Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / vold / 0cc166385a7e1d3026bbcb62f094e419f779e872^! / . / cryptfs.c
commit0cc166385a7e1d3026bbcb62f094e419f779e872[log] [tgz]
authorKen Sumrall <ksumrall@android.com>Tue Jan 18 20:32:26 2011 -0800
committerKen Sumrall <ksumrall@android.com>Tue Jan 18 20:32:26 2011 -0800
tree7b4888cca701f91746a6e56a010ddede82bdd8fd
parent7df84120b25dca713f623528801385b00208c2aa [diff] [blame]
Verify that it's OK to run the various cryptfs commands

Maintain and query some internal state to know if it's OK to run
the various cryptfs commands.  Do not allow enablecrypto to run if
the device is already encrypted.  Do no allow restart to run if
we have already run it before or if the password has not been
validated.  Do not allow checkpw to run if not encrypted, or it
has already validated the password.

This is an extra layer of safety on top of the checks up in the
UI code agains possible DoS attacks on the device.

Change-Id: I9afc8d42773020e82a512e6b637feede101d1362

diff --git a/cryptfs.c b/cryptfs.c
index a6f5b4b..5df9cb0 100644
--- a/cryptfs.c
+++ b/cryptfs.c

@@ -528,6 +528,18 @@
     unsigned long mnt_flags;
     struct stat statbuf;
     int rc = -1, i;
+    static int restart_successful = 0;
+
+    /* Validate that it's OK to call this routine */
+    if (! key_sha1_saved) {
+        SLOGE("Encrypted filesystem not validated, aborting");
+        return -1;
+    }
+
+    if (restart_successful) {
+        SLOGE("System already restarted with encrypted disk, aborting");
+        return -1;
+    }
 
     /* Here is where we shut down the framework.  The init scripts
      * start all services in one of three classes: core, main or late_start.
@@ -580,6 +592,10 @@
         }
     }
 
+    if (rc == 0) {
+        restart_successful = 1;
+    }
+
     return rc;
 }
 
@@ -595,8 +611,15 @@
   char tmp_mount_point[64];
   unsigned long mnt_flags;
   unsigned int orig_failed_decrypt_count;
+  char encrypted_state[32];
   int rc;
 
+  property_get("ro.crypto.state", encrypted_state, "");
+  if ( key_sha1_saved || strcmp(encrypted_state, "encrypted") ) {
+    SLOGE("encrypted fs already validated or not running with encryption, aborting");
+    return -1;
+  }
+
   if (get_orig_mount_parms(mount_point, fs_type, real_blkdev, &mnt_flags, fs_options)) {
     SLOGE("Error reading original mount parms for mount point %s\n", mount_point);
     return -1;
@@ -816,6 +839,13 @@
     int rc=-1, fd, i;
     struct crypt_mnt_ftr crypt_ftr;
     char tmpfs_options[80];
+    char encrypted_state[32];
+
+    property_get("ro.crypto.state", encrypted_state, "");
+    if (strcmp(encrypted_state, "unencrypted")) {
+        SLOGE("Device is already running encrypted, aborting");
+        return -1;
+    }
 
     if (!strcmp(howarg, "wipe")) {
       how = CRYPTO_ENABLE_WIPE;
@@ -932,7 +962,7 @@
 
     /* This is only allowed after we've successfully decrypted the master key */
     if (! key_sha1_saved) {
-        SLOGE("Key not saved");
+        SLOGE("Key not saved, aborting");
         return -1;
     }