!933 fscrypt: add file crypto implementation

Merge pull request !933 from qilongzhang/dev_0713

!933 fscrypt: add file crypto implementation
Merge pull request !933 from qilongzhang/dev_0713
e8a8502c · openharmony_ci · Gitee · 19efb3c8 · 3d01c25c · e8a8502c
12 changed file
--- a/interfaces/innerkits/fs_manager/fstab.c
+++ b/interfaces/innerkits/fs_manager/fstab.c
@@ -42,6 +42,8 @@ struct MountFlags {
    unsigned long flags;
 };

+static char *g_fscryptPolicy = NULL;
+
 static unsigned int ConvertFlags(char *flagBuffer)
 {
    static struct FsManagerFlags fsFlags[] = {
@@ -384,7 +386,60 @@ static unsigned long ParseDefaultMountFlag(const char *str)
    return flags;
 }

-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize)
+static bool IsFscryptOption(const char *option)
+{
+    BEGET_LOGI("IsFscryptOption start");
+    if (!option) {
+        return false;
+    }
+    char *fscryptPre = "fscrypt=";
+    if (strncmp(option, fscryptPre, strlen(fscryptPre)) == 0) {
+        return true;
+    }
+    return false;
+}
+
+static void StoreFscryptPolicy(const char *option)
+{
+    if (option == NULL) {
+        return;
+    }
+    if (g_fscryptPolicy != NULL) {
+        BEGET_LOGW("StoreFscryptPolicy:inited policy is not empty");
+        free(g_fscryptPolicy);
+    }
+    g_fscryptPolicy = strdup(option);
+    if (g_fscryptPolicy == NULL) {
+        BEGET_LOGE("StoreFscryptPolicy:no memory");
+        return;
+    }
+    BEGET_LOGI("StoreFscryptPolicy:store fscrypt policy, %s", option);
+}
+
+int LoadFscryptPolicy(char *buf, size_t size)
+{
+    BEGET_LOGI("LoadFscryptPolicy start");
+    if (buf == NULL || g_fscryptPolicy == NULL) {
+        BEGET_LOGE("LoadFscryptPolicy:buf or fscrypt policy is empty");
+        return -ENOMEM;
+    }
+    if (size <= 0) {
+        BEGET_LOGE("LoadFscryptPloicy:size is invalid");
+        return -EINVAL;
+    }
+    if (strcpy_s(buf, size, g_fscryptPolicy) != 0) {
+        BEGET_LOGE("loadFscryptPolicy:strcmp failed, error = %d", errno);
+        return -EFAULT;
+    }
+    free(g_fscryptPolicy);
+    g_fscryptPolicy = NULL;
+    BEGET_LOGI("LoadFscryptPolicy success");
+
+    return 0;
+}
+
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize,
+    const char *mountPoint)
 {
    unsigned long flags = 0;
    BEGET_CHECK_RETURN_VALUE(mountFlag != NULL && fsSpecificData != NULL, 0);
@@ -408,6 +463,11 @@ unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpec
        if (IsDefaultMountFlags(p)) {
            flags |= ParseDefaultMountFlag(p);
        } else {
+            if (IsFscryptOption(p) &&
+                !strncmp(mountPoint, "/data", strlen("/data"))) {
+                StoreFscryptPolicy(p + strlen("fscrypt="));
+                continue;
+            }
            if (strncat_s(fsSpecificData, fsSpecificDataSize - 1, p, strlen(p)) != EOK) {
                BEGET_LOGW("Failed to append mount flag \" %s \", ignore it.", p);
                continue;

--- a/interfaces/innerkits/fs_manager/fstab_mount.c
+++ b/interfaces/innerkits/fs_manager/fstab_mount.c
@@ -293,7 +293,8 @@ int MountOneItem(FstabItem *item)
    unsigned long mountFlags;
    char fsSpecificData[FS_MANAGER_BUFFER_SIZE] = {0};

-    mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData));
+    mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData),
+        item->mountPoint);
    if (!IsSupportedFilesystem(item->fsType)) {
        BEGET_LOGE("Unsupported file system \" %s \"", item->fsType);
        return 0;

--- a/interfaces/innerkits/include/fs_manager/fs_manager.h
+++ b/interfaces/innerkits/include/fs_manager/fs_manager.h
@@ -70,9 +70,13 @@ MountStatus GetMountStatusForMountPoint(const char *mp);
 int MountAllWithFstabFile(const char *fstabFile, bool required);
 int MountAllWithFstab(const Fstab *fstab, bool required);
 int UmountAllWithFstabFile(const char *file);
-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize);
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize,
+    const char *mountPoint);

 int GetBlockDevicePath(const char *partName, char *path, int size);
+
+// Get fscrypt policy if exist
+int LoadFscryptPolicy(char *buf, size_t size);
 #ifdef __cplusplus
 #if __cplusplus
 }

--- a/services/etc/init.cfg
+++ b/services/etc/init.cfg
@@ -21,7 +21,8 @@
                "load_persist_params ",
                "bootchart start",
                "chown access_token access_token /dev/access_token_id",
-                "chmod 0666 /dev/access_token_id"
+                "chmod 0666 /dev/access_token_id",
+                "start samgr"
            ]
        }, {
            "name" : "init",
@@ -105,6 +106,7 @@
        }, {
            "name" : "post-fs-data",
            "cmds" : [
+                "init_global_key /data",
                "mkdir /data/app 0711 root root",
                "mkdir /data/app/el1 0711 root root",
                "mkdir /data/app/el1/bundle 0711 root root",
@@ -121,6 +123,7 @@
                "mkdir /data/chipset/el1 0711 root root",
                "mkdir /data/chipset/el1/public 0711 root root",
                "mkdir /data/chipset/el2 0711 root root",
+                "init_main_user ",
                "mkdir /data/app/el1/0 0711 root root",
                "mkdir /data/app/el1/0/base 0711 root root",
                "mkdir /data/app/el1/0/database 0711 system system",

--- a/services/init/include/init_cmds.h
+++ b/services/init/include/init_cmds.h
@@ -81,7 +81,7 @@ const struct CmdTable *GetCmdByName(const char *name);
 void ExecReboot(const char *value);
 char *BuildStringFromCmdArg(const struct CmdArgs *ctx, int startIndex);
 void ExecCmd(const struct CmdTable *cmd, const char *cmdContent);
-int FileCryptEnable(char *fileCryptOption);
+int SetFileCryptPolicy(const char *dir);

 void OpenHidebug(const char *name);
 #ifdef __cplusplus

--- a/services/init/init_common_cmds.c
+++ b/services/init/init_common_cmds.c
@@ -41,8 +41,6 @@
 #endif
 #include "securec.h"

-static char *g_fileCryptOptions = NULL;
-
 static char *AddOneArg(const char *param, size_t paramLen)
 {
    int valueCount = 1;
@@ -345,6 +343,11 @@ static void DoMkDir(const struct CmdArgs *ctx)
    if (ret != 0) {
        INIT_LOGE("Failed to change owner %s, err %d.", ctx->argv[0], errno);
    }
+    ret = SetFileCryptPolicy(ctx->argv[0]);
+    if (ret != 0) {
+        INIT_LOGW("failed to set file fscrypt");
+    }
+
    return;
 }

@@ -397,16 +400,6 @@ static int GetMountFlag(unsigned long *mountflag, const char *targetStr, const c
        WaitForFile(source, WAIT_MAX_SECOND);
        return 1;
    }
-    const char *fileCryptPre = "filecrypt=";
-    size_t len = strlen(fileCryptPre);
-    if (strncmp(targetStr, fileCryptPre, len) == 0) {
-        size_t maxLen = strlen(targetStr) + 1;
-        g_fileCryptOptions = calloc(sizeof(char), maxLen);
-        INIT_ERROR_CHECK(g_fileCryptOptions != NULL, return 0, "Failed to alloc memory");
-        int ret = snprintf_s(g_fileCryptOptions, maxLen, maxLen - 1, "%s", targetStr + len);
-        INIT_ERROR_CHECK(ret >= 0, return 0, "Failed to snprintf");
-        return 1;
-    }

    return 0;
 }
@@ -449,18 +442,6 @@ static void DoMount(const struct CmdArgs *ctx)
    if (ret != 0) {
        INIT_LOGE("Failed to mount for %s, err %d.", target, errno);
    }
-    if ((g_fileCryptOptions != NULL) && (strncmp(target, "/data", strlen("/data")) == 0)) {
-        ret = FileCryptEnable(g_fileCryptOptions);
-        if (ret < 0) {
-            INIT_LOGE("File Crypt enabled failed");
-            free(g_fileCryptOptions);
-            g_fileCryptOptions = NULL;
-            return;
-        }
-        free(g_fileCryptOptions);
-        g_fileCryptOptions = NULL;
-        INIT_LOGI("File Crypt enabled success");
-    }
 }

 static int DoWriteWithMultiArgs(const struct CmdArgs *ctx, int fd)

--- a/services/init/lite/init_cmds.c
+++ b/services/init/lite/init_cmds.c
@@ -108,11 +108,6 @@ static void DoLoadCfg(const struct CmdArgs *ctx)
    (void)fclose(fp);
 }

-int FileCryptEnable(char *fileCryptOption)
-{
-    return 0;
-}
-
 static const struct CmdTable g_cmdTable[] = {
    { "exec ", 1, 10, DoExec },
    { "loadcfg ", 1, 1, DoLoadCfg },
@@ -133,4 +128,8 @@ void PluginExecCmdByCmdIndex(int index, const char *cmdContent)
 const char *PluginGetCmdIndex(const char *cmdStr, int *index)
 {
    return NULL;
+}
+int SetFileCryptPolicy(const char *dir)
+{
+    return 0;
 }
\ No newline at end of file
--- a/services/init/standard/BUILD.gn
+++ b/services/init/standard/BUILD.gn
@@ -24,6 +24,9 @@ init_common_sources = [
  "../main.c",
 ]

+FSCRYPT_PATH =
+    "//foundation/filemanagement/storage_service/services/storage_daemon"
+
 import("//build/ohos.gni")
 import("//build/ohos/native_stub/native_stub.gni")

@@ -51,7 +54,10 @@ ohos_executable("init") {
  sources += modulemgr_sources
  sources += init_common_sources

-  include_dirs = [ "//base/startup/init/services/init/include" ]
+  include_dirs = [
+    "//base/startup/init/services/init/include",
+    "${FSCRYPT_PATH}/include/libfscrypt",
+  ]

  deps = [
    "//base/startup/init/interfaces/innerkits/control_fd:libcontrolfd",
@@ -76,6 +82,7 @@ ohos_executable("init") {
  deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_stub_versionscript" ]
  deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_sources" ]
  deps += [ "//base/startup/init/services/modules:static_modules" ]
+  deps += [ "${FSCRYPT_PATH}/libfscrypt:libfscryptutils_static" ]

  cflags = []


--- a/services/init/standard/init_cmds.c
+++ b/services/init/standard/init_cmds.c
@@ -44,8 +44,9 @@
 #ifdef WITH_SELINUX
 #include <policycoreutils.h>
 #endif
+#include "fscrypt_utils.h"

-static const char *g_fscryptPolicyKey = "fscrypt.policy.config";
+#define FSCRYPT_POLICY_BUF_SIZE (60)

 int GetParamValue(const char *symValue, unsigned int symLen, char *paramValue, unsigned int paramLen)
 {
@@ -412,6 +413,18 @@ static void DoTimerStop(const struct CmdArgs *ctx)
    ServiceStopTimer(service);
 }

+static bool InitFscryptPolicy(void)
+{
+    char policy[FSCRYPT_POLICY_BUF_SIZE];
+    if (LoadFscryptPolicy(policy, FSCRYPT_POLICY_BUF_SIZE) != 0) {
+        return false;
+    }
+    if (SetFscryptSysparam(policy) == 0) {
+        return true;
+    }
+    return false;
+}
+
 static void DoInitGlobalKey(const struct CmdArgs *ctx)
 {
    INIT_LOGI("DoInitGlobalKey: start");
@@ -424,6 +437,11 @@ static void DoInitGlobalKey(const struct CmdArgs *ctx)
        INIT_LOGE("DoInitGlobalKey: not data partitation");
        return;
    }
+    if (!InitFscryptPolicy()) {
+        INIT_LOGI("DoInitGlobalKey:init fscrypt failed,not enable fscrypt");
+        return;
+    }
+
    char * const argv[] = {
        "/system/bin/sdc",
        "filecrypt",
@@ -442,6 +460,7 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
        INIT_LOGE("DoInitMainUser: para invalid");
        return;
    }
+
    char * const argv[] = {
        "/system/bin/sdc",
        "filecrypt",
@@ -453,23 +472,6 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
    INIT_LOGI("DoInitMainUser: end, ret = %d", ret);
 }

-int FileCryptEnable(char *fileCryptOption)
-{
-    INIT_LOGI("FileCryptEnable: start");
-    if (fileCryptOption == NULL) {
-        INIT_LOGE("FileCryptEnable:option null");
-        return -EINVAL;
-    }
-    int ret = SystemWriteParam(g_fscryptPolicyKey, fileCryptOption);
-    if (ret != 0) {
-        INIT_LOGE("FileCryptEnable:set fscrypt config failed");
-        return ret;
-    }
-    INIT_LOGI("FileCryptEnable:set fscrypt config success, policy:%s", fileCryptOption);
-
-    return ret;
-}
-
 static void DoMkswap(const struct CmdArgs *ctx)
 {
    INIT_LOGI("DoMkswap: start");
@@ -595,3 +597,12 @@ void OpenHidebug(const char *name)
    } while (0);
 #endif
 }
+
+int SetFileCryptPolicy(const char *dir)
+{
+    if (dir == NULL) {
+        INIT_LOGE("SetFileCryptPolicy:dir is null");
+        return -EINVAL;
+    }
+    return FscryptPolicyEnable(dir);
+}
--- a/test/unittest/BUILD.gn
+++ b/test/unittest/BUILD.gn
@@ -30,6 +30,9 @@ config("utest_config") {
  ldflags = [ "--coverage" ]
 }

+FSCRYPT_PATH =
+    "//foundation/filemanagement/storage_service/services/storage_daemon"
+
 ohos_unittest("init_unittest") {
  module_out_path = "startup/init"
  sources = [
@@ -105,6 +108,13 @@ ohos_unittest("init_unittest") {
    "//base/startup/init/ueventd/ueventd_socket.c",
  ]

+  sources += [
+    "${FSCRYPT_PATH}/libfscrypt/src/fscrypt_control.c",
+    "${FSCRYPT_PATH}/libfscrypt/src/fscrypt_utils.c",
+    "${FSCRYPT_PATH}/libfscrypt/src/key_control.c",
+    "${FSCRYPT_PATH}/libfscrypt/src/sysparam_static.c",
+  ]
+
  if (defined(build_selinux) && build_selinux) {
    sources += [ "//base/startup/init/services/param/adapter/param_selinux.c" ]
  }
@@ -198,6 +208,7 @@ ohos_unittest("init_unittest") {
    "//base/security/access_token/interfaces/innerkits/nativetoken/include",
    "//base/startup/init/interfaces/innerkits/sandbox/include",
    "//base/startup/init/interfaces/innerkits/hals",
+    "${FSCRYPT_PATH}/include/libfscrypt",
  ]

  deps = [

--- a/test/unittest/init/cmds_unittest.cpp
+++ b/test/unittest/init/cmds_unittest.cpp
@@ -269,8 +269,6 @@ HWTEST_F(CmdsUnitTest, TestGetCmdLinesFromJson, TestSize.Level1)
 }
 HWTEST_F(CmdsUnitTest, TestInitCmdFunc, TestSize.Level1)
 {
-    FileCryptEnable((char *)"test");
-    FileCryptEnable(nullptr);
    int ret = GetBootModeFromMisc();
    EXPECT_EQ(ret, 0);
 }

--- a/test/unittest/innerkits/innerkits_unittest.cpp
+++ b/test/unittest/innerkits/innerkits_unittest.cpp
@@ -112,7 +112,7 @@ HWTEST_F(InnerkitsUnitTest, GetMountFlags_unitest, TestSize.Level1)
    }
    const int bufferSize = 512;
    char fsSpecificOptions[bufferSize] = {0};
-    unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize);
+    unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize, item->mountPoint);
    EXPECT_EQ(flags, static_cast<unsigned long>(MS_NOSUID | MS_NODEV | MS_NOATIME));
    ReleaseFstab(fstab);
    fstab = nullptr;