platform_system_vold/Android.bp

276 lines
5.6 KiB
Text
Raw Normal View History

package {
default_applicable_licenses: ["Android-Apache-2.0"],
}
cc_defaults {
name: "vold_default_flags",
cflags: [
"-Wall",
"-Werror",
"-Wextra",
"-Wno-missing-field-initializers",
"-Wno-unused-parameter",
"-Wno-unused-variable",
],
clang: true,
tidy: true,
tidy_checks: [
"-*",
"cert-*",
"clang-analyzer-security*",
"android-*",
],
tidy_flags: [
"-warnings-as-errors=clang-analyzer-security*,cert-*",
],
}
cc_defaults {
name: "vold_default_libs",
static_libs: [
"libasync_safe",
"libavb",
"libbootloader_message",
"libdm",
"libext2_uuid",
"libfec",
"libfec_rs",
"libfs_avb",
"libfs_mgr",
"libsquashfs_utils",
"libvold_binder",
],
shared_libs: [
"android.hardware.boot@1.0",
"libbase",
"libbinder",
"libcrypto",
"libcrypto_utils",
"libcutils",
"libdiskconfig",
"libext4_utils",
"libf2fs_sparseblock",
"libgsi",
"libhardware",
"libhardware_legacy",
"libincfs",
"libhidlbase",
"libkeyutils",
"liblog",
"liblogwrap",
"libselinux",
"libsysutils",
"libutils",
],
}
cc_library_static {
name: "libvold_binder",
defaults: ["vold_default_flags"],
srcs: [
":vold_aidl",
],
shared_libs: [
"libbinder",
"libutils",
],
aidl: {
local_include_dirs: ["binder"],
include_dirs: [
"frameworks/native/aidl/binder",
"frameworks/base/core/java",
],
export_aidl_headers: true,
},
whole_static_libs: [
"libincremental_aidl-cpp",
],
export_shared_lib_headers: [
"libbinder",
],
}
cc_library_headers {
name: "libvold_headers",
recovery_available: true,
export_include_dirs: ["."],
}
// Static library factored out to support testing
cc_library_static {
name: "libvold",
defaults: [
"vold_default_flags",
"vold_default_libs",
],
srcs: [
"AppFuseUtil.cpp",
"Benchmark.cpp",
"Checkpoint.cpp",
"CryptoType.cpp",
"Devmapper.cpp",
"EncryptInplace.cpp",
"FileDeviceUtils.cpp",
"FsCrypt.cpp",
"IdleMaint.cpp",
"KeyBuffer.cpp",
"KeyStorage.cpp",
"KeyUtil.cpp",
"Keystore.cpp",
"Loop.cpp",
"MetadataCrypt.cpp",
"MoveStorage.cpp",
"NetlinkHandler.cpp",
"NetlinkManager.cpp",
"Process.cpp",
"Utils.cpp",
"VoldNativeService.cpp",
"VoldNativeServiceValidation.cpp",
"VoldUtil.cpp",
"VolumeManager.cpp",
"cryptfs.cpp",
"fs/Exfat.cpp",
"fs/Ext4.cpp",
"fs/F2fs.cpp",
"fs/Vfat.cpp",
"model/Disk.cpp",
"model/EmulatedVolume.cpp",
"model/ObbVolume.cpp",
"model/PrivateVolume.cpp",
"model/PublicVolume.cpp",
"model/StubVolume.cpp",
"model/VolumeBase.cpp",
"model/VolumeEncryption.cpp",
],
product_variables: {
arc: {
exclude_srcs: [
"model/StubVolume.cpp",
],
static_libs: [
"libarcvolume",
],
},
debuggable: {
cppflags: ["-D__ANDROID_DEBUGGABLE__"],
},
},
shared_libs: [
"android.hardware.health.storage@1.0",
"android.hardware.health.storage-V1-ndk",
"android.system.keystore2-V1-ndk",
"android.security.maintenance-ndk",
"libbinder_ndk",
Make vold use keystore2 instead of keymaster Make vold use keystore2 for all its operations instead of directly using keymaster. This way, we won't have any clients that bypass keystore2, and we'll no longer need to reserve a keymaster operation for vold. Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE) when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX. Keystore2 presents any SOFTWARE implementation as a TEE to callers when no "real" TEE is present. As far as storage encryption is concerned, there's no advantage to using a STRONGBOX when a "real" TEE is present, and a STRONGBOX can't be present if a "real" TEE isn't, so asking Keystore2 for a TEE is the best we can do in any situation. The difference in behaviour only really affects the full disk encryption code in cryptfs.cpp, which used to explicitly check that the keymaster device is a "real" TEE (as opposed to a SOFTWARE implementation) before using it (it can no longer do so since Keystore2 doesn't provide a way to do this). A little code history digging (7c49ab0a0b in particular) shows that cryptfs.cpp cared about two things when using a keymaster. - 1) that the keys generated by the keymaster were "standalone" keys - i.e. that the keymaster could operate on those keys without requiring /data or any other service to be available. - 2) that the keymaster was a non-SOFTWARE implementation so that things would still work in case a "real" TEE keymaster was ever somehow added to the device after first boot. Today, all "real" TEE keymasters always generate "standalone" keys, and a TEE has been required in Android devices since at least Android N. The only two exceptions are Goldfish and ARC++, which have SOFTWARE keymasters, but both those keymasters also generate "standalone" keys. We're also no longer worried about possibly adding a "real" TEE KM to either of those devices after first boot. So there's no longer a reason cryptfs.cpp can't use the SOFTWARE keymaster on those devices. There's also already an upgrade path in place (see test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's being used once a TEE keymaster is added to the device. So it's safe for cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it blindly, without checking whether or not it's a "real" TEE, which is why Keymaster::isSecure() just returns true now. A future patch will remove that function and simplify its callers. Bug: 181910578 Test: cuttlefish and bramble boot. Adding, switching between, stopping and removing users work. Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
"libkeymint_support",
],
Don't unmount /storage for early native processes Motivation: Early processes launched before the runtime APEX - that hosts the bionic libs - is activated can't use the bionic libs from the APEX, but from the system partition (which we call the bootstrap bionic). Other processes after the APEX activation should use the bionic libs from the APEX. In order to let both types of processes to access the bionic libs via the same standard paths /system/lib/{libc|libdl|libm}.so, some mount namespace magic is used. To be specific, when the device boots, the init initially bind-mounts the bootstrap bionic libs to the standard paths with MS_PRIVATE. Early processes are then executed with their own mount namespaces (via unshare(CLONE_NEWNS)). After the runtime APEX is activated, init bind-mounts the bionic libs in the APEX to the same standard paths. Processes launched thereafter use the bionic libs from the APEX (which can be updated.) Important thing is that, since the propagation type of the mount points (the standard paths) is 'private', the new bind-mount events for the updated bionic libs should not affect the early processes. Otherwise, they would experience sudden change of bionic libs at runtime. However, other mount/unmounts events outside of the private mount points are still shared across early/late processes as before. This is made possible because the propagation type of / is 'shared' . Problem: vold uses the equality of the mount namespace to filter-out processes that share the global mount namespace (the namespace of the init). However, due to the aforementioned change, the early processes are not filtered out because they have different mount namespaces. As a result, umount2("/storage/") is executed on them and this unmount event becomes visible to the global mount namespace (because as mentioned before / is 'shared'). Solution: Fiter-out the early processes by skipping a native (non-Java) process whose UID is < AID_APP. The former condition is because all early processes are native ones; i.e., zygote is started after the runtime APEX is activated. The latter condition is to not filter-out native processes created locally by apps. Bug: 120266448 Test: m; device boots Change-Id: I054deedc4af8421854cf35be84e14995523a259a
2019-01-04 05:35:25 +01:00
whole_static_libs: [
"com.android.sysprop.apex",
"libc++fs"
Don't unmount /storage for early native processes Motivation: Early processes launched before the runtime APEX - that hosts the bionic libs - is activated can't use the bionic libs from the APEX, but from the system partition (which we call the bootstrap bionic). Other processes after the APEX activation should use the bionic libs from the APEX. In order to let both types of processes to access the bionic libs via the same standard paths /system/lib/{libc|libdl|libm}.so, some mount namespace magic is used. To be specific, when the device boots, the init initially bind-mounts the bootstrap bionic libs to the standard paths with MS_PRIVATE. Early processes are then executed with their own mount namespaces (via unshare(CLONE_NEWNS)). After the runtime APEX is activated, init bind-mounts the bionic libs in the APEX to the same standard paths. Processes launched thereafter use the bionic libs from the APEX (which can be updated.) Important thing is that, since the propagation type of the mount points (the standard paths) is 'private', the new bind-mount events for the updated bionic libs should not affect the early processes. Otherwise, they would experience sudden change of bionic libs at runtime. However, other mount/unmounts events outside of the private mount points are still shared across early/late processes as before. This is made possible because the propagation type of / is 'shared' . Problem: vold uses the equality of the mount namespace to filter-out processes that share the global mount namespace (the namespace of the init). However, due to the aforementioned change, the early processes are not filtered out because they have different mount namespaces. As a result, umount2("/storage/") is executed on them and this unmount event becomes visible to the global mount namespace (because as mentioned before / is 'shared'). Solution: Fiter-out the early processes by skipping a native (non-Java) process whose UID is < AID_APP. The former condition is because all early processes are native ones; i.e., zygote is started after the runtime APEX is activated. The latter condition is to not filter-out native processes created locally by apps. Bug: 120266448 Test: m; device boots Change-Id: I054deedc4af8421854cf35be84e14995523a259a
2019-01-04 05:35:25 +01:00
],
}
cc_binary {
name: "vold",
defaults: [
"vold_default_flags",
"vold_default_libs",
],
srcs: ["main.cpp"],
static_libs: ["libvold"],
init_rc: [
"vold.rc",
],
required: [
"mke2fs",
"vold_prepare_subdirs",
],
shared_libs: [
"android.hardware.health.storage@1.0",
"android.hardware.health.storage-V1-ndk",
"android.system.keystore2-V1-ndk",
"android.security.maintenance-ndk",
"libbinder_ndk",
Make vold use keystore2 instead of keymaster Make vold use keystore2 for all its operations instead of directly using keymaster. This way, we won't have any clients that bypass keystore2, and we'll no longer need to reserve a keymaster operation for vold. Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE) when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX. Keystore2 presents any SOFTWARE implementation as a TEE to callers when no "real" TEE is present. As far as storage encryption is concerned, there's no advantage to using a STRONGBOX when a "real" TEE is present, and a STRONGBOX can't be present if a "real" TEE isn't, so asking Keystore2 for a TEE is the best we can do in any situation. The difference in behaviour only really affects the full disk encryption code in cryptfs.cpp, which used to explicitly check that the keymaster device is a "real" TEE (as opposed to a SOFTWARE implementation) before using it (it can no longer do so since Keystore2 doesn't provide a way to do this). A little code history digging (7c49ab0a0b in particular) shows that cryptfs.cpp cared about two things when using a keymaster. - 1) that the keys generated by the keymaster were "standalone" keys - i.e. that the keymaster could operate on those keys without requiring /data or any other service to be available. - 2) that the keymaster was a non-SOFTWARE implementation so that things would still work in case a "real" TEE keymaster was ever somehow added to the device after first boot. Today, all "real" TEE keymasters always generate "standalone" keys, and a TEE has been required in Android devices since at least Android N. The only two exceptions are Goldfish and ARC++, which have SOFTWARE keymasters, but both those keymasters also generate "standalone" keys. We're also no longer worried about possibly adding a "real" TEE KM to either of those devices after first boot. So there's no longer a reason cryptfs.cpp can't use the SOFTWARE keymaster on those devices. There's also already an upgrade path in place (see test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's being used once a TEE keymaster is added to the device. So it's safe for cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it blindly, without checking whether or not it's a "real" TEE, which is why Keymaster::isSecure() just returns true now. A future patch will remove that function and simplify its callers. Bug: 181910578 Test: cuttlefish and bramble boot. Adding, switching between, stopping and removing users work. Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
"libkeymint_support",
],
product_variables: {
arc: {
exclude_srcs: [
"model/StubVolume.cpp",
],
static_libs: [
"libarcvolume",
],
},
},
}
cc_binary {
name: "vdc",
defaults: ["vold_default_flags"],
srcs: [
"vdc.cpp",
"Utils.cpp",
],
shared_libs: [
"libbase",
"libbinder",
"libcutils",
"liblogwrap",
"libselinux",
"libutils",
],
static_libs: [
"libvold_binder",
],
}
cc_binary {
name: "secdiscard",
defaults: ["vold_default_flags"],
srcs: [
"FileDeviceUtils.cpp",
"secdiscard.cpp",
],
shared_libs: ["libbase"],
}
cc_binary {
name: "vold_prepare_subdirs",
defaults: ["vold_default_flags"],
srcs: ["vold_prepare_subdirs.cpp", "Utils.cpp"],
shared_libs: [
"libbase",
"libcutils",
"liblogwrap",
"libselinux",
"libutils",
],
static_libs: [
"libvold_binder",
],
}
filegroup {
name: "vold_aidl",
srcs: [
"binder/android/os/IVold.aidl",
"binder/android/os/IVoldListener.aidl",
"binder/android/os/IVoldMountCallback.aidl",
"binder/android/os/IVoldTaskListener.aidl",
],
path: "binder",
}