With native FBE, lock user directories when framework is started

If the framework is restarted, the user must unlock their device in the
same way as after a reboot. But with FBE, vold was never told to lock
the credential-encrypted storage directories, so any that were unlocked
at the time the framework stopped remain unlocked, i.e. their keys are
still in the kernel. This is unexpected and differs from a reboot.

Fix this by locking all user directories when the framework is started.
This was already done for emulated FBE, but this change extends it to
native FBE too.

Test: Unlock device with PIN. Then in adb shell: 'stop; start;
sleep 10; ls /data/data/' shows filenames in ciphertext form.

Change-Id: If993d93d9837b09ff8029642f8641dec69af04e0