      1 /*
      2  * Copyright (C) 2014 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #define TRACE_TAG ADB
     18 
     19 #include "sysdeps.h"
     20 
     21 #include <fcntl.h>
     22 #include <inttypes.h>
     23 #include <stdarg.h>
     24 #include <stdio.h>
     25 #include <sys/stat.h>
     26 
     27 #include "android-base/properties.h"
     28 #include "android-base/stringprintf.h"
     29 #include <log/log_properties.h>
     30 
     31 #include "adb.h"
     32 #include "adb_io.h"
     33 #include "adb_unique_fd.h"
     34 #include "fs_mgr.h"
     35 #include "remount_service.h"
     36 
     37 #include "fec/io.h"
     38 
     // fstab most recently loaded by set_verity_enabled_state_service(); it is
     // assigned there and not released anywhere in this file.
     struct fstab *fstab;

     // Build-time switch for the enable-verity / disable-verity services. It is
     // true only when the build defines ALLOW_ADBD_DISABLE_VERITY, and
     // set_verity_enabled_state_service() consults it before touching any
     // partition.
     #ifndef ALLOW_ADBD_DISABLE_VERITY
     static const bool kAllowDisableVerity = false;
     #else
     static const bool kAllowDisableVerity = true;
     #endif
     46 
     /*
      * Switch the verity flag of a single block device on or off.
      *
      * fd           - descriptor that receives the human-readable status lines.
      * block_device - path of the device whose verity metadata is rewritten.
      * mount_point  - used only in the status messages.
      * enable       - true to enable verity, false to disable it.
      *
      * Returns 0 when the flag was changed and -1 otherwise. "Already in the
      * requested state" also returns -1, so callers can use 0 to mean "a reboot
      * is now needed".
      *
      * This function performs no authorization of its own: it rewrites the
      * metadata of whatever device it is handed. Turning verity off presumably
      * removes the integrity checking of that partition, so every caller has to
      * apply the build-type gates before calling in.
      */
     static int set_verity_enabled_state(int fd, const char *block_device,
                                         const char* mount_point, bool enable)
     {
         const char* state_name = enable ? "enabled" : "disabled";

         if (!make_block_device_writable(block_device)) {
             // errno is read straight away, before any other call can overwrite it.
             WriteFdFmt(fd, "Could not make block device %s writable (%s).\n",
                        block_device, strerror(errno));
             return -1;
         }

         fec::io device(block_device, O_RDWR);
         if (!device) {
             WriteFdFmt(fd, "Could not open block device %s (%s).\n", block_device, strerror(errno));
             WriteFdFmt(fd, "Maybe run adb root?\n");
             return -1;
         }

         fec_verity_metadata verity_info;
         if (!device.get_verity_metadata(verity_info)) {
             WriteFdFmt(fd, "Couldn't find verity metadata!\n");
             return -1;
         }

         // Nothing to do when the device is already in the requested state.
         const bool currently_enabled = !verity_info.disabled;
         if (currently_enabled == enable) {
             if (enable) {
                 WriteFdFmt(fd, "Verity already enabled on %s\n", mount_point);
             } else {
                 WriteFdFmt(fd, "Verity already disabled on %s\n", mount_point);
             }
             return -1;
         }

         if (!device.set_verity_status(enable)) {
             WriteFdFmt(fd, "Could not set verity %s flag on device %s with error %s\n",
                        state_name,
                        block_device, strerror(errno));
             return -1;
         }

         WriteFdFmt(fd, "Verity %s on %s\n", state_name, mount_point);
         return 0;
     }
     92 
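     /*
      * adb service entry point for enable-verity / disable-verity.
      *
      * fd     - service descriptor; status text is written to it and it is
      *          handed to a unique_fd, which presumably closes it when this
      *          function returns.
      * cookie - non-NULL requests "enable", NULL requests "disable".
      *
      * The request is refused unless all three gates pass, in this order:
      *   1. the build defines ALLOW_ADBD_DISABLE_VERITY (kAllowDisableVerity),
      *   2. the ro.secure property is true,
      *   3. __android_log_is_debuggable() reports a debuggable build.
      * After that, every fstab entry that fs_mgr_is_verified() accepts is
      * switched, and a reboot hint is printed if at least one entry changed.
      */
     void set_verity_enabled_state_service(int fd, void* cookie) {
         unique_fd closer(fd);

         bool enable = (cookie != NULL);
         if (!kAllowDisableVerity) {
             WriteFdFmt(fd, "%s-verity only works for userdebug builds\n",
                        enable ? "enable" : "disable");
             // Fail closed. Without this return the message was printed but the
             // request still went ahead, leaving the build-time gate advisory and
             // the runtime property checks below as the only real barrier.
             return;
         }

         if (!android::base::GetBoolProperty("ro.secure", false)) {
             WriteFdFmt(fd, "verity not enabled - ENG build\n");
             return;
         }
         if (!__android_log_is_debuggable()) {
             WriteFdFmt(fd, "verity cannot be disabled/enabled - USER build\n");
             return;
         }

         // read all fstab entries at once from all sources
         // NOTE(review): the result is kept in the global `fstab` and is not freed
         // here; confirm no other code relies on it before adding a release.
         fstab = fs_mgr_read_fstab_default();
         if (!fstab) {
             WriteFdFmt(fd, "Failed to read fstab\nMaybe run adb root?\n");
             return;
         }

         // Walk the entries and switch every one that fs_mgr reports as verified.
         bool any_changed = false;
         for (int i = 0; i < fstab->num_entries; i++) {
             if (fs_mgr_is_verified(&fstab->recs[i])) {
                 // set_verity_enabled_state() returns 0 only when it actually
                 // changed the flag on this device.
                 if (set_verity_enabled_state(fd, fstab->recs[i].blk_device,
                                              fstab->recs[i].mount_point,
                                              enable) == 0) {
                     any_changed = true;
                 }
             }
         }

         if (any_changed) {
             WriteFdFmt(fd, "Now reboot your device for settings to take effect\n");
         }
     }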