Commit graph

42 commits

Author SHA1 Message Date
Alan Stokes
be3db7b7ae Enable vold to set level from user.
We want various per-user directories to have their SELinux MLS level
set to restrict access from other users, as an improvement to user
isolation.

We extend vold_prepare_subdirs to implement this if a flag is
set. vold itself then sets the flag based on a new property,
ro.vold.level_from_user. This is to allow testing of further
incremental work to ensure system apps correctly handle the new
restriction on different devices rather than causing immediate
breakage. Eventually this will go away and the restriction will apply
everywhere.

Bug: 141677108
Test: Manual, with and without propery set.
Change-Id: I8e2207bd94b487bdcc09fd4d80b031027dfea1e3
2020-10-02 14:49:25 +01:00
Xin Li
24ae202734 Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: Id417587a550b0f4abf5a6a3e4b4535011b21f627
Change-Id: Ibb5e8cf5f36dad408cf047dd0498aba24249b695
2020-08-27 10:17:42 -07:00
Eric Biggers
72d07130ac vold: use __ANDROID_API_Q__ instead of pre_gki_level
The name "pre_gki_level" is causing some confusion because not all
devices launching with Android R are subject to the GKI requirement.
(See b/161563110#comment11.)  E.g., devices that use a 4.14-based kernel
are exempt from GKI.  However, the encryption requirements still apply.

Just use __ANDROID_API_Q__ directly instead.

No change in behavior.

Change-Id: Id02ae1140845ac1ae7cf78be4e57fe34da028abf
2020-08-10 11:45:08 -07:00
Eric Biggers
09f789e227 Merge "vold: only allow emmc_optimized on eMMC storage" am: 428ae6e90a am: 7a1c4ccb96
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1356175

Change-Id: Ie124c2cec8e4235ae999463d5c03615880e0c01e
2020-07-07 17:37:34 +00:00
Eric Biggers
eb566d0a7c vold: only allow emmc_optimized on eMMC storage
The emmc_optimized encryption flag is specifically designed for the
limitations of inline encryption hardware that follows the eMMC
standard.  It isn't appropriate to use on other types of storage.
So, make vold enforce that it's not used on other types of storage.

Bug: 160639344
Test:
  - Enabled emmc_optimized on Cuttlefish and verified it no longer boots
  - Using a modified version of this change, verified that
    IsEmmcStorage() works as expected on various devices including
    Cuttlefish, Cuttlefish booted in GSI image mode, a device with eMMC
    storage, and a device with UFS storage.
  - Verified that VtsKernelEncryptionTest still passes
Change-Id: Ie27b80658db53b1a4207b3cbb4e309d05130812e
2020-07-06 19:11:43 -07:00
TreeHugger Robot
cbd458bb35 Merge "Only set quota project ID inheritance on app-private dirs." into rvc-dev 2020-03-11 12:54:58 +00:00
Nikita Ioffe
1c6731c649 fskeyring & userspace reboot: support CE keys
During userspace reboot /data might be unmounted & remounted, meaning
that CE keys stored in fs-level keyring will be lost. In order to be
able to restore them, when installing new key to fs-level keyring, it's
also added to session-level keyring with type "fscrypt-provisioning".

Then when init_user0 is called during userspace reboot, vold will try to
load CE keys from the session-level keyring back into fs-level keyring
for all the users that were unlocked before the reboot.

If for any user vold fails to install the key, init_user0 will fail and
fallback to hard reboot will be triggered.

Test: set a pin pattern
Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
Merged-In: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
(cherry picked from commit 1ee35cf002)
2020-03-11 11:46:46 +00:00
Martijn Coenen
9171fcc984 Only set quota project ID inheritance on app-private dirs.
Previously every directory on external storage had project ID quota
inheritance enabled; this means that if any new file/directory is
created under such a directory, it will inherit the project ID from the
parent. We use a default project ID of 1000 for generic directories, and
application-specific project IDs for app-specific directories.

MediaProvider is responsible for updating the quota type in the generic
directories, as it scans all files there. However, there is a problem
with this approach: if you move a file to a directory with project ID
inheritance set, and the project ID of that file differs from the
project ID of the dir, that results in an EXDEV error, and requires a
copy instead. For example, if /sdcard/DCIM/test.jpg has a project ID of
1003 (for images), and you try to move it to /sdcard/Pictures/test.jpg,
that would require a copy, because the project ID of /sdcard/Pictures is
1000.

While this is not a very common scenario, it's still better to avoid it.
Luckily we can - since MediaProvider anyway scans all files, it will set
the project ID on individual files correctly - there's no need to
inherit them.

We then only need to inherit quota in application-specific directories,
since in those directories the app can create files itself, and those
need to be tagged correctly.

This change enables that, by removing quota inheritance setting from the
top-level directory, and instead doing it for app-specific directories
instead.

Bug: 151078664
Test: atest StorageHostTest
      atest com.android.tests.fused.host.FuseDaemonHostTest#testRenameAndReplaceFile
Change-Id: I38a057ec61cb627e39a3ff7ac58c7218dc251bdc
2020-03-11 11:51:45 +01:00
Nikita Ioffe
1ee35cf002 fskeyring & userspace reboot: support CE keys
During userspace reboot /data might be unmounted & remounted, meaning
that CE keys stored in fs-level keyring will be lost. In order to be
able to restore them, when installing new key to fs-level keyring, it's
also added to session-level keyring with type "fscrypt-provisioning".

Then when init_user0 is called during userspace reboot, vold will try to
load CE keys from the session-level keyring back into fs-level keyring
for all the users that were unlocked before the reboot.

If for any user vold fails to install the key, init_user0 will fail and
fallback to hard reboot will be triggered.

Test: set a pin pattern
Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
2020-03-07 01:19:42 +00:00
Nikita Ioffe
f0550af103 fskeyring & userspace reboot: support DE keys
During userspace reboot /data might be unmounted, which means that if
device supports filesystem keyring, DE keys will be lost and are needed
to be re-installed.

Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I153caa1d7c373b3c906a34f1184c681e52854a9d
Merged-In: I153caa1d7c373b3c906a34f1184c681e52854a9d
(cherry picked from commit 1eaea5a6a2)
2020-03-04 12:18:53 +00:00
Nikita Ioffe
1eaea5a6a2 fskeyring & userspace reboot: support DE keys
During userspace reboot /data might be unmounted, which means that if
device supports filesystem keyring, DE keys will be lost and are needed
to be re-installed.

Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I153caa1d7c373b3c906a34f1184c681e52854a9d
2020-02-27 21:42:08 +00:00
Martijn Coenen
6a4d95d08e Merge "Switch to new project ID constants." 2020-02-20 08:58:56 +00:00
Automerger Merge Worker
d80d53e31f Merge "Make CTS not HEH the default post Q" am: 39969f0288 am: 17d85205bd am: f0bea38daa
Change-Id: I3cf8f261ce7ecf41315ffddbf4964cf47bca1655
2020-02-20 00:22:25 +00:00
Martijn Coenen
aee40511ae Switch to new project ID constants.
Use new constants, instead of reusing previous sdcardfs values.

Bug: 146419093
Test: lsattr -pR
Change-Id: I7409d86cac5360e125e843cc79f3c5f41d74dd1e
2020-02-20 00:39:05 +01:00
Automerger Merge Worker
7489ab6961 Merge changes from topics "metadata_wrapped_key_aosp", "volume_metadata" am: 36fd1ebfae am: 6891eb7e2d am: c14f46d114
Change-Id: I89f51bfaeb61c235aeccbe8a5a5a447ab14c46cb
2020-02-19 22:19:26 +00:00
Paul Crowley
eb241a1d65 Make CTS not HEH the default post Q
Making HEH the default was always a mistake and a giant foot-gun.
Let's make life easier for people by making the default depend on
first_api_level, so it's automatically set up right for new devices
without breaking old ones. Also use v2 fscrypt keys instead of v1 post
Q.

Bug: 147107322
Test: Various Cuttlefish configurations
Change-Id: I5432bdfd6fec6ed34e7f9ab7cdd32cdeb2a03472
2020-02-19 10:27:48 -08:00
Paul Crowley
249c2fb4aa Refactor: make makeGen local
No need for KeyUtil to know how to make a KeyGeneration, it's cleaner
if each module handles it separately. Also, create a CryptoOptions
structure to track metadata encryption options, and simplify legacy
cipher/option handling.

Test: Treehugger
Bug: 147814592
Change-Id: I740063882914097329ff72348d0c0855c26c7aab
2020-02-18 12:49:36 -08:00
Paul Crowley
4eac264727 Refactor key generation to handle both normal and metadata encryption.
Bug: 147733587
Test: Treehugger
Change-Id: Iee176037dec2621c84da325c2627f988fcebbc8d
Merged-In: Iee176037dec2621c84da325c2627f988fcebbc8d
2020-02-14 13:59:06 -08:00
Paul Crowley
b3d018a62c Refactor key generation to handle both normal and metadata encryption.
Bug: 147733587
Test: Treehugger
Change-Id: Iee176037dec2621c84da325c2627f988fcebbc8d
2020-02-14 13:39:19 -08:00
Automerger Merge Worker
30b1a73b3a Merge "vold: Support Storage keys for FBE" am: 8cfb530357 am: aafbd4066a am: 54d5e5ca1e
Change-Id: I7232b8c40cd5606ce6ec801d88df9768405ffa3b
2020-02-13 00:06:10 +00:00
Barani Muthukumaran
3dfb094cb2 vold: Support Storage keys for FBE
To prevent keys from being compromised if an attacker
acquires read access to kernel memory, some inline
encryption hardware supports protecting the keys in
hardware without software having access to or the
ability to set the plaintext keys.  Instead, software
only sees "wrapped keys", which may differ on every boot.

'wrappedkey_v0' fileencryption flag is used to denote
that the device supports inline encryption hardware that
supports this feature. On such devices keymaster is used
to generate keys with STORAGE_KEY tag and export a
per-boot ephemerally wrapped storage key to install it in
the kernel.

The wrapped key framework in the linux kernel ensures the
wrapped key is provided to the inline encryption hardware
where it is unwrapped and the file contents key is derived
to encrypt contents without revealing the plaintext key in
the clear.

Test: FBE validation with Fscrypt v2 + inline crypt + wrapped
key changes kernel.

Bug: 147733587

Change-Id: I1f0de61b56534ec1df9baef075acb74bacd00758
2020-02-12 14:26:26 -08:00
Martijn Coenen
fd9cdbf124 Set quota project ID and inheritance on top-level storage directory.
When creating external storage directories like /data/media/0, make sure
we set the quota project ID correctly, and enable project ID
inheritance. This ensures that all directories/files under this will be
created with the correct project ID and inheritance as well.

Bug: 146419093
Test: lsattr -p on /data/media
Change-Id: I32bfced0d67eb8c1865897b085324f00c55926a0
2020-02-12 13:18:46 +01:00
Paul Crowley
73be12dcd5 Refactor: make cryptfs.h smaller
Move most of it into cryptfs.cpp, and include cryptfs.h in fewer files.

Bug: 147814592
Test: Treehugger
Change-Id: Ia3592d73e7abc1f07a60538e0978a3033bdea7de
2020-02-07 11:16:12 -08:00
Paul Crowley
77df7f207d Refactor to use EncryptionPolicy everywhere we used to use raw_ref
Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen
Bug: 147733587
Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
2020-01-28 11:17:58 -08:00
Barani Muthukumaran
b1927c2a0a vold: Do not cache CE keys in vold
CE keys were cached in vold to support untrusted reset
by a device admin, this is now supported by Locksettingservice
using synthetic password. This change requires a secret to be
provided to retrieve the CE key and re-wrap without the secret
when user removes the credential.

Test: Set credential, remove credential, swipe to none
and vice-versa.
Bug: 26948053
Merged-In: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
Change-Id: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
2020-01-24 00:20:22 +00:00
Paul Crowley
a50f6c3c2c Use new encryption_options fstab entry
Bug: 143307095
Test: change cuttlefish fstab
Change-Id: Ia40daafc9b573c40f29c74dc2ef513fba3fc2bf9
2019-10-28 13:36:35 -07:00
Paul Crowley
f612b8b5ab Replace "flags" property with "options" with same format as fstab
Bug: 143307095
Test: Set override, check policy is as expected with sm set-virtual-disk
Change-Id: Iec31d7530b15d6d4564100816c821394e0708d53
2019-10-24 23:24:27 -07:00
Paul Crowley
5e53ff6e8f Use new C++ libfscrypt interface.
Bug: 143307095
Test: treehugger
Change-Id: I420ba6223bd67d6fec5382a11a72b7aa124294c9
2019-10-24 20:49:52 -07:00
Eric Biggers
83a73d7d50 vold: support v2 encryption policies
Add support for setting v2 encryption policies when configured in the
fstab (for internal storage) or in system properties (for adoptable
storage), and for installing and evicting the keys for such policies.

v2 policies support the same encryption modes and flags as v1 policies,
but internally they use a more standard, secure, and flexible KDF.  Due
to this, some future features will be supported by v2 policies only.

Bug: 140500999
Test: Configured a device to use v2 encryption policies (applied the
      needed kernel patches and added
      "fileencryption=aes-256-xts:aes-256-cts:v2" to fstab, and set the
      corresponding system properties for adoptable storage).  Wiped
      userdata, booted device and checked logs to verify that v2
      policies were being used.

      Also enabled virtual SD card and formatted as adoptable storage;
      verified it works and that v2 policies were being used on it.

      Also created, started, and stopped a 2nd user and verified their
      keys were evicted.

      Also verified that the device comes up again after rebooting.

      Also verified that a device using v1 encryption policies continues
      to work, both with and without an updated kernel -- including
      stopping a user so that their keys get evicted.

Change-Id: If64028d8580584b2c33c614cabd5d6b93657f608
2019-10-04 16:04:36 -07:00
Eric Biggers
f3dc4203dd vold: use new ioctls to add/remove fscrypt keys when supported
When the kernel supports the new fscrypt key management ioctls, use them
instead of add_key() and keyctl_unlink().

This will be needed in order to support v2 encryption policies, since v2
encryption policies only support the new ioctls.

The new ioctls have other advantages too.  For example,
FS_IOC_REMOVE_ENCRYPTION_KEY automatically evicts exactly the necessary
kernel objects, so the drop_caches sysctl is no longer needed.  This
makes evicting keys faster and more reliable.
FS_IOC_REMOVE_ENCRYPTION_KEY also detects if any files are still open
and therefore couldn't be "locked", whereas this went undetected before.

Therefore, to start out this patch adds support for using the new ioctls
for v1 encryption policies, i.e. on existing devices.

(Originally based on a patch by Satya Tangirala <satyat@google.com>)

Bug: 140500828
Test: tested that a device using v1 policies continues to work, both
      with and without an updated kernel.  See
      If64028d8580584b2c33c614cabd5d6b93657f608 for more details.
      Also checked via the log that the filesystem-level keyring is in
      fact used when supported.
Change-Id: I296ef78138578a3fd773797ac0cd46af1296b959
2019-09-30 13:11:42 -07:00
Paul Crowley
c8a3ef3f3c Create a per-boot key on each boot
Bug: 140882488
Test: Booted twice, checked logs to ensure encryption
    is different each time, adb created files in directory.
Change-Id: I74077bf8f727dab726c25f512ed7406a74cbe0bf
2019-09-13 15:46:48 -07:00
Nick Kralevich
a9b07fd2c0 FsCrypt.cpp: Do delayed restorecon on /data/vendor_ce
am: 6a3ef488e5

Change-Id: I900196a62e3fb2bd806a0f2980dca5aad138a7dd
2019-05-15 09:17:58 -07:00
Nick Kralevich
6a3ef488e5 FsCrypt.cpp: Do delayed restorecon on /data/vendor_ce
When Android boots after file_contexts has changed, the boot process
walks the entire /data partition, updating any changed SELinux labels as
appropriate. However, credential encrypted ("ce") directories are
deliberately excluded from this early boot directory walk. Files within
ce directories have their filenames encrypted, and as a result, cannot
match the file_contexts entries. Only after the user has unlocked their
device are the unencrypted filenames available and a restorecon
appropriate.

Ensure that we do a post-unlock restorecon on /data/vendor_ce, like we
do for /data/system_ce and /data/misc_ce. This ensures the labels on
files within these directories are correct after the device has been
unlocked.

Bug: 132349934
Test: See bug 132349934 comment #12 for test procedure
Change-Id: Ifcbef5fdfb236ec6dea418efa9d965db3a3b782f
2019-05-14 09:30:29 -07:00
Eric Biggers
d019a2950a Merge "Don't drop as many caches when evicting CE key" am: a057b27f2a
am: a30a907c65

Change-Id: Idaab2ccd2e6ad8afd8f45c20a27d1f34333970c1
2019-04-09 04:11:42 -07:00
Eric Biggers
ce36868316 Don't drop as many caches when evicting CE key
When a user's CE key is removed, write "2" to /proc/sys/vm/drop_caches
rather than "3".  This avoids unnecessarily evicting the pagecache of
in-use inodes.  It's only necessary to evict the inodes of the relevant
encrypted files, and these are already sync'ed and no longer in-use.
For this mode "2" suffices, as this evicts "reclaimable slab objects",
including inodes; and evicting an inode implies evicting its pagecache.

This matches the recommendation I've made in the documentation for the
fscrypt kernel feature at
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html#online-attacks

Test: Sanity check that directories are still "locked" properly:
      Unlock device with PIN.  Then in adb shell: 'stop; start;
      sleep 10; ls /data/data/' still shows filenames in ciphertext form.
Change-Id: I1bdf3c420ebf63e98cc314498211061ea36f2942
2019-04-05 12:19:46 -07:00
Tommy Chiu
11621353f2 vold: fsync both file and directory after write keys
Use vold version of writeStringToFile which fsync files, and
manually fsync directories after initialize global DE

(cherry picked from commit a98464f688)

Bug: 71810347
Test: Build pass and reboot stress test.
      Original boot failure symptom is NOT reproducible.
Change-Id: I1ca8f8cf0ccfd01075a9c33f79042e58d99aea26
Merged-In: I1ca8f8cf0ccfd01075a9c33f79042e58d99aea26
2019-04-05 04:06:38 -07:00
Eric Biggers
d103404985 vold: downgrade lookup_key_ref() failure message to DEBUG level
Now that lockUserKey() will be called for every user each time the
framework is started, it's a normal case that the key being removed
doesn't exist.  So downgrade the log message about being unable to find
a key from ERROR to DEBUG.

Test: build and boot, message is now debug level.
Change-Id: I2d1dce8dd8825b02982eab1c902aa10fe5b54b84
2019-04-02 11:13:57 -07:00
Tommy Chiu
a98464f688 vold: fsync both file and directory after write keys
Use vold version of writeStringToFile which fsync files, and
manually fsync directories after initialize global DE

Bug: 71810347
Test: Build pass and reboot stress test.
      Original boot failure symptom is NOT reproducible.

Change-Id: I1ca8f8cf0ccfd01075a9c33f79042e58d99aea26
2019-03-28 08:43:24 +00:00
Tom Cherry
4c5bde2b92 Move over to the C++ Fstab class
Test: build and boot
Change-Id: Id3850c9c133f6644073a2439368501253a2a94a9
2019-01-31 12:34:39 -08:00
Paul Crowley
621d9b9732 Fsync directories after creating files
Bug: 120248692
Test: adb shell locksettings set-pin 1111 && \
    adb shell "echo b > /proc/sysrq-trigger"
Change-Id: I53d252942c21365983b4f8b6e0948b1864f195c1
2019-01-07 04:30:08 -08:00
Jie
b6698d56ac Add fsync for renaming user ce key path
Device can't start up after the following steps:
1. set screen lock to PIN/Pattern/Password
2. set screen lock to Swipe/None
3. power down immediately after pressing "YES, REMOVE"
4. reboot

failed log:
Failed to read from /data/misc/vold/user_keys/ce/0/current/keymaster_key_blob

root cause:
flushing data failed because of power down

issue:
https://partnerissuetracker.corp.google.com/u/1/issues/119382750
2018-11-15 06:25:37 +00:00
Eric Biggers
a701c458ca vold: rename from "ext4 encryption" to fscrypt
We support file-based encryption on both ext4 and f2fs now, and the
kernel API is the same.  So rename things appropriately in vold:

    e4crypt => fscrypt
    ext4enc => fscrypt
    Ext4Crypt => FsCrypt
    EXT4_* => FS_*
    ext4_encryption_key => fscrypt_key

Additionally, the common functions shared by 'vold' and 'init' are now
in libfscrypt rather than ext4_utils.  So update vold to link to
libfscrypt and include the renamed headers.

Note: there's a chance of 'fscrypt' being confused with the dm-crypt
based encryption code in vold which is called 'cryptfs'.  However,
fscrypt is the name used in the kernel for ext4/f2fs/ubifs encryption,
and it's preferable to use the same name in userspace.

Test: built, booted device with f2fs encryption
Change-Id: I2a46a49f30d9c0b73d6f6fe09e4a4904d4138ff6
2018-10-25 17:12:32 -07:00
Renamed from Ext4Crypt.cpp (Browse further)