Verify that it's OK to run the various cryptfs commands

Maintain and query some internal state to know if it's OK to run the various cryptfs commands. Do not allow enablecrypto to run if the device is already encrypted. Do no allow restart to run if we have already run it before or if the password has not been validated. Do not allow checkpw to run if not encrypted, or it has already validated the password. This is an extra layer of safety on top of the checks up in the UI code agains possible DoS attacks on the device. Change-Id: I9afc8d42773020e82a512e6b637feede101d1362
14 years ago · 0cc166385a
parent 7df84120b2
commit 0cc166385a
1 changed files with 31 additions and 1 deletions
--- a/cryptfs.c
+++ b/cryptfs.c
@ -528,6 +528,18 @@ int cryptfs_restart(void)
    unsigned long mnt_flags;
    struct stat statbuf;
    int rc = -1, i;
+    static int restart_successful = 0;
+
+    /* Validate that it's OK to call this routine */
+    if (! key_sha1_saved) {
+        SLOGE("Encrypted filesystem not validated, aborting");
+        return -1;
+    }
+
+    if (restart_successful) {
+        SLOGE("System already restarted with encrypted disk, aborting");
+        return -1;
+    }

    /* Here is where we shut down the framework.  The init scripts
     * start all services in one of three classes: core, main or late_start.
@ -580,6 +592,10 @@ int cryptfs_restart(void)
        }
    }

+    if (rc == 0) {
+        restart_successful = 1;
+    }
+
    return rc;
 }

@ -595,8 +611,15 @@ static int test_mount_encrypted_fs(char *passwd, char *mount_point)
  char tmp_mount_point[64];
  unsigned long mnt_flags;
  unsigned int orig_failed_decrypt_count;
+  char encrypted_state[32];
  int rc;

+  property_get("ro.crypto.state", encrypted_state, "");
+  if ( key_sha1_saved || strcmp(encrypted_state, "encrypted") ) {
+    SLOGE("encrypted fs already validated or not running with encryption, aborting");
+    return -1;
+  }
+
  if (get_orig_mount_parms(mount_point, fs_type, real_blkdev, &mnt_flags, fs_options)) {
    SLOGE("Error reading original mount parms for mount point %s\n", mount_point);
    return -1;
@ -816,6 +839,13 @@ int cryptfs_enable(char *howarg, char *passwd)
    int rc=-1, fd, i;
    struct crypt_mnt_ftr crypt_ftr;
    char tmpfs_options[80];
+    char encrypted_state[32];
+
+    property_get("ro.crypto.state", encrypted_state, "");
+    if (strcmp(encrypted_state, "unencrypted")) {
+        SLOGE("Device is already running encrypted, aborting");
+        return -1;
+    }

    if (!strcmp(howarg, "wipe")) {
      how = CRYPTO_ENABLE_WIPE;
@ -932,7 +962,7 @@ int cryptfs_changepw(char *oldpw, char *newpw)

    /* This is only allowed after we've successfully decrypted the master key */
    if (! key_sha1_saved) {
-        SLOGE("Key not saved");
+        SLOGE("Key not saved, aborting");
        return -1;
    }