      1 /*
      2  * Copyright (C) 2014 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #define TRACE_TAG ADB
     18 
     19 #include "sysdeps.h"
     20 
     21 #include <fcntl.h>
     22 #include <inttypes.h>
     23 #include <stdarg.h>
     24 #include <stdio.h>
     25 #include <sys/stat.h>
     26 
     27 #include "cutils/properties.h"
     28 
     29 #include "adb.h"
     30 #include "adb_io.h"
     31 #include "fs_mgr.h"
     32 #include "remount_service.h"
     33 
     34 #include "fec/io.h"
     35 
/* Path prefix of the fstab file; the ro.hardware property value is appended to it. */
#define FSTAB_PREFIX "/fstab."
/*
 * Parsed fstab, assigned by set_verity_enabled_state_service(). It has
 * external linkage, so other translation units may reference it.
 */
struct fstab *fstab;

/*
 * Compile-time gate for the verity toggle service: true only when the build
 * defines ALLOW_ADBD_DISABLE_VERITY. When it is false the service writes a
 * refusal message and never opens a block device.
 */
#ifdef ALLOW_ADBD_DISABLE_VERITY
static const bool kAllowDisableVerity = true;
#else
static const bool kAllowDisableVerity = false;
#endif
     44 
/*
 * Turn verity on or off for one block device by updating the status stored
 * in its verity metadata.
 *
 * fd           - descriptor that receives the status and error text.
 * block_device - device path; it is made writable and then opened O_RDWR.
 * mount_point  - only used in the messages written to fd.
 * enable       - true to enable verity, false to disable it.
 *
 * Returns 0 only when the stored status was actually changed. Returns -1 on
 * every failure, and also when the device is already in the requested state,
 * which lets the caller decide whether a reboot notice is needed.
 *
 * Security note: this function performs no authorization of its own. It is
 * static and its only caller in this file applies the build-flag and
 * property checks first; keep it unreachable from any path that skips them.
 */
static int set_verity_enabled_state(int fd, const char *block_device,
                                    const char* mount_point, bool enable)
{
    /* Word used in the result messages for the requested state. */
    const char* const requested = enable ? "enabled" : "disabled";

    if (!make_block_device_writable(block_device)) {
        WriteFdFmt(fd, "Could not make block device %s writable (%s).\n",
                   block_device, strerror(errno));
        return -1;
    }

    fec::io dev(block_device, O_RDWR);
    if (!dev) {
        WriteFdFmt(fd, "Could not open block device %s (%s).\n", block_device, strerror(errno));
        WriteFdFmt(fd, "Maybe run adb root?\n");
        return -1;
    }

    fec_verity_metadata meta;
    if (!dev.get_verity_metadata(meta)) {
        WriteFdFmt(fd, "Couldn't find verity metadata!\n");
        return -1;
    }

    /* Refuse a no-op: the stored state already matches the request. */
    const bool verity_on = !meta.disabled;
    if (verity_on == enable) {
        if (enable) {
            WriteFdFmt(fd, "Verity already enabled on %s\n", mount_point);
        } else {
            WriteFdFmt(fd, "Verity already disabled on %s\n", mount_point);
        }
        return -1;
    }

    if (!dev.set_verity_status(enable)) {
        WriteFdFmt(fd, "Could not set verity %s flag on device %s with error %s\n",
                   requested,
                   block_device, strerror(errno));
        return -1;
    }

    WriteFdFmt(fd, "Verity %s on %s\n", requested, mount_point);
    return 0;
}
     90 
/*
 * adb service entry point that enables or disables verity on every fstab
 * entry that fs_mgr_is_verified() accepts.
 *
 * fd     - descriptor that receives all output; it is closed on every path.
 * cookie - non-NULL requests "enable", NULL requests "disable".
 *
 * Checks applied, in order, before any block device is touched:
 *   1. kAllowDisableVerity must be true (compile-time build flag).
 *   2. The ro.secure property must read "1".
 *   3. The ro.debuggable property must read "1".
 * Failing any of them only writes a message to fd.
 *
 * NOTE(review): the fstab read here is stored in the global `fstab` and is
 * not released in this function -- confirm who owns it and whether repeated
 * calls leak the previous table.
 */
void set_verity_enabled_state_service(int fd, void* cookie)
{
    const bool enable = (cookie != NULL);
    char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)];
    char propbuf[PROPERTY_VALUE_MAX];
    bool any_changed = false;

    if (!kAllowDisableVerity) {
        WriteFdFmt(fd, "%s-verity only works for userdebug builds\n",
                   enable ? "enable" : "disable");
        goto done;
    }

    property_get("ro.secure", propbuf, "0");
    if (strcmp(propbuf, "1") != 0) {
        WriteFdFmt(fd, "verity not enabled - ENG build\n");
        goto done;
    }

    property_get("ro.debuggable", propbuf, "0");
    if (strcmp(propbuf, "1") != 0) {
        WriteFdFmt(fd, "verity cannot be disabled/enabled - USER build\n");
        goto done;
    }

    /* The fstab path is FSTAB_PREFIX followed by the ro.hardware value. */
    property_get("ro.hardware", propbuf, "");
    snprintf(fstab_filename, sizeof(fstab_filename), FSTAB_PREFIX"%s",
             propbuf);

    fstab = fs_mgr_read_fstab(fstab_filename);
    if (!fstab) {
        WriteFdFmt(fd, "Failed to open %s\nMaybe run adb root?\n", fstab_filename);
        goto done;
    }

    /* Visit only the entries that fs_mgr_is_verified() reports as verified. */
    for (int idx = 0; idx < fstab->num_entries; ++idx) {
        if (!fs_mgr_is_verified(&fstab->recs[idx])) {
            continue;
        }
        /* 0 means the stored state really changed on this device. */
        if (set_verity_enabled_state(fd, fstab->recs[idx].blk_device,
                                     fstab->recs[idx].mount_point,
                                     enable) == 0) {
            any_changed = true;
        }
    }

    if (any_changed) {
        WriteFdFmt(fd, "Now reboot your device for settings to take effect\n");
    }

done:
    adb_close(fd);
}
    144