Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2015 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 17 | #include "Ext4Crypt.h" |
| 18 | |
Paul Crowley | 1ef2558 | 2016-01-21 20:26:12 +0000 | [diff] [blame] | 19 | #include "KeyStorage.h" |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 20 | #include "Utils.h" |
| 21 | |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 22 | #include <iomanip> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 23 | #include <map> |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 24 | #include <set> |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 25 | #include <string> |
| 26 | #include <sstream> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 27 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 28 | #include <stdio.h> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 29 | #include <errno.h> |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 30 | #include <dirent.h> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 31 | #include <sys/mount.h> |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 32 | #include <sys/types.h> |
| 33 | #include <sys/stat.h> |
| 34 | #include <fcntl.h> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 35 | #include <cutils/properties.h> |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 36 | #include <openssl/sha.h> |
Jeff Sharkey | 7a9dd95 | 2016-01-12 16:52:16 -0700 | [diff] [blame] | 37 | #include <selinux/android.h> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 38 | |
Paul Crowley | 480fcd2 | 2015-08-24 14:53:28 +0100 | [diff] [blame] | 39 | #include <private/android_filesystem_config.h> |
| 40 | |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 41 | #include "unencrypted_properties.h" |
| 42 | #include "key_control.h" |
| 43 | #include "cryptfs.h" |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 44 | #include "ext4_crypt_init_extensions.h" |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 45 | |
| 46 | #define LOG_TAG "Ext4Crypt" |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 47 | |
Jeff Sharkey | 7a9dd95 | 2016-01-12 16:52:16 -0700 | [diff] [blame] | 48 | #define EMULATED_USES_SELINUX 0 |
| 49 | |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 50 | #include <cutils/fs.h> |
| 51 | #include <cutils/log.h> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 52 | #include <cutils/klog.h> |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 53 | |
Elliott Hughes | 7e128fb | 2015-12-04 15:50:53 -0800 | [diff] [blame] | 54 | #include <android-base/file.h> |
Elliott Hughes | 6bf0547 | 2015-12-04 17:55:33 -0800 | [diff] [blame] | 55 | #include <android-base/logging.h> |
Elliott Hughes | 7e128fb | 2015-12-04 15:50:53 -0800 | [diff] [blame] | 56 | #include <android-base/stringprintf.h> |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 57 | |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 58 | using android::base::StringPrintf; |
| 59 | |
Jeff Sharkey | fc505c3 | 2015-12-07 17:27:01 -0700 | [diff] [blame] | 60 | static bool e4crypt_is_native() { |
| 61 | char value[PROPERTY_VALUE_MAX]; |
| 62 | property_get("ro.crypto.type", value, "none"); |
| 63 | return !strcmp(value, "file"); |
| 64 | } |
| 65 | |
| 66 | static bool e4crypt_is_emulated() { |
| 67 | return property_get_bool("persist.sys.emulate_fbe", false); |
| 68 | } |
Jeff Sharkey | c79fb89 | 2015-11-12 20:18:02 -0800 | [diff] [blame] | 69 | |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 70 | namespace { |
| 71 | // Key length in bits |
| 72 | const int key_length = 128; |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 73 | static_assert(key_length % 8 == 0, |
| 74 | "Key length must be multiple of 8 bits"); |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 75 | |
Paul Lawrence | 5a06a64 | 2016-02-03 13:39:13 -0800 | [diff] [blame^] | 76 | const std::string device_key_leaf = "/unencrypted/key"; |
| 77 | const std::string device_key_temp = "/unencrypted/temp"; |
| 78 | |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 79 | const std::string user_key_dir = std::string() + DATA_MNT_POINT + "/misc/vold/user_keys"; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 80 | const std::string user_key_temp = user_key_dir + "/temp"; |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 81 | |
Paul Lawrence | 7b6b565 | 2016-02-02 11:14:59 -0800 | [diff] [blame] | 82 | bool s_enabled = false; |
| 83 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 84 | // Some users are ephemeral, don't try to wipe their keys from disk |
| 85 | std::set<userid_t> s_ephemeral_users; |
Paul Lawrence | aec34df | 2016-02-03 10:52:41 -0800 | [diff] [blame] | 86 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 87 | // Map user ids to key references |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 88 | std::map<userid_t, std::string> s_de_key_raw_refs; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 89 | std::map<userid_t, std::string> s_ce_key_raw_refs; |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 90 | |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 91 | // ext4enc:TODO get this const from somewhere good |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 92 | const int EXT4_KEY_DESCRIPTOR_SIZE = 8; |
| 93 | |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 94 | // ext4enc:TODO Include structure from somewhere sensible |
| 95 | // MUST be in sync with ext4_crypto.c in kernel |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 96 | const int EXT4_MAX_KEY_SIZE = 64; |
| 97 | const int EXT4_ENCRYPTION_MODE_AES_256_XTS = 1; |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 98 | struct ext4_encryption_key { |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 99 | uint32_t mode; |
| 100 | char raw[EXT4_MAX_KEY_SIZE]; |
| 101 | uint32_t size; |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 102 | }; |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 103 | } |
| 104 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 105 | static bool install_key(const std::string &key, std::string &raw_ref); |
Paul Crowley | f25a35a | 2015-05-06 13:38:53 +0100 | [diff] [blame] | 106 | |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 107 | static UnencryptedProperties GetProps(const char* path) |
| 108 | { |
| 109 | return UnencryptedProperties(path); |
| 110 | } |
| 111 | |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 112 | int e4crypt_crypto_complete(const char* path) |
| 113 | { |
| 114 | SLOGI("ext4 crypto complete called on %s", path); |
Paul Lawrence | aec34df | 2016-02-03 10:52:41 -0800 | [diff] [blame] | 115 | if (GetProps(path).Get<std::string>(properties::ref).empty()) { |
| 116 | SLOGI("No key reference, so not ext4enc"); |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 117 | return -1; |
| 118 | } |
| 119 | |
| 120 | return 0; |
| 121 | } |
| 122 | |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 123 | // Get raw keyref - used to make keyname and to pass to ioctl |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 124 | static std::string generate_key_ref(const char* key, int length) |
| 125 | { |
| 126 | SHA512_CTX c; |
| 127 | |
| 128 | SHA512_Init(&c); |
| 129 | SHA512_Update(&c, key, length); |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 130 | unsigned char key_ref1[SHA512_DIGEST_LENGTH]; |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 131 | SHA512_Final(key_ref1, &c); |
| 132 | |
| 133 | SHA512_Init(&c); |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 134 | SHA512_Update(&c, key_ref1, SHA512_DIGEST_LENGTH); |
| 135 | unsigned char key_ref2[SHA512_DIGEST_LENGTH]; |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 136 | SHA512_Final(key_ref2, &c); |
| 137 | |
| 138 | return std::string((char*)key_ref2, EXT4_KEY_DESCRIPTOR_SIZE); |
| 139 | } |
| 140 | |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 141 | static ext4_encryption_key fill_key(const std::string &key) |
Paul Crowley | f25a35a | 2015-05-06 13:38:53 +0100 | [diff] [blame] | 142 | { |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 143 | // ext4enc:TODO Currently raw key is required to be of length |
| 144 | // sizeof(ext4_key.raw) == EXT4_MAX_KEY_SIZE, so zero pad to |
| 145 | // this length. Change when kernel bug is fixed. |
| 146 | ext4_encryption_key ext4_key = {EXT4_ENCRYPTION_MODE_AES_256_XTS, |
| 147 | {0}, |
| 148 | sizeof(ext4_key.raw)}; |
| 149 | memset(ext4_key.raw, 0, sizeof(ext4_key.raw)); |
| 150 | static_assert(key_length / 8 <= sizeof(ext4_key.raw), |
| 151 | "Key too long!"); |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 152 | memcpy(ext4_key.raw, &key[0], key.size()); |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 153 | return ext4_key; |
| 154 | } |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 155 | |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 156 | static std::string keyname(const std::string &raw_ref) |
| 157 | { |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 158 | std::ostringstream o; |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 159 | o << "ext4:"; |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 160 | for (auto i = raw_ref.begin(); i != raw_ref.end(); ++i) { |
| 161 | o << std::hex << std::setw(2) << std::setfill('0') << (int)*i; |
| 162 | } |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 163 | return o.str(); |
| 164 | } |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 165 | |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 166 | // Get the keyring we store all keys in |
| 167 | static key_serial_t e4crypt_keyring() |
| 168 | { |
| 169 | return keyctl_search(KEY_SPEC_SESSION_KEYRING, "keyring", "e4crypt", 0); |
| 170 | } |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 171 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 172 | // Install password into global keyring |
| 173 | // Return raw key reference for use in policy |
| 174 | static bool install_key(const std::string &key, std::string &raw_ref) |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 175 | { |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 176 | if (key.size() != key_length/8) { |
| 177 | LOG(ERROR) << "Wrong size key " << key.size(); |
| 178 | return false; |
| 179 | } |
| 180 | auto ext4_key = fill_key(key); |
| 181 | raw_ref = generate_key_ref(ext4_key.raw, ext4_key.size); |
| 182 | auto ref = keyname(raw_ref); |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 183 | key_serial_t device_keyring = e4crypt_keyring(); |
Paul Lawrence | fd7db73 | 2015-04-10 07:48:51 -0700 | [diff] [blame] | 184 | key_serial_t key_id = add_key("logon", ref.c_str(), |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 185 | (void*)&ext4_key, sizeof(ext4_key), |
| 186 | device_keyring); |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 187 | if (key_id == -1) { |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 188 | PLOG(ERROR) << "Failed to insert key into keyring " << device_keyring; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 189 | return false; |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 190 | } |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 191 | LOG(INFO) << "Added key " << key_id << " (" << ref << ") to keyring " |
| 192 | << device_keyring << " in process " << getpid(); |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 193 | return true; |
Paul Lawrence | 731a7a2 | 2015-04-28 22:14:15 +0000 | [diff] [blame] | 194 | } |
| 195 | |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 196 | static std::string get_de_key_path(userid_t user_id) { |
| 197 | return StringPrintf("%s/de/%d", user_key_dir.c_str(), user_id); |
| 198 | } |
| 199 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 200 | static std::string get_ce_key_path(userid_t user_id) { |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 201 | return StringPrintf("%s/ce/%d/current", user_key_dir.c_str(), user_id); |
Paul Crowley | b33e887 | 2015-05-19 12:34:09 +0100 | [diff] [blame] | 202 | } |
| 203 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 204 | static bool read_and_install_key(const std::string &key_path, std::string &raw_ref) |
| 205 | { |
| 206 | std::string key; |
| 207 | if (!android::vold::retrieveKey(key_path, key)) return false; |
| 208 | if (!install_key(key, raw_ref)) return false; |
| 209 | return true; |
Lenka Trochtova | 395039f | 2015-11-25 10:13:03 +0100 | [diff] [blame] | 210 | } |
| 211 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 212 | static bool read_and_install_user_ce_key(userid_t user_id) |
Paul Crowley | b33e887 | 2015-05-19 12:34:09 +0100 | [diff] [blame] | 213 | { |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 214 | if (s_ce_key_raw_refs.count(user_id) != 0) return true; |
| 215 | const auto key_path = get_ce_key_path(user_id); |
| 216 | std::string raw_ref; |
| 217 | if (!read_and_install_key(key_path, raw_ref)) return false; |
| 218 | s_ce_key_raw_refs[user_id] = raw_ref; |
| 219 | LOG(DEBUG) << "Installed ce key for user " << user_id; |
Paul Crowley | 1ef2558 | 2016-01-21 20:26:12 +0000 | [diff] [blame] | 220 | return true; |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 221 | } |
| 222 | |
Paul Crowley | 13ffd8e | 2016-01-27 14:30:22 +0000 | [diff] [blame] | 223 | static bool prepare_dir(const std::string &dir, mode_t mode, uid_t uid, gid_t gid) { |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 224 | LOG(DEBUG) << "Preparing: " << dir; |
Paul Crowley | 13ffd8e | 2016-01-27 14:30:22 +0000 | [diff] [blame] | 225 | if (fs_prepare_dir(dir.c_str(), mode, uid, gid) != 0) { |
| 226 | PLOG(ERROR) << "Failed to prepare " << dir; |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 227 | return false; |
| 228 | } |
Paul Crowley | 13ffd8e | 2016-01-27 14:30:22 +0000 | [diff] [blame] | 229 | return true; |
| 230 | } |
| 231 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 232 | static bool random_key(std::string &key) { |
Paul Crowley | 1ef2558 | 2016-01-21 20:26:12 +0000 | [diff] [blame] | 233 | if (android::vold::ReadRandomBytes(key_length / 8, key) != 0) { |
| 234 | // TODO status_t plays badly with PLOG, fix it. |
| 235 | LOG(ERROR) << "Random read failed"; |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 236 | return false; |
| 237 | } |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 238 | return true; |
| 239 | } |
| 240 | |
| 241 | static bool path_exists(const std::string &path) { |
| 242 | return access(path.c_str(), F_OK) == 0; |
| 243 | } |
| 244 | |
| 245 | // NB this assumes that there is only one thread listening for crypt commands, because |
| 246 | // it creates keys in a fixed location. |
| 247 | static bool store_key(const std::string &key_path, const std::string &key) { |
| 248 | if (path_exists(key_path)) { |
| 249 | LOG(ERROR) << "Already exists, cannot create key at: " << key_path; |
| 250 | return false; |
| 251 | } |
| 252 | if (path_exists(user_key_temp)) { |
| 253 | android::vold::destroyKey(user_key_temp); |
| 254 | } |
| 255 | if (!android::vold::storeKey(user_key_temp, key)) return false; |
| 256 | if (rename(user_key_temp.c_str(), key_path.c_str()) != 0) { |
| 257 | PLOG(ERROR) << "Unable to move new key to location: " << key_path; |
| 258 | return false; |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 259 | } |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 260 | LOG(DEBUG) << "Created key " << key_path; |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 261 | return true; |
| 262 | } |
| 263 | |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 264 | static bool create_and_install_user_keys(userid_t user_id, bool create_ephemeral) { |
| 265 | std::string de_key, ce_key; |
| 266 | if (!random_key(de_key)) return false; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 267 | if (!random_key(ce_key)) return false; |
| 268 | if (create_ephemeral) { |
| 269 | // If the key should be created as ephemeral, don't store it. |
| 270 | s_ephemeral_users.insert(user_id); |
| 271 | } else { |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 272 | if (!store_key(get_de_key_path(user_id), de_key)) return false; |
| 273 | if (!prepare_dir(user_key_dir + "/ce/" + std::to_string(user_id), |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 274 | 0700, AID_ROOT, AID_ROOT)) return false; |
| 275 | if (!store_key(get_ce_key_path(user_id), ce_key)) return false; |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 276 | } |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 277 | std::string de_raw_ref; |
| 278 | if (!install_key(de_key, de_raw_ref)) return false; |
| 279 | s_de_key_raw_refs[user_id] = de_raw_ref; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 280 | std::string ce_raw_ref; |
| 281 | if (!install_key(ce_key, ce_raw_ref)) return false; |
| 282 | s_ce_key_raw_refs[user_id] = ce_raw_ref; |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 283 | LOG(DEBUG) << "Created keys for user " << user_id; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 284 | return true; |
| 285 | } |
| 286 | |
| 287 | static bool lookup_key_ref(const std::map<userid_t, std::string> &key_map, |
| 288 | userid_t user_id, std::string &raw_ref) { |
| 289 | auto refi = key_map.find(user_id); |
| 290 | if (refi == key_map.end()) { |
| 291 | LOG(ERROR) << "Cannot find key for " << user_id; |
| 292 | return false; |
| 293 | } |
| 294 | raw_ref = refi->second; |
| 295 | return true; |
| 296 | } |
| 297 | |
| 298 | static bool set_policy(const std::string &raw_ref, const std::string& path) { |
| 299 | if (do_policy_set(path.c_str(), raw_ref.data(), raw_ref.size()) != 0) { |
| 300 | LOG(ERROR) << "Failed to set policy on: " << path; |
| 301 | return false; |
| 302 | } |
| 303 | return true; |
Paul Crowley | 95376d6 | 2015-05-06 15:04:43 +0100 | [diff] [blame] | 304 | } |
Paul Crowley | b33e887 | 2015-05-19 12:34:09 +0100 | [diff] [blame] | 305 | |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 306 | static bool is_numeric(const char *name) { |
| 307 | for (const char *p = name; *p != '\0'; p++) { |
| 308 | if (!isdigit(*p)) |
| 309 | return false; |
| 310 | } |
| 311 | return true; |
| 312 | } |
| 313 | |
| 314 | static bool load_all_de_keys() { |
| 315 | auto de_dir = user_key_dir + "/de"; |
| 316 | auto dirp = std::unique_ptr<DIR, int(*)(DIR*)>(opendir(de_dir.c_str()), closedir); |
| 317 | if (!dirp) { |
| 318 | PLOG(ERROR) << "Unable to read de key directory"; |
| 319 | return false; |
| 320 | } |
| 321 | for (;;) { |
| 322 | errno = 0; |
| 323 | auto entry = readdir(dirp.get()); |
| 324 | if (!entry) { |
| 325 | if (errno) { |
| 326 | PLOG(ERROR) << "Unable to read de key directory"; |
| 327 | return false; |
| 328 | } |
| 329 | break; |
| 330 | } |
| 331 | if (entry->d_type != DT_DIR || !is_numeric(entry->d_name)) { |
| 332 | LOG(DEBUG) << "Skipping non-de-key " << entry->d_name; |
| 333 | continue; |
| 334 | } |
| 335 | userid_t user_id = atoi(entry->d_name); |
| 336 | if (s_de_key_raw_refs.count(user_id) == 0) { |
| 337 | std::string raw_ref; |
| 338 | if (!read_and_install_key(de_dir + "/" + entry->d_name, raw_ref)) return false; |
| 339 | s_de_key_raw_refs[user_id] = raw_ref; |
| 340 | LOG(DEBUG) << "Installed de key for user " << user_id; |
| 341 | } |
| 342 | } |
| 343 | // ext4enc:TODO: go through all DE directories, ensure that all user dirs have the |
| 344 | // correct policy set on them, and that no rogue ones exist. |
| 345 | return true; |
| 346 | } |
| 347 | |
Paul Lawrence | aec34df | 2016-02-03 10:52:41 -0800 | [diff] [blame] | 348 | int e4crypt_enable(const char* path) |
| 349 | { |
| 350 | LOG(INFO) << "e4crypt_enable"; |
| 351 | |
| 352 | if (s_enabled) { |
| 353 | LOG(INFO) << "Already enabled"; |
| 354 | return 0; |
| 355 | } |
| 356 | |
| 357 | std::string device_key; |
Paul Lawrence | 5a06a64 | 2016-02-03 13:39:13 -0800 | [diff] [blame^] | 358 | std::string device_key_path = std::string(path) + device_key_leaf; |
Paul Lawrence | aec34df | 2016-02-03 10:52:41 -0800 | [diff] [blame] | 359 | if (!android::vold::retrieveKey(device_key_path, device_key)) { |
| 360 | LOG(INFO) << "Creating new key"; |
| 361 | if (!random_key(device_key)) { |
| 362 | return -1; |
| 363 | } |
| 364 | |
Paul Lawrence | 5a06a64 | 2016-02-03 13:39:13 -0800 | [diff] [blame^] | 365 | std::string key_temp = std::string(path) + device_key_temp; |
| 366 | if (path_exists(key_temp)) { |
| 367 | android::vold::destroyKey(key_temp); |
| 368 | } |
| 369 | |
| 370 | if (!android::vold::storeKey(key_temp, device_key)) return false; |
| 371 | if (rename(key_temp.c_str(), device_key_path.c_str()) != 0) { |
| 372 | PLOG(ERROR) << "Unable to move new key to location: " |
| 373 | << device_key_path; |
| 374 | return false; |
Paul Lawrence | aec34df | 2016-02-03 10:52:41 -0800 | [diff] [blame] | 375 | } |
| 376 | } |
| 377 | |
| 378 | std::string device_key_ref; |
| 379 | if (!install_key(device_key, device_key_ref)) { |
| 380 | LOG(ERROR) << "Failed to install device key"; |
| 381 | return -1; |
| 382 | } |
| 383 | |
| 384 | UnencryptedProperties props(path); |
| 385 | if (!props.Remove(properties::ref)) { |
Paul Lawrence | 5a06a64 | 2016-02-03 13:39:13 -0800 | [diff] [blame^] | 386 | LOG(ERROR) << "Failed to remove key ref"; |
Paul Lawrence | aec34df | 2016-02-03 10:52:41 -0800 | [diff] [blame] | 387 | return -1; |
| 388 | } |
| 389 | |
| 390 | if (!props.Set(properties::ref, device_key_ref)) { |
Paul Lawrence | 5a06a64 | 2016-02-03 13:39:13 -0800 | [diff] [blame^] | 391 | LOG(ERROR) << "Cannot save key reference"; |
Paul Lawrence | aec34df | 2016-02-03 10:52:41 -0800 | [diff] [blame] | 392 | return -1; |
| 393 | } |
| 394 | |
| 395 | s_enabled = true; |
| 396 | return 0; |
| 397 | } |
| 398 | |
Paul Crowley | 8fb12fd | 2016-02-01 14:28:12 +0000 | [diff] [blame] | 399 | int e4crypt_init_user0() { |
| 400 | LOG(DEBUG) << "e4crypt_init_user0"; |
| 401 | if (e4crypt_is_native()) { |
| 402 | if (!prepare_dir(user_key_dir, 0700, AID_ROOT, AID_ROOT)) return -1; |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 403 | if (!prepare_dir(user_key_dir + "/ce", 0700, AID_ROOT, AID_ROOT)) return -1; |
| 404 | if (!prepare_dir(user_key_dir + "/de", 0700, AID_ROOT, AID_ROOT)) return -1; |
| 405 | auto de_path = get_de_key_path(0); |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 406 | auto ce_path = get_ce_key_path(0); |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 407 | if (!path_exists(de_path) || !path_exists(ce_path)) { |
| 408 | if (path_exists(de_path)) { |
| 409 | android::vold::destroyKey(de_path); // Ignore failure |
| 410 | } |
| 411 | if (path_exists(ce_path)) { |
| 412 | android::vold::destroyKey(ce_path); // Ignore failure |
| 413 | } |
| 414 | if (!create_and_install_user_keys(0, false)) return -1; |
Paul Crowley | 8fb12fd | 2016-02-01 14:28:12 +0000 | [diff] [blame] | 415 | } |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 416 | if (!load_all_de_keys()) return -1; |
Paul Crowley | 8fb12fd | 2016-02-01 14:28:12 +0000 | [diff] [blame] | 417 | } |
| 418 | // Ignore failures. FIXME this is horrid |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 419 | // FIXME: we need an idempotent policy-setting call, which simply verifies the |
| 420 | // policy is already set on a second run, even if the directory is nonempty. |
| 421 | // Then we need to call it all the time. |
Paul Crowley | 8fb12fd | 2016-02-01 14:28:12 +0000 | [diff] [blame] | 422 | e4crypt_prepare_user_storage(nullptr, 0, 0, false); |
| 423 | return 0; |
| 424 | } |
| 425 | |
Paul Crowley | 27cbce9 | 2015-12-10 14:51:30 +0000 | [diff] [blame] | 426 | int e4crypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral) { |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 427 | LOG(DEBUG) << "e4crypt_vold_create_user_key for " << user_id << " serial " << serial; |
Paul Crowley | ea62e26 | 2016-01-28 12:23:53 +0000 | [diff] [blame] | 428 | if (!e4crypt_is_native()) { |
| 429 | return 0; |
| 430 | } |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 431 | // FIXME test for existence of key that is not loaded yet |
| 432 | if (s_ce_key_raw_refs.count(user_id) != 0) { |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 433 | LOG(ERROR) << "Already exists, can't e4crypt_vold_create_user_key for " |
| 434 | << user_id << " serial " << serial; |
| 435 | // FIXME should we fail the command? |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 436 | return 0; |
| 437 | } |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 438 | if (!create_and_install_user_keys(user_id, ephemeral)) { |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 439 | return -1; |
| 440 | } |
| 441 | // TODO: create second key for user_de data |
| 442 | return 0; |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 443 | } |
| 444 | |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 445 | static bool evict_key(const std::string &raw_ref) { |
| 446 | auto ref = keyname(raw_ref); |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 447 | auto key_serial = keyctl_search(e4crypt_keyring(), "logon", ref.c_str(), 0); |
Paul Crowley | 1ef2558 | 2016-01-21 20:26:12 +0000 | [diff] [blame] | 448 | if (keyctl_revoke(key_serial) != 0) { |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 449 | PLOG(ERROR) << "Failed to revoke key with serial " << key_serial << " ref " << ref; |
Paul Crowley | 1ef2558 | 2016-01-21 20:26:12 +0000 | [diff] [blame] | 450 | return false; |
Paul Crowley | 9336348 | 2015-07-07 15:17:22 +0100 | [diff] [blame] | 451 | } |
Paul Crowley | 1ef2558 | 2016-01-21 20:26:12 +0000 | [diff] [blame] | 452 | LOG(DEBUG) << "Revoked key with serial " << key_serial << " ref " << ref; |
| 453 | return true; |
| 454 | } |
| 455 | |
| 456 | int e4crypt_destroy_user_key(userid_t user_id) { |
| 457 | LOG(DEBUG) << "e4crypt_destroy_user_key(" << user_id << ")"; |
Paul Crowley | ea62e26 | 2016-01-28 12:23:53 +0000 | [diff] [blame] | 458 | if (!e4crypt_is_native()) { |
| 459 | return 0; |
| 460 | } |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 461 | bool success = true; |
| 462 | std::string raw_ref; |
| 463 | success &= lookup_key_ref(s_ce_key_raw_refs, user_id, raw_ref) && evict_key(raw_ref); |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 464 | success &= lookup_key_ref(s_de_key_raw_refs, user_id, raw_ref) && evict_key(raw_ref); |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 465 | auto it = s_ephemeral_users.find(user_id); |
| 466 | if (it != s_ephemeral_users.end()) { |
| 467 | s_ephemeral_users.erase(it); |
Paul Crowley | 1ef2558 | 2016-01-21 20:26:12 +0000 | [diff] [blame] | 468 | } else { |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 469 | success &= android::vold::destroyKey(get_ce_key_path(user_id)); |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 470 | success &= android::vold::destroyKey(get_de_key_path(user_id)); |
Lenka Trochtova | 395039f | 2015-11-25 10:13:03 +0100 | [diff] [blame] | 471 | } |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 472 | return success ? 0 : -1; |
Paul Crowley | b33e887 | 2015-05-19 12:34:09 +0100 | [diff] [blame] | 473 | } |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 474 | |
Jeff Sharkey | 7a9dd95 | 2016-01-12 16:52:16 -0700 | [diff] [blame] | 475 | static int emulated_lock(const std::string& path) { |
| 476 | if (chmod(path.c_str(), 0000) != 0) { |
| 477 | PLOG(ERROR) << "Failed to chmod " << path; |
| 478 | return -1; |
| 479 | } |
| 480 | #if EMULATED_USES_SELINUX |
| 481 | if (setfilecon(path.c_str(), "u:object_r:storage_stub_file:s0") != 0) { |
| 482 | PLOG(WARNING) << "Failed to setfilecon " << path; |
| 483 | return -1; |
| 484 | } |
| 485 | #endif |
| 486 | return 0; |
| 487 | } |
| 488 | |
| 489 | static int emulated_unlock(const std::string& path, mode_t mode) { |
| 490 | if (chmod(path.c_str(), mode) != 0) { |
| 491 | PLOG(ERROR) << "Failed to chmod " << path; |
Paul Crowley | a042cb5 | 2016-01-21 17:24:49 +0000 | [diff] [blame] | 492 | // FIXME temporary workaround for b/26713622 |
| 493 | if (e4crypt_is_emulated()) return -1; |
Jeff Sharkey | 7a9dd95 | 2016-01-12 16:52:16 -0700 | [diff] [blame] | 494 | } |
| 495 | #if EMULATED_USES_SELINUX |
| 496 | if (selinux_android_restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_FORCE) != 0) { |
| 497 | PLOG(WARNING) << "Failed to restorecon " << path; |
Paul Crowley | a042cb5 | 2016-01-21 17:24:49 +0000 | [diff] [blame] | 498 | // FIXME temporary workaround for b/26713622 |
| 499 | if (e4crypt_is_emulated()) return -1; |
Jeff Sharkey | 7a9dd95 | 2016-01-12 16:52:16 -0700 | [diff] [blame] | 500 | } |
| 501 | #endif |
| 502 | return 0; |
| 503 | } |
| 504 | |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 505 | int e4crypt_unlock_user_key(userid_t user_id, int serial, const char* token) { |
| 506 | LOG(DEBUG) << "e4crypt_unlock_user_key " << user_id << " " << (token != nullptr); |
Jeff Sharkey | fc505c3 | 2015-12-07 17:27:01 -0700 | [diff] [blame] | 507 | if (e4crypt_is_native()) { |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 508 | if (!read_and_install_user_ce_key(user_id)) { |
Paul Crowley | 8fb12fd | 2016-02-01 14:28:12 +0000 | [diff] [blame] | 509 | LOG(ERROR) << "Couldn't read key for " << user_id; |
| 510 | return -1; |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 511 | } |
Jeff Sharkey | fc505c3 | 2015-12-07 17:27:01 -0700 | [diff] [blame] | 512 | } else { |
| 513 | // When in emulation mode, we just use chmod. However, we also |
| 514 | // unlock directories when not in emulation mode, to bring devices |
| 515 | // back into a known-good state. |
Jeff Sharkey | 7a9dd95 | 2016-01-12 16:52:16 -0700 | [diff] [blame] | 516 | if (emulated_unlock(android::vold::BuildDataSystemCePath(user_id), 0771) || |
| 517 | emulated_unlock(android::vold::BuildDataMediaPath(nullptr, user_id), 0770) || |
| 518 | emulated_unlock(android::vold::BuildDataUserPath(nullptr, user_id), 0771)) { |
| 519 | LOG(ERROR) << "Failed to unlock user " << user_id; |
Jeff Sharkey | fc505c3 | 2015-12-07 17:27:01 -0700 | [diff] [blame] | 520 | return -1; |
| 521 | } |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 522 | } |
| 523 | return 0; |
| 524 | } |
| 525 | |
| 526 | int e4crypt_lock_user_key(userid_t user_id) { |
Jeff Sharkey | fc505c3 | 2015-12-07 17:27:01 -0700 | [diff] [blame] | 527 | if (e4crypt_is_native()) { |
| 528 | // TODO: remove from kernel keyring |
| 529 | } else if (e4crypt_is_emulated()) { |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 530 | // When in emulation mode, we just use chmod |
Jeff Sharkey | 7a9dd95 | 2016-01-12 16:52:16 -0700 | [diff] [blame] | 531 | if (emulated_lock(android::vold::BuildDataSystemCePath(user_id)) || |
| 532 | emulated_lock(android::vold::BuildDataMediaPath(nullptr, user_id)) || |
| 533 | emulated_lock(android::vold::BuildDataUserPath(nullptr, user_id))) { |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 534 | PLOG(ERROR) << "Failed to lock user " << user_id; |
| 535 | return -1; |
| 536 | } |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 537 | } |
Jeff Sharkey | fc505c3 | 2015-12-07 17:27:01 -0700 | [diff] [blame] | 538 | |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 539 | return 0; |
| 540 | } |
| 541 | |
Lenka Trochtova | 9ad4369 | 2015-12-11 13:27:26 +0100 | [diff] [blame] | 542 | int e4crypt_prepare_user_storage(const char* volume_uuid, |
| 543 | userid_t user_id, |
| 544 | int serial, |
| 545 | bool ephemeral) { |
Paul Crowley | 285956f | 2016-01-20 13:12:38 +0000 | [diff] [blame] | 546 | if (volume_uuid) { |
| 547 | LOG(DEBUG) << "e4crypt_prepare_user_storage " << volume_uuid << " " << user_id; |
| 548 | } else { |
| 549 | LOG(DEBUG) << "e4crypt_prepare_user_storage, null volume " << user_id; |
| 550 | } |
Paul Crowley | 13ffd8e | 2016-01-27 14:30:22 +0000 | [diff] [blame] | 551 | auto system_ce_path = android::vold::BuildDataSystemCePath(user_id); |
| 552 | auto media_ce_path = android::vold::BuildDataMediaPath(volume_uuid, user_id); |
| 553 | auto user_ce_path = android::vold::BuildDataUserPath(volume_uuid, user_id); |
| 554 | auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id); |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 555 | |
Paul Crowley | 8fb12fd | 2016-02-01 14:28:12 +0000 | [diff] [blame] | 556 | // FIXME: should this be 0770 or 0700? |
| 557 | if (!prepare_dir(system_ce_path, 0770, AID_SYSTEM, AID_SYSTEM)) return -1; |
Paul Crowley | 13ffd8e | 2016-01-27 14:30:22 +0000 | [diff] [blame] | 558 | if (!prepare_dir(media_ce_path, 0770, AID_MEDIA_RW, AID_MEDIA_RW)) return -1; |
| 559 | if (!prepare_dir(user_ce_path, 0771, AID_SYSTEM, AID_SYSTEM)) return -1; |
| 560 | if (!prepare_dir(user_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return -1; |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 561 | |
| 562 | if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 563 | std::string ce_raw_ref, de_raw_ref; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 564 | if (!lookup_key_ref(s_ce_key_raw_refs, user_id, ce_raw_ref)) return -1; |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 565 | if (!lookup_key_ref(s_de_key_raw_refs, user_id, de_raw_ref)) return -1; |
Paul Crowley | b1f3d24 | 2016-01-28 10:09:46 +0000 | [diff] [blame] | 566 | if (!set_policy(ce_raw_ref, system_ce_path)) return -1; |
| 567 | if (!set_policy(ce_raw_ref, media_ce_path)) return -1; |
| 568 | if (!set_policy(ce_raw_ref, user_ce_path)) return -1; |
Paul Crowley | b92f83c | 2016-02-01 14:10:43 +0000 | [diff] [blame] | 569 | if (!set_policy(de_raw_ref, user_de_path)) return -1; |
| 570 | // FIXME I thought there were more DE directories than this |
Jeff Sharkey | d2c96e7 | 2015-11-08 17:56:23 -0800 | [diff] [blame] | 571 | } |
| 572 | |
| 573 | return 0; |
| 574 | } |