diff --git a/interfaces/innerkits/fs_manager/fstab.c b/interfaces/innerkits/fs_manager/fstab.c index f69d1b2c4515f33a748a168f684aacd995852d1a..a35878f3fe58bf8ce13238b7680c8eaedd2323cc 100644 --- a/interfaces/innerkits/fs_manager/fstab.c +++ b/interfaces/innerkits/fs_manager/fstab.c @@ -42,6 +42,8 @@ struct MountFlags { unsigned long flags; }; +static char *g_fscryptPolicy = NULL; + static unsigned int ConvertFlags(char *flagBuffer) { static struct FsManagerFlags fsFlags[] = { 
@@ -384,7 +386,60 @@ static unsigned long ParseDefaultMountFlag(const char *str) return flags; } -unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize) +static bool IsFscryptOption(const char *option) +{ + BEGET_LOGI("IsFscryptOption start"); + if (!option) { + return false; + } + char *fscryptPre = "fscrypt="; + if (strncmp(option, fscryptPre, strlen(fscryptPre)) == 0) { + return true; + } + return false; +} + +static void StoreFscryptPolicy(const char *option) +{ + if (option == NULL) { + return; + } + if (g_fscryptPolicy != NULL) { + BEGET_LOGW("StoreFscryptPolicy:inited policy is not empty"); + free(g_fscryptPolicy); + } + g_fscryptPolicy = strdup(option); + if (g_fscryptPolicy == NULL) { + BEGET_LOGE("StoreFscryptPolicy:no memory"); + return; + } + BEGET_LOGI("StoreFscryptPolicy:store fscrypt policy, %s", option); +} + +int LoadFscryptPolicy(char *buf, size_t size) +{ + BEGET_LOGI("LoadFscryptPolicy start"); + if (buf == NULL || g_fscryptPolicy == NULL) { + BEGET_LOGE("LoadFscryptPolicy:buf or fscrypt policy is empty"); + return -ENOMEM; + } + if (size <= 0) { + BEGET_LOGE("LoadFscryptPloicy:size is invalid"); + return -EINVAL; + } + if (strcpy_s(buf, size, g_fscryptPolicy) != 0) { + BEGET_LOGE("loadFscryptPolicy:strcmp failed, error = %d", errno); + return -EFAULT; + } + free(g_fscryptPolicy); + g_fscryptPolicy = NULL; + BEGET_LOGI("LoadFscryptPolicy success"); + + return 0; +} + +unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize, + const char *mountPoint) { unsigned long flags = 0; BEGET_CHECK_RETURN_VALUE(mountFlag != NULL && fsSpecificData != NULL, 0); 
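Review bot: LoadFscryptPolicy reports its failures in a misleading way: a NULL `buf` or a policy that was never stored both return `-ENOMEM`, `size <= 0` on a `size_t` can only ever mean zero, and the copy-failure message names `strcmp` and prints `errno`, although strcpy_s reports failure through its return value, so `errno` is likely stale there. Two of the log strings are also misspelled (`LoadFscryptPloicy`, `loadFscryptPolicy`), which makes them hard to grep for when an encrypted /data fails to come up. A successful call frees the stored policy, so a second call fails; that read-once behaviour deserves a comment above the function. The fence below separates the argument check from the "nothing stored" case and logs the real strcpy_s result; the only visible caller tests for non-zero, so the changed error codes should be compatible, but other callers are not visible here.

```c
int LoadFscryptPolicy(char *buf, size_t size)
{
    if (buf == NULL || size == 0) {
        BEGET_LOGE("LoadFscryptPolicy:buf or size is invalid");
        return -EINVAL;
    }
    if (g_fscryptPolicy == NULL) {
        BEGET_LOGE("LoadFscryptPolicy:no fscrypt policy stored");
        return -ENOENT;
    }
    int ret = strcpy_s(buf, size, g_fscryptPolicy);
    if (ret != 0) {
        BEGET_LOGE("LoadFscryptPolicy:strcpy_s failed, ret = %d", ret);
        return -EFAULT;
    }
    // … unchanged: free g_fscryptPolicy, reset it to NULL, log success, return 0 …
}
```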
@@ -408,6 +463,11 @@ unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpec if (IsDefaultMountFlags(p)) { flags |= ParseDefaultMountFlag(p); } else { + if (IsFscryptOption(p) && + !strncmp(mountPoint, "/data", strlen("/data"))) { + StoreFscryptPolicy(p + strlen("fscrypt=")); + continue; + } if (strncat_s(fsSpecificData, fsSpecificDataSize - 1, p, strlen(p)) != EOK) { BEGET_LOGW("Failed to append mount flag \" %s \", ignore it.", p); continue; diff --git a/interfaces/innerkits/fs_manager/fstab_mount.c b/interfaces/innerkits/fs_manager/fstab_mount.c index 8ce8a3fc033958940a899261d50df13bf726a610..2ffa4120f0e109392270cd5d84ce47899996bd60 100644 --- a/interfaces/innerkits/fs_manager/fstab_mount.c +++ b/interfaces/innerkits/fs_manager/fstab_mount.c @@ -293,7 +293,8 @@ int MountOneItem(FstabItem *item) unsigned long mountFlags; char fsSpecificData[FS_MANAGER_BUFFER_SIZE] = {0}; - mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData)); + mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData), + item->mountPoint); if (!IsSupportedFilesystem(item->fsType)) { BEGET_LOGE("Unsupported file system \" %s \"", item->fsType); return 0; diff --git a/interfaces/innerkits/include/fs_manager/fs_manager.h b/interfaces/innerkits/include/fs_manager/fs_manager.h index bb078cf76690dac79fbf1c5f2f80abc511474dff..225557a2b044e745756ab468d52ecc70a561d149 100644 --- a/interfaces/innerkits/include/fs_manager/fs_manager.h +++ b/interfaces/innerkits/include/fs_manager/fs_manager.h 
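Review bot: In the new `fscrypt=` branch of GetMountFlags, `mountPoint` goes straight into `strncmp` without a NULL check, while the guard at the top of the function (visible in the previous hunk) covers only `mountFlag` and `fsSpecificData`. The condition should begin with `mountPoint != NULL &&`, since MountOneItem passes `item->mountPoint` unchecked. The comparison is also a prefix match, so a mount point such as `/data2` or `/database` would be treated as /data and have its policy stored; if only the /data mount is meant, `strcmp(mountPoint, "/data") == 0` states that exactly. For any other mount point the `fscrypt=` option falls through to `strncat_s` and ends up in `fsSpecificData`, which presumably reaches the mount call as filesystem data, so it is worth confirming that this is intended. GetMountFlags starts and ends outside this hunk.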
@@ -70,9 +70,13 @@ MountStatus GetMountStatusForMountPoint(const char *mp); int MountAllWithFstabFile(const char *fstabFile, bool required); int MountAllWithFstab(const Fstab *fstab, bool required); int UmountAllWithFstabFile(const char *file); -unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize); +unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize, + const char *mountPoint); int GetBlockDevicePath(const char *partName, char *path, int size); + +// Get fscrypt policy if exist +int LoadFscryptPolicy(char *buf, size_t size); #ifdef __cplusplus #if __cplusplus } diff --git a/services/etc/init.cfg b/services/etc/init.cfg index 46db24388e23f4741792c8994e2ac359dfc217e2..9f0695bea6b2b093a19a76c52ad457cb274e0890 100755 --- a/services/etc/init.cfg +++ b/services/etc/init.cfg @@ -21,7 +21,8 @@ "load_persist_params ", "bootchart start", "chown access_token access_token /dev/access_token_id", - "chmod 0666 /dev/access_token_id" + "chmod 0666 /dev/access_token_id", + "start samgr" ] }, { "name" : "init", @@ -105,6 +106,7 @@ }, { "name" : "post-fs-data", "cmds" : [ + "init_global_key /data", "mkdir /data/app 0711 root root", "mkdir /data/app/el1 0711 root root", "mkdir /data/app/el1/bundle 0711 root root", @@ -121,6 +123,7 @@ "mkdir /data/chipset/el1 0711 root root", "mkdir /data/chipset/el1/public 0711 root root", "mkdir /data/chipset/el2 0711 root root", + "init_main_user ", "mkdir /data/app/el1/0 0711 root root", "mkdir /data/app/el1/0/base 0711 root root", "mkdir /data/app/el1/0/database 0711 system system", diff --git a/services/init/include/init_cmds.h b/services/init/include/init_cmds.h index 0c681950009da6e818ba63f740a6a31d2caba260..2108c0872ab895855eb23501ecc1170ed8997061 100644 --- a/services/init/include/init_cmds.h +++ b/services/init/include/init_cmds.h 
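Review bot: The header comment `// Get fscrypt policy if exist` on LoadFscryptPolicy omits the two facts a caller needs. First, a successful call consumes the stored policy (fstab.c frees it), so the function can succeed only once per stored value. Second, `buf` must hold the whole string, because the call returns an error rather than truncating. I would replace it with a doc comment along the lines of `/* Copies the fscrypt policy parsed from the /data fstab entry into buf and clears the stored copy; returns 0 on success, a negative errno value otherwise. */`. Separately, GetMountFlags is declared in an innerkits header and gains a fourth parameter here, so any caller outside this repository has to be updated in the same step.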
@@ -81,7 +81,7 @@ const struct CmdTable *GetCmdByName(const char *name); void ExecReboot(const char *value); char *BuildStringFromCmdArg(const struct CmdArgs *ctx, int startIndex); void ExecCmd(const struct CmdTable *cmd, const char *cmdContent); -int FileCryptEnable(char *fileCryptOption); +int SetFileCryptPolicy(const char *dir); void OpenHidebug(const char *name); #ifdef __cplusplus diff --git a/services/init/init_common_cmds.c b/services/init/init_common_cmds.c index 5c1427abed74938909ab3a77b6883e90e19baa4f..3ec6bd027b62b33a68d0f668489aa3dad0ae1c05 100644 --- a/services/init/init_common_cmds.c +++ b/services/init/init_common_cmds.c @@ -41,8 +41,6 @@ #endif #include "securec.h" -static char *g_fileCryptOptions = NULL; - static char *AddOneArg(const char *param, size_t paramLen) { int valueCount = 1; @@ -345,6 +343,11 @@ static void DoMkDir(const struct CmdArgs *ctx) if (ret != 0) { INIT_LOGE("Failed to change owner %s, err %d.", ctx->argv[0], errno); } + ret = SetFileCryptPolicy(ctx->argv[0]); + if (ret != 0) { + INIT_LOGW("failed to set file fscrypt"); + } + return; } @@ -397,16 +400,6 @@ static int GetMountFlag(unsigned long *mountflag, const char *targetStr, const c WaitForFile(source, WAIT_MAX_SECOND); return 1; } - const char *fileCryptPre = "filecrypt="; - size_t len = strlen(fileCryptPre); - if (strncmp(targetStr, fileCryptPre, len) == 0) { - size_t maxLen = strlen(targetStr) + 1; - g_fileCryptOptions = calloc(sizeof(char), maxLen); - INIT_ERROR_CHECK(g_fileCryptOptions != NULL, return 0, "Failed to alloc memory"); - int ret = snprintf_s(g_fileCryptOptions, maxLen, maxLen - 1, "%s", targetStr + len); - INIT_ERROR_CHECK(ret >= 0, return 0, "Failed to snprintf"); - return 1; - } return 0; } 
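Review bot: When SetFileCryptPolicy fails in DoMkDir, the warning `failed to set file fscrypt` names neither the directory nor the return code, and the directory stays in place without a policy. A boot that silently leaves part of /data unencrypted would be hard to spot in the log; `INIT_LOGW("Failed to set fscrypt policy for %s, ret %d", ctx->argv[0], ret);` would make it traceable. As far as the hunk shows, the call also runs after a failed chown and for every mkdir command, not only paths under /data. If FscryptPolicyEnable does not filter by path itself, a check belongs here. DoMkDir starts outside this hunk.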
@@ -449,18 +442,6 @@ static void DoMount(const struct CmdArgs *ctx) if (ret != 0) { INIT_LOGE("Failed to mount for %s, err %d.", target, errno); } - if ((g_fileCryptOptions != NULL) && (strncmp(target, "/data", strlen("/data")) == 0)) { - ret = FileCryptEnable(g_fileCryptOptions); - if (ret < 0) { - INIT_LOGE("File Crypt enabled failed"); - free(g_fileCryptOptions); - g_fileCryptOptions = NULL; - return; - } - free(g_fileCryptOptions); - g_fileCryptOptions = NULL; - INIT_LOGI("File Crypt enabled success"); - } } static int DoWriteWithMultiArgs(const struct CmdArgs *ctx, int fd) diff --git a/services/init/lite/init_cmds.c b/services/init/lite/init_cmds.c index cde0433b4ea68b3c02cbab6b1b588b9b76149b45..5cee844bfae6e58c4c16432bcab539908f0d5acb 100644 --- a/services/init/lite/init_cmds.c +++ b/services/init/lite/init_cmds.c @@ -108,11 +108,6 @@ static void DoLoadCfg(const struct CmdArgs *ctx) (void)fclose(fp); } -int FileCryptEnable(char *fileCryptOption) -{ - return 0; -} - static const struct CmdTable g_cmdTable[] = { { "exec ", 1, 10, DoExec }, { "loadcfg ", 1, 1, DoLoadCfg }, @@ -133,4 +128,8 @@ void PluginExecCmdByCmdIndex(int index, const char *cmdContent) const char *PluginGetCmdIndex(const char *cmdStr, int *index) { return NULL; +} +int SetFileCryptPolicy(const char *dir) +{ + return 0; } \ No newline at end of file diff --git a/services/init/standard/BUILD.gn b/services/init/standard/BUILD.gn index 725f2ec8c398dd85630f36dc85088975bfb795d5..36328fc147f31842cf7c8fe8cb78f700a90f0040 100644 --- a/services/init/standard/BUILD.gn +++ b/services/init/standard/BUILD.gn @@ -24,6 +24,9 @@ init_common_sources = [ "../main.c", ] +FSCRYPT_PATH = + "//foundation/filemanagement/storage_service/services/storage_daemon" + import("//build/ohos.gni") import("//build/ohos/native_stub/native_stub.gni") 
@@ -51,7 +54,10 @@ ohos_executable("init") { sources += modulemgr_sources sources += init_common_sources - include_dirs = [ "//base/startup/init/services/init/include" ] + include_dirs = [ + "//base/startup/init/services/init/include", + "${FSCRYPT_PATH}/include/libfscrypt", + ] deps = [ "//base/startup/init/interfaces/innerkits/control_fd:libcontrolfd", @@ -76,6 +82,7 @@ ohos_executable("init") { deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_stub_versionscript" ] deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_sources" ] deps += [ "//base/startup/init/services/modules:static_modules" ] + deps += [ "${FSCRYPT_PATH}/libfscrypt:libfscryptutils_static" ] cflags = [] diff --git a/services/init/standard/init_cmds.c b/services/init/standard/init_cmds.c index e634eaf718e8de1641c37684bbb8db1877f82dec..5492580071099c93bc5c06566688a9b815d6cc22 100755 --- a/services/init/standard/init_cmds.c +++ b/services/init/standard/init_cmds.c @@ -44,8 +44,9 @@ #ifdef WITH_SELINUX #include #endif +#include "fscrypt_utils.h" -static const char *g_fscryptPolicyKey = "fscrypt.policy.config"; +#define FSCRYPT_POLICY_BUF_SIZE (60) int GetParamValue(const char *symValue, unsigned int symLen, char *paramValue, unsigned int paramLen) { @@ -412,6 +413,18 @@ static void DoTimerStop(const struct CmdArgs *ctx) ServiceStopTimer(service); } +static bool InitFscryptPolicy(void) +{ + char policy[FSCRYPT_POLICY_BUF_SIZE]; + if (LoadFscryptPolicy(policy, FSCRYPT_POLICY_BUF_SIZE) != 0) { + return false; + } + if (SetFscryptSysparam(policy) == 0) { + return true; + } + return false; +} + static void DoInitGlobalKey(const struct CmdArgs *ctx) { INIT_LOGI("DoInitGlobalKey: start"); 
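Review bot: InitFscryptPolicy collapses three different outcomes into `false`: no `fscrypt=` option was stored, the policy did not fit into the `FSCRYPT_POLICY_BUF_SIZE` (60) byte buffer, or SetFscryptSysparam failed. Its caller in DoInitGlobalKey (the `@@ -424,6 +437,11 @@` hunk) logs all of them with `INIT_LOGI` and returns before key initialisation is started. A malformed or over-long policy therefore leaves /data unencrypted with only an info-level line, indistinguishable from a device that has no policy configured. I would log the return values of LoadFscryptPolicy and SetFscryptSysparam inside the helper and use `INIT_LOGE` for the latter two cases. Initialising the buffer as `char policy[FSCRYPT_POLICY_BUF_SIZE] = {0};` would also keep it defined on every path.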
@@ -424,6 +437,11 @@ static void DoInitGlobalKey(const struct CmdArgs *ctx) INIT_LOGE("DoInitGlobalKey: not data partitation"); return; } + if (!InitFscryptPolicy()) { + INIT_LOGI("DoInitGlobalKey:init fscrypt failed,not enable fscrypt"); + return; + } + char * const argv[] = { "/system/bin/sdc", "filecrypt", @@ -442,6 +460,7 @@ static void DoInitMainUser(const struct CmdArgs *ctx) INIT_LOGE("DoInitMainUser: para invalid"); return; } + char * const argv[] = { "/system/bin/sdc", "filecrypt", @@ -453,23 +472,6 @@ static void DoInitMainUser(const struct CmdArgs *ctx) INIT_LOGI("DoInitMainUser: end, ret = %d", ret); } -int FileCryptEnable(char *fileCryptOption) -{ - INIT_LOGI("FileCryptEnable: start"); - if (fileCryptOption == NULL) { - INIT_LOGE("FileCryptEnable:option null"); - return -EINVAL; - } - int ret = SystemWriteParam(g_fscryptPolicyKey, fileCryptOption); - if (ret != 0) { - INIT_LOGE("FileCryptEnable:set fscrypt config failed"); - return ret; - } - INIT_LOGI("FileCryptEnable:set fscrypt config success, policy:%s", fileCryptOption); - - return ret; -} - static void DoMkswap(const struct CmdArgs *ctx) { INIT_LOGI("DoMkswap: start"); @@ -595,3 +597,12 @@ void OpenHidebug(const char *name) } while (0); #endif } + +int SetFileCryptPolicy(const char *dir) +{ + if (dir == NULL) { + INIT_LOGE("SetFileCryptPolicy:dir is null"); + return -EINVAL; + } + return FscryptPolicyEnable(dir); +} diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index fd412b243a58d5e7e91273762fc8a6e8b0ce2715..a837aa57c66086dc90ec26b462893a22f41cf342 100755 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -30,6 +30,9 @@ config("utest_config") { ldflags = [ "--coverage" ] } +FSCRYPT_PATH = + "//foundation/filemanagement/storage_service/services/storage_daemon" + ohos_unittest("init_unittest") { module_out_path = "startup/init" sources = [ 
@@ -105,6 +108,13 @@ ohos_unittest("init_unittest") { "//base/startup/init/ueventd/ueventd_socket.c", ] + sources += [ + "${FSCRYPT_PATH}/libfscrypt/src/fscrypt_control.c", + "${FSCRYPT_PATH}/libfscrypt/src/fscrypt_utils.c", + "${FSCRYPT_PATH}/libfscrypt/src/key_control.c", + "${FSCRYPT_PATH}/libfscrypt/src/sysparam_static.c", + ] + if (defined(build_selinux) && build_selinux) { sources += [ "//base/startup/init/services/param/adapter/param_selinux.c" ] } @@ -198,6 +208,7 @@ ohos_unittest("init_unittest") { "//base/security/access_token/interfaces/innerkits/nativetoken/include", "//base/startup/init/interfaces/innerkits/sandbox/include", "//base/startup/init/interfaces/innerkits/hals", + "${FSCRYPT_PATH}/include/libfscrypt", ] deps = [ diff --git a/test/unittest/init/cmds_unittest.cpp b/test/unittest/init/cmds_unittest.cpp index 6555ebbc790acbacd306419264a09180f5e3009b..c9f14f92a7072cd00369010a9aecb8b424f54961 100644 --- a/test/unittest/init/cmds_unittest.cpp +++ b/test/unittest/init/cmds_unittest.cpp @@ -269,8 +269,6 @@ HWTEST_F(CmdsUnitTest, TestGetCmdLinesFromJson, TestSize.Level1) } HWTEST_F(CmdsUnitTest, TestInitCmdFunc, TestSize.Level1) { - FileCryptEnable((char *)"test"); - FileCryptEnable(nullptr); int ret = GetBootModeFromMisc(); EXPECT_EQ(ret, 0); } diff --git a/test/unittest/innerkits/innerkits_unittest.cpp b/test/unittest/innerkits/innerkits_unittest.cpp index 286799b5787e4ee50bd3f0d19f33a85fba301f76..847c917ee9713a686d6ad3841e3963cb14eab44b 100644 --- a/test/unittest/innerkits/innerkits_unittest.cpp +++ b/test/unittest/innerkits/innerkits_unittest.cpp 
@@ -112,7 +112,7 @@ HWTEST_F(InnerkitsUnitTest, GetMountFlags_unitest, TestSize.Level1) } const int bufferSize = 512; char fsSpecificOptions[bufferSize] = {0}; - unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize); + unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize, item->mountPoint); EXPECT_EQ(flags, static_cast(MS_NOSUID | MS_NODEV | MS_NOATIME)); ReleaseFstab(fstab); fstab = nullptr;
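Review bot: The updated GetMountFlags_unitest only adapts the call to the new signature, and the FileCryptEnable calls removed from cmds_unittest.cpp have no replacement, so the new fscrypt path has no test in this change. I would add a case with a /data entry whose options contain `fscrypt=...`, asserting three things: the option is absent from `fsSpecificOptions`, LoadFscryptPolicy returns 0 with the expected string, and a second LoadFscryptPolicy call fails. A second case with the same option on a non-/data mount point and one with a too-small buffer would pin the remaining branches. The test body starts outside this hunk.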