diff options
author | Elliott Hughes <enh@google.com> | 2014-12-10 01:05:20 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2014-12-10 01:05:20 +0000 |
commit | 18237c77c80c34919211e5984a40d27b03992759 (patch) | |
tree | 7eda12cfa1070bd52ab977b78ebb7f9c593e739c /adb | |
parent | b471f5249b8a8c627e8d7e96705d111cafdca50d (diff) | |
parent | 982089d83879c768eac3fd36f19665463a550b53 (diff) | |
download | system_core-18237c77c80c34919211e5984a40d27b03992759.zip system_core-18237c77c80c34919211e5984a40d27b03992759.tar.gz system_core-18237c77c80c34919211e5984a40d27b03992759.tar.bz2 |
Merge "Add adb enable-verity"
Diffstat (limited to 'adb')
-rw-r--r-- | adb/Android.mk | 2 | ||||
-rw-r--r-- | adb/adb.h | 4 | ||||
-rw-r--r-- | adb/commandline.c | 6 | ||||
-rw-r--r-- | adb/remount_service.c | 67 | ||||
-rw-r--r-- | adb/services.c | 4 | ||||
-rw-r--r-- | adb/set_verity_enable_state_service.c (renamed from adb/disable_verity_service.c) | 52 |
6 files changed, 104 insertions, 31 deletions
diff --git a/adb/Android.mk b/adb/Android.mk index 99a7ce6..8ebcbf0 100644 --- a/adb/Android.mk +++ b/adb/Android.mk @@ -110,7 +110,7 @@ LOCAL_SRC_FILES := \ jdwp_service.c \ framebuffer_service.c \ remount_service.c \ - disable_verity_service.c \ + set_verity_enable_state_service.c \ usb_linux_client.c LOCAL_CFLAGS := \ @@ -328,8 +328,10 @@ int handle_forward_request(const char* service, transport_type ttype, char* seri #if !ADB_HOST void framebuffer_service(int fd, void *cookie); +// Allow enable-verity to write to system and vendor block devices +int make_system_and_vendor_block_devices_writable(); void remount_service(int fd, void *cookie); -void disable_verity_service(int fd, void* cookie); +void set_verity_enabled_state_service(int fd, void* cookie); #endif /* packet allocator */ diff --git a/adb/commandline.c b/adb/commandline.c index 21945d9..49f1b95 100644 --- a/adb/commandline.c +++ b/adb/commandline.c @@ -190,10 +190,11 @@ void help() "\n" " adb restore <file> - restore device contents from the <file> backup archive\n" "\n" + " adb disable-verity - disable dm-verity checking on USERDEBUG builds\n" + " adb enable-verity - re-enable dm-verity checking on USERDEBUG builds\n" " adb keygen <file> - generate adb public/private key. The private key is stored in <file>,\n" " and the public key is stored in <file>.pub. Any existing files\n" " are overwritten.\n" - " adb disable-verity - disable dm-verity checking on USERDEBUG builds\n" " adb help - show this help message\n" " adb version - show version num\n" "\n" @@ -1446,7 +1447,8 @@ top: if(!strcmp(argv[0], "remount") || !strcmp(argv[0], "reboot") || !strcmp(argv[0], "reboot-bootloader") || !strcmp(argv[0], "tcpip") || !strcmp(argv[0], "usb") - || !strcmp(argv[0], "root") || !strcmp(argv[0], "disable-verity")) { + || !strcmp(argv[0], "root") || !strcmp(argv[0], "disable-verity") + || !strcmp(argv[0], "enable-verity")) { char command[100]; if (!strcmp(argv[0], "reboot-bootloader")) snprintf(command, sizeof(command), "reboot:bootloader"); diff --git a/adb/remount_service.c b/adb/remount_service.c index 36367a7..05d3169 100644 --- a/adb/remount_service.c +++ b/adb/remount_service.c @@ -79,29 +79,57 @@ static int hasVendorPartition() return false; } +static int make_block_device_writable(const char* dir) +{ + char *dev = 0; + int fd = -1; + int OFF = 0; + int rc = -1; + + dev = find_mount(dir); + if (!dev) + goto errout; + + fd = unix_open(dev, O_RDONLY | O_CLOEXEC); + if (fd < 0) + goto errout; + + if (ioctl(fd, BLKROSET, &OFF)) { + goto errout; + } + + rc = 0; + +errout: + if (fd >= 0) { + adb_close(fd); + } + + if (dev) { + free(dev); + } + return rc; +} + /* Init mounts /system as read only, remount to enable writes. */ static int remount(const char* dir, int* dir_ro) { char *dev; - int fd; int OFF = 0; if (dir_ro == 0) { return 0; } + if (make_block_device_writable(dir)) { + return -1; + } + dev = find_mount(dir); if (!dev) return -1; - fd = unix_open(dev, O_RDONLY | O_CLOEXEC); - if (fd < 0) - return -1; - - ioctl(fd, BLKROSET, &OFF); - adb_close(fd); - *dir_ro = mount(dev, dir, "none", MS_REMOUNT, NULL); free(dev); @@ -114,6 +142,28 @@ static void write_string(int fd, const char* str) writex(fd, str, strlen(str)); } +int make_system_and_vendor_block_devices_writable(int fd) +{ + char buffer[200]; + if (make_block_device_writable("/system")) { + snprintf(buffer, sizeof(buffer), + "Failed to make system block device writable %s\n", + strerror(errno)); + write_string(fd, buffer); + return -1; + } + + if (hasVendorPartition() && make_block_device_writable("/vendor")) { + snprintf(buffer, sizeof(buffer), + "Failed to make vendor block device writable: %s\n", + strerror(errno)); + write_string(fd, buffer); + return -1; + } + + return 0; +} + void remount_service(int fd, void *cookie) { char buffer[200]; @@ -167,4 +217,3 @@ void remount_service(int fd, void *cookie) adb_close(fd); } - diff --git a/adb/services.c b/adb/services.c index 1aeb376..d5a4642 100644 --- a/adb/services.c +++ b/adb/services.c @@ -472,7 +472,9 @@ int service_to_fd(const char *name) } } } else if(!strncmp(name, "disable-verity:", 15)) { - ret = create_service_thread(disable_verity_service, NULL); + ret = create_service_thread(set_verity_enabled_state_service, (void*)0); + } else if(!strncmp(name, "enable-verity:", 15)) { + ret = create_service_thread(set_verity_enabled_state_service, (void*)1); #endif } if (ret >= 0) { diff --git a/adb/disable_verity_service.c b/adb/set_verity_enable_state_service.c index ed3da52..6692ab7 100644 --- a/adb/disable_verity_service.c +++ b/adb/set_verity_enable_state_service.c @@ -78,11 +78,13 @@ static int get_target_device_size(int fd, const char *blk_device, return 0; } -static int disable_verity(int fd, const char *block_device, - const char* mount_point) +/* Turn verity on/off */ +static int set_verity_enabled_state(int fd, const char *block_device, + const char* mount_point, bool enable) { uint32_t magic_number; - const uint32_t voff = VERITY_METADATA_MAGIC_DISABLE; + const uint32_t new_magic = enable ? VERITY_METADATA_MAGIC_NUMBER + : VERITY_METADATA_MAGIC_DISABLE; uint64_t device_length; int device; int retval = -1; @@ -114,12 +116,18 @@ static int disable_verity(int fd, const char *block_device, goto errout; } - if (magic_number == VERITY_METADATA_MAGIC_DISABLE) { + if (!enable && magic_number == VERITY_METADATA_MAGIC_DISABLE) { write_console(fd, "Verity already disabled on %s\n", mount_point); goto errout; } - if (magic_number != VERITY_METADATA_MAGIC_NUMBER) { + if (enable && magic_number == VERITY_METADATA_MAGIC_NUMBER) { + write_console(fd, "Verity already enabled on %s\n", mount_point); + goto errout; + } + + if (magic_number != VERITY_METADATA_MAGIC_NUMBER + && magic_number != VERITY_METADATA_MAGIC_DISABLE) { write_console(fd, "Couldn't find verity metadata at offset %"PRIu64"!\n", device_length); @@ -132,13 +140,17 @@ static int disable_verity(int fd, const char *block_device, goto errout; } - if (adb_write(device, &voff, sizeof(voff)) != sizeof(voff)) { - write_console(fd, "Could not set verity disabled flag on device %s\n", - block_device); + if (adb_write(device, &new_magic, sizeof(new_magic)) != sizeof(new_magic)) { + write_console(fd, "Could not set verity %s flag on device %s with error %s\n", + enable ? "enabled" : "disabled", + block_device, + strerror(errno)); goto errout; } - write_console(fd, "Verity disabled on %s\n", mount_point); + write_console(fd, "Verity %s on %s\n", + enable ? "enabled" : "disabled", + mount_point); retval = 0; errout: if (device != -1) @@ -146,13 +158,14 @@ errout: return retval; } -void disable_verity_service(int fd, void* cookie) +void set_verity_enabled_state_service(int fd, void* cookie) { + bool enable = (cookie != NULL); #ifdef ALLOW_ADBD_DISABLE_VERITY char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)]; char propbuf[PROPERTY_VALUE_MAX]; int i; - bool any_disabled = false; + bool any_changed = false; property_get("ro.secure", propbuf, "0"); if (strcmp(propbuf, "1")) { @@ -162,7 +175,7 @@ void disable_verity_service(int fd, void* cookie) property_get("ro.debuggable", propbuf, "0"); if (strcmp(propbuf, "1")) { - write_console(fd, "verity cannot be disabled - USER build\n"); + write_console(fd, "verity cannot be disabled/enabled - USER build\n"); goto errout; } @@ -176,22 +189,27 @@ void disable_verity_service(int fd, void* cookie) goto errout; } + if (enable && make_system_and_vendor_block_devices_writable(fd)) { + goto errout; + } + /* Loop through entries looking for ones that vold manages */ for (i = 0; i < fstab->num_entries; i++) { if(fs_mgr_is_verified(&fstab->recs[i])) { - if (!disable_verity(fd, fstab->recs[i].blk_device, - fstab->recs[i].mount_point)) { - any_disabled = true; + if (!set_verity_enabled_state(fd, fstab->recs[i].blk_device, + fstab->recs[i].mount_point, enable)) { + any_changed = true; } } } - if (any_disabled) { + if (any_changed) { write_console(fd, "Now reboot your device for settings to take effect\n"); } #else - write_console(fd, "disable-verity only works for userdebug builds\n"); + write_console(fd, "%s-verity only works for userdebug builds\n", + disabling ? "disable" : "enable"); #endif errout: |