!933 fscrypt: add file crypto implementation

Merge pull request !933 from qilongzhang/dev_0713

interfaces/innerkits/fs_manager/fstab.c

@@ -42,6 +42,8 @@ struct MountFlags {
     unsigned long flags;
 };
 
+static char *g_fscryptPolicy = NULL;
+
 static unsigned int ConvertFlags(char *flagBuffer)
 {
     static struct FsManagerFlags fsFlags[] = {
@@ -384,7 +386,60 @@ static unsigned long ParseDefaultMountFlag(const char *str)
     return flags;
 }
 
-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize)
+static bool IsFscryptOption(const char *option)
+{
+    BEGET_LOGI("IsFscryptOption start");
+    if (!option) {
+        return false;
+    }
+    char *fscryptPre = "fscrypt=";
+    if (strncmp(option, fscryptPre, strlen(fscryptPre)) == 0) {
+        return true;
+    }
+    return false;
+}
+
+static void StoreFscryptPolicy(const char *option)
+{
+    if (option == NULL) {
+        return;
+    }
+    if (g_fscryptPolicy != NULL) {
+        BEGET_LOGW("StoreFscryptPolicy:inited policy is not empty");
+        free(g_fscryptPolicy);
+    }
+    g_fscryptPolicy = strdup(option);
+    if (g_fscryptPolicy == NULL) {
+        BEGET_LOGE("StoreFscryptPolicy:no memory");
+        return;
+    }
+    BEGET_LOGI("StoreFscryptPolicy:store fscrypt policy, %s", option);
+}
+
+int LoadFscryptPolicy(char *buf, size_t size)
+{
+    BEGET_LOGI("LoadFscryptPolicy start");
+    if (buf == NULL || g_fscryptPolicy == NULL) {
+        BEGET_LOGE("LoadFscryptPolicy:buf or fscrypt policy is empty");
+        return -ENOMEM;
+    }
+    if (size <= 0) {
+        BEGET_LOGE("LoadFscryptPloicy:size is invalid");
+        return -EINVAL;
+    }
+    if (strcpy_s(buf, size, g_fscryptPolicy) != 0) {
+        BEGET_LOGE("loadFscryptPolicy:strcmp failed, error = %d", errno);
+        return -EFAULT;
+    }
+    free(g_fscryptPolicy);
+    g_fscryptPolicy = NULL;
+    BEGET_LOGI("LoadFscryptPolicy success");
+
+    return 0;
+}
+
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize,
+    const char *mountPoint)
 {
     unsigned long flags = 0;
     BEGET_CHECK_RETURN_VALUE(mountFlag != NULL && fsSpecificData != NULL, 0);
@@ -408,6 +463,11 @@ unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpec
         if (IsDefaultMountFlags(p)) {
             flags |= ParseDefaultMountFlag(p);
         } else {
+            if (IsFscryptOption(p) &&
+                !strncmp(mountPoint, "/data", strlen("/data"))) {
+                StoreFscryptPolicy(p + strlen("fscrypt="));
+                continue;
+            }
             if (strncat_s(fsSpecificData, fsSpecificDataSize - 1, p, strlen(p)) != EOK) {
                 BEGET_LOGW("Failed to append mount flag \" %s \", ignore it.", p);
                 continue;

interfaces/innerkits/fs_manager/fstab_mount.c

@@ -293,7 +293,8 @@ int MountOneItem(FstabItem *item)
     unsigned long mountFlags;
     char fsSpecificData[FS_MANAGER_BUFFER_SIZE] = {0};
 
-    mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData));
+    mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData),
+        item->mountPoint);
     if (!IsSupportedFilesystem(item->fsType)) {
         BEGET_LOGE("Unsupported file system \" %s \"", item->fsType);
         return 0;

interfaces/innerkits/include/fs_manager/fs_manager.h

@@ -70,9 +70,13 @@ MountStatus GetMountStatusForMountPoint(const char *mp);
 int MountAllWithFstabFile(const char *fstabFile, bool required);
 int MountAllWithFstab(const Fstab *fstab, bool required);
 int UmountAllWithFstabFile(const char *file);
-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize);
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize,
+    const char *mountPoint);
 
 int GetBlockDevicePath(const char *partName, char *path, int size);
+
+// Get fscrypt policy if exist
+int LoadFscryptPolicy(char *buf, size_t size);
 #ifdef __cplusplus
 #if __cplusplus
 }

services/etc/init.cfg

@@ -21,7 +21,8 @@
                 "load_persist_params ",
                 "bootchart start",
                 "chown access_token access_token /dev/access_token_id",
-                "chmod 0666 /dev/access_token_id"
+                "chmod 0666 /dev/access_token_id",
+                "start samgr"
             ]
         }, {
             "name" : "init",
@@ -105,6 +106,7 @@
         }, {
             "name" : "post-fs-data",
             "cmds" : [
+                "init_global_key /data",
                 "mkdir /data/app 0711 root root",
                 "mkdir /data/app/el1 0711 root root",
                 "mkdir /data/app/el1/bundle 0711 root root",
@@ -121,6 +123,7 @@
                 "mkdir /data/chipset/el1 0711 root root",
                 "mkdir /data/chipset/el1/public 0711 root root",
                 "mkdir /data/chipset/el2 0711 root root",
+                "init_main_user ",
                 "mkdir /data/app/el1/0 0711 root root",
                 "mkdir /data/app/el1/0/base 0711 root root",
                 "mkdir /data/app/el1/0/database 0711 system system",

services/init/include/init_cmds.h

@@ -81,7 +81,7 @@ const struct CmdTable *GetCmdByName(const char *name);
 void ExecReboot(const char *value);
 char *BuildStringFromCmdArg(const struct CmdArgs *ctx, int startIndex);
 void ExecCmd(const struct CmdTable *cmd, const char *cmdContent);
-int FileCryptEnable(char *fileCryptOption);
+int SetFileCryptPolicy(const char *dir);
 
 void OpenHidebug(const char *name);
 #ifdef __cplusplus

services/init/init_common_cmds.c

@@ -41,8 +41,6 @@
 #endif
 #include "securec.h"
 
-static char *g_fileCryptOptions = NULL;
-
 static char *AddOneArg(const char *param, size_t paramLen)
 {
     int valueCount = 1;
@@ -345,6 +343,11 @@ static void DoMkDir(const struct CmdArgs *ctx)
     if (ret != 0) {
         INIT_LOGE("Failed to change owner %s, err %d.", ctx->argv[0], errno);
     }
+    ret = SetFileCryptPolicy(ctx->argv[0]);
+    if (ret != 0) {
+        INIT_LOGW("failed to set file fscrypt");
+    }
+
     return;
 }
 
@@ -397,16 +400,6 @@ static int GetMountFlag(unsigned long *mountflag, const char *targetStr, const c
         WaitForFile(source, WAIT_MAX_SECOND);
         return 1;
     }
-    const char *fileCryptPre = "filecrypt=";
-    size_t len = strlen(fileCryptPre);
-    if (strncmp(targetStr, fileCryptPre, len) == 0) {
-        size_t maxLen = strlen(targetStr) + 1;
-        g_fileCryptOptions = calloc(sizeof(char), maxLen);
-        INIT_ERROR_CHECK(g_fileCryptOptions != NULL, return 0, "Failed to alloc memory");
-        int ret = snprintf_s(g_fileCryptOptions, maxLen, maxLen - 1, "%s", targetStr + len);
-        INIT_ERROR_CHECK(ret >= 0, return 0, "Failed to snprintf");
-        return 1;
-    }
 
     return 0;
 }
@@ -449,18 +442,6 @@ static void DoMount(const struct CmdArgs *ctx)
     if (ret != 0) {
         INIT_LOGE("Failed to mount for %s, err %d.", target, errno);
     }
-    if ((g_fileCryptOptions != NULL) && (strncmp(target, "/data", strlen("/data")) == 0)) {
-        ret = FileCryptEnable(g_fileCryptOptions);
-        if (ret < 0) {
-            INIT_LOGE("File Crypt enabled failed");
-            free(g_fileCryptOptions);
-            g_fileCryptOptions = NULL;
-            return;
-        }
-        free(g_fileCryptOptions);
-        g_fileCryptOptions = NULL;
-        INIT_LOGI("File Crypt enabled success");
-    }
 }
 
 static int DoWriteWithMultiArgs(const struct CmdArgs *ctx, int fd)

services/init/lite/init_cmds.c

@@ -108,11 +108,6 @@ static void DoLoadCfg(const struct CmdArgs *ctx)
     (void)fclose(fp);
 }
 
-int FileCryptEnable(char *fileCryptOption)
-{
-    return 0;
-}
-
 static const struct CmdTable g_cmdTable[] = {
     { "exec ", 1, 10, DoExec },
     { "loadcfg ", 1, 1, DoLoadCfg },
@@ -134,3 +129,7 @@ const char *PluginGetCmdIndex(const char *cmdStr, int *index)
 {
     return NULL;
 }
+int SetFileCryptPolicy(const char *dir)
+{
+    return 0;
+}
\ No newline at end of file

services/init/standard/BUILD.gn

@@ -24,6 +24,9 @@ init_common_sources = [
   "../main.c",
 ]
 
+FSCRYPT_PATH =
+    "//foundation/filemanagement/storage_service/services/storage_daemon"
+
 import("//build/ohos.gni")
 import("//build/ohos/native_stub/native_stub.gni")
 
@@ -51,7 +54,10 @@ ohos_executable("init") {
   sources += modulemgr_sources
   sources += init_common_sources
 
-  include_dirs = [ "//base/startup/init/services/init/include" ]
+  include_dirs = [
+    "//base/startup/init/services/init/include",
+    "${FSCRYPT_PATH}/include/libfscrypt",
+  ]
 
   deps = [
     "//base/startup/init/interfaces/innerkits/control_fd:libcontrolfd",
@@ -76,6 +82,7 @@ ohos_executable("init") {
   deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_stub_versionscript" ]
   deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_sources" ]
   deps += [ "//base/startup/init/services/modules:static_modules" ]
+  deps += [ "${FSCRYPT_PATH}/libfscrypt:libfscryptutils_static" ]
 
   cflags = []
 

services/init/standard/init_cmds.c

@@ -44,8 +44,9 @@
 #ifdef WITH_SELINUX
 #include <policycoreutils.h>
 #endif
+#include "fscrypt_utils.h"
 
-static const char *g_fscryptPolicyKey = "fscrypt.policy.config";
+#define FSCRYPT_POLICY_BUF_SIZE (60)
 
 int GetParamValue(const char *symValue, unsigned int symLen, char *paramValue, unsigned int paramLen)
 {
@@ -412,6 +413,18 @@ static void DoTimerStop(const struct CmdArgs *ctx)
     ServiceStopTimer(service);
 }
 
+static bool InitFscryptPolicy(void)
+{
+    char policy[FSCRYPT_POLICY_BUF_SIZE];
+    if (LoadFscryptPolicy(policy, FSCRYPT_POLICY_BUF_SIZE) != 0) {
+        return false;
+    }
+    if (SetFscryptSysparam(policy) == 0) {
+        return true;
+    }
+    return false;
+}
+
 static void DoInitGlobalKey(const struct CmdArgs *ctx)
 {
     INIT_LOGI("DoInitGlobalKey: start");
@@ -424,6 +437,11 @@ static void DoInitGlobalKey(const struct CmdArgs *ctx)
         INIT_LOGE("DoInitGlobalKey: not data partitation");
         return;
     }
+    if (!InitFscryptPolicy()) {
+        INIT_LOGI("DoInitGlobalKey:init fscrypt failed,not enable fscrypt");
+        return;
+    }
+
     char * const argv[] = {
         "/system/bin/sdc",
         "filecrypt",
@@ -442,6 +460,7 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
         INIT_LOGE("DoInitMainUser: para invalid");
         return;
     }
+
     char * const argv[] = {
         "/system/bin/sdc",
         "filecrypt",
@@ -453,23 +472,6 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
     INIT_LOGI("DoInitMainUser: end, ret = %d", ret);
 }
 
-int FileCryptEnable(char *fileCryptOption)
-{
-    INIT_LOGI("FileCryptEnable: start");
-    if (fileCryptOption == NULL) {
-        INIT_LOGE("FileCryptEnable:option null");
-        return -EINVAL;
-    }
-    int ret = SystemWriteParam(g_fscryptPolicyKey, fileCryptOption);
-    if (ret != 0) {
-        INIT_LOGE("FileCryptEnable:set fscrypt config failed");
-        return ret;
-    }
-    INIT_LOGI("FileCryptEnable:set fscrypt config success, policy:%s", fileCryptOption);
-
-    return ret;
-}
-
 static void DoMkswap(const struct CmdArgs *ctx)
 {
     INIT_LOGI("DoMkswap: start");
@@ -595,3 +597,12 @@ void OpenHidebug(const char *name)
     } while (0);
 #endif
 }
+
+int SetFileCryptPolicy(const char *dir)
+{
+    if (dir == NULL) {
+        INIT_LOGE("SetFileCryptPolicy:dir is null");
+        return -EINVAL;
+    }
+    return FscryptPolicyEnable(dir);
+}

test/unittest/BUILD.gn

@@ -30,6 +30,9 @@ config("utest_config") {
   ldflags = [ "--coverage" ]
 }
 
+FSCRYPT_PATH =
+    "//foundation/filemanagement/storage_service/services/storage_daemon"
+
 ohos_unittest("init_unittest") {
   module_out_path = "startup/init"
   sources = [
@@ -105,6 +108,13 @@ ohos_unittest("init_unittest") {
     "//base/startup/init/ueventd/ueventd_socket.c",
   ]
 
+  sources += [
+    "${FSCRYPT_PATH}/libfscrypt/src/fscrypt_control.c",
+    "${FSCRYPT_PATH}/libfscrypt/src/fscrypt_utils.c",
+    "${FSCRYPT_PATH}/libfscrypt/src/key_control.c",
+    "${FSCRYPT_PATH}/libfscrypt/src/sysparam_static.c",
+  ]
+
   if (defined(build_selinux) && build_selinux) {
     sources += [ "//base/startup/init/services/param/adapter/param_selinux.c" ]
   }
@@ -198,6 +208,7 @@ ohos_unittest("init_unittest") {
     "//base/security/access_token/interfaces/innerkits/nativetoken/include",
     "//base/startup/init/interfaces/innerkits/sandbox/include",
     "//base/startup/init/interfaces/innerkits/hals",
+    "${FSCRYPT_PATH}/include/libfscrypt",
   ]
 
   deps = [

test/unittest/init/cmds_unittest.cpp

@@ -269,8 +269,6 @@ HWTEST_F(CmdsUnitTest, TestGetCmdLinesFromJson, TestSize.Level1)
 }
 HWTEST_F(CmdsUnitTest, TestInitCmdFunc, TestSize.Level1)
 {
-    FileCryptEnable((char *)"test");
-    FileCryptEnable(nullptr);
     int ret = GetBootModeFromMisc();
     EXPECT_EQ(ret, 0);
 }

test/unittest/innerkits/innerkits_unittest.cpp

@@ -112,7 +112,7 @@ HWTEST_F(InnerkitsUnitTest, GetMountFlags_unitest, TestSize.Level1)
     }
     const int bufferSize = 512;
     char fsSpecificOptions[bufferSize] = {0};
-    unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize);
+    unsigned long flags = GetMountFlags(item->mountOptions, fsSpecificOptions, bufferSize, item->mountPoint);
     EXPECT_EQ(flags, static_cast<unsigned long>(MS_NOSUID | MS_NODEV | MS_NOATIME));
     ReleaseFstab(fstab);
     fstab = nullptr;