Merge "Add adb enable-verity"

6 files changed, 104 insertions, 31 deletions

diff --git a/adb/Android.mk b/adb/Android.mk
index 99a7ce61d..8ebcbf0d2 100644
--- a/adb/Android.mk
+++ b/adb/Android.mk
@@ -110,7 +110,7 @@ LOCAL_SRC_FILES := \
         jdwp_service.c \
         framebuffer_service.c \
         remount_service.c \
-        disable_verity_service.c \
+        set_verity_enable_state_service.c \
         usb_linux_client.c
 
 LOCAL_CFLAGS := \
diff --git a/adb/adb.h b/adb/adb.h
index 044760e24..35d8a4d10 100644
--- a/adb/adb.h
+++ b/adb/adb.h
@@ -328,8 +328,10 @@ int handle_forward_request(const char* service, transport_type ttype, char* seri
 
 #if !ADB_HOST
 void framebuffer_service(int fd, void *cookie);
+// Allow enable-verity to write to system and vendor block devices
+int make_system_and_vendor_block_devices_writable();
 void remount_service(int fd, void *cookie);
-void disable_verity_service(int fd, void* cookie);
+void set_verity_enabled_state_service(int fd, void* cookie);
 #endif
 
 /* packet allocator */
diff --git a/adb/commandline.c b/adb/commandline.c
index 21945d9eb..49f1b9585 100644
--- a/adb/commandline.c
+++ b/adb/commandline.c
@@ -190,10 +190,11 @@ void help()
         "\n"
         "  adb restore <file>           - restore device contents from the <file> backup archive\n"
         "\n"
+        "  adb disable-verity           - disable dm-verity checking on USERDEBUG builds\n"
+        "  adb enable-verity            - re-enable dm-verity checking on USERDEBUG builds\n"
         "  adb keygen <file>            - generate adb public/private key. The private key is stored in <file>,\n"
         "                                 and the public key is stored in <file>.pub. Any existing files\n"
         "                                 are overwritten.\n"
-        "  adb disable-verity           - disable dm-verity checking on USERDEBUG builds\n"
         "  adb help                     - show this help message\n"
         "  adb version                  - show version num\n"
         "\n"
@@ -1446,7 +1447,8 @@ top:
     if(!strcmp(argv[0], "remount") || !strcmp(argv[0], "reboot")
             || !strcmp(argv[0], "reboot-bootloader")
             || !strcmp(argv[0], "tcpip") || !strcmp(argv[0], "usb")
-            || !strcmp(argv[0], "root") || !strcmp(argv[0], "disable-verity")) {
+            || !strcmp(argv[0], "root") || !strcmp(argv[0], "disable-verity")
+            || !strcmp(argv[0], "enable-verity")) {
         char command[100];
         if (!strcmp(argv[0], "reboot-bootloader"))
             snprintf(command, sizeof(command), "reboot:bootloader");
diff --git a/adb/remount_service.c b/adb/remount_service.c
index 36367a73f..05d31691e 100644
--- a/adb/remount_service.c
+++ b/adb/remount_service.c
@@ -79,29 +79,57 @@ static int hasVendorPartition()
     return false;
 }
 
+static int make_block_device_writable(const char* dir)
+{
+    char *dev = 0;
+    int fd = -1;
+    int OFF = 0;
+    int rc = -1;
+
+    dev = find_mount(dir);
+    if (!dev)
+        goto errout;
+
+    fd = unix_open(dev, O_RDONLY | O_CLOEXEC);
+    if (fd < 0)
+        goto errout;
+
+    if (ioctl(fd, BLKROSET, &OFF)) {
+        goto errout;
+    }
+
+    rc = 0;
+
+errout:
+    if (fd >= 0) {
+        adb_close(fd);
+    }
+
+    if (dev) {
+        free(dev);
+    }
+    return rc;
+}
+
 /* Init mounts /system as read only, remount to enable writes. */
 static int remount(const char* dir, int* dir_ro)
 {
     char *dev;
-    int fd;
     int OFF = 0;
 
     if (dir_ro == 0) {
         return 0;
     }
 
+    if (make_block_device_writable(dir)) {
+        return -1;
+    }
+
     dev = find_mount(dir);
 
     if (!dev)
         return -1;
 
-    fd = unix_open(dev, O_RDONLY | O_CLOEXEC);
-    if (fd < 0)
-        return -1;
-
-    ioctl(fd, BLKROSET, &OFF);
-    adb_close(fd);
-
     *dir_ro = mount(dev, dir, "none", MS_REMOUNT, NULL);
 
     free(dev);
@@ -114,6 +142,28 @@ static void write_string(int fd, const char* str)
     writex(fd, str, strlen(str));
 }
 
+int make_system_and_vendor_block_devices_writable(int fd)
+{
+    char buffer[200];
+    if (make_block_device_writable("/system")) {
+        snprintf(buffer, sizeof(buffer),
+                 "Failed to make system block device writable %s\n",
+                 strerror(errno));
+        write_string(fd, buffer);
+        return -1;
+    }
+
+    if (hasVendorPartition() && make_block_device_writable("/vendor")) {
+        snprintf(buffer, sizeof(buffer),
+                 "Failed to make vendor block device writable: %s\n",
+                 strerror(errno));
+        write_string(fd, buffer);
+        return -1;
+    }
+
+    return 0;
+}
+
 void remount_service(int fd, void *cookie)
 {
     char buffer[200];
@@ -167,4 +217,3 @@ void remount_service(int fd, void *cookie)
 
     adb_close(fd);
 }
-
diff --git a/adb/services.c b/adb/services.c
index 1aeb37655..d5a464277 100644
--- a/adb/services.c
+++ b/adb/services.c
@@ -472,7 +472,9 @@ int service_to_fd(const char *name)
             }
         }
     } else if(!strncmp(name, "disable-verity:", 15)) {
-        ret = create_service_thread(disable_verity_service, NULL);
+        ret = create_service_thread(set_verity_enabled_state_service, (void*)0);
+    } else if(!strncmp(name, "enable-verity:", 15)) {
+        ret = create_service_thread(set_verity_enabled_state_service, (void*)1);
 #endif
     }
     if (ret >= 0) {
diff --git a/adb/disable_verity_service.c b/adb/set_verity_enable_state_service.c
index ed3da5210..6692ab757 100644
--- a/adb/disable_verity_service.c
+++ b/adb/set_verity_enable_state_service.c
@@ -78,11 +78,13 @@ static int get_target_device_size(int fd, const char *blk_device,
     return 0;
 }
 
-static int disable_verity(int fd, const char *block_device,
-                          const char* mount_point)
+/* Turn verity on/off */
+static int set_verity_enabled_state(int fd, const char *block_device,
+                                    const char* mount_point, bool enable)
 {
     uint32_t magic_number;
-    const uint32_t voff = VERITY_METADATA_MAGIC_DISABLE;
+    const uint32_t new_magic = enable ? VERITY_METADATA_MAGIC_NUMBER
+                                      : VERITY_METADATA_MAGIC_DISABLE;
     uint64_t device_length;
     int device;
     int retval = -1;
@@ -114,12 +116,18 @@ static int disable_verity(int fd, const char *block_device,
         goto errout;
     }
 
-    if (magic_number == VERITY_METADATA_MAGIC_DISABLE) {
+    if (!enable && magic_number == VERITY_METADATA_MAGIC_DISABLE) {
         write_console(fd, "Verity already disabled on %s\n", mount_point);
         goto errout;
     }
 
-    if (magic_number != VERITY_METADATA_MAGIC_NUMBER) {
+    if (enable && magic_number == VERITY_METADATA_MAGIC_NUMBER) {
+        write_console(fd, "Verity already enabled on %s\n", mount_point);
+        goto errout;
+    }
+
+    if (magic_number != VERITY_METADATA_MAGIC_NUMBER
+            && magic_number != VERITY_METADATA_MAGIC_DISABLE) {
         write_console(fd,
                       "Couldn't find verity metadata at offset %"PRIu64"!\n",
                       device_length);
@@ -132,13 +140,17 @@ static int disable_verity(int fd, const char *block_device,
         goto errout;
     }
 
-    if (adb_write(device, &voff, sizeof(voff)) != sizeof(voff)) {
-        write_console(fd, "Could not set verity disabled flag on device %s\n",
-                      block_device);
+    if (adb_write(device, &new_magic, sizeof(new_magic)) != sizeof(new_magic)) {
+        write_console(fd, "Could not set verity %s flag on device %s with error %s\n",
+                      enable ? "enabled" : "disabled",
+                      block_device,
+                      strerror(errno));
         goto errout;
     }
 
-    write_console(fd, "Verity disabled on %s\n", mount_point);
+    write_console(fd, "Verity %s on %s\n",
+                  enable ? "enabled" : "disabled",
+                  mount_point);
     retval = 0;
 errout:
     if (device != -1)
@@ -146,13 +158,14 @@ errout:
     return retval;
 }
 
-void disable_verity_service(int fd, void* cookie)
+void set_verity_enabled_state_service(int fd, void* cookie)
 {
+    bool enable = (cookie != NULL);
 #ifdef ALLOW_ADBD_DISABLE_VERITY
     char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)];
     char propbuf[PROPERTY_VALUE_MAX];
     int i;
-    bool any_disabled = false;
+    bool any_changed = false;
 
     property_get("ro.secure", propbuf, "0");
     if (strcmp(propbuf, "1")) {
@@ -162,7 +175,7 @@ void disable_verity_service(int fd, void* cookie)
 
     property_get("ro.debuggable", propbuf, "0");
     if (strcmp(propbuf, "1")) {
-        write_console(fd, "verity cannot be disabled - USER build\n");
+        write_console(fd, "verity cannot be disabled/enabled - USER build\n");
         goto errout;
     }
 
@@ -176,22 +189,27 @@ void disable_verity_service(int fd, void* cookie)
         goto errout;
     }
 
+    if (enable && make_system_and_vendor_block_devices_writable(fd)) {
+        goto errout;
+    }
+
     /* Loop through entries looking for ones that vold manages */
     for (i = 0; i < fstab->num_entries; i++) {
         if(fs_mgr_is_verified(&fstab->recs[i])) {
-            if (!disable_verity(fd, fstab->recs[i].blk_device,
-                                fstab->recs[i].mount_point)) {
-                any_disabled = true;
+            if (!set_verity_enabled_state(fd, fstab->recs[i].blk_device,
+                                          fstab->recs[i].mount_point, enable)) {
+                any_changed = true;
             }
        }
     }
 
-    if (any_disabled) {
+    if (any_changed) {
         write_console(fd,
                       "Now reboot your device for settings to take effect\n");
     }
 #else
-    write_console(fd, "disable-verity only works for userdebug builds\n");
+    write_console(fd, "%s-verity only works for userdebug builds\n",
+                  disabling ? "disable" : "enable");
 #endif
 
 errout: