%manifest ode.manifest
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/oded
+%attr(700,root,root) %{_sbindir}/ode-mount-external.sh
%{_unitdir}/ode.service
%{_unitdir}/multi-user.target.wants/ode.service
+%{_unitdir}/ode-mount-external.path
+%{_unitdir}/ode-mount-external.service
+%{_unitdir}/multi-user.target.wants/ode-mount-external.path
%attr(700,root,root) %{_sbindir}/ode-admin-cli
%prep
%make_install
mkdir -p %{buildroot}/%{_unitdir}/multi-user.target.wants
ln -s ../ode.service %{buildroot}/%{_unitdir}/multi-user.target.wants/ode.service
+ln -s ../ode-mount-external.path %{buildroot}/%{_unitdir}/multi-user.target.wants/ode-mount-external.path
%find_lang secure-erase
%find_lang ode
)
CONFIGURE_FILE(systemd/${PROJECT_NAME}.service.in systemd/${PROJECT_NAME}.service)
+CONFIGURE_FILE(systemd/${PROJECT_NAME}-mount-external.service.in systemd/${PROJECT_NAME}-mount-external.service)
INSTALL(TARGETS ${SERVER_NAME} DESTINATION ${BIN_DIR})
INSTALL(FILES systemd/${PROJECT_NAME}.service DESTINATION ${SYSTEMD_UNIT_DIR})
+INSTALL(FILES systemd/${PROJECT_NAME}-mount-external.path DESTINATION ${SYSTEMD_UNIT_DIR})
+INSTALL(FILES systemd/${PROJECT_NAME}-mount-external.service DESTINATION ${SYSTEMD_UNIT_DIR})
#include <klay/exception.h>
#include <klay/filesystem.h>
+#include "../../key-manager/key-generator.h"
#include "../../kernel-keyring.h"
#include "../../file-footer.h"
#include "../../logger.h"
::memcpy(payload.token.password.sessionKeyEncryptionKey, key.data(),
payload.token.password.sessionKeyEncryptionKeySize);
+ KeyGenerator::data sigdata = KeyGenerator::MD5(KeyGenerator::data(destination.begin(), destination.end()));
std::stringstream signature;
signature<< std::hex << std::setfill('0') << std::setw(2);
- for (unsigned int byte : key) {
+ for (unsigned int byte : sigdata) {
signature << byte;
}
+
for (int i = key.size(); i < ECRYPTFS_SIGNATURE_SIZE / 2; i++) {
signature << (unsigned int) 0;
}
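Review bot: The zero-padding loop `for (int i = key.size(); i < ECRYPTFS_SIGNATURE_SIZE / 2; i++)` still counts from `key.size()` although the hex bytes written just above now come from `sigdata`, so the emitted signature length no longer tracks what was actually written; it should be `for (size_t i = sigdata.size(); i < ECRYPTFS_SIGNATURE_SIZE / 2; i++)`. Independently, `std::setw(2)` on the `signature` stream applies only to the next insertion, so every byte after the first below 0x10 is written as a single hex digit; move it into the loop as `signature << std::setw(2) << byte;`. If `KeyGenerator::data` is a container of signed `char`, the `unsigned int byte` range variable sign-extends negative values into eight hex digits — iterating as `unsigned char` and casting would avoid that, worth confirming against the typedef. The enclosing function starts outside the hunk.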
#include <fstream>
#include <sstream>
+#include <fcntl.h>
#include <signal.h>
#include <unistd.h>
#include <sys/mount.h>
#define EXTERNAL_STATE_VCONF_KEY VCONFKEY_SDE_CRYPTO_STATE
#define EXTERNAL_OPTION_ONLY_NEW_FILE_VCONF_KEY VCONFKEY_SDE_ENCRYPT_NEWFILE
#define EXTERNAL_OPTION_EXCEPT_FOR_MEDIA_FILE_VCONF_KEY VCONFKEY_SDE_EXCLUDE_MEDIAFILE
+#define EXTERNAL_SYSTEMD_UNIT "ode-mount-external.service"
#define PRIVILEGE_PLATFORM "http://tizen.org/privilege/internal/default/platform"
engine->mount(mountKey, getOptions());
mountKey.clear();
+ //For smackfsroot, smackfsdef option without CAP_MAC_ADMIN
+ runtime::File fileToTouch("/tmp/.ode-mount-external");
+ try {
+ fileToTouch.remove();
+ } catch(runtime::Exception &e) {}
+ fileToTouch.create(O_WRONLY);
+
context.notify("ExternalEncryption::mount");
return 0;
return 0;
}
+ INFO(SINK, "Close all user sessions...");
+ stopSystemdUserSessions();
INFO(SINK, "Close all processes using internal storage...");
stopDependedSystemdServices();
INFO(SINK, "Umount internal storage...");
--- /dev/null
+[Path]
+PathExists=/tmp/.ode-mount-external
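Review bot: `PathExists=/tmp/.ode-mount-external` makes a root-run oneshot service (the `[Service]` section of the `ode-mount-external.service` hunk below) triggerable by the presence of a file in a world-writable directory, and the daemon side creates it there as well (`fileToTouch.create(O_WRONLY)` in the ExternalEncryption mount hunk). Any local process able to create that name can start the remount, and a pre-existing entry at that path can interfere with the daemon's remove/create sequence; keeping the trigger in a root-owned runtime directory (for example one provisioned with `RuntimeDirectory=` on the daemon's unit and referenced as `PathExists=/run/<project-runtime-dir>/mount-external`) keeps it under the daemon's control. The unit also has no `[Unit]` section; a `Description=` mirroring the service's would help readers of `systemctl list-units`.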
--- /dev/null
+[Unit]
+Description=@PROJECT_NAME@ mount for external encrypted storage
+After=@PROJECT_NAME@.service
+
+[Service]
+Type=oneshot
+SmackProcessLabel=System::Privileged
+ExecStart=/sbin/ode-mount-external.sh
+CapabilityBoundingSet=~CAP_MAC_OVERRIDE
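Review bot: `ExecStart=/sbin/ode-mount-external.sh` hardcodes the path, while the script is installed with `DESTINATION sbin` relative to the install prefix and packaged as `%{_sbindir}/ode-mount-external.sh`; if the prefix is not `/` or `%{_sbindir}` resolves to a directory other than `/sbin`, the unit fails to start. This file already goes through CONFIGURE_FILE, so derive it instead, e.g. `ExecStart=@CMAKE_INSTALL_PREFIX@/sbin/@PROJECT_NAME@-mount-external.sh`. With `Type=oneshot` and no `RemainAfterExit=`, the service returns to inactive as soon as the script exits while the trigger file it was started for still exists (the script never removes it); check this against systemd's path-unit retrigger behaviour so the remount does not run repeatedly.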
TARGET_LINK_LIBRARIES(${CLI_NAME} ${CLI_DEPS_LIBRARIES} ${PROJECT_NAME} ode)
INSTALL(TARGETS ${CLI_NAME} DESTINATION sbin)
+INSTALL(FILES ${PROJECT_NAME}-mount-external.sh DESTINATION sbin)
--- /dev/null
+#!/bin/bash
+PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+
+STORAGE="/opt/media/SDCardA1"
+
+OPTION=`cat /proc/mounts | grep "${STORAGE} ${STORAGE} ecryptfs" | gawk '{print $4}'`
+
+if [ -z ${OPTION} ]; then
+ exit -1
+fi
+
+umount ${STORAGE}
+
+mount -t ecryptfs -o ${OPTION},smackfsroot=*,smackfsdef=* ${STORAGE} ${STORAGE}
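Review bot: `if [ -z ${OPTION} ]` and `mount -t ecryptfs -o ${OPTION},smackfsroot=*,smackfsdef=* ${STORAGE} ${STORAGE}` expand variables unquoted: the empty case only passes because a lone `[ -z ]` tests `-z` as a non-empty string, and any whitespace in the option field would split the mount arguments. `exit -1` is not a valid exit status and is reported as 255. The `cat | grep | gawk` pipeline treats `${STORAGE}` as a regular expression and requires gawk; a single awk field comparison is stricter and portable. The script also continues to `mount` when `umount` fails, which would stack a second ecryptfs layer, and it never removes the `/tmp/.ode-mount-external` trigger file that started it.
```bash
# … unchanged: shebang, PATH, STORAGE …
OPTION=$(awk -v s="${STORAGE}" '$1 == s && $2 == s && $3 == "ecryptfs" { print $4 }' /proc/mounts)

if [ -z "${OPTION}" ]; then
    exit 1
fi

umount "${STORAGE}" || exit 1

mount -t ecryptfs -o "${OPTION},smackfsroot=*,smackfsdef=*" "${STORAGE}" "${STORAGE}"
RC=$?
rm -f /tmp/.ode-mount-external
exit "${RC}"
```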