diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2020-07-09 01:03:37 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-07-09 01:03:37 +0000 |
| commit | 547be2bddfb9dea41eb968940094e3fe1593fed9 (patch) | |
| tree | cb2762ef9c3a5db376fdccd9480c23e5c380148e | |
| parent | 108fb5dcdca9574c7eeac13a22350c7486087969 (diff) | |
| parent | 006eed8e3ad8b38915c55092346fb149298975a0 (diff) | |
| download | vold-android11-release.tar.gz | |
Snap for 6664334 from 006eed8e3ad8b38915c55092346fb149298975a0 to rvc-releaseandroid-vts-11.0_r9android-vts-11.0_r8android-vts-11.0_r7android-vts-11.0_r6android-vts-11.0_r5android-vts-11.0_r4android-vts-11.0_r3android-vts-11.0_r2android-vts-11.0_r16android-vts-11.0_r15android-vts-11.0_r14android-vts-11.0_r13android-vts-11.0_r12android-vts-11.0_r11android-vts-11.0_r10android-vts-11.0_r1android-security-11.0.0_r76android-security-11.0.0_r75android-security-11.0.0_r74android-security-11.0.0_r73android-security-11.0.0_r72android-security-11.0.0_r71android-security-11.0.0_r70android-security-11.0.0_r69android-security-11.0.0_r68android-security-11.0.0_r67android-security-11.0.0_r66android-security-11.0.0_r65android-security-11.0.0_r64android-security-11.0.0_r63android-security-11.0.0_r62android-security-11.0.0_r61android-security-11.0.0_r60android-security-11.0.0_r59android-security-11.0.0_r58android-security-11.0.0_r57android-security-11.0.0_r56android-security-11.0.0_r55android-security-11.0.0_r54android-security-11.0.0_r53android-security-11.0.0_r52android-security-11.0.0_r51android-security-11.0.0_r50android-security-11.0.0_r49android-security-11.0.0_r1android-platform-11.0.0_r2android-platform-11.0.0_r1android-cts-11.0_r9android-cts-11.0_r8android-cts-11.0_r7android-cts-11.0_r6android-cts-11.0_r5android-cts-11.0_r4android-cts-11.0_r3android-cts-11.0_r2android-cts-11.0_r16android-cts-11.0_r15android-cts-11.0_r14android-cts-11.0_r13android-cts-11.0_r12android-cts-11.0_r11android-cts-11.0_r10android-cts-11.0_r1android-11.0.0_r6android-11.0.0_r5android-11.0.0_r4android-11.0.0_r3android-11.0.0_r25android-11.0.0_r2android-11.0.0_r17android-11.0.0_r1android11-tests-releaseandroid11-security-releaseandroid11-s1-releaseandroid11-release
Change-Id: Ie48890ec9ee7eee32f3d404c6513ae71dd523bed
| -rw-r--r-- | FsCrypt.cpp | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/FsCrypt.cpp b/FsCrypt.cpp index 4d5cd335..e21524ac 100644 --- a/FsCrypt.cpp +++ b/FsCrypt.cpp @@ -52,6 +52,7 @@ #include <fscrypt/fscrypt.h> #include <keyutils.h> +#include <libdm/dm.h> #include <android-base/file.h> #include <android-base/logging.h> @@ -60,6 +61,9 @@ #include <android-base/strings.h> #include <android-base/unique_fd.h> +using android::base::Basename; +using android::base::Realpath; +using android::base::StartsWith; using android::base::StringPrintf; using android::fs_mgr::GetEntryForMountPoint; using android::vold::BuildDataPath; @@ -73,6 +77,7 @@ using android::vold::SetQuotaInherit; using android::vold::SetQuotaProjectId; using android::vold::writeStringToFile; using namespace android::fscrypt; +using namespace android::dm; namespace { @@ -203,6 +208,26 @@ static bool read_and_fixate_user_ce_key(userid_t user_id, return false; } +static bool IsEmmcStorage(const std::string& blk_device) { + // Handle symlinks. + std::string real_path; + if (!Realpath(blk_device, &real_path)) { + real_path = blk_device; + } + + // Handle logical volumes. + auto& dm = DeviceMapper::Instance(); + for (;;) { + auto parent = dm.GetParentBlockDeviceByPath(real_path); + if (!parent.has_value()) break; + real_path = *parent; + } + + // Now we should have the "real" block device. + LOG(DEBUG) << "IsEmmcStorage(): blk_device = " << blk_device << ", real_path=" << real_path; + return StartsWith(Basename(real_path), "mmcblk"); +} + // Retrieve the options to use for encryption policies on the /data filesystem. static bool get_data_file_encryption_options(EncryptionOptions* options) { auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT); @@ -215,6 +240,12 @@ static bool get_data_file_encryption_options(EncryptionOptions* options) { << entry->encryption_options; return false; } + if ((options->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) && + !IsEmmcStorage(entry->blk_device)) { + LOG(ERROR) << "The emmc_optimized encryption flag is only allowed on eMMC storage. Remove " + "this flag from the device's fstab"; + return false; + } return true; } @@ -248,6 +279,11 @@ static bool get_volume_file_encryption_options(EncryptionOptions* options) { LOG(ERROR) << "Unable to parse volume encryption options: " << options_string; return false; } + if (options->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) { + LOG(ERROR) << "The emmc_optimized encryption flag is only allowed on eMMC storage. Remove " + "this flag from ro.crypto.volume.options"; + return false; + } return true; } |