage.cpp
@@ -16,10 +16,10 @@
#include "KeyStorage.h"
-#include "Checkpoint.h"
#include "Keymaster.h"
#include "ScryptParameters.h"
#include "Utils.h"
+#include "Checkpoint.h"
#include <thread>
#include <vector>
@@ -37,8 +37,8 @@
#include <android-base/file.h>
#include <android-base/logging.h>
-#include <android-base/properties.h>
#include <android-base/unique_fd.h>
+#include <android-base/properties.h>
#include <cutils/properties.h>
@@ -126,13 +126,7 @@
paramBuilder.Authorization(km::TAG_USER_AUTH_TYPE, km::HardwareAuthenticatorType::PASSWORD);
paramBuilder.Authorization(km::TAG_AUTH_TIMEOUT, AUTH_TIMEOUT);
}
-
- auto paramsWithRollback = paramBuilder;
- paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
-
- // Generate rollback-resistant key if possible.
- return keymaster.generateKey(paramsWithRollback, key) ||
- keymaster.generateKey(paramBuilder, key);
+ return keymaster.generateKey(paramBuilder, key);
}
static std::pair<km::AuthorizationSet, km::HardwareAuthToken> beginParams(
diff --git a/KeyUtil.cpp b/KeyUtil.cpp
index f822377..12cae9b 100644
--- a/KeyUtil.cpp
+++ b/KeyUtil.cpp
@@ -16,14 +16,12 @@
#include "KeyUtil.h"
+#include <linux/fs.h>
#include <iomanip>
#include <sstream>
#include <string>
-#include <fcntl.h>
-#include <linux/fs.h>
#include <openssl/sha.h>
-#include <sys/ioctl.h>
#include <android-base/file.h>
#include <android-base/logging.h>
@@ -31,7 +29,6 @@
#include "KeyStorage.h"
#include "Utils.h"
-#include "fscrypt_uapi.h"
namespace android {
namespace vold {
@@ -48,42 +45,6 @@
return true;
}
-// Return true if the kernel supports the ioctls to add/remove fscrypt keys
-// directly to/from the filesystem.
-bool isFsKeyringSupported(void) {
- static bool initialized = false;
- static bool supported;
-
- if (!initialized) {
- android::base::unique_fd fd(open("/data", O_RDONLY | O_DIRECTORY | O_CLOEXEC));
-
- // FS_IOC_ADD_ENCRYPTION_KEY with a NULL argument will fail with ENOTTY
- // if the ioctl isn't supported. Otherwise it will fail with another
- // error code such as EFAULT.
- errno = 0;
- (void)ioctl(fd, FS_IOC_ADD_ENCRYPTION_KEY, NULL);
- if (errno == ENOTTY) {
- LOG(INFO) << "Kernel doesn't support FS_IOC_ADD_ENCRYPTION_KEY. Falling back to "
- "session keyring";
- supported = false;
- } else {
- if (errno != EFAULT) {
- PLOG(WARNING) << "Unexpected error from FS_IOC_ADD_ENCRYPTION_KEY";
- }
- LOG(DEBUG) << "Detected support for FS_IOC_ADD_ENCRYPTION_KEY";
- supported = true;
- }
- // There's no need to check for FS_IOC_REMOVE_ENCRYPTION_KEY, since it's
- // guaranteed to be available if FS_IOC_ADD_ENCRYPTION_KEY is. There's
- // also no need to check for support on external volumes separately from
- // /data, since either the kernel supports the ioctls on all
- // fscrypt-capable filesystems or it doesn't.
-
- initialized = true;
- }
- return supported;
-}
-
// Get raw keyref - used to make keyname and to pass to ioctl
static std::string generateKeyRef(const uint8_t* key, int length) {
SHA512_CTX c;
@@ -117,20 +78,16 @@
static char const* const NAME_PREFIXES[] = {"ext4", "f2fs", "fscrypt", nullptr};
-static std::string keyrefstring(const std::string& raw_ref) {
+static std::string keyname(const std::string& prefix, const std::string& raw_ref) {
std::ostringstream o;
+ o << prefix << ":";
for (unsigned char i : raw_ref) {
o << std::hex << std::setw(2) << std::setfill('0') << (int)i;
}
return o.str();
}
-static std::string buildLegacyKeyName(const std::string& prefix, const std::string& raw_ref) {
- return prefix + ":" + keyrefstring(raw_ref);
-}
-
-// Get the ID of the keyring we store all fscrypt keys in when the kernel is too
-// old to support FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY.
+// Get the keyring we store all keys in
static bool fscryptKeyring(key_serial_t* device_keyring) {
*device_keyring = keyctl_search(KEY_SPEC_SESSION_KEYRING, "keyring", "fscrypt", 0);
if (*device_keyring == -1) {
@@ -140,17 +97,19 @@
return true;
}
-// Add an encryption key to the legacy global session keyring.
-static bool installKeyLegacy(const KeyBuffer& key, const std::string& raw_ref) {
+// Install password into global keyring
+// Return raw key reference for use in policy
+bool installKey(const KeyBuffer& key, std::string* raw_ref) {
// Place fscrypt_key into automatically zeroing buffer.
KeyBuffer fsKeyBuffer(sizeof(fscrypt_key));
fscrypt_key& fs_key = *reinterpret_cast<fscrypt_key*>(fsKeyBuffer.data());
if (!fillKey(key, &fs_key)) return false;
+ *raw_ref = generateKeyRef(fs_key.raw, fs_key.size);
key_serial_t device_keyring;
if (!fscryptKeyring(&device_keyring)) return false;
for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) {
- auto ref = buildLegacyKeyName(*name_prefix, raw_ref);
+ auto ref = keyname(*name_prefix, *raw_ref);
key_serial_t key_id =
add_key("logon", ref.c_str(), (void*)&fs_key, sizeof(fs_key), device_keyring);
if (key_id == -1) {
@@ -163,110 +122,12 @@
return true;
}
-// Build a struct fscrypt_key_specifier for use in the key management ioctls.
-static bool buildKeySpecifier(fscrypt_key_specifier* spec, const std::string& raw_ref,
- int policy_version) {
- switch (policy_version) {
- case 1:
- if (raw_ref.size() != FSCRYPT_KEY_DESCRIPTOR_SIZE) {
- LOG(ERROR) << "Invalid key specifier size for v1 encryption policy: "
- << raw_ref.size();
- return false;
- }
- spec->type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
- memcpy(spec->u.descriptor, raw_ref.c_str(), FSCRYPT_KEY_DESCRIPTOR_SIZE);
- return true;
- case 2:
- if (raw_ref.size() != FSCRYPT_KEY_IDENTIFIER_SIZE) {
- LOG(ERROR) << "Invalid key specifier size for v2 encryption policy: "
- << raw_ref.size();
- return false;
- }
- spec->type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
- memcpy(spec->u.identifier, raw_ref.c_str(), FSCRYPT_KEY_IDENTIFIER_SIZE);
- return true;
- default:
- LOG(ERROR) << "Invalid encryption policy version: " << policy_version;
- return false;
- }
-}
-
-// Install a file-based encryption key to the kernel, for use by encrypted files
-// on the specified filesystem using the specified encryption policy version.
-//
-// For v1 policies, we use FS_IOC_ADD_ENCRYPTION_KEY if the kernel supports it.
-// Otherwise we add the key to the legacy global session keyring.
-//
-// For v2 policies, we always use FS_IOC_ADD_ENCRYPTION_KEY; it's the only way
-// the kernel supports.
-//
-// Returns %true on success, %false on failure. On success also sets *raw_ref
-// to the raw key reference for use in the encryption policy.
-bool installKey(const KeyBuffer& key, const std::string& mountpoint, int policy_version,
- std::string* raw_ref) {
- // Put the fscrypt_add_key_arg in an automatically-zeroing buffer, since we
- // have to copy the raw key into it.
- KeyBuffer arg_buf(sizeof(struct fscrypt_add_key_arg) + key.size(), 0);
- struct fscrypt_add_key_arg* arg = (struct fscrypt_add_key_arg*)arg_buf.data();
-
- // Initialize the "key specifier", which is like a name for the key.
- switch (policy_version) {
- case 1:
- // A key for a v1 policy is specified by an arbitrary 8-byte
- // "descriptor", which must be provided by userspace. We use the
- // first 8 bytes from the double SHA-512 of the key itself.
- *raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
- if (!isFsKeyringSupported()) {
- return installKeyLegacy(key, *raw_ref);
- }
- if (!buildKeySpecifier(&arg->key_spec, *raw_ref, policy_version)) {
- return false;
- }
- break;
- case 2:
- // A key for a v2 policy is specified by an 16-byte "identifier",
- // which is a cryptographic hash of the key itself which the kernel
- // computes and returns. Any user-provided value is ignored; we
- // just need to set the specifier type to indicate that we're adding
- // this type of key.
- arg->key_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
- break;
- default:
- LOG(ERROR) << "Invalid encryption policy version: " << policy_version;
- return false;
- }
-
- // Provide the raw key.
- arg->raw_size = key.size();
- memcpy(arg->raw, key.data(), key.size());
-
- android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
- if (fd == -1) {
- PLOG(ERROR) << "Failed to open " << mountpoint << " to install key";
- return false;
- }
-
- if (ioctl(fd, FS_IOC_ADD_ENCRYPTION_KEY, arg) != 0) {
- PLOG(ERROR) << "Failed to install fscrypt key to " << mountpoint;
- return false;
- }
-
- if (arg->key_spec.type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
- // Retrieve the key identifier that the kernel computed.
- *raw_ref = std::string((char*)arg->key_spec.u.identifier, FSCRYPT_KEY_IDENTIFIER_SIZE);
- }
- LOG(DEBUG) << "Installed fscrypt key with ref " << keyrefstring(*raw_ref) << " to "
- << mountpoint;
- return true;
-}
-
-// Remove an encryption key from the legacy global session keyring.
-static bool evictKeyLegacy(const std::string& raw_ref) {
+bool evictKey(const std::string& raw_ref) {
key_serial_t device_keyring;
if (!fscryptKeyring(&device_keyring)) return false;
bool success = true;
for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) {
- auto ref = buildLegacyKeyName(*name_prefix, raw_ref);
+ auto ref = keyname(*name_prefix, raw_ref);
auto key_serial = keyctl_search(device_keyring, "logon", ref.c_str(), 0);
// Unlink the key from the keyring. Prefer unlinking to revoking or
@@ -283,51 +144,8 @@
return success;
}
-// Evict a file-based encryption key from the kernel.
-//
-// We use FS_IOC_REMOVE_ENCRYPTION_KEY if the kernel supports it. Otherwise we
-// remove the key from the legacy global session keyring.
-//
-// In the latter case, the caller is responsible for dropping caches.
-bool evictKey(const std::string& mountpoint, const std::string& raw_ref, int policy_version) {
- if (policy_version == 1 && !isFsKeyringSupported()) {
- return evictKeyLegacy(raw_ref);
- }
-
- android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
- if (fd == -1) {
- PLOG(ERROR) << "Failed to open " << mountpoint << " to evict key";
- return false;
- }
-
- struct fscrypt_remove_key_arg arg;
- memset(&arg, 0, sizeof(arg));
-
- if (!buildKeySpecifier(&arg.key_spec, raw_ref, policy_version)) {
- return false;
- }
-
- std::string ref = keyrefstring(raw_ref);
-
- if (ioctl(fd, FS_IOC_REMOVE_ENCRYPTION_KEY, &arg) != 0) {
- PLOG(ERROR) << "Failed to evict fscrypt key with ref " << ref << " from " << mountpoint;
- return false;
- }
-
- LOG(DEBUG) << "Evicted fscrypt key with ref " << ref << " from " << mountpoint;
- if (arg.removal_status_flags & FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS) {
- // Should never happen because keys are only added/removed as root.
- LOG(ERROR) << "Unexpected case: key with ref " << ref << " is still added by other users!";
- } else if (arg.removal_status_flags & FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY) {
- LOG(ERROR) << "Files still open after removing key with ref " << ref
- << ". These files were not locked!";
- }
- return true;
-}
-
bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_authentication,
const std::string& key_path, const std::string& tmp_path,
- const std::string& volume_uuid, int policy_version,
std::string* key_ref) {
KeyBuffer key;
if (pathExists(key_path)) {
@@ -343,7 +161,7 @@
if (!storeKeyAtomically(key_path, tmp_path, key_authentication, key)) return false;
}
- if (!installKey(key, BuildDataPath(volume_uuid), policy_version, key_ref)) {
+ if (!installKey(key, key_ref)) {
LOG(ERROR) << "Failed to install key in " << key_path;
return false;
}
diff --git a/KeyUtil.h b/KeyUtil.h
index f6799d9..7ee6725 100644
--- a/KeyUtil.h
+++ b/KeyUtil.h
@@ -27,15 +27,10 @@
namespace vold {
bool randomKey(KeyBuffer* key);
-
-bool isFsKeyringSupported(void);
-
-bool installKey(const KeyBuffer& key, const std::string& mountpoint, int policy_version,
- std::string* raw_ref);
-bool evictKey(const std::string& mountpoint, const std::string& raw_ref, int policy_version);
+bool installKey(const KeyBuffer& key, std::string* raw_ref);
+bool evictKey(const std::string& raw_ref);
bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_authentication,
const std::string& key_path, const std::string& tmp_path,
- const std::string& volume_uuid, int policy_version,
std::string* key_ref);
bool retrieveKey(bool create_if_absent, const std::string& key_path, const std::string& tmp_path,
KeyBuffer* key, bool keepOld = true);
diff --git a/Loop.cpp b/Loop.cpp
index 9fa876c..f5d2481 100644
--- a/Loop.cpp
+++ b/Loop.cpp
@@ -32,12 +32,12 @@
#include <linux/kdev_t.h>
#include <chrono>
+#include <thread>
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
-#include <fs_mgr/file_wait.h>
#include <utils/Trace.h>
#include "Loop.h"
@@ -51,6 +51,22 @@
static const char* kVoldPrefix = "vold:";
static constexpr size_t kLoopDeviceRetryAttempts = 3u;
+static bool wait_for_file(const std::string& filename,
+ const std::chrono::milliseconds relative_timeout) {
+ auto start_time = std::chrono::steady_clock::now();
+
+ while (true) {
+ int rv = access(filename.c_str(), F_OK);
+ if (!rv || errno != ENOENT) return true;
+
+ std::this_thread::sleep_for(50ms);
+
+ auto now = std::chrono::steady_clock::now();
+ auto time_elapsed = std::chrono::duration_cast<std::chrono::milliseconds>(now - start_time);
+ if (time_elapsed > relative_timeout) return false;
+ }
+}
+
int Loop::create(const std::string& target, std::string& out_device) {
unique_fd ctl_fd(open("/dev/loop-control", O_RDWR | O_CLOEXEC));
if (ctl_fd.get() == -1) {
@@ -78,10 +94,12 @@
PLOG(ERROR) << "Failed to open " << target;
return -errno;
}
- if (!android::fs_mgr::WaitForFile(out_device, 2s)) {
+
+ if (!wait_for_file(out_device, 2s)) {
LOG(ERROR) << "Failed to find " << out_device;
return -ENOENT;
}
+
unique_fd device_fd(open(out_device.c_str(), O_RDWR | O_CLOEXEC));
if (device_fd.get() == -1) {
PLOG(ERROR) << "Failed to open " << out_device;
diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp
index abcf6db..35cf3e2 100644
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp
@@ -23,17 +23,19 @@
#include <vector>
#include <fcntl.h>
+#include <sys/ioctl.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <linux/dm-ioctl.h>
+
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/unique_fd.h>
#include <cutils/fs.h>
#include <fs_mgr.h>
-#include <libdm/dm.h>
#include "Checkpoint.h"
#include "EncryptInplace.h"
@@ -43,12 +45,13 @@
#include "Utils.h"
#include "VoldUtil.h"
+#define DM_CRYPT_BUF_SIZE 4096
#define TABLE_LOAD_RETRIES 10
+#define DEFAULT_KEY_TARGET_TYPE "default-key"
using android::fs_mgr::FstabEntry;
using android::fs_mgr::GetEntryForMountPoint;
using android::vold::KeyBuffer;
-using namespace android::dm;
static const std::string kDmNameUserdata = "userdata";
@@ -143,6 +146,16 @@
} // namespace vold
} // namespace android
+static KeyBuffer default_key_params(const std::string& real_blkdev, const KeyBuffer& key) {
+ KeyBuffer hex_key;
+ if (android::vold::StrToHex(key, hex_key) != android::OK) {
+ LOG(ERROR) << "Failed to turn key to hex";
+ return KeyBuffer();
+ }
+ auto res = KeyBuffer() + "AES-256-XTS " + hex_key + " " + real_blkdev.c_str() + " 0";
+ return res;
+}
+
static bool get_number_of_sectors(const std::string& real_blkdev, uint64_t* nr_sec) {
if (android::vold::GetBlockDev512Sectors(real_blkdev, nr_sec) != android::OK) {
PLOG(ERROR) << "Unable to measure size of " << real_blkdev;
@@ -151,35 +164,86 @@
return true;
}
-static bool create_crypto_blk_dev(const std::string& dm_name, uint64_t nr_sec,
- const std::string& real_blkdev, const KeyBuffer& key,
- std::string* crypto_blkdev, bool set_dun) {
- auto& dm = DeviceMapper::Instance();
+static struct dm_ioctl* dm_ioctl_init(char* buffer, size_t buffer_size, const std::string& dm_name) {
+ if (buffer_size < sizeof(dm_ioctl)) {
+ LOG(ERROR) << "dm_ioctl buffer too small";
+ return nullptr;
+ }
- KeyBuffer hex_key_buffer;
- if (android::vold::StrToHex(key, hex_key_buffer) != android::OK) {
- LOG(ERROR) << "Failed to turn key to hex";
+ memset(buffer, 0, buffer_size);
+ struct dm_ioctl* io = (struct dm_ioctl*)buffer;
+ io->data_size = buffer_size;
+ io->data_start = sizeof(struct dm_ioctl);
+ io->version[0] = 4;
+ io->version[1] = 0;
+ io->version[2] = 0;
+ io->flags = 0;
+ dm_name.copy(io->name, sizeof(io->name));
+ return io;
+}
+
+static bool create_crypto_blk_dev(const std::string& dm_name, uint64_t nr_sec,
+ const std::string& target_type, const KeyBuffer& crypt_params,
+ std::string* crypto_blkdev) {
+ android::base::unique_fd dm_fd(
+ TEMP_FAILURE_RETRY(open("/dev/device-mapper", O_RDWR | O_CLOEXEC, 0)));
+ if (dm_fd == -1) {
+ PLOG(ERROR) << "Cannot open device-mapper";
return false;
}
- std::string hex_key(hex_key_buffer.data(), hex_key_buffer.size());
+ alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
+ auto io = dm_ioctl_init(buffer, sizeof(buffer), dm_name);
+ if (!io || ioctl(dm_fd.get(), DM_DEV_CREATE, io) != 0) {
+ PLOG(ERROR) << "Cannot create dm-crypt device " << dm_name;
+ return false;
+ }
- DmTable table;
- table.Emplace<DmTargetDefaultKey>(0, nr_sec, "AES-256-XTS", hex_key, real_blkdev, 0, set_dun);
+ // Get the device status, in particular, the name of its device file
+ io = dm_ioctl_init(buffer, sizeof(buffer), dm_name);
+ if (ioctl(dm_fd.get(), DM_DEV_STATUS, io) != 0) {
+ PLOG(ERROR) << "Cannot retrieve dm-crypt device status " << dm_name;
+ return false;
+ }
+ *crypto_blkdev = std::string() + "/dev/block/dm-" +
+ std::to_string((io->dev & 0xff) | ((io->dev >> 12) & 0xfff00));
+
+ io = dm_ioctl_init(buffer, sizeof(buffer), dm_name);
+ size_t paramix = io->data_start + sizeof(struct dm_target_spec);
+ size_t nullix = paramix + crypt_params.size();
+ size_t endix = (nullix + 1 + 7) & 8; // Add room for \0 and align to 8 byte boundary
+
+ if (endix > sizeof(buffer)) {
+ LOG(ERROR) << "crypt_params too big for DM_CRYPT_BUF_SIZE";
+ return false;
+ }
+
+ io->target_count = 1;
+ auto tgt = (struct dm_target_spec*)(buffer + io->data_start);
+ tgt->status = 0;
+ tgt->sector_start = 0;
+ tgt->length = nr_sec;
+ target_type.copy(tgt->target_type, sizeof(tgt->target_type));
+ memcpy(buffer + paramix, crypt_params.data(),
+ std::min(crypt_params.size(), sizeof(buffer) - paramix));
+ buffer[nullix] = '\0';
+ tgt->next = endix;
for (int i = 0;; i++) {
- if (dm.CreateDevice(dm_name, table)) {
+ if (ioctl(dm_fd.get(), DM_TABLE_LOAD, io) == 0) {
break;
}
if (i + 1 >= TABLE_LOAD_RETRIES) {
- LOG(ERROR) << "Could not create default-key device " << dm_name;
+ PLOG(ERROR) << "DM_TABLE_LOAD ioctl failed";
return false;
}
- PLOG(INFO) << "Could not create default-key device, retrying";
+ PLOG(INFO) << "DM_TABLE_LOAD ioctl failed, retrying";
usleep(500000);
}
- if (!dm.GetDmDevicePathByName(dm_name, crypto_blkdev)) {
- LOG(ERROR) << "Cannot retrieve default-key device status " << dm_name;
+ // Resume this device to activate it
+ io = dm_ioctl_init(buffer, sizeof(buffer), dm_name);
+ if (ioctl(dm_fd.get(), DM_DEV_SUSPEND, io)) {
+ PLOG(ERROR) << "Cannot resume dm-crypt device " << dm_name;
return false;
}
return true;
@@ -203,14 +267,9 @@
if (!read_key(*data_rec, needs_encrypt, &key)) return false;
uint64_t nr_sec;
if (!get_number_of_sectors(data_rec->blk_device, &nr_sec)) return false;
- bool set_dun = android::base::GetBoolProperty("ro.crypto.set_dun", false);
- if (!set_dun && data_rec->fs_mgr_flags.checkpoint_blk) {
- LOG(ERROR) << "Block checkpoints and metadata encryption require setdun option!";
- return false;
- }
-
std::string crypto_blkdev;
- if (!create_crypto_blk_dev(kDmNameUserdata, nr_sec, blk_device, key, &crypto_blkdev, set_dun))
+ if (!create_crypto_blk_dev(kDmNameUserdata, nr_sec, DEFAULT_KEY_TARGET_TYPE,
+ default_key_params(blk_device, key), &crypto_blkdev))
return false;
// FIXME handle the corrupt case
diff --git a/MoveStorage.cpp b/MoveStorage.cpp
index 2447cce..79a47ae 100644
--- a/MoveStorage.cpp
+++ b/MoveStorage.cpp
@@ -21,8 +21,8 @@
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/stringprintf.h>
+#include <hardware_legacy/power.h>
#include <private/android_filesystem_config.h>
-#include <wakelock/wakelock.h>
#include <thread>
@@ -258,13 +258,15 @@
void MoveStorage(const std::shared_ptr<VolumeBase>& from, const std::shared_ptr<VolumeBase>& to,
const android::sp<android::os::IVoldTaskListener>& listener) {
- android::wakelock::WakeLock wl{kWakeLock};
+ acquire_wake_lock(PARTIAL_WAKE_LOCK, kWakeLock);
android::os::PersistableBundle extras;
status_t res = moveStorageInternal(from, to, listener);
if (listener) {
listener->onFinished(res, extras);
}
+
+ release_wake_lock(kWakeLock);
}
} // namespace vold
diff --git a/OWNERS b/OWNERS
index 7779c20..4e45284 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,6 +1,3 @@
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
-
diff --git a/Utils.cpp b/Utils.cpp
index 1616d80..df50658 100644
--- a/Utils.cpp
+++ b/Utils.cpp
@@ -43,7 +43,6 @@
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <sys/wait.h>
-#include <unistd.h>
#include <list>
#include <mutex>
diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index f17f59f..7f7f289 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@@ -92,7 +92,7 @@
}
}
-binder::Status checkUidOrRoot(uid_t expectedUid) {
+binder::Status checkUid(uid_t expectedUid) {
uid_t uid = IPCThreadState::self()->getCallingUid();
if (uid == expectedUid || uid == AID_ROOT) {
return ok();
@@ -147,12 +147,12 @@
return ok();
}
-#define ENFORCE_SYSTEM_OR_ROOT \
- { \
- binder::Status status = checkUidOrRoot(AID_SYSTEM); \
- if (!status.isOk()) { \
- return status; \
- } \
+#define ENFORCE_UID(uid) \
+ { \
+ binder::Status status = checkUid((uid)); \
+ if (!status.isOk()) { \
+ return status; \
+ } \
}
#define CHECK_ARGUMENT_ID(id) \
@@ -217,7 +217,7 @@
binder::Status VoldNativeService::setListener(
const android::sp<android::os::IVoldListener>& listener) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
VolumeManager::Instance()->setListener(listener);
@@ -225,7 +225,7 @@
}
binder::Status VoldNativeService::monitor() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
// Simply acquire/release each lock for watchdog
{ ACQUIRE_LOCK; }
@@ -235,42 +235,42 @@
}
binder::Status VoldNativeService::reset() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->reset());
}
binder::Status VoldNativeService::shutdown() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->shutdown());
}
binder::Status VoldNativeService::onUserAdded(int32_t userId, int32_t userSerial) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->onUserAdded(userId, userSerial));
}
binder::Status VoldNativeService::onUserRemoved(int32_t userId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->onUserRemoved(userId));
}
binder::Status VoldNativeService::onUserStarted(int32_t userId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->onUserStarted(userId));
}
binder::Status VoldNativeService::onUserStopped(int32_t userId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->onUserStopped(userId));
@@ -287,7 +287,7 @@
}
binder::Status VoldNativeService::onSecureKeyguardStateChanged(bool isShowing) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->onSecureKeyguardStateChanged(isShowing));
@@ -295,7 +295,7 @@
binder::Status VoldNativeService::partition(const std::string& diskId, int32_t partitionType,
int32_t ratio) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(diskId);
ACQUIRE_LOCK;
@@ -317,7 +317,7 @@
binder::Status VoldNativeService::forgetPartition(const std::string& partGuid,
const std::string& fsUuid) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_HEX(partGuid);
CHECK_ARGUMENT_HEX(fsUuid);
ACQUIRE_LOCK;
@@ -327,7 +327,7 @@
binder::Status VoldNativeService::mount(const std::string& volId, int32_t mountFlags,
int32_t mountUserId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(volId);
ACQUIRE_LOCK;
@@ -353,7 +353,7 @@
}
binder::Status VoldNativeService::unmount(const std::string& volId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(volId);
ACQUIRE_LOCK;
@@ -365,7 +365,7 @@
}
binder::Status VoldNativeService::format(const std::string& volId, const std::string& fsType) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(volId);
ACQUIRE_LOCK;
@@ -400,7 +400,7 @@
binder::Status VoldNativeService::benchmark(
const std::string& volId, const android::sp<android::os::IVoldTaskListener>& listener) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(volId);
ACQUIRE_LOCK;
@@ -413,7 +413,7 @@
}
binder::Status VoldNativeService::checkEncryption(const std::string& volId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(volId);
ACQUIRE_LOCK;
@@ -426,7 +426,7 @@
binder::Status VoldNativeService::moveStorage(
const std::string& fromVolId, const std::string& toVolId,
const android::sp<android::os::IVoldTaskListener>& listener) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(fromVolId);
CHECK_ARGUMENT_ID(toVolId);
ACQUIRE_LOCK;
@@ -444,14 +444,14 @@
}
binder::Status VoldNativeService::remountUid(int32_t uid, int32_t remountMode) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->remountUid(uid, remountMode));
}
binder::Status VoldNativeService::mkdirs(const std::string& path) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_PATH(path);
ACQUIRE_LOCK;
@@ -461,7 +461,7 @@
binder::Status VoldNativeService::createObb(const std::string& sourcePath,
const std::string& sourceKey, int32_t ownerGid,
std::string* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_PATH(sourcePath);
CHECK_ARGUMENT_HEX(sourceKey);
ACQUIRE_LOCK;
@@ -471,7 +471,7 @@
}
binder::Status VoldNativeService::destroyObb(const std::string& volId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(volId);
ACQUIRE_LOCK;
@@ -481,7 +481,7 @@
binder::Status VoldNativeService::createStubVolume(
const std::string& sourcePath, const std::string& mountPath, const std::string& fsType,
const std::string& fsUuid, const std::string& fsLabel, std::string* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_PATH(sourcePath);
CHECK_ARGUMENT_PATH(mountPath);
CHECK_ARGUMENT_HEX(fsUuid);
@@ -494,7 +494,7 @@
}
binder::Status VoldNativeService::destroyStubVolume(const std::string& volId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_ID(volId);
ACQUIRE_LOCK;
@@ -503,7 +503,7 @@
binder::Status VoldNativeService::fstrim(
int32_t fstrimFlags, const android::sp<android::os::IVoldTaskListener>& listener) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
std::thread([=]() { android::vold::Trim(listener); }).detach();
@@ -512,7 +512,7 @@
binder::Status VoldNativeService::runIdleMaint(
const android::sp<android::os::IVoldTaskListener>& listener) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
std::thread([=]() { android::vold::RunIdleMaint(listener); }).detach();
@@ -521,7 +521,7 @@
binder::Status VoldNativeService::abortIdleMaint(
const android::sp<android::os::IVoldTaskListener>& listener) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
std::thread([=]() { android::vold::AbortIdleMaint(listener); }).detach();
@@ -530,14 +530,14 @@
binder::Status VoldNativeService::mountAppFuse(int32_t uid, int32_t mountId,
android::base::unique_fd* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->mountAppFuse(uid, mountId, _aidl_return));
}
binder::Status VoldNativeService::unmountAppFuse(int32_t uid, int32_t mountId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translate(VolumeManager::Instance()->unmountAppFuse(uid, mountId));
@@ -546,7 +546,7 @@
binder::Status VoldNativeService::openAppFuseFile(int32_t uid, int32_t mountId, int32_t fileId,
int32_t flags,
android::base::unique_fd* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
int fd = VolumeManager::Instance()->openAppFuseFile(uid, mountId, fileId, flags);
@@ -561,14 +561,14 @@
}
binder::Status VoldNativeService::fdeCheckPassword(const std::string& password) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translate(cryptfs_check_passwd(password.c_str()));
}
binder::Status VoldNativeService::fdeRestart() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
// Spawn as thread so init can issue commands back to vold without
@@ -578,7 +578,7 @@
}
binder::Status VoldNativeService::fdeComplete(int32_t* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
*_aidl_return = cryptfs_crypto_complete();
@@ -609,7 +609,7 @@
binder::Status VoldNativeService::fdeEnable(int32_t passwordType, const std::string& password,
int32_t encryptionFlags) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
LOG(DEBUG) << "fdeEnable(" << passwordType << ", *, " << encryptionFlags << ")";
@@ -627,21 +627,21 @@
binder::Status VoldNativeService::fdeChangePassword(int32_t passwordType,
const std::string& password) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translate(cryptfs_changepw(passwordType, password.c_str()));
}
binder::Status VoldNativeService::fdeVerifyPassword(const std::string& password) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translate(cryptfs_verify_passwd(password.c_str()));
}
binder::Status VoldNativeService::fdeGetField(const std::string& key, std::string* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
char buf[PROPERTY_VALUE_MAX];
@@ -654,14 +654,14 @@
}
binder::Status VoldNativeService::fdeSetField(const std::string& key, const std::string& value) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translate(cryptfs_setfield(key.c_str(), value.c_str()));
}
binder::Status VoldNativeService::fdeGetPasswordType(int32_t* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
*_aidl_return = cryptfs_get_password_type();
@@ -669,7 +669,7 @@
}
binder::Status VoldNativeService::fdeGetPassword(std::string* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
const char* res = cryptfs_get_password();
@@ -680,7 +680,7 @@
}
binder::Status VoldNativeService::fdeClearPassword() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
cryptfs_clear_password();
@@ -688,14 +688,14 @@
}
binder::Status VoldNativeService::fbeEnable() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_initialize_systemwide_keys());
}
binder::Status VoldNativeService::mountDefaultEncrypted() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
if (!fscrypt_is_native()) {
@@ -707,14 +707,14 @@
}
binder::Status VoldNativeService::initUser0() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_init_user0());
}
binder::Status VoldNativeService::isConvertibleToFbe(bool* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
*_aidl_return = cryptfs_isConvertibleToFBE() != 0;
@@ -723,7 +723,7 @@
binder::Status VoldNativeService::mountFstab(const std::string& blkDevice,
const std::string& mountPoint) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translateBool(fscrypt_mount_metadata_encrypted(blkDevice, mountPoint, false));
@@ -731,21 +731,21 @@
binder::Status VoldNativeService::encryptFstab(const std::string& blkDevice,
const std::string& mountPoint) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return translateBool(fscrypt_mount_metadata_encrypted(blkDevice, mountPoint, true));
}
binder::Status VoldNativeService::createUserKey(int32_t userId, int32_t userSerial, bool ephemeral) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_vold_create_user_key(userId, userSerial, ephemeral));
}
binder::Status VoldNativeService::destroyUserKey(int32_t userId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_destroy_user_key(userId));
@@ -754,14 +754,14 @@
binder::Status VoldNativeService::addUserKeyAuth(int32_t userId, int32_t userSerial,
const std::string& token,
const std::string& secret) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_add_user_key_auth(userId, userSerial, token, secret));
}
binder::Status VoldNativeService::fixateNewestUserKeyAuth(int32_t userId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_fixate_newest_user_key_auth(userId));
@@ -770,14 +770,14 @@
binder::Status VoldNativeService::unlockUserKey(int32_t userId, int32_t userSerial,
const std::string& token,
const std::string& secret) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_unlock_user_key(userId, userSerial, token, secret));
}
binder::Status VoldNativeService::lockUserKey(int32_t userId) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_lock_user_key(userId));
@@ -786,7 +786,7 @@
binder::Status VoldNativeService::prepareUserStorage(const std::unique_ptr<std::string>& uuid,
int32_t userId, int32_t userSerial,
int32_t flags) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
std::string empty_string = "";
auto uuid_ = uuid ? *uuid : empty_string;
CHECK_ARGUMENT_HEX(uuid_);
@@ -797,7 +797,7 @@
binder::Status VoldNativeService::destroyUserStorage(const std::unique_ptr<std::string>& uuid,
int32_t userId, int32_t flags) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
std::string empty_string = "";
auto uuid_ = uuid ? *uuid : empty_string;
CHECK_ARGUMENT_HEX(uuid_);
@@ -819,14 +819,14 @@
}
binder::Status VoldNativeService::startCheckpoint(int32_t retry) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return cp_startCheckpoint(retry);
}
binder::Status VoldNativeService::needsRollback(bool* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
*_aidl_return = cp_needsRollback();
@@ -834,7 +834,7 @@
}
binder::Status VoldNativeService::needsCheckpoint(bool* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
*_aidl_return = cp_needsCheckpoint();
@@ -842,21 +842,21 @@
}
binder::Status VoldNativeService::commitChanges() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return cp_commitChanges();
}
binder::Status VoldNativeService::prepareCheckpoint() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return cp_prepareCheckpoint();
}
binder::Status VoldNativeService::restoreCheckpoint(const std::string& mountPoint) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_PATH(mountPoint);
ACQUIRE_LOCK;
@@ -864,7 +864,7 @@
}
binder::Status VoldNativeService::restoreCheckpointPart(const std::string& mountPoint, int count) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
CHECK_ARGUMENT_PATH(mountPoint);
ACQUIRE_LOCK;
@@ -872,14 +872,14 @@
}
binder::Status VoldNativeService::markBootAttempt() {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return cp_markBootAttempt();
}
binder::Status VoldNativeService::abortChanges(const std::string& message, bool retry) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
cp_abortChanges(message, retry);
@@ -887,33 +887,25 @@
}
binder::Status VoldNativeService::supportsCheckpoint(bool* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return cp_supportsCheckpoint(*_aidl_return);
}
binder::Status VoldNativeService::supportsBlockCheckpoint(bool* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return cp_supportsBlockCheckpoint(*_aidl_return);
}
binder::Status VoldNativeService::supportsFileCheckpoint(bool* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
+ ENFORCE_UID(AID_SYSTEM);
ACQUIRE_LOCK;
return cp_supportsFileCheckpoint(*_aidl_return);
}
-binder::Status VoldNativeService::resetCheckpoint() {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_LOCK;
-
- cp_resetCheckpoint();
- return ok();
-}
-
} // namespace vold
} // namespace android
diff --git a/VoldNativeService.h b/VoldNativeService.h
index 13137c5..07a0b9f 100644
--- a/VoldNativeService.h
+++ b/VoldNativeService.h
@@ -140,7 +140,6 @@
binder::Status supportsCheckpoint(bool* _aidl_return);
binder::Status supportsBlockCheckpoint(bool* _aidl_return);
binder::Status supportsFileCheckpoint(bool* _aidl_return);
- binder::Status resetCheckpoint();
};
} // namespace vold
diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl
index 8e5c53d..03fe258 100644
--- a/binder/android/os/IVold.aidl
+++ b/binder/android/os/IVold.aidl
@@ -116,7 +116,6 @@
boolean supportsCheckpoint();
boolean supportsBlockCheckpoint();
boolean supportsFileCheckpoint();
- void resetCheckpoint();
@utf8InCpp String createStubVolume(@utf8InCpp String sourcePath,
@utf8InCpp String mountPath, @utf8InCpp String fsType,
diff --git a/cryptfs.cpp b/cryptfs.cpp
index 403282e..07617e9 100644
--- a/cryptfs.cpp
+++ b/cryptfs.cpp
@@ -44,24 +44,25 @@
#include <f2fs_sparseblock.h>
#include <fs_mgr.h>
#include <fscrypt/fscrypt.h>
-#include <libdm/dm.h>
+#include <hardware_legacy/power.h>
#include <log/log.h>
#include <logwrap/logwrap.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <selinux/selinux.h>
-#include <wakelock/wakelock.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <libgen.h>
+#include <linux/dm-ioctl.h>
#include <linux/kdev_t.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/param.h>
#include <sys/stat.h>
@@ -77,11 +78,12 @@
using android::base::ParseUint;
using android::base::StringPrintf;
using android::fs_mgr::GetEntryForMountPoint;
-using namespace android::dm;
using namespace std::chrono_literals;
#define UNUSED __attribute__((unused))
+#define DM_CRYPT_BUF_SIZE 4096
+
#define HASH_COUNT 2000
constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
@@ -251,6 +253,19 @@
return;
}
+static void ioctl_init(struct dm_ioctl* io, size_t dataSize, const char* name, unsigned flags) {
+ memset(io, 0, dataSize);
+ io->data_size = dataSize;
+ io->data_start = sizeof(struct dm_ioctl);
+ io->version[0] = 4;
+ io->version[1] = 0;
+ io->version[2] = 0;
+ io->flags = flags;
+ if (name) {
+ strlcpy(io->name, name, sizeof(io->name));
+ }
+}
+
namespace {
struct CryptoType;
@@ -958,12 +973,109 @@
master_key_ascii[a] = '\0';
}
+static int load_crypto_mapping_table(struct crypt_mnt_ftr* crypt_ftr,
+ const unsigned char* master_key, const char* real_blk_name,
+ const char* name, int fd, const char* extra_params) {
+ alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
+ struct dm_ioctl* io;
+ struct dm_target_spec* tgt;
+ char* crypt_params;
+ // We need two ASCII characters to represent each byte, and need space for
+ // the '\0' terminator.
+ char master_key_ascii[MAX_KEY_LEN * 2 + 1];
+ size_t buff_offset;
+ int i;
+
+ io = (struct dm_ioctl*)buffer;
+
+ /* Load the mapping table for this device */
+ tgt = (struct dm_target_spec*)&buffer[sizeof(struct dm_ioctl)];
+
+ ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
+ io->target_count = 1;
+ tgt->status = 0;
+ tgt->sector_start = 0;
+ tgt->length = crypt_ftr->fs_size;
+ strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
+
+ crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
+ convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
+
+ buff_offset = crypt_params - buffer;
+ SLOGI(
+ "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n",
+ name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512,
+ extra_params);
+ snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
+ crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, extra_params);
+ crypt_params += strlen(crypt_params) + 1;
+ crypt_params =
+ (char*)(((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
+ tgt->next = crypt_params - buffer;
+
+ for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
+ if (!ioctl(fd, DM_TABLE_LOAD, io)) {
+ break;
+ }
+ usleep(500000);
+ }
+
+ if (i == TABLE_LOAD_RETRIES) {
+ /* We failed to load the table, return an error */
+ return -1;
+ } else {
+ return i + 1;
+ }
+}
+
+static int get_dm_crypt_version(int fd, const char* name, int* version) {
+ char buffer[DM_CRYPT_BUF_SIZE];
+ struct dm_ioctl* io;
+ struct dm_target_versions* v;
+
+ io = (struct dm_ioctl*)buffer;
+
+ ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
+
+ if (ioctl(fd, DM_LIST_VERSIONS, io)) {
+ return -1;
+ }
+
+ /* Iterate over the returned versions, looking for name of "crypt".
+ * When found, get and return the version.
+ */
+ v = (struct dm_target_versions*)&buffer[sizeof(struct dm_ioctl)];
+ while (v->next) {
+ if (!strcmp(v->name, "crypt")) {
+ /* We found the crypt driver, return the version, and get out */
+ version[0] = v->version[0];
+ version[1] = v->version[1];
+ version[2] = v->version[2];
+ return 0;
+ }
+ v = (struct dm_target_versions*)(((char*)v) + v->next);
+ }
+
+ return -1;
+}
+
+static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
+ if (extra_params_vec.empty()) return "";
+ std::string extra_params = std::to_string(extra_params_vec.size());
+ for (const auto& p : extra_params_vec) {
+ extra_params.append(" ");
+ extra_params.append(p);
+ }
+ return extra_params;
+}
+
/*
* If the ro.crypto.fde_sector_size system property is set, append the
* parameters to make dm-crypt use the specified crypto sector size and round
* the crypto device size down to a crypto sector boundary.
*/
-static int add_sector_size_param(DmTargetCrypt* target, struct crypt_mnt_ftr* ftr) {
+static int add_sector_size_param(std::vector<std::string>* extra_params_vec,
+ struct crypt_mnt_ftr* ftr) {
constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
char value[PROPERTY_VALUE_MAX];
@@ -977,11 +1089,12 @@
return -1;
}
- target->SetSectorSize(sector_size);
+ std::string param = StringPrintf("sector_size:%u", sector_size);
+ extra_params_vec->push_back(std::move(param));
// With this option, IVs will match the sector numbering, instead
// of being hard-coded to being based on 512-byte sectors.
- target->SetIvLargeSectors();
+ extra_params_vec->emplace_back("iv_large_sectors");
// Round the crypto device size down to a crypto sector boundary.
ftr->fs_size &= ~((sector_size / 512) - 1);
@@ -992,67 +1105,112 @@
static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
const char* real_blk_name, char* crypto_blk_name, const char* name,
uint32_t flags) {
- auto& dm = DeviceMapper::Instance();
+ char buffer[DM_CRYPT_BUF_SIZE];
+ struct dm_ioctl* io;
+ unsigned int minor;
+ int fd = 0;
+ int err;
+ int retval = -1;
+ int version[3];
+ int load_count;
+ std::vector<std::string> extra_params_vec;
- // We need two ASCII characters to represent each byte, and need space for
- // the '\0' terminator.
- char master_key_ascii[MAX_KEY_LEN * 2 + 1];
- convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
-
- auto target = std::make_unique<DmTargetCrypt>(0, crypt_ftr->fs_size,
- (const char*)crypt_ftr->crypto_type_name,
- master_key_ascii, 0, real_blk_name, 0);
- target->AllowDiscards();
-
- if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
- target->AllowEncryptOverride();
- }
- if (add_sector_size_param(target.get(), crypt_ftr)) {
- SLOGE("Error processing dm-crypt sector size param\n");
- return -1;
+ if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
+ SLOGE("Cannot open device-mapper\n");
+ goto errout;
}
- DmTable table;
- table.AddTarget(std::move(target));
+ io = (struct dm_ioctl*)buffer;
- int load_count = 1;
- while (load_count < TABLE_LOAD_RETRIES) {
- if (dm.CreateDevice(name, table)) {
- break;
+ ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
+ err = ioctl(fd, DM_DEV_CREATE, io);
+ if (err) {
+ SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno));
+ goto errout;
+ }
+
+ /* Get the device status, in particular, the name of it's device file */
+ ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
+ if (ioctl(fd, DM_DEV_STATUS, io)) {
+ SLOGE("Cannot retrieve dm-crypt device status\n");
+ goto errout;
+ }
+ minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
+ snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
+
+ if (!get_dm_crypt_version(fd, name, version)) {
+ /* Support for allow_discards was added in version 1.11.0 */
+ if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
+ extra_params_vec.emplace_back("allow_discards");
}
- load_count++;
}
-
- if (load_count >= TABLE_LOAD_RETRIES) {
+ if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
+ extra_params_vec.emplace_back("allow_encrypt_override");
+ }
+ if (add_sector_size_param(&extra_params_vec, crypt_ftr)) {
+ SLOGE("Error processing dm-crypt sector size param\n");
+ goto errout;
+ }
+ load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
+ extra_params_as_string(extra_params_vec).c_str());
+ if (load_count < 0) {
SLOGE("Cannot load dm-crypt mapping table.\n");
- return -1;
- }
- if (load_count > 1) {
+ goto errout;
+ } else if (load_count > 1) {
SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
}
- std::string path;
- if (!dm.GetDmDevicePathByName(name, &path)) {
- SLOGE("Cannot determine dm-crypt path for %s.\n", name);
- return -1;
+ /* Resume this device to activate it */
+ ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
+
+ if (ioctl(fd, DM_DEV_SUSPEND, io)) {
+ SLOGE("Cannot resume the dm-crypt device\n");
+ goto errout;
}
- snprintf(crypto_blk_name, MAXPATHLEN, "%s", path.c_str());
/* Ensure the dm device has been created before returning. */
if (android::vold::WaitForFile(crypto_blk_name, 1s) < 0) {
// WaitForFile generates a suitable log message
- return -1;
+ goto errout;
}
- return 0;
+
+ /* We made it here with no errors. Woot! */
+ retval = 0;
+
+errout:
+ close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
+
+ return retval;
}
-static int delete_crypto_blk_dev(const std::string& name) {
- auto& dm = DeviceMapper::Instance();
- if (!dm.DeleteDevice(name)) {
- SLOGE("Cannot remove dm-crypt device %s: %s\n", name.c_str(), strerror(errno));
- return -1;
+static int delete_crypto_blk_dev(const char* name) {
+ int fd;
+ char buffer[DM_CRYPT_BUF_SIZE];
+ struct dm_ioctl* io;
+ int retval = -1;
+ int err;
+
+ if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
+ SLOGE("Cannot open device-mapper\n");
+ goto errout;
}
- return 0;
+
+ io = (struct dm_ioctl*)buffer;
+
+ ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
+ err = ioctl(fd, DM_DEV_REMOVE, io);
+ if (err) {
+ SLOGE("Cannot remove dm-crypt device %s: %s\n", name, strerror(errno));
+ goto errout;
+ }
+
+ /* We made it here with no errors. Woot! */
+ retval = 0;
+
+errout:
+ close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
+
+ return retval;
}
static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
@@ -1766,7 +1924,7 @@
* storage volume.
*/
int cryptfs_revert_ext_volume(const char* label) {
- return delete_crypto_blk_dev(label);
+ return delete_crypto_blk_dev((char*)label);
}
int cryptfs_crypto_complete(void) {
@@ -2007,7 +2165,6 @@
off64_t previously_encrypted_upto = 0;
bool rebootEncryption = false;
bool onlyCreateHeader = false;
- std::unique_ptr<android::wakelock::WakeLock> wakeLock = nullptr;
if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
@@ -2074,7 +2231,7 @@
* wants to keep the screen on, it can grab a full wakelock.
*/
snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
- wakeLock = std::make_unique<android::wakelock::WakeLock>(lockid);
+ acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
/* The init files are setup to stop the class main and late start when
* vold sets trigger_shutdown_framework.
@@ -2107,7 +2264,6 @@
* /data, set a property saying we're doing inplace encryption,
* and restart the framework.
*/
- wait_and_unmount(DATA_MNT_POINT, true);
if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
goto error_shutting_down;
}
@@ -2255,7 +2411,7 @@
/* default encryption - continue first boot sequence */
property_set("ro.crypto.state", "encrypted");
property_set("ro.crypto.type", "block");
- wakeLock.reset(nullptr);
+ release_wake_lock(lockid);
if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
// Bring up cryptkeeper that will check the password and set it
property_set("vold.decrypt", "trigger_shutdown_framework");
@@ -2292,6 +2448,7 @@
} else {
/* set property to trigger dialog */
property_set("vold.encrypt_progress", "error_partially_encrypted");
+ release_wake_lock(lockid);
}
return -1;
}
@@ -2301,10 +2458,14 @@
* Set the property and return. Hope the framework can deal with it.
*/
property_set("vold.encrypt_progress", "error_reboot_failed");
+ release_wake_lock(lockid);
return rc;
error_unencrypted:
property_set("vold.encrypt_progress", "error_not_encrypted");
+ if (lockid[0]) {
+ release_wake_lock(lockid);
+ }
return -1;
error_shutting_down:
@@ -2319,6 +2480,9 @@
/* shouldn't get here */
property_set("vold.encrypt_progress", "error_shutting_down");
+ if (lockid[0]) {
+ release_wake_lock(lockid);
+ }
return -1;
}
diff --git a/fs/Exfat.cpp b/fs/Exfat.cpp
index 34f1024..c624eb9 100644
--- a/fs/Exfat.cpp
+++ b/fs/Exfat.cpp
@@ -41,7 +41,6 @@
status_t Check(const std::string& source) {
std::vector<std::string> cmd;
cmd.push_back(kFsckPath);
- cmd.push_back("-a");
cmd.push_back(source);
int rc = ForkExecvp(cmd, nullptr, sFsckUntrustedContext);
diff --git a/fscrypt_uapi.h b/fscrypt_uapi.h
deleted file mode 100644
index 3999036..0000000
--- a/fscrypt_uapi.h
+++ /dev/null
@@ -1,48 +0,0 @@
-#ifndef _UAPI_LINUX_FSCRYPT_H
-#define _UAPI_LINUX_FSCRYPT_H
-
-// Definitions for FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY
-
-// TODO: switch to <linux/fscrypt.h> once it's in Bionic
-
-#ifndef FS_IOC_ADD_ENCRYPTION_KEY
-
-#include <linux/types.h>
-
-#define FSCRYPT_KEY_DESCRIPTOR_SIZE 8
-#define FSCRYPT_KEY_IDENTIFIER_SIZE 16
-
-#define FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR 1
-#define FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER 2
-
-struct fscrypt_key_specifier {
- __u32 type;
- __u32 __reserved;
- union {
- __u8 __reserved[32];
- __u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
- __u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE];
- } u;
-};
-
-struct fscrypt_add_key_arg {
- struct fscrypt_key_specifier key_spec;
- __u32 raw_size;
- __u32 __reserved[9];
- __u8 raw[];
-};
-
-struct fscrypt_remove_key_arg {
- struct fscrypt_key_specifier key_spec;
-#define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY 0x00000001
-#define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS 0x00000002
- __u32 removal_status_flags;
- __u32 __reserved[5];
-};
-
-#define FS_IOC_ADD_ENCRYPTION_KEY _IOWR('f', 23, struct fscrypt_add_key_arg)
-#define FS_IOC_REMOVE_ENCRYPTION_KEY _IOWR('f', 24, struct fscrypt_remove_key_arg)
-
-#endif /* FS_IOC_ADD_ENCRYPTION_KEY */
-
-#endif /* _UAPI_LINUX_FSCRYPT_H */
diff --git a/main.cpp b/main.cpp
index 7555276..27a701b 100644
--- a/main.cpp
+++ b/main.cpp
@@ -152,7 +152,6 @@
{"blkid_untrusted_context", required_argument, 0, 'B'},
{"fsck_context", required_argument, 0, 'f'},
{"fsck_untrusted_context", required_argument, 0, 'F'},
- {nullptr, 0, nullptr, 0},
};
int c;
diff --git a/vdc.cpp b/vdc.cpp
index c1b7781..f05d2af 100644
--- a/vdc.cpp
+++ b/vdc.cpp
@@ -32,7 +32,6 @@
#include <android-base/logging.h>
#include <android-base/parseint.h>
-#include <android-base/strings.h>
#include <android-base/stringprintf.h>
#include <binder/IServiceManager.h>
#include <binder/Status.h>
@@ -56,10 +55,9 @@
return res;
}
-static void checkStatus(std::vector<std::string>& cmd, android::binder::Status status) {
+static void checkStatus(android::binder::Status status) {
if (status.isOk()) return;
- std::string command = ::android::base::Join(cmd, " ");
- LOG(ERROR) << "Command: " << command << " Failed: " << status.toString8().string();
+ LOG(ERROR) << "Failed: " << status.toString8().string();
exit(ENOTTY);
}
@@ -90,65 +88,63 @@
auto vold = android::interface_cast<android::os::IVold>(binder);
if (args[0] == "cryptfs" && args[1] == "enablefilecrypto") {
- checkStatus(args, vold->fbeEnable());
+ checkStatus(vold->fbeEnable());
} else if (args[0] == "cryptfs" && args[1] == "init_user0") {
- checkStatus(args, vold->initUser0());
+ checkStatus(vold->initUser0());
} else if (args[0] == "cryptfs" && args[1] == "enablecrypto") {
int passwordType = android::os::IVold::PASSWORD_TYPE_DEFAULT;
int encryptionFlags = android::os::IVold::ENCRYPTION_FLAG_NO_UI;
- checkStatus(args, vold->fdeEnable(passwordType, "", encryptionFlags));
+ checkStatus(vold->fdeEnable(passwordType, "", encryptionFlags));
} else if (args[0] == "cryptfs" && args[1] == "mountdefaultencrypted") {
- checkStatus(args, vold->mountDefaultEncrypted());
+ checkStatus(vold->mountDefaultEncrypted());
} else if (args[0] == "volume" && args[1] == "shutdown") {
- checkStatus(args, vold->shutdown());
+ checkStatus(vold->shutdown());
} else if (args[0] == "cryptfs" && args[1] == "checkEncryption" && args.size() == 3) {
- checkStatus(args, vold->checkEncryption(args[2]));
+ checkStatus(vold->checkEncryption(args[2]));
} else if (args[0] == "cryptfs" && args[1] == "mountFstab" && args.size() == 4) {
- checkStatus(args, vold->mountFstab(args[2], args[3]));
+ checkStatus(vold->mountFstab(args[2], args[3]));
} else if (args[0] == "cryptfs" && args[1] == "encryptFstab" && args.size() == 4) {
- checkStatus(args, vold->encryptFstab(args[2], args[3]));
+ checkStatus(vold->encryptFstab(args[2], args[3]));
} else if (args[0] == "checkpoint" && args[1] == "supportsCheckpoint" && args.size() == 2) {
bool supported = false;
- checkStatus(args, vold->supportsCheckpoint(&supported));
+ checkStatus(vold->supportsCheckpoint(&supported));
return supported ? 1 : 0;
} else if (args[0] == "checkpoint" && args[1] == "supportsBlockCheckpoint" && args.size() == 2) {
bool supported = false;
- checkStatus(args, vold->supportsBlockCheckpoint(&supported));
+ checkStatus(vold->supportsBlockCheckpoint(&supported));
return supported ? 1 : 0;
} else if (args[0] == "checkpoint" && args[1] == "supportsFileCheckpoint" && args.size() == 2) {
bool supported = false;
- checkStatus(args, vold->supportsFileCheckpoint(&supported));
+ checkStatus(vold->supportsFileCheckpoint(&supported));
return supported ? 1 : 0;
} else if (args[0] == "checkpoint" && args[1] == "startCheckpoint" && args.size() == 3) {
int retry;
if (!android::base::ParseInt(args[2], &retry)) exit(EINVAL);
- checkStatus(args, vold->startCheckpoint(retry));
+ checkStatus(vold->startCheckpoint(retry));
} else if (args[0] == "checkpoint" && args[1] == "needsCheckpoint" && args.size() == 2) {
bool enabled = false;
- checkStatus(args, vold->needsCheckpoint(&enabled));
+ checkStatus(vold->needsCheckpoint(&enabled));
return enabled ? 1 : 0;
} else if (args[0] == "checkpoint" && args[1] == "needsRollback" && args.size() == 2) {
bool enabled = false;
- checkStatus(args, vold->needsRollback(&enabled));
+ checkStatus(vold->needsRollback(&enabled));
return enabled ? 1 : 0;
} else if (args[0] == "checkpoint" && args[1] == "commitChanges" && args.size() == 2) {
- checkStatus(args, vold->commitChanges());
+ checkStatus(vold->commitChanges());
} else if (args[0] == "checkpoint" && args[1] == "prepareCheckpoint" && args.size() == 2) {
- checkStatus(args, vold->prepareCheckpoint());
+ checkStatus(vold->prepareCheckpoint());
} else if (args[0] == "checkpoint" && args[1] == "restoreCheckpoint" && args.size() == 3) {
- checkStatus(args, vold->restoreCheckpoint(args[2]));
+ checkStatus(vold->restoreCheckpoint(args[2]));
} else if (args[0] == "checkpoint" && args[1] == "restoreCheckpointPart" && args.size() == 4) {
int count;
if (!android::base::ParseInt(args[3], &count)) exit(EINVAL);
- checkStatus(args, vold->restoreCheckpointPart(args[2], count));
+ checkStatus(vold->restoreCheckpointPart(args[2], count));
} else if (args[0] == "checkpoint" && args[1] == "markBootAttempt" && args.size() == 2) {
- checkStatus(args, vold->markBootAttempt());
+ checkStatus(vold->markBootAttempt());
} else if (args[0] == "checkpoint" && args[1] == "abortChanges" && args.size() == 4) {
int retry;
if (!android::base::ParseInt(args[2], &retry)) exit(EINVAL);
- checkStatus(args, vold->abortChanges(args[2], retry != 0));
- } else if (args[0] == "checkpoint" && args[1] == "resetCheckpoint") {
- checkStatus(args, vold->resetCheckpoint());
+ checkStatus(vold->abortChanges(args[2], retry != 0));
} else {
LOG(ERROR) << "Raw commands are no longer supported";
exit(EINVAL);
