New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 688256 link

Starred by 1 user
Status: Verified
Owner:
kinaba@chromium.org
Closed: Feb 2017
Cc:
gwendal@chromium.org
uekawa@chromium.org
hashimoto@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug

Blocking:
issue 682951



Sign in to add a comment

ext4crypto: security_StatefulPermissions test fails.

Project Member Reported by kinaba@chromium.org, Feb 3 2017 
With ext4crypto enabled, this test fails on a device that had run ARC.

The purpose of the test is to verify that there's no writable file owned by a non-whitelisted uid.
What's failing is a file under android-data written by Android apps.

We have an exemption list for those files already...
https://chromium.git.corp.google.com/chromiumos/third_party/autotest/+/395b34785fabfb7d7e95c73f4e5973631c8e10b0/client/site_tests/security_StatefulPermissions/security_StatefulPermissions.py#113
but the problem is in the filtering regex.

'STATEFUL_ROOT/home/.shadow/[[:alnum:]]{40}/vault/root/[^/]*/[^/]'


After switching we don't use /vault/ anymore, and files are directly located on /mount/.
(and a more subtle issue is that the directory name /root/ is now also encrypted.)

Comment 1 by kinaba@chromium.org, Feb 3 2017 

security_ProfilePermissions is checking further detailed permissions
under if cryptohome.is_vault_mounted():, so once we fix  Bug 688258 ,
we may see more instances like this.

Comment 2 by kinaba@chromium.org, Feb 6 2017

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Feb 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/770b373e0e5c6cd6c9fbc10872de071fa3d9b9d5

commit 770b373e0e5c6cd6c9fbc10872de071fa3d9b9d5
Author: Kazuhiro Inaba <kinaba@chromium.org>
Date: Tue Feb 07 18:29:17 2017

ext4crypto: Update pruning regex in security_StatefulPermissions test.

The Android user data path changes when we switch the underlying filesystem
encryption (mainly because on ecryptfs we need to mount the encrypted tree
elsewhere as a decrypted tree, but on ext4 encryption the tree id decrypted
in-place.) The test needs to take both the cases into account during the
transition period.

BUG= chromium:688256 
TEST=Run the test on both ecryptfs and ext4crypto backends.

Change-Id: I402819f63864803d1cc328589d70be2da5a71888
Reviewed-on: https://chromium-review.googlesource.com/438148
Commit-Ready: Kazuhiro Inaba <kinaba@chromium.org>
Tested-by: Kazuhiro Inaba <kinaba@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Ryo Hashimoto <hashimoto@chromium.org>

[modify] https://crrev.com/770b373e0e5c6cd6c9fbc10872de071fa3d9b9d5/client/site_tests/security_StatefulPermissions/security_StatefulPermissions.py

Comment 4 by kinaba@chromium.org, Feb 7 2017

Status: Fixed (was: Started)

Comment 5 by dhadd...@chromium.org, Apr 11 2017

Status: Verified (was: Fixed)
Test is passing on M58 caroline

Sign in to add a comment