#include <service_impl.h>
#include <check-proper-drop.h>
#include <utils.h>
+#include <ext4.h>
+#include <keyring.h>
+#include <yaca-lifetime.h>
#include <security-manager.h>
#include <client-offline.h>
return try_catch([&]() -> int {
std::vector<char> fek;
- // get key from key manager
+ // get FEK from key manager
int ret = security_manager_get_fek(app_id, password, fek);
if (ret != SECURITY_MANAGER_SUCCESS)
return ret;
- // TODO insert it into process keyring
+ // insert FEK into process keyring
+ EXT4::Key fekKey(fek);
+ fekKey.insertIntoKeyring(KeyRing::PROCESS_KEYRING);
return SECURITY_MANAGER_SUCCESS;
});
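Review bot: The value returned by `fekKey.insertIntoKeyring(KeyRing::PROCESS_KEYRING)` is dropped, and the lambda then returns `SECURITY_MANAGER_SUCCESS` unconditionally. The service-side hunks on this page store the same call's result as an `int32_t` id, so if the method reports failure through that value rather than by throwing (its declaration is not visible here), the caller is told the FEK is loaded when it is not. Capture the id and map a failure to an error code, e.g. `if (fekKey.insertIntoKeyring(KeyRing::PROCESS_KEYRING) < 0) return SECURITY_MANAGER_ERROR_UNKNOWN;`, adjusting the condition to the method's actual contract. The two `int32_t fekId = fekKey.insertIntoKeyring(...)` sites in the enable and disable paths also pass the id straight to `KeyRing::Key` without a check. The enclosing function starts outside the hunk.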
#include <sys/smack.h>
+#include <yaca_crypto.h>
+#include <yaca_error.h>
+
#include <config.h>
#include "protocols.h"
#include "privilege_db.h"
#include "privilege-info.h"
#include "fek-manager.h"
#include "encryption-access.h"
+#include "ext4.h"
+#include "keyring.h"
+#include "yaca-lifetime.h"
#include "service_impl.h"
ServiceImpl::~ServiceImpl()
{
- // TODO cleanup yaca if necessary
}
int ServiceImpl::validatePolicy(const Credentials &creds, policy_entry &policyEntry, CynaraAdminPolicy &cyap)
// enable encryption
// generate FEK
- std::vector<char> fek(64, 0);
+ std::vector<char> fek(EXT4::KEY_SIZE, 0);
- // TODO initialize yaca (on demand)
+ // initialize yaca for ext4 key operations
+ if (g_yacaLifetime.initialize() != YACA_ERROR_NONE)
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
- // TODO randomize FEK
+ // randomize FEK
+ ret = yaca_randomize_bytes(fek.data(), EXT4::KEY_SIZE);
+ if (ret != YACA_ERROR_NONE)
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
- // TODO insert FEK into keyring
+ // insert FEK into keyring
+ EXT4::Key fekKey(fek);
+ const std::string fekHash = fekKey.getHash();
+ int32_t fekId = fekKey.insertIntoKeyring(KeyRing::PROCESS_KEYRING);
for (const auto& p : paths) {
- (void)p;
- // TODO set policy for path
+ // encrypt directory
+ EXT4::Directory dir(p);
+ dir.encrypt(fekHash);
}
- // TODO remove FEK from keyring
+ // remove FEK from keyring
+ KeyRing::Key key(fekId);
+ key.revoke();
+ key.unlink(KeyRing::PROCESS_KEYRING);
// store FEK protected with password
return FEKmanager::saveFEK(creds.uid, creds.label, appName, newPw, fek);
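Review bot: The `key.revoke()` / `key.unlink(KeyRing::PROCESS_KEYRING)` pair runs only when every `dir.encrypt(fekHash)` completes, so an exception from `EXT4::Directory` (assuming these wrappers throw, which is not visible here) leaves the freshly generated FEK in the service's process keyring. The disable path has the same shape around `dir.decrypt()`. Construct the `KeyRing::Key` right after insertion and run the cleanup on the failure path too, as sketched below; a small scope guard would do the same without the duplication. Separately, the directories are encrypted before `FEKmanager::saveFEK` has stored the key, so a failed save leaves them bound to a key that exists only in `fek`; consider saving first or undoing the policy on failure. The enclosing function starts outside the hunk.

```cpp
int32_t fekId = fekKey.insertIntoKeyring(KeyRing::PROCESS_KEYRING);
KeyRing::Key key(fekId);
try {
    // … unchanged: per-path EXT4::Directory encrypt loop …
} catch (...) {
    // do not leave the FEK reachable in the service keyring on failure
    key.revoke();
    key.unlink(KeyRing::PROCESS_KEYRING);
    throw;
}
key.revoke();
key.unlink(KeyRing::PROCESS_KEYRING);
```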
return ret;
// insert FEK into keyring to decrypt existing data
+ EXT4::Key fekKey(fek);
+ int32_t fekId = fekKey.insertIntoKeyring(KeyRing::PROCESS_KEYRING);
for (const auto& p : paths) {
- (void)p;
- // TODO remove/decrypt directory
+ // decrypt directory
+ EXT4::Directory dir(p);
+ dir.decrypt();
}
- // TODO remove FEK from keyring
+ // remove FEK from keyring
+ KeyRing::Key key(fekId);
+ key.revoke();
+ key.unlink(KeyRing::PROCESS_KEYRING);
// remove FEK from key manager
return FEKmanager::removeFEK(creds.uid, creds.label, appName);
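Review bot: `FEKmanager::removeFEK` is reached regardless of what `dir.decrypt()` did for each path. If `decrypt()` signals failure by return value rather than by throwing (its declaration is not visible in this hunk), the stored FEK is deleted while a directory is still encrypted under it, and that data can no longer be read. Check each `dir.decrypt()` result and return before `removeFEK` on the first failure, keeping the key in the key manager so the operation can be retried. The enclosing function starts outside the hunk.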