diff --git a/interfaces/innerkits/fs_manager/fstab.c b/interfaces/innerkits/fs_manager/fstab.c
index f69d1b2c4515f33a748a168f684aacd995852d1a..67b4c4f480540f51efef4ad5b4fe2a4b7a8c6b1e 100644
--- a/interfaces/innerkits/fs_manager/fstab.c
+++ b/interfaces/innerkits/fs_manager/fstab.c
@@ -42,6 +42,12 @@ struct MountFlags {
 unsigned long flags;
 };
+#define POLICY_BUFFER (100)
+
+static const char *g_fscryptPre = "fscrypt=";
+static const char *g_mountPoint = "/data";
+static char g_fscryptPolicy[POLICY_BUFFER] = { 0 };
+
 static unsigned int ConvertFlags(char *flagBuffer)
 {
 static struct FsManagerFlags fsFlags[] = {
@@ -384,7 +390,40 @@ static unsigned long ParseDefaultMountFlag(const char *str)
 return flags;
 }
-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize)
+static bool IsFscryptOption(const char *option)
+{
+ if (!option) {
+ return false;
+ }
+ if (strncmp(option, g_fscryptPre, strlen(g_fscryptPre)) == 0) {
+ return true;
+ }
+ return false;
+}
+
+static void StoreFscryptPolicy(const char *option)
+{
+ if (!option) {
+ return;
+ }
+ if (strcpy_s(g_fscryptPolicy, POLICY_BUFFER - 1, option) != EOK) {
+ g_fscryptPolicy[0] = '\0';
+ BEGET_LOGE("StoreFscryptPolicy: copy policy failed");
+ return;
+ }
+ BEGET_LOGI("StoreFscryptPolicy:load fscrypt policy, %s", option);
+}
+
+const char *LoadFscryptPolicy(void)
+{
+ if (strnlen(g_fscryptPolicy, POLICY_BUFFER - 1) == 0) {
+ return NULL;
+ }
+ return g_fscryptPolicy;
+}
+
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize,
+ const char *mountPoint)
 {
 unsigned long flags = 0;
 BEGET_CHECK_RETURN_VALUE(mountFlag != NULL && fsSpecificData != NULL, 0);
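Review bot: In `StoreFscryptPolicy`, a policy string that does not fit `g_fscryptPolicy` leaves the buffer empty, so `LoadFscryptPolicy()` returns NULL and a caller cannot tell a rejected policy from an fstab that never carried `fscrypt=`. Elsewhere in this commit a NULL result is logged as "file crypto is not enabled" and the step is skipped, so a copy failure appears to turn encryption setup off quietly; recording the failure separately (for example in a static flag the init commands can test) would let /data setup stop instead. `strcpy_s` takes the size of the destination, so `sizeof(g_fscryptPolicy)` is the natural bound rather than `POLICY_BUFFER - 1`. `LoadFscryptPolicy` should carry a comment saying it returns a pointer into static storage owned by fstab.c, or NULL when nothing was stored.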
@@ -408,6 +447,11 @@ unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpec
 if (IsDefaultMountFlags(p)) {
 flags |= ParseDefaultMountFlag(p);
 } else {
+ if (IsFscryptOption(p) &&
+ !strncmp(mountPoint, g_mountPoint, strlen(g_mountPoint))) {
+ StoreFscryptPolicy(p + strlen(g_fscryptPre));
+ continue;
+ }
 if (strncat_s(fsSpecificData, fsSpecificDataSize - 1, p, strlen(p)) != EOK) {
 BEGET_LOGW("Failed to append mount flag \" %s \", ignore it.", p);
 continue;
diff --git a/interfaces/innerkits/fs_manager/fstab_mount.c b/interfaces/innerkits/fs_manager/fstab_mount.c
index 8ce8a3fc033958940a899261d50df13bf726a610..2ffa4120f0e109392270cd5d84ce47899996bd60 100644
--- a/interfaces/innerkits/fs_manager/fstab_mount.c
+++ b/interfaces/innerkits/fs_manager/fstab_mount.c
@@ -293,7 +293,8 @@ int MountOneItem(FstabItem *item)
 unsigned long mountFlags;
 char fsSpecificData[FS_MANAGER_BUFFER_SIZE] = {0};
- mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData));
+ mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData),
+ item->mountPoint);
 if (!IsSupportedFilesystem(item->fsType)) {
 BEGET_LOGE("Unsupported file system \" %s \"", item->fsType);
 return 0;
diff --git a/interfaces/innerkits/include/fs_manager/fs_manager.h b/interfaces/innerkits/include/fs_manager/fs_manager.h
index bb078cf76690dac79fbf1c5f2f80abc511474dff..cef85d45dfcbe1c19142d80f1a62aee1e70f028d 100644
--- a/interfaces/innerkits/include/fs_manager/fs_manager.h
+++ b/interfaces/innerkits/include/fs_manager/fs_manager.h
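Review bot: `mountPoint` is handed to `strncmp` in the new `fscrypt=` branch, but the guard visible at the top of `GetMountFlags` checks only `mountFlag` and `fsSpecificData`, so a caller of this exported function that passes NULL would fault as soon as an `fscrypt=` option is parsed. The comparison is also a prefix match, so any mount point that merely begins with `/data` (a constructed example: `/data_ext`) is treated as the data partition; if only `/data` itself is meant, use `mountPoint != NULL && strcmp(mountPoint, g_mountPoint) == 0`. An `fscrypt=` option on any other mount point falls through to `strncat_s` and is handed to the filesystem as mount data, which probably deserves a warning and a skip instead. The loop around this branch starts and ends outside the hunk.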
@@ -70,9 +70,13 @@ MountStatus GetMountStatusForMountPoint(const char *mp);
 int MountAllWithFstabFile(const char *fstabFile, bool required);
 int MountAllWithFstab(const Fstab *fstab, bool required);
 int UmountAllWithFstabFile(const char *file);
-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize);
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize,
+ const char *mountPoint);
 int GetBlockDevicePath(const char *partName, char *path, int size);
+
+// Get fscrypt policy if exist
+const char *LoadFscryptPolicy(void);
 #ifdef __cplusplus
 #if __cplusplus
 }
diff --git a/services/etc/init.cfg b/services/etc/init.cfg
index 46db24388e23f4741792c8994e2ac359dfc217e2..9f0695bea6b2b093a19a76c52ad457cb274e0890 100755
--- a/services/etc/init.cfg
+++ b/services/etc/init.cfg
@@ -21,7 +21,8 @@
 "load_persist_params ",
 "bootchart start",
 "chown access_token access_token /dev/access_token_id",
- "chmod 0666 /dev/access_token_id"
+ "chmod 0666 /dev/access_token_id",
+ "start samgr"
 ]
 }, {
 "name" : "init",
@@ -105,6 +106,7 @@
 }, {
 "name" : "post-fs-data",
 "cmds" : [
+ "init_global_key /data",
 "mkdir /data/app 0711 root root",
 "mkdir /data/app/el1 0711 root root",
 "mkdir /data/app/el1/bundle 0711 root root",
@@ -121,6 +123,7 @@
 "mkdir /data/chipset/el1 0711 root root",
 "mkdir /data/chipset/el1/public 0711 root root",
 "mkdir /data/chipset/el2 0711 root root",
+ "init_main_user ",
 "mkdir /data/app/el1/0 0711 root root",
 "mkdir /data/app/el1/0/base 0711 root root",
 "mkdir /data/app/el1/0/database 0711 system system",
diff --git a/services/init/include/init_cmds.h b/services/init/include/init_cmds.h
index 0c681950009da6e818ba63f740a6a31d2caba260..2108c0872ab895855eb23501ecc1170ed8997061 100644
--- a/services/init/include/init_cmds.h
+++ b/services/init/include/init_cmds.h
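Review bot: The comment on `LoadFscryptPolicy` does not tell a caller what it gets back or who owns it. Going by the fstab.c part of this commit, the result points into a static buffer that is filled as a side effect of `GetMountFlags` on the `/data` entry and is NULL until then; a comment such as `// Returns the fscrypt policy parsed from the /data fstab entry, or NULL if none was stored. Points to static storage: do not free or modify.` would state that. The new `mountPoint` parameter of `GetMountFlags` is likewise undocumented, including whether NULL is accepted.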
@@ -81,7 +81,7 @@ const struct CmdTable *GetCmdByName(const char *name);
 void ExecReboot(const char *value);
 char *BuildStringFromCmdArg(const struct CmdArgs *ctx, int startIndex);
 void ExecCmd(const struct CmdTable *cmd, const char *cmdContent);
-int FileCryptEnable(char *fileCryptOption);
+int SetFileCryptPolicy(const char *dir);
 void OpenHidebug(const char *name);
 #ifdef __cplusplus
diff --git a/services/init/init_common_cmds.c b/services/init/init_common_cmds.c
index 5c1427abed74938909ab3a77b6883e90e19baa4f..3ec6bd027b62b33a68d0f668489aa3dad0ae1c05 100644
--- a/services/init/init_common_cmds.c
+++ b/services/init/init_common_cmds.c
@@ -41,8 +41,6 @@
 #endif
 #include "securec.h"
-static char *g_fileCryptOptions = NULL;
-
 static char *AddOneArg(const char *param, size_t paramLen)
 {
 int valueCount = 1;
@@ -345,6 +343,11 @@ static void DoMkDir(const struct CmdArgs *ctx)
 if (ret != 0) {
 INIT_LOGE("Failed to change owner %s, err %d.", ctx->argv[0], errno);
 }
+ ret = SetFileCryptPolicy(ctx->argv[0]);
+ if (ret != 0) {
+ INIT_LOGW("failed to set file fscrypt");
+ }
+
 return;
 }
@@ -397,16 +400,6 @@ static int GetMountFlag(unsigned long *mountflag, const char *targetStr, const c
 WaitForFile(source, WAIT_MAX_SECOND);
 return 1;
 }
- const char *fileCryptPre = "filecrypt=";
- size_t len = strlen(fileCryptPre);
- if (strncmp(targetStr, fileCryptPre, len) == 0) {
- size_t maxLen = strlen(targetStr) + 1;
- g_fileCryptOptions = calloc(sizeof(char), maxLen);
- INIT_ERROR_CHECK(g_fileCryptOptions != NULL, return 0, "Failed to alloc memory");
- int ret = snprintf_s(g_fileCryptOptions, maxLen, maxLen - 1, "%s", targetStr + len);
- INIT_ERROR_CHECK(ret >= 0, return 0, "Failed to snprintf");
- return 1;
- }
 return 0;
 }
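Review bot: The new `SetFileCryptPolicy` call in `DoMkDir` runs for every `mkdir` command and only logs a fixed warning on failure, so a directory under /data can be left without a policy while the log names neither the path nor the error. Put both in the message, e.g. `INIT_LOGW("Failed to set fscrypt policy for %s, ret %d", ctx->argv[0], ret);`, and decide whether a failure for a path that is meant to be encrypted should stay a warning. Whether this line is also reached after a failed mkdir cannot be seen here, because the start of `DoMkDir` is outside the hunk; if it is, the policy call should be skipped on that path.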
@@ -449,18 +442,6 @@ static void DoMount(const struct CmdArgs *ctx)
 if (ret != 0) {
 INIT_LOGE("Failed to mount for %s, err %d.", target, errno);
 }
- if ((g_fileCryptOptions != NULL) && (strncmp(target, "/data", strlen("/data")) == 0)) {
- ret = FileCryptEnable(g_fileCryptOptions);
- if (ret < 0) {
- INIT_LOGE("File Crypt enabled failed");
- free(g_fileCryptOptions);
- g_fileCryptOptions = NULL;
- return;
- }
- free(g_fileCryptOptions);
- g_fileCryptOptions = NULL;
- INIT_LOGI("File Crypt enabled success");
- }
 }
 static int DoWriteWithMultiArgs(const struct CmdArgs *ctx, int fd)
diff --git a/services/init/lite/init_cmds.c b/services/init/lite/init_cmds.c
index cde0433b4ea68b3c02cbab6b1b588b9b76149b45..5cee844bfae6e58c4c16432bcab539908f0d5acb 100644
--- a/services/init/lite/init_cmds.c
+++ b/services/init/lite/init_cmds.c
@@ -108,11 +108,6 @@ static void DoLoadCfg(const struct CmdArgs *ctx)
 (void)fclose(fp);
 }
-int FileCryptEnable(char *fileCryptOption)
-{
- return 0;
-}
-
 static const struct CmdTable g_cmdTable[] = {
 { "exec ", 1, 10, DoExec },
 { "loadcfg ", 1, 1, DoLoadCfg },
@@ -133,4 +128,8 @@ void PluginExecCmdByCmdIndex(int index, const char *cmdContent)
 const char *PluginGetCmdIndex(const char *cmdStr, int *index)
 {
 return NULL;
+}
+int SetFileCryptPolicy(const char *dir)
+{
+ return 0;
 }
\ No newline at end of file
diff --git a/services/init/standard/BUILD.gn b/services/init/standard/BUILD.gn
index 725f2ec8c398dd85630f36dc85088975bfb795d5..36328fc147f31842cf7c8fe8cb78f700a90f0040 100644
--- a/services/init/standard/BUILD.gn
+++ b/services/init/standard/BUILD.gn
@@ -24,6 +24,9 @@ init_common_sources = [
 "../main.c",
 ]
+FSCRYPT_PATH =
+ "//foundation/filemanagement/storage_service/services/storage_daemon"
+
 import("//build/ohos.gni")
 import("//build/ohos/native_stub/native_stub.gni")
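Review bot: The lite `SetFileCryptPolicy` stub is appended directly after the closing brace of `PluginGetCmdIndex` with no blank line between the two functions, and the file still ends without a newline. The stub reports success without doing anything, so a short comment stating why (presumably that the lite build has no fscrypt support and `DoMkDir` should carry on) would help, e.g. `// No fscrypt on lite: report success so mkdir is unaffected`. Adding `(void)dir;` keeps the unused parameter from warning.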
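Review bot: `FSCRYPT_PATH` hard-codes an absolute path into another component (`//foundation/filemanagement/storage_service/services/storage_daemon`) and the same assignment is repeated in test/unittest/BUILD.gn later in this commit. With it, init's build depends on storage_service's directory layout in two places, and the later hunks link `libfscryptutils_static` from that component statically into the init executable. If the project has a shared .gni for cross-component paths, defining the variable once there would keep the two copies from drifting; it is also worth confirming that the linked target is reviewed and built to the same standard as the rest of init.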
@@ -51,7 +54,10 @@ ohos_executable("init") {
 sources += modulemgr_sources
 sources += init_common_sources
- include_dirs = [ "//base/startup/init/services/init/include" ]
+ include_dirs = [
+ "//base/startup/init/services/init/include",
+ "${FSCRYPT_PATH}/include/libfscrypt",
+ ]
 deps = [
 "//base/startup/init/interfaces/innerkits/control_fd:libcontrolfd",
@@ -76,6 +82,7 @@ ohos_executable("init") {
 deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_stub_versionscript" ]
 deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_sources" ]
 deps += [ "//base/startup/init/services/modules:static_modules" ]
+ deps += [ "${FSCRYPT_PATH}/libfscrypt:libfscryptutils_static" ]
 cflags = []
diff --git a/services/init/standard/init_cmds.c b/services/init/standard/init_cmds.c
index e634eaf718e8de1641c37684bbb8db1877f82dec..e2661868f3efa7894075ea67145232e3a6e9597e 100755
--- a/services/init/standard/init_cmds.c
+++ b/services/init/standard/init_cmds.c
@@ -44,8 +44,8 @@
 #ifdef WITH_SELINUX
 #include
 #endif
+#include "fscrypt_utils.h"
-static const char *g_fscryptPolicyKey = "fscrypt.policy.config";
 int GetParamValue(const char *symValue, unsigned int symLen, char *paramValue, unsigned int paramLen)
 {
@@ -412,6 +412,18 @@ static void DoTimerStop(const struct CmdArgs *ctx)
 ServiceStopTimer(service);
 }
+static bool InitFscryptPolicy(void)
+{
+ const char *policy = LoadFscryptPolicy();
+ if (!policy) {
+ return false;
+ }
+ if (SetFscryptSysparam(policy) == 0) {
+ return true;
+ }
+ return false;
+}
+
 static void DoInitGlobalKey(const struct CmdArgs *ctx)
 {
 INIT_LOGI("DoInitGlobalKey: start");
@@ -424,6 +436,12 @@ static void DoInitGlobalKey(const struct CmdArgs *ctx)
 INIT_LOGE("DoInitGlobalKey: not data partitation");
 return;
 }
+
+ if (!InitFscryptPolicy()) {
+ INIT_LOGE("DoInitGlobalKey: init policy failed");
+ return;
+ }
+
 char * const argv[] = {
 "/system/bin/sdc",
 "filecrypt",
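Review bot: `InitFscryptPolicy` returns false both when no policy was parsed from fstab and when `SetFscryptSysparam` fails, so `DoInitGlobalKey` in the following hunk logs `init policy failed` at error level on a device that simply has no `fscrypt=` option, while `DoInitMainUser` reports the same state as informational. Checking `LoadFscryptPolicy() == NULL` first in `DoInitGlobalKey` and logging that file crypto is not enabled, then reserving the error for a non-zero `SetFscryptSysparam` result with the value included, would keep the two cases apart in the boot log. After the NULL check the helper can end with `return SetFscryptSysparam(policy) == 0;`.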
@@ -442,6 +460,11 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
 INIT_LOGE("DoInitMainUser: para invalid");
 return;
 }
+ if (LoadFscryptPolicy() == NULL) {
+ INIT_LOGI("DoInitMainUser: file crypto is not enabled");
+ return;
+ }
+
 char * const argv[] = {
 "/system/bin/sdc",
 "filecrypt",
@@ -453,23 +476,6 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
 INIT_LOGI("DoInitMainUser: end, ret = %d", ret);
 }
-int FileCryptEnable(char *fileCryptOption)
-{
- INIT_LOGI("FileCryptEnable: start");
- if (fileCryptOption == NULL) {
- INIT_LOGE("FileCryptEnable:option null");
- return -EINVAL;
- }
- int ret = SystemWriteParam(g_fscryptPolicyKey, fileCryptOption);
- if (ret != 0) {
- INIT_LOGE("FileCryptEnable:set fscrypt config failed");
- return ret;
- }
- INIT_LOGI("FileCryptEnable:set fscrypt config success, policy:%s", fileCryptOption);
-
- return ret;
-}
-
 static void DoMkswap(const struct CmdArgs *ctx)
 {
 INIT_LOGI("DoMkswap: start");
@@ -595,3 +601,13 @@ void OpenHidebug(const char *name)
 } while (0);
 #endif
 }
+
+int SetFileCryptPolicy(const char *dir)
+{
+ INIT_LOGI("SetFileCryptPolicy:start:%s", dir);
+ if (dir == NULL) {
+ INIT_LOGE("SetFileCryptPolicy:dir is null");
+ return -EINVAL;
+ }
+ return FscryptPolicyEnable(dir);
+}
diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn
index 6c6c4615a42f28b9f923db6a86b92868814d1e92..eba837285b80112923588934ba6d716cac7bfda1 100755
--- a/test/unittest/BUILD.gn
+++ b/test/unittest/BUILD.gn
@@ -30,6 +30,9 @@ config("utest_config") {
 ldflags = [ "--coverage" ]
 }
+FSCRYPT_PATH =
+ "//foundation/filemanagement/storage_service/services/storage_daemon"
+
 ohos_unittest("init_unittest") {
 module_out_path = "startup/init"
 sources = [
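Review bot: The new guard in `DoInitMainUser` checks only that a policy string exists, not that `DoInitGlobalKey` completed. If `SetFscryptSysparam` or the `sdc` call failed there, `LoadFscryptPolicy()` is still non-NULL and `init_main_user` runs anyway. If the main-user step depends on the global key, a static flag set at the end of a successful `DoInitGlobalKey` and tested here would make that dependency explicit; how `sdc` behaves in that situation is not visible in this diff.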
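Review bot: `SetFileCryptPolicy` passes `dir` to `INIT_LOGI` with `%s` before the `dir == NULL` check, so the NULL case the function guards against reaches the log formatter first. Move the `INIT_LOGI("SetFileCryptPolicy:start:%s", dir);` line below the check. Because `DoMkDir` now calls this function for every directory it creates, an info-level line per call may also be noisier than intended.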
@@ -198,9 +201,11 @@ ohos_unittest("init_unittest") {
 "//base/security/access_token/interfaces/innerkits/nativetoken/include",
 "//base/startup/init/interfaces/innerkits/sandbox/include",
 "//base/startup/init/interfaces/innerkits/hals",
+ "${FSCRYPT_PATH}/include/libfscrypt",
 ]
 deps = [
+ "${FSCRYPT_PATH}/libfscrypt:libfscryptutils_static",
 "//base/customization/config_policy/frameworks/config_policy:configpolicy_util_for_init_static",
 "//base/security/access_token/interfaces/innerkits/nativetoken:libnativetoken",
 "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc",
diff --git a/test/unittest/init/cmds_unittest.cpp b/test/unittest/init/cmds_unittest.cpp
index 6555ebbc790acbacd306419264a09180f5e3009b..c9f14f92a7072cd00369010a9aecb8b424f54961 100644
--- a/test/unittest/init/cmds_unittest.cpp
+++ b/test/unittest/init/cmds_unittest.cpp
@@ -269,8 +269,6 @@ HWTEST_F(CmdsUnitTest, TestGetCmdLinesFromJson, TestSize.Level1)
 }
 HWTEST_F(CmdsUnitTest, TestInitCmdFunc, TestSize.Level1)
 {
- FileCryptEnable((char *)"test");
- FileCryptEnable(nullptr);
 int ret = GetBootModeFromMisc();
 EXPECT_EQ(ret, 0);
 }
diff --git a/test/unittest/innerkits/innerkits_unittest.cpp b/test/unittest/innerkits/innerkits_unittest.cpp
index 286799b5787e4ee50bd3f0d19f33a85fba301f76..847c917ee9713a686d6ad3841e3963cb14eab44b 100644
--- a/test/unittest/innerkits/innerkits_unittest.cpp
+++ b/test/unittest/innerkits/innerkits_unittest.cpp
@@ -112,7 +112,7 @@ HWTEST_F(InnerkitsUnitTest, GetMountFlags_unitest, TestSize.Level1)
 }
 const int bufferSize = 512;
 char fsSpecificOptions[bufferSize] = {0};
- unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize);
+ unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize, item->mountPoint);
 EXPECT_EQ(flags, static_cast(MS_NOSUID | MS_NODEV | MS_NOATIME));
 ReleaseFstab(fstab);
 fstab = nullptr;
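Review bot: The updated `GetMountFlags` call in this test only adapts to the new signature; nothing here exercises the `fscrypt=` branch the commit adds. A case that parses a `/data` entry carrying a constructed `fscrypt=` value and asserts that the option is absent from `fsSpecificOptions` and returned by `LoadFscryptPolicy()`, plus one with a value longer than the policy buffer, would cover the new path. cmds_unittest.cpp likewise drops the `FileCryptEnable` calls without adding any for `SetFileCryptPolicy`. The test body starts and ends outside the hunk.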