Commit graph

4493 commits

Author SHA1 Message Date
Satya Tangirala
08873d0d7d Merge changes from topic "vold-use-keystore2"
* changes:
  Remove Keymaster::isSecure() and simplify callers
  Make vold use keystore2 instead of keymaster
  Remove HardwareAuthToken support from vold::Keymaster
2021-04-08 00:48:19 +00:00
Satya Tangirala
23452c1e3a Remove Keymaster::isSecure() and simplify callers
Now that isSecure() always returns true, we can remove it and simplify
all the callers (i.e. cryptfs). Refer to the commit description for
Iaebfef082eca0da8a305043fafb6d85e5de14cf8 for why this function always
return true.

Bug: 181910578
Test: Cuttlefish and bramble boot
Change-Id: I185dd8180bd7842b05295263f0b1aa7205329a88
2021-04-08 00:47:54 +00:00
Satya Tangirala
e8de4ffd73 Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.

Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.

The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).

A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
 - 1) that the keys generated by the keymaster were "standalone" keys -
      i.e. that the keymaster could operate on those keys without
      requiring /data or any other service to be available.
 - 2) that the keymaster was a non-SOFTWARE implementation so that things
      would still work in case a "real" TEE keymaster was ever somehow
      added to the device after first boot.

Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.

We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.

There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.

Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
      and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-04-08 00:16:01 +00:00
Satya Tangirala
e13617100d Remove HardwareAuthToken support from vold::Keymaster
HardwareAuthTokens are no longer used by vold since Android P. So remove
the auth token parameter from vold. This patch doesn't remove the token
from IVold.aidl, and the methods in VoldNativeService.cpp return an
error if a non-empty auth token is passed to them.

Bug: 181910578
Test: cuttlefish and bramble boot with patch
Change-Id: I1a9f54e10f9efdda9973906afd0a5de5a699ada5
2021-04-07 02:05:35 -07:00
Alan Stokes
00a48a7a99 Merge "Vold will always bind mount obb and data dirs to lowerfs" am: 159a11f600 am: fab8b2835b
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1647187

Change-Id: I1cba8f70b47d325e7dd8ae005bff12db7a8f3b3f
2021-03-23 18:52:12 +00:00
Alan Stokes
fab8b2835b Merge "Vold will always bind mount obb and data dirs to lowerfs" am: 159a11f600
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1647187

Change-Id: I23b628c92b76f84511f0c8fc87b7b8aa52eb20a6
2021-03-23 18:12:19 +00:00
Alan Stokes
159a11f600 Merge "Vold will always bind mount obb and data dirs to lowerfs" 2021-03-23 17:25:18 +00:00
Ricky Wai
259a49ae15 Vold will always bind mount obb and data dirs to lowerfs
So shell / root will always access to them directly not via fuse.
And zygote will be unmount these directories to prevent them being
abused for leaking app visibility.

Also, /mnt/androidwritable is not very useful now as it's the same as
/mnt/installer, but we should make shell / root to access /mnt/androidwritable
later and /mnt/installer should only access obb but not data dir.

Bug: 182997439
Test: Able to boot without errors
Test: df on /sdcard/Android/data shows it's no on fuse.
Change-Id: I2ad10b1e80c135f637d37ddf502ee010f89f4946
2021-03-22 16:12:50 +00:00
Martijn Coenen
c678a95db2 Merge "vold: do not acquire lock when abort fuse" am: 717c1926fc am: d616d6e1ba
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1639945

Change-Id: Id114cc272baabc99d6d9985761f7cec578dcd896
2021-03-19 09:01:27 +00:00
Martijn Coenen
d616d6e1ba Merge "vold: do not acquire lock when abort fuse" am: 717c1926fc
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1639945

Change-Id: I137677f0625e3d46cc8d5a50aa3327e274676589
2021-03-19 08:42:45 +00:00
Martijn Coenen
717c1926fc Merge "vold: do not acquire lock when abort fuse" 2021-03-19 08:21:00 +00:00
lijiazi
ffe7622d83 vold: do not acquire lock when abort fuse
reboot maybe cause a deadlock scenario:

1:init->vdc->vold for abort_fuse blocked on futex hold by another
vold binder_x

2:binder_x blocked in binder_ioctl_write_read wait a dead service's
response

3:dead service is exiting and schedule a deferred work for put files
in binder_vma_close, after put files is completed, the binder_x will
eventually wake up

4:kworker execute binder_deferred_work is blocked on fuse request:
crash> bt 1707
PID: 1707   TASK: ffffffe366175e80  CPU: 2   COMMAND: "kworker/2:4"
 #0 [ffffff801b8b3ac0] __switch_to at ffffff962ce88a60
 #1 [ffffff801b8b3b10] __schedule at ffffff962e2d3d30
 #2 [ffffff801b8b3b70] schedule at ffffff962e2d3ff4
 #3 [ffffff801b8b3bc0] __fuse_request_send at ffffff962d20e008
 #4 [ffffff801b8b3c00] fuse_request_send at ffffff962d20deac
 #5 [ffffff801b8b3c30] fuse_flush at ffffff962d217fa4
 #6 [ffffff801b8b3c80] filp_close at ffffff962d0bd7b4
 #7 [ffffff801b8b3cb0] put_files_struct at ffffff962d0e7658
 #8 [ffffff801b8b3d30] binder_deferred_func at ffffff962dc9e60c
 #9 [ffffff801b8b3d90] process_one_work at ffffff962cee761c
 #10 [ffffff801b8b3e00] worker_thread at ffffff962cee7a68
 #11 [ffffff801b8b3e60] kthread at ffffff962ceecc14
waiting for init abort_fuse

suggested by maco, do not acquire lock when abort fuse.

Test: reboot stress test

Change-Id: If6dd7f5e9c413a16ba047204c33d82d6ff41c4ae
Signed-off-by: lijiazi <lijiazi@xiaomi.com>
2021-03-17 10:11:18 +00:00
Eric Biggers
514cce99b8 Merge "KeyStorage: improve logging for key generation" am: 759022d0f1 am: 209084f877
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1638259

Change-Id: I1982ef32bdf67ccfa655f2f973a70dacbba284d4
2021-03-16 00:56:21 +00:00
Eric Biggers
209084f877 Merge "KeyStorage: improve logging for key generation" am: 759022d0f1
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1638259

Change-Id: I7d44cdbf632751092ed63ca7084b6ce26180a2bc
2021-03-16 00:17:24 +00:00
Eric Biggers
759022d0f1 Merge "KeyStorage: improve logging for key generation" 2021-03-15 23:46:54 +00:00
Eric Biggers
b2024e0349 KeyStorage: improve logging for key generation
The error messages that are printed when probing for rollback resistance
support on a device that doesn't support rollback-resistant keys can
make it sound like something is going wrong.  Print a WARNING message
afterwards to try to make it clear what is going on.  Also adjust or add
DEBUG messages when starting to generate each key so that it's easier to
distinguish the log messages for different key generation operations.

Bug: 182815123
Test: boot on device that doesn't support rollback-resistant keys and
      check log.
Change-Id: I37a13eb5c1e839fb94581f3e7ec1cd8da0263d2b
2021-03-15 12:44:36 -07:00
Treehugger Robot
a02960e5ed Merge "Avoid killing the FUSE daemon during unmount" am: 05bb5cc71e am: 5e953c70fc
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1614817

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I769ded970fbf021c241043063e34758bfebada98
2021-03-05 19:57:22 +00:00
Treehugger Robot
5e953c70fc Merge "Avoid killing the FUSE daemon during unmount" am: 05bb5cc71e
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1614817

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I25ce3bb0d699478ac00ca25a72d3b4dd0c63d2c1
2021-03-05 18:47:05 +00:00
Treehugger Robot
05bb5cc71e Merge "Avoid killing the FUSE daemon during unmount" 2021-03-05 18:08:14 +00:00
Zim
75273001a2 Avoid killing the FUSE daemon during unmount
The FUSE daemon is often holding fds on behalf of other apps and if a
volume is ejected the daemon would often get killed first while vold
is walking /proc/<pid>/fd to kill pids with open fds on the
volume. This is required for the volume unmount successfully.

To mitigate this, we avoid killing the FUSE daemon during the usual
/proc walk. This ensures that we first send SIGINT, SIGTERM and
SIGKILL to other apps first. There is an additional SIGKILL attempt
and on that last attempt, we kill the FUSE daemon as a last resort

Test: Manual
Bug: 171673908
Change-Id: I100d2ce4cb4c145cbb49e0696842e97dfba2c1c9
2021-03-05 11:05:16 +00:00
Abhijeet Kaur
7d0b75e407 Merge "Remove unused mount modes and re-number the modes for consistency" am: 2d0ea90538 am: 6111dc99fe
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1605433

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ic29cce9e12067fdc7ea4827bb25210af7420cd4e
2021-03-03 13:02:43 +00:00
Abhijeet Kaur
6111dc99fe Merge "Remove unused mount modes and re-number the modes for consistency" am: 2d0ea90538
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1605433

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I958437ce02963f69c3498ef829e9bcbef27dabd4
2021-03-03 11:12:54 +00:00
Abhijeet Kaur
2d0ea90538 Merge "Remove unused mount modes and re-number the modes for consistency" 2021-03-03 10:09:46 +00:00
Treehugger Robot
541c8e03f2 Merge "Set a default ACL on /data/media/userId." am: f6546171af am: ca3fbd1e4b
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1603534

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ib4f7ecc6b6e53fc9f61a4e83027ebb7a86b69b86
2021-03-02 19:47:14 +00:00
Treehugger Robot
ca3fbd1e4b Merge "Set a default ACL on /data/media/userId." am: f6546171af
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1603534

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I13d1ee215c805b25d73e3d39508ea05cdc60b703
2021-03-02 19:03:54 +00:00
Treehugger Robot
f6546171af Merge "Set a default ACL on /data/media/userId." 2021-03-02 09:25:52 +00:00
Treehugger Robot
c0bd8a260d Merge "[vold] expose binder headers to dependent modules" am: 51ff06df22 am: b06061cace
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1607482

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ie3321467c877bf1518594ea190cc109be9a0e483
2021-02-26 05:24:15 +00:00
Treehugger Robot
b06061cace Merge "[vold] expose binder headers to dependent modules" am: 51ff06df22
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1607482

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I32b3d8d656a07491b644c8fd05aa38b8031597a4
2021-02-26 04:33:56 +00:00
Treehugger Robot
51ff06df22 Merge "[vold] expose binder headers to dependent modules" 2021-02-26 03:35:10 +00:00
Songchun Fan
f77beb516b [vold] expose binder headers to dependent modules
This allows libincremental_aidl-cpp to be built via cc_library instead
of aidl_interface.

BUG: 181266844
Test: builds
Change-Id: I4f0bc82629c0df758467aa074274b30f9dc6718d
2021-02-25 15:32:16 -08:00
Kalesh Singh
bda3d905bd Merge "vold: Use Wakelock::tryGet()" am: 8439ab27d6 am: c08bc3b0b8
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1600813

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ib0eb444a328513b3fbe4b9818268cff319c53ae3
2021-02-24 22:58:01 +00:00
Kalesh Singh
c08bc3b0b8 Merge "vold: Use Wakelock::tryGet()" am: 8439ab27d6
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1600813

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I4b028c047da40cbbd20c0a99d4c957d87bfcf0c2
2021-02-24 22:14:06 +00:00
Kalesh Singh
8439ab27d6 Merge "vold: Use Wakelock::tryGet()" 2021-02-24 18:49:58 +00:00
Abhijeet Kaur
e715ec1364 Remove unused mount modes and re-number the modes for consistency
Also, add REMOUNT_MODE_ANDROID_WRITABLE to return "/mnt/runtime/write".

Bug: 148454884
Test: builds
Change-Id: I5a38c88f46034c494604bb001cf4d4c400c8f73e
2021-02-24 14:52:37 +00:00
Martijn Coenen
5adf92a988 Set a default ACL on /data/media/userId.
This directory is used as a root for external storage on adopted storage
devices. It needs to be writable by processes holding the AID_MEDIA_RW
GID permission; in particular, it should be writable by the FUSE daemon.

On devices with sdcardfs, this was ensured automatically, because
sdcardfs presented a view of this directory that was writable, that we
could use for the FUSE daemon. But on devices without sdcardfs, the FUSE
daemon sees the raw filesystem and its permissions. This also means that
files created by the FUSE daemon will have their uid/gid set to the uid
of the FUSE daemon; to ensure these files stay writable to other system
applications that have AID_MEDIA_RW, use a default ACL to make sure the
gid stays AID_MEDIA_RW.

In particular, this fixes an issue with app cloning, where we want the
FUSE daemon of user 0 to be able to access the files of the app clone
user, and vice versa.

Bug: 154057120
Test: inspect uid/gid of /data/media/0 and contents
Change-Id: Ic5d63457ec917ea407b900dbb7773d89311780c6
2021-02-24 12:45:09 +01:00
Kalesh Singh
98062dcd89 vold: Use Wakelock::tryGet()
Acquiring a wakelock can fail if the suspend service is unavailable.
Explicitly check that wakelock was acquired before performing
operations that require the device to stay on.

Bug: b/179229598
Test: Boot test on Pixel 4 device
Change-Id: If30087223e44098801a31d1bfd239ac22e891abe
2021-02-22 17:24:51 -05:00
Xin Li
9ee62187e7 [automerger skipped] Mark ab/7061308 as merged in stage. am: 0ee13dfc4f -s ours
am skip reason: Change-Id I7124285f41c6a854ad5c86677bc94d78ddca5a97 with SHA-1 60537dad69 is in history

Original change: undetermined

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I50546bc29bc2fcd0dee816ded8d45d9b355c4eb1
2021-02-20 12:28:42 +00:00
Xin Li
0ee13dfc4f Mark ab/7061308 as merged in stage.
Bug: 180401296
Merged-In: I7124285f41c6a854ad5c86677bc94d78ddca5a97
Change-Id: Icf8db3d8557a3835e0834eec134bb4b111ec3af0
2021-02-20 00:24:42 -08:00
Treehugger Robot
85956f9525 Merge changes from topic "fsync-fixes" am: 6c36c6f421 am: 2a3e67a9e0
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1590896

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ibf2e04c47b38e917bf58afcfbd78b7a0a395c141
2021-02-19 20:42:12 +00:00
Treehugger Robot
2a3e67a9e0 Merge changes from topic "fsync-fixes" am: 6c36c6f421
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1590896

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ifacc42ef9b4abe897a598e3cd8dcef4650b8f5ff
2021-02-19 19:54:09 +00:00
Treehugger Robot
6c36c6f421 Merge changes from topic "fsync-fixes"
* changes:
  Add syncs when creating parent directories
  Sync parent directory in storeKeyAtomically()
  Move pathExists() to Utils.cpp
2021-02-19 19:23:47 +00:00
Dhiraj Jadhav
e5d8fe2474 Merge "Revert "Revert "Revert "Set a default ACL on /data/media/userId."""" am: a98846d8d5 am: 375884bd0a
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1592902

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I38ed5d51a2f7712bf6a72b01f35e4c99a4edb43f
2021-02-18 19:13:34 +00:00
Dhiraj Jadhav
375884bd0a Merge "Revert "Revert "Revert "Set a default ACL on /data/media/userId."""" am: a98846d8d5
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1592902

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I7c3c8bd230bcc14471d127ddc2276634cd2b2a43
2021-02-18 18:45:58 +00:00
Dhiraj Jadhav
a98846d8d5 Merge "Revert "Revert "Revert "Set a default ACL on /data/media/userId."""" 2021-02-18 17:38:20 +00:00
Dhiraj Jadhav
72005fd1e6 Revert "Revert "Revert "Set a default ACL on /data/media/userId."""
This reverts commit ea9681e4cd.

Reason for revert: storage Permission causing b/179362637 adb push to fail

Change-Id: Ibc1d8b5b685c22545b7e2d15de58059960b87e14
2021-02-18 04:57:03 +00:00
Eric Biggers
fec0c0e472 Add syncs when creating parent directories
vold creates some directories for storing encryption keys if they don't
already exist, potentially including parent directories:

    /metadata/vold/metadata_encryption
    /data/misc/vold/volume_keys/$volume_uuid
    /data/misc_de/$user/vold/volume_keys/$volume_uuid
    /data/misc_ce/$user/vold/volume_keys/$volume_uuid

Currently fs_mkdirs() is used for this.  However, fs_mkdirs() doesn't
include the fsync()s of the parent directories that are needed to ensure
that the new directories are persisted to disk right away -- which is
important for encryption keys.

Add a utility function MkdirsSync() which does what is needed, and make
the appropriate places call it.

Test: Booted and checked log for "Created directory" message.
      Also ran 'atest vold_tests' to run the new unit test.
Change-Id: Ie9917b616433080139b8db3fd6877203ee6faf77
2021-02-16 16:18:53 -08:00
Eric Biggers
3345a2a98c Sync parent directory in storeKeyAtomically()
When an FBE or metadata encryption key is created, it's important that
it be persisted to disk right away; otherwise the device may fail to
boot after an unclean shutdown.  storeKey() has the needed fsync()s.
However, storeKeyAtomically() doesn't, as it doesn't fsync() the parent
directory of key_path after it renames tmp_path to it.

Two callers do fsync() the parent directory themselves, but others
don't.  E.g., the metadata encryption key doesn't get properly synced.

Therefore, add the needed fsync() to storeKeyAtomically() so that it
gets done for everyone.

Also remove the now-unneeded fsync()s from the two callers that did it
themselves.

Change-Id: I342ebd94f0a3d2bf3a7a443c35b6bda0f12e1ab2
2021-02-16 16:05:38 -08:00
Eric Biggers
bd138dd08a Move pathExists() to Utils.cpp
This is useful as a general utility function.

Change-Id: Id43fc106dc6c544c6e4ce65f10c7d4246b99e54a
2021-02-16 16:05:38 -08:00
Treehugger Robot
64d5e281ad Merge "[LSC] Add LOCAL_LICENSE_KINDS to system/vold" am: 810bcca4d0 am: c7c9cfbf9f
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1589008

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ib8dbb252b72c8c7c102ed39747be613d16707121
2021-02-16 00:31:33 +00:00
Treehugger Robot
c7c9cfbf9f Merge "[LSC] Add LOCAL_LICENSE_KINDS to system/vold" am: 810bcca4d0
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1589008

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: If9313dcc2a75e117374543fb9050aa1a7e0410f4
2021-02-15 23:48:04 +00:00