From 214f33b8c095feedfdbaa680ff6ffb763f47d375 Mon Sep 17 00:00:00 2001
From: Sami Tolvanen
Date: Thu, 18 Dec 2014 16:15:30 +0000
Subject: Set underlying block device RO when enabling verity
Currently, when verity is set up on a block device, the underlying device is still accessible directly. Change the existing function fs_set_blk_ro visible to other fs_mgr modules, change the behavior to match the comment above the function definition, and call it to disable write access to the block device when setting up verity.
Bug: 18609347
Change-Id: I7884175df15f9161174788d74d20a08e4cd472ca
---
 fs_mgr/fs_mgr.c | 15 +++++++++------
 fs_mgr/fs_mgr_priv.h | 2 ++
 fs_mgr/fs_mgr_verity.c | 3 +++
 3 files changed, 14 insertions(+), 6 deletions(-)
(limited to 'fs_mgr')
diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c
index a1391e0..f9a6ba2 100644
--- a/fs_mgr/fs_mgr.c
+++ b/fs_mgr/fs_mgr.c
@@ -185,19 +185,22 @@ static void remove_trailing_slashes(char *n)
 * Mark the given block device as read-only, using the BLKROSET ioctl.
 * Return 0 on success, and -1 on error.
 */
-static void fs_set_blk_ro(const char *blockdev)
+int fs_mgr_set_blk_ro(const char *blockdev)
 {
 int fd;
+ int rc = -1;
 int ON = 1;
- fd = open(blockdev, O_RDONLY);
+ fd = TEMP_FAILURE_RETRY(open(blockdev, O_RDONLY | O_CLOEXEC));
 if (fd < 0) {
 // should never happen
- return;
+ return rc;
 }
- ioctl(fd, BLKROSET, &ON);
- close(fd);
+ rc = ioctl(fd, BLKROSET, &ON);
+ TEMP_FAILURE_RETRY(close(fd));
+
+ return rc;
 }
 /*
@@ -223,7 +226,7 @@ static int __mount(const char *source, const char *target, const struct fstab_re
 save_errno = errno;
 INFO("%s(source=%s,target=%s,type=%s)=%d\n", __func__, source, target, rec->fs_type, ret);
 if ((ret == 0) && (mountflags & MS_RDONLY) != 0) {
- fs_set_blk_ro(source);
+ fs_mgr_set_blk_ro(source);
 }
 errno = save_errno;
 return ret;
diff --git a/fs_mgr/fs_mgr_priv.h b/fs_mgr/fs_mgr_priv.h
index 4ba6f92..88a1040 100644
--- a/fs_mgr/fs_mgr_priv.h
+++ b/fs_mgr/fs_mgr_priv.h
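Review bot: `TEMP_FAILURE_RETRY(close(fd))` in fs_mgr_set_blk_ro (fs_mgr.c, first hunk) retries close() after EINTR, but on Linux the descriptor is already released when close() returns that error, so a retry can close a descriptor that another thread has just been given under the same number. A single `close(fd);` is the safe form. The open-failure branch also still returns -1 behind `// should never happen` without logging anything; since the commit message has verity setup calling this function to disable write access, an `ERROR("open %s failed: %s\n", blockdev, strerror(errno));` there, and the same after a failed ioctl, would keep a silent no-op from going unnoticed.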
@@ -79,5 +79,7 @@ #define DM_BUF_SIZE 4096
+int fs_mgr_set_blk_ro(const char *blockdev);
+
 #endif /* __CORE_FS_MGR_PRIV_H */
diff --git a/fs_mgr/fs_mgr_verity.c b/fs_mgr/fs_mgr_verity.c
index 4683acb..db63bcc 100644
--- a/fs_mgr/fs_mgr_verity.c
+++ b/fs_mgr/fs_mgr_verity.c
@@ -442,6 +442,9 @@ int fs_mgr_setup_verity(struct fstab_rec *fstab) {
 goto out;
 }
+ // mark the underlying block device as read-only
+ fs_mgr_set_blk_ro(fstab->blk_device);
+
 // assign the new verity block device as the block device
 free(fstab->blk_device);
 fstab->blk_device = verity_blk_name;
-- 
cgit v1.1
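Review bot: The prototype added to fs_mgr_priv.h carries no comment, so the contract that other fs_mgr modules need (0 on success, -1 on error, as stated above the definition in fs_mgr.c) is not visible where they include it. I would add `/* Mark blockdev read-only with the BLKROSET ioctl; returns 0 on success, -1 on error. */` above the declaration. Marking it `__attribute__((warn_unused_result))` would also make the compiler point out callers that drop the result.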
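Review bot: The new call `fs_mgr_set_blk_ro(fstab->blk_device);` in fs_mgr_setup_verity discards the return value that this same commit introduces, so if the open or the BLKROSET ioctl fails, the underlying device stays writable and setup continues as if it were protected. At minimum the failure should be logged: `if (fs_mgr_set_blk_ro(fstab->blk_device) < 0) ERROR("failed to set %s read-only\n", fstab->blk_device);`. Whether it should also take the `goto out` path is a policy decision that depends on cleanup code outside this hunk, since the function body starts and ends beyond it. The renamed call in __mount in fs_mgr.c ignores the result in the same way.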