Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 05699b3e authored by Geremy Condra's avatar Geremy Condra
Browse files

fs_mgr: Set the 'partition.*.verified' property for verified partitions. 

This modifies fs_mgr to set the partition.*.verified properties.
Each of these should be used as a weak indicator that a given partition
is verified. For instance, if the 'partition.system.verified' property
is set to '1', this could indicate that the system partition is verified
and therefore should not be modified by, e.g., adb sync.

Note that these properties can be mutated by the system, and so
should not be used as the basis for security decisions.

Change-Id: I27215a3d3628a1b1e184df9eaad90541b9d8b841
parent ddda7626

fs_mgr/fs_mgr_verity.c

+30 −1
Original line number Diff line number Diff line
@@ -30,6 +30,7 @@ 
#include <time.h>



#include <private/android_filesystem_config.h>

#include <cutils/properties.h>

#include <logwrap/logwrap.h>



#include "mincrypt/rsa.h"
@@ -335,6 +336,26 @@ static int test_access(char *device) { 
    return -1;

}



static int set_verified_property(char *name) {

    int ret;

    char *key;

    ret = asprintf(&key, "partition.%s.verified", name);

    if (ret < 0) {

        ERROR("Error formatting verified property");

        return ret;

    }

    ret = PROP_NAME_MAX - strlen(key);

    if (ret < 0) {

        ERROR("Verified property name is too long");

        return -1;

    }

    ret = property_set(key, "1");

    if (ret < 0)

        ERROR("Error setting verified property %s: %d", key, ret);

    free(key);

    return ret;

}



int fs_mgr_setup_verity(struct fstab_rec *fstab) {



    int retval = -1;
@@ -351,6 +372,13 @@ int fs_mgr_setup_verity(struct fstab_rec *fstab) { 
    io->flags |= 1;

    io->target_count = 1;



    // check to ensure that the verity device is ext4

    // TODO: support non-ext4 filesystems

    if (strcmp(fstab->fs_type, "ext4")) {

        ERROR("Cannot verify non-ext4 device (%s)", fstab->fs_type);

        return retval;

    }



    // get the device mapper fd

    int fd;

    if ((fd = open("/dev/device-mapper", O_RDWR)) < 0) {
@@ -403,7 +431,8 @@ int fs_mgr_setup_verity(struct fstab_rec *fstab) { 
        goto out;

    }



    retval = 0;

    // set the property indicating that the partition is verified

    retval = set_verified_property(mount_point);



out:

    close(fd);