On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed. This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.
This CL uses an existing facility to request that init run a
recursive restorecon over a given path, and it requests that
operation for the CE directories that would have been omitted by
the SKIPCE flag earlier during boot.
Bug: 30126557
Change-Id: I8c7abea27215075a091f615a7185a82a2f4a4a95
am: a363036b44
* commit 'a363036b44f7f140aa9a943578f56abff5880a60':
Two phases to set the password for disk encryption
Change-Id: Ia28823079d8c0bda220238339f28095b234a0ae5
Revert "Revert "Two phases to set the password for disk encryption""
This reverts commit d402389290.
In addition, fix the bug in the original commit.
Bug: 28154455
Bug: 28694324
Change-Id: I885f1d73e739416347c135d79979941c2bbdbe62
am: cfa03d4a4c
* commit 'cfa03d4a4c53acf41dca2c41a2efd00de06043bb':
e4crypt_is_native has been moved into system/extras.
Change-Id: I345475c44fb2d8812a25c9f2195c748cddc55bfe
am: d402389290
* commit 'd402389290eeef86be7eb9241e20fdd125d44eb1':
Revert "Two phases to set the password for disk encryption"
Change-Id: I53a3804fc7bff9c99840aeee36fc4b7ff8e46ac1
am: 92c5eeb467
* commit '92c5eeb46779f0fa1c9e6db6b0d632d960cbb2e4':
Two phases to set the password for disk encryption
Change-Id: I82c1cfa2874ac4709e42f5c2047c832cbcaccb91
In one phase, we make the new password work, and in the second we make
it the only one which works ("fixation"). This means that we can set
the password in Gatekeeper between these two phases, and a crash
doesn't break things. Unlocking a user automatically fixates the
presented credential.
Bug: 28154455
Change-Id: I54623c8652f0c9f72dd60388a7dc0ab2d48e81c7
Preparing and destroying users currently needs to be split across
installd, system_server, and vold, since no single party has all the
required SELinux permissions.
Bug: 27896918, 25861755
Change-Id: Ieec14ccacfc7a3a5ab00df47ace7318feb900c38
Users don't have to be unlocked to be deleted, so don't worry if we
don't have their key to evict.
Bug: 26847403
Bug: 27441228
Change-Id: Ifd93f620926630aa102a3bb4a5d2d45d34f9b75d
The formatting here is inconsistent with Android house style; use
clang-format to bring it back into line.
Change-Id: Id1fe6ff54e9b668ca88c3fc021ae0a5bdd1327eb
Google/Android C++ style requires that arguments passed in for writing
should be pointers, not references, so that it's visible in the caller
that they'll be written to.
Bug: 27566014
Change-Id: I5cd55906cc4b2f61c8b97b223786be0b3ce28862
- catch errors in looking for the keyring
- static_assert to prevent a buffer overrun
- remove obsolete, misleading comment
- dial down priority of some log messages
- explain why we ignore some errors
- idiomatic C++11
Bug: 27552432
Change-Id: Ic3ee05b41eae45e7c6b571a459b326a483663526
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide if the apks should be fully compiled instead of
profile guide compiled.
Bug: 27334750
Bug: 26080105
Change-Id: Ib18f20cf78a8dbfc465610ec6ceec52699c5420a
Added a new call change_user_key which changes the way that disk
encryption keys are protected; a key can now be protected with a
combination of an auth token and a secret which is a hashed password.
Both of these are passed to unlock_user_key.
This change introduces a security bug, b/26948053, which must be fixed
before we ship.
Bug: 22950892
Change-Id: Iac1e45bb6f86f2af5c472c70a0fe3228b02115bf
Add new misc directories to list of paths that we lock/unlock in
emulation mode. When booting a device without native-FBE and without
emulation, make sure we "unlock" any emulated settings on user 0;
MountService handles this for secondary users later during boot.
Bug: 27069522
Change-Id: I15c7cf00a7231ce99b2e4e11a25106d7b87e70cc
Give callers the option of preparing CE and/or DE storage. The
framework will only prepare CE storage after the CE keys have been
unlocked for that user.
When init is calling enablecrypto, kick off the work in a thread so
that we can make other calls back into vold without causing
deadlock. Leaves blocking call intact for framework callers.
Clean up 'vdc' tool to send useful transaction numbers, and
actually watch for the matching result to come back. This fixes
race conditions when there are multiple 'vdc' callers.
Also add other system and misc directories to match spec.
Bug: 25796509
Change-Id: Ie4f853db6e387916b845d2b5fb92925d743b063d
Mainly a refactor, but with a substantive change: Keys are created in
a temporary location, then moved to their final destination, for
atomicity.
Bug: 26704408
Change-Id: I0b2dc70d6bfa1f8a65536dd05b73c4b36a4699cf
Our code for creating disk encryption keys doesn't work everywhere,
and it doesn't need to; only on platforms that support FBE. Don't
create them elsewhere.
Bug: 26842807
Change-Id: I686d0ffd7cb3adbddfce661c22ce18f66acb1aba
The key storage module didn't comply with Android coding standards
and had room for improvemnet in a few other ways, so have cleaned up.
Change-Id: I260ccff316423169cf887e538113b5ea400892f2
Instead of writing raw keys, encrypt the keys with keymaster. This
paves the way to protecting them with auth tokens and passwords later.
In addition, fold in the hash of a 16k file into their encryption, to
ensure secure deletion works properly.
Now even C++ier!
Bug: 22502684
Bug: 22950892
Change-Id: If70f139e342373533c42d5a298444b8438428322
As a precaution, we do the work of emulating an unlock even on devices
that aren't emulating FBE. However, we don't care if it fails, so
don't fail the calling command in that instance.
Bug: 26713622
Change-Id: I8c5fb4b9a130335ecbb9b8ea6367f1c59835c0f1
Major rework and refactor of FBE code to load the keys at the right
time and in a natural way. The old code was aimed at our goals for M,
with patches on top, and didn't quite work.
Bug: 22358539
Change-Id: I9bf7a0a86ee3f2abf0edbd5966f93efac2474c2c
Paul Crowley
Jeff Sharkey
Paul Lawrence
Calin Juravle