authorPaul Crowley <paulcrowley@google.com>2017-08-10 15:24:52 -0700
committerPaul Crowley <paulcrowley@google.com>2017-08-18 21:06:04 +0000
commit4bebc6a04656ba1798b27d88e508b7b01c39f662 (patch)
treef4f78f63252840ad87c704123ea45330e19f1761
parentcc0ba53a9f974ccb33ece1b3b85fe57b95da9cca (diff)
downloadextras-4bebc6a04656ba1798b27d88e508b7b01c39f662.tar.gz
Try to encrypt /data/media/obb but ignore failures
Bug: 64566063 Test: We test whether it's encrypted by trying to move a file from /data/unencrypted into it. Used this test to make sure directory was encrypted before change. Left file in directory, rebooted with change, tested that it was still unencrypted. Deleted all files in directory, rebooted again, tested that unencrypted files could no longer be moved into directory. Change-Id: I50df4949fb495ca8996c8a54e238af56a71f5df9
-rw-r--r--ext4_utils/ext4_crypt_init_extensions.cpp18
1 files changed, 17 insertions, 1 deletions
diff --git a/ext4_utils/ext4_crypt_init_extensions.cpp b/ext4_utils/ext4_crypt_init_extensions.cpp
index 2bf88012..35a1c219 100644
--- a/ext4_utils/ext4_crypt_init_extensions.cpp
+++ b/ext4_utils/ext4_crypt_init_extensions.cpp
@@ -41,6 +41,8 @@
static const std::string arbitrary_sequence_number = "42";
static const int vold_command_timeout_ms = 60 * 1000;
+static int set_system_de_policy_on(char const* dir);
+
int e4crypt_install_keyring()
{
key_serial_t device_keyring = add_key("keyring", "e4crypt", 0, 0,
@@ -58,11 +60,22 @@ int e4crypt_install_keyring()
int e4crypt_set_directory_policy(const char* dir)
{
+ if (!dir || strncmp(dir, "/data/", 6)) {
+ return 0;
+ }
+
+ // Special-case /data/media/obb per b/64566063
+ if (strcmp(dir, "/data/media/obb") == 0) {
+ // Try to set policy on this directory, but if it is non-empty this may fail.
+ set_system_de_policy_on(dir);
+ return 0;
+ }
+
// Only set policy on first level /data directories
// To make this less restrictive, consider using a policy file.
// However this is overkill for as long as the policy is simply
// to apply a global policy to all /data folders created via makedir
- if (!dir || strncmp(dir, "/data/", 6) || strchr(dir + 6, '/')) {
+ if (strchr(dir + 6, '/')) {
return 0;
}
@@ -83,7 +96,10 @@ int e4crypt_set_directory_policy(const char* dir)
return 0;
}
}
+ return set_system_de_policy_on(dir);
+}
+static int set_system_de_policy_on(char const* dir) {
std::string ref_filename = std::string("/data") + e4crypt_key_ref;
std::string policy;
if (!android::base::ReadFileToString(ref_filename, &policy)) {
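Review bot: `set_system_de_policy_on` has no comment stating its return contract, and after this change its two callers treat the result differently: the obb branch ignores it while the general path returns it to the caller. A one-line header such as `// Applies the system DE policy to dir; returns 0 on success, nonzero on failure.` would make that explicit. The exact failure values should be confirmed against the rest of the body, which lies outside this hunk. The parameter is spelled `char const*` here and in the forward declaration, while `e4crypt_set_directory_policy` uses `const char*`; matching the existing spelling keeps the file consistent.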