Since Android platform codespace doesn't support exception handling, we
use strtoll() instead of stoll for direct error handling.
Bug: 274369737
Test: check smart idle maintenace service log
Change-Id: I57c709b1e329228790e0a883edb64dc023135a24
Since commit 08f4bdfe98 ("Don't use a secdiscardable file for keys
encrypted by SP") (https://r.android.com/2242561), some keys don't use a
secdiscardable file. Currently if such a key is destroyed, an ERROR
message like the following is logged:
E secdiscard: Secure discard open failed for: /data/misc/vold/user_keys/ce/14/current/secdiscardable
This case is expected, so it should not be an ERROR. Fix this by only
passing the secdiscardable file to the secdiscard program if it exists.
Bug: 232452368
Change-Id: I490289dfdaf0db6c3f4fb507509095e0033e2f69
It's essential that files created by vold get the correct SELinux
labels, so make sure to check for errors when setting them.
ENOENT (no label defined) is expected on some files such as
/mnt/appfuse/*, so allow ENOENT but log a DEBUG message.
This will help debug b/269567270. This is not a fix for b/269567270.
Bug: 269567270
Test: Created user and checked SELinux labels of user's directories
Test: atest CtsBlobStoreHostTestCases
Change-Id: Ife005bdd896952653943c57336deb33456f7c5d8
It's essential that files created by vold get the correct SELinux
labels, so make sure to check for errors when setting them.
This will help debug b/269567270. This is not a fix for b/269567270.
Bug: 269567270
Test: Created user and checked SELinux labels of user's directories
Change-Id: I99e4d530a00f9401532c9cb0990df254b7a12a80
Due to frameworks/base commit 5c65b1ee1023 ("Don't prepare CE storage on
user creation") (http://ag/20241697), removing a user immediately after
creating it causes the user's directories to be destroyed before CE
storage was prepared.
Functionally this works fine; however, it causes some error messages to
be spammed to the log because 'vold_prepare_subdirs destroy' doesn't
like that /data/misc_ce/$userId and /data/vendor_ce/$userId don't exist.
vold_prepare_subdirs logs two error messages itself, but it also exits
with a failure status, which bubbles up and causes a Slog.wtf with a
stack trace in StorageManagerService.
Fix this by making rmrf_contents() simply return true if the directory
doesn't exist.
Bug: 232452368
Test: 'pm create-user 10 && pm remove-user 10' and check logcat
Change-Id: I867a915f4b25e1a5f0603fbd84680b673ff5eb96
There is a race condition between key eviction and killing user
processes. The race condition is difficult to properly fix without
significantly degrading UI performance.
If the race condition occurs, decrypted filesystem data is left in
various kernel caches. To mitigate, we try to ensure the caches are
flushed by evicting the keys again in a worker thread.
Test: Checked that the correct log messages appear when evicting a
user's keys
Bug: 140762419
Change-Id: I9e39e5bb0f5190284552bcd252b6213a22a51e91
Some devices isolate CPUs under low battery. It causes
low performance and 5 sec timeout is soemtimes too short
for dm device ready.
Bug: 267989884
Change-Id: I52e1140b961ac42401a409e3264a5facc0f60cc4
Signed-off-by: Masaya Takahashi <masaya.a.takahashi@sony.com>
This reverts commit 564f6c649a.
Reason for revert: Un-backporting.
Note: This is not a direct revert. We should keep the minor refactoring
in PublicVolume.cpp; no point making the code worse.
Test: Revert.
Change-Id: Ic03ed25ad15a2da974921542a20cd27224347f68
This CR, when paired with a functional NTFS implementation and the
corresponding SEPolicy updates, will allow NTFS USB drives to be mounted
on Android.
Bug: 254407246
Test: Extensive testing with an ADT-4 and NTFS USB drives.
Merged-In: If4197c4c588866c611cd6ba3483707d3cb0e0cf8
Change-Id: If4197c4c588866c611cd6ba3483707d3cb0e0cf8
We should not delete keys, once the first one was created.
Bug: 197782466
Change-Id: Ia895c140aa16553b422748531b01931737a0ea94
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
When userdata partition is the type of ext4, checkpoint and metadata
encryption are enabled, boot up the images, if the slot currently
in use is not marked as "successful" and userdata is wiped, a reboot
will be triggered because of "Checkpoint commit failed"
In this patch, do not create checkpoint when the preceding condition
occurs, otherwise "dm-default-key" sits below "dm-bow".
Because cp_needsCheckpoint(), cp_prepareCheckpoint() and cp_commitChanges()
are always executed when the system boots up, and now there is a condition
that BOW device is not created while the slot in use is not marked as
"successful", set "isBow" to be "false" if BOW state fails to be set to
1, if "isBow" is false, then there is no need to commit the checkpoint,
and the system won't automatically reboot.
Bug: 193457319
Test: i.MX 8M Plus EVK, images flashed to board, misc and userdata
partitions are wiped, checkpoint and metadata encryption are
enabled for ext4 userdata partition.
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
Change-Id: I4ad47a9504f1be0407f0fd196001a0e96919be33
If a service doesn't specify any capabilities in it's definition in the
.rc file, then it will inherit all the capabilities from the init.
Although whether a process can use capabilities is actually controlled
by selinux (so inheriting all the init capabilities is not actually a
security vulnerability), it's better for defense-in-depth and just
bookkeeping to explicitly specify the capabilities that vold needs.
The list of capabilities that vold is allowed to use was obtained via:
```
$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy
$ sesearch --allow -s vold -c capability,capability2 /tmp/selinux.policy
allow vold vold:capability { chown dac_override dac_read_search fowner fsetid kill mknod net_admin sys_admin sys_chroot sys_nice sys_ptrace };
allow vold vold:capability2 block_suspend
```
In addition, since vold execs the /system/bin/sdcard, which transitions
into sdcardd domain, we also need to add capabilities that are required
by /system/bin/sdcard:
```
sesearch --allow -s sdcardd -c capability,capability2 /tmp/selinux.policy
allow sdcardd sdcardd:capability { dac_override dac_read_search setgid setuid sys_admin sys_resource };
```
vold can also transform into the following domains which don't seem to
need any capabilities: blkid, blkid_untrusted, fsck, fsck_untrusted
vold can also transform into sgdisk domain, which only needs
CAP_SYS_ADMIN:
```
sesearch --allow -s sgdisk -c capability,capability2 /tmp/selinux.policy
allow sgdisk sgdisk:capability sys_admin
```
Bug: 249796710
Test: device boots
Test: prebumit
Change-Id: Ic2a35fd62d6ed8c7b305c23607e6c24b197cf6bc
