/* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ //! This crate implements AuthFS, a FUSE-based, non-generic filesystem where file access is //! authenticated. This filesystem assumes the underlying layer is not trusted, e.g. file may be //! provided by an untrusted host/VM, so that the content can't be simply trusted. However, with a //! known file hash from trusted party, this filesystem can still verify a (read-only) file even if //! the host/VM as the blob provider is malicious. With the Merkle tree, each read of file block can //! be verified individually only when needed. //! //! AuthFS only serve files that are specifically configured. Each remote file can be configured to //! appear as a local file at the mount point. A file configuration may include its remote file //! identifier and its verification method (e.g. by known digest). //! //! AuthFS also support remote directories. A remote directory may be defined by a manifest file, //! which contains file paths and their corresponding digests. //! //! AuthFS can also be configured for write, in which case the remote file server is treated as a //! (untrusted) storage. The file/directory integrity is maintained in memory in the VM. Currently, //! the state is not persistent, thus only new file/directory are supported. use anyhow::{anyhow, bail, Result}; use clap::Parser; use log::error; use protobuf::Message; use std::convert::TryInto; use std::fs::File; use std::num::NonZeroU8; use std::path::{Path, PathBuf}; mod common; mod file; mod fsstat; mod fsverity; mod fusefs; use file::{Attr, InMemoryDir, RemoteDirEditor, RemoteFileEditor, RemoteFileReader}; use fsstat::RemoteFsStatsReader; use fsverity::VerifiedFileEditor; use fsverity_digests_proto::fsverity_digests::FSVerityDigests; use fusefs::{AuthFs, AuthFsEntry, LazyVerifiedReadonlyFile}; #[derive(Parser)] struct Args { /// Mount point of AuthFS. mount_point: PathBuf, /// CID of the VM where the service runs. #[clap(long)] cid: u32, /// Extra options to FUSE #[clap(short = 'o')] extra_options: Option, /// Number of threads to serve FUSE requests. #[clap(short = 'j')] thread_number: Option, /// A read-only remote file with integrity check. Can be multiple. /// /// For example, `--remote-ro-file 5:sha256-1234abcd` tells the filesystem to associate the /// file $MOUNTPOINT/5 with a remote FD 5, and has a fs-verity digest with sha256 of the hex /// value 1234abcd. #[clap(long, value_parser = parse_remote_ro_file_option)] remote_ro_file: Vec, /// A read-only remote file without integrity check. Can be multiple. /// /// For example, `--remote-ro-file-unverified 5` tells the filesystem to associate the file /// $MOUNTPOINT/5 with a remote FD 5. #[clap(long)] remote_ro_file_unverified: Vec, /// A new read-writable remote file with integrity check. Can be multiple. /// /// For example, `--remote-new-rw-file 5` tells the filesystem to associate the file /// $MOUNTPOINT/5 with a remote FD 5. #[clap(long)] remote_new_rw_file: Vec, /// A read-only directory that represents a remote directory. The directory view is constructed /// and finalized during the filesystem initialization based on the provided mapping file /// (which is a serialized protobuf of android.security.fsverity.FSVerityDigests, which /// essentially provides mappings of exported files). The mapping /// file is supposed to come from a trusted location in order to provide a trusted view as well /// as verified access of included files with their fs-verity digest. Not all files on the /// remote host may be included in the mapping file, so the directory view may be partial. The /// directory structure won't change throughout the filesystem lifetime. /// /// For example, `--remote-ro-dir 5:/path/to/mapping:prefix/` tells the filesystem to /// construct a directory structure defined in the mapping file at $MOUNTPOINT/5, which may /// include a file like /5/system/framework/framework.jar. "prefix/" tells the filesystem to /// strip the path (e.g. "system/") from the mount point to match the expected location of the /// remote FD (e.g. a directory FD of "/system" in the remote). #[clap(long, value_parser = parse_remote_new_ro_dir_option)] remote_ro_dir: Vec, /// A new directory that is assumed empty in the backing filesystem. New files created in this /// directory are integrity-protected in the same way as --remote-new-verified-file. Can be /// multiple. /// /// For example, `--remote-new-rw-dir 5` tells the filesystem to associate $MOUNTPOINT/5 /// with a remote dir FD 5. #[clap(long)] remote_new_rw_dir: Vec, /// Enable debugging features. #[clap(long)] debug: bool, } #[derive(Clone)] struct OptionRemoteRoFile { /// ID to refer to the remote file. remote_fd: i32, /// Expected fs-verity digest (with sha256) for the remote file. digest: String, } #[derive(Clone)] struct OptionRemoteRoDir { /// ID to refer to the remote dir. remote_dir_fd: i32, /// A mapping file that describes the expecting file/directory structure and integrity metadata /// in the remote directory. The file contains serialized protobuf of /// android.security.fsverity.FSVerityDigests. mapping_file_path: PathBuf, prefix: String, } fn parse_remote_ro_file_option(option: &str) -> Result { let strs: Vec<&str> = option.split(':').collect(); if strs.len() != 2 { bail!("Invalid option: {}", option); } if let Some(digest) = strs[1].strip_prefix("sha256-") { Ok(OptionRemoteRoFile { remote_fd: strs[0].parse::()?, digest: String::from(digest) }) } else { bail!("Unsupported hash algorithm or invalid format: {}", strs[1]); } } fn parse_remote_new_ro_dir_option(option: &str) -> Result { let strs: Vec<&str> = option.split(':').collect(); if strs.len() != 3 { bail!("Invalid option: {}", option); } Ok(OptionRemoteRoDir { remote_dir_fd: strs[0].parse::().unwrap(), mapping_file_path: PathBuf::from(strs[1]), prefix: String::from(strs[2]), }) } fn new_remote_verified_file_entry( service: file::VirtFdService, remote_fd: i32, expected_digest: &str, ) -> Result { Ok(AuthFsEntry::VerifiedReadonly { reader: LazyVerifiedReadonlyFile::prepare_by_fd( service, remote_fd, hex::decode(expected_digest)?, ), }) } fn new_remote_unverified_file_entry( service: file::VirtFdService, remote_fd: i32, file_size: u64, ) -> Result { let reader = RemoteFileReader::new(service, remote_fd); Ok(AuthFsEntry::UnverifiedReadonly { reader, file_size }) } fn new_remote_new_verified_file_entry( service: file::VirtFdService, remote_fd: i32, ) -> Result { let remote_file = RemoteFileEditor::new(service.clone(), remote_fd); Ok(AuthFsEntry::VerifiedNew { editor: VerifiedFileEditor::new(remote_file), attr: Attr::new_file(service, remote_fd), }) } fn new_remote_new_verified_dir_entry( service: file::VirtFdService, remote_fd: i32, ) -> Result { let dir = RemoteDirEditor::new(service.clone(), remote_fd); let attr = Attr::new_dir(service, remote_fd); Ok(AuthFsEntry::VerifiedNewDirectory { dir, attr }) } fn prepare_root_dir_entries( service: file::VirtFdService, authfs: &mut AuthFs, args: &Args, ) -> Result<()> { for config in &args.remote_ro_file { authfs.add_entry_at_root_dir( remote_fd_to_path_buf(config.remote_fd), new_remote_verified_file_entry(service.clone(), config.remote_fd, &config.digest)?, )?; } for remote_fd in &args.remote_ro_file_unverified { let remote_fd = *remote_fd; authfs.add_entry_at_root_dir( remote_fd_to_path_buf(remote_fd), new_remote_unverified_file_entry( service.clone(), remote_fd, service.getFileSize(remote_fd)?.try_into()?, )?, )?; } for remote_fd in &args.remote_new_rw_file { let remote_fd = *remote_fd; authfs.add_entry_at_root_dir( remote_fd_to_path_buf(remote_fd), new_remote_new_verified_file_entry(service.clone(), remote_fd)?, )?; } for remote_fd in &args.remote_new_rw_dir { let remote_fd = *remote_fd; authfs.add_entry_at_root_dir( remote_fd_to_path_buf(remote_fd), new_remote_new_verified_dir_entry(service.clone(), remote_fd)?, )?; } for config in &args.remote_ro_dir { let dir_root_inode = authfs.add_entry_at_root_dir( remote_fd_to_path_buf(config.remote_dir_fd), AuthFsEntry::ReadonlyDirectory { dir: InMemoryDir::new() }, )?; // Build the directory tree based on the mapping file. let mut reader = File::open(&config.mapping_file_path)?; let proto = FSVerityDigests::parse_from_reader(&mut reader)?; for (path_str, digest) in &proto.digests { if digest.hash_alg != "sha256" { bail!("Unsupported hash algorithm: {}", digest.hash_alg); } let file_entry = { let remote_path_str = path_str.strip_prefix(&config.prefix).ok_or_else(|| { anyhow!("Expect path {} to match prefix {}", path_str, config.prefix) })?; AuthFsEntry::VerifiedReadonly { reader: LazyVerifiedReadonlyFile::prepare_by_path( service.clone(), config.remote_dir_fd, PathBuf::from(remote_path_str), digest.digest.clone(), ), } }; authfs.add_entry_at_ro_dir_by_path(dir_root_inode, Path::new(path_str), file_entry)?; } } Ok(()) } fn remote_fd_to_path_buf(fd: i32) -> PathBuf { PathBuf::from(fd.to_string()) } fn try_main() -> Result<()> { let args = Args::parse(); let log_level = if args.debug { log::LevelFilter::Debug } else { log::LevelFilter::Info }; android_logger::init_once( android_logger::Config::default().with_tag("authfs").with_max_level(log_level), ); let service = file::get_rpc_binder_service(args.cid)?; let mut authfs = AuthFs::new(RemoteFsStatsReader::new(service.clone())); prepare_root_dir_entries(service, &mut authfs, &args)?; fusefs::mount_and_enter_message_loop( authfs, &args.mount_point, &args.extra_options, args.thread_number, )?; bail!("Unexpected exit after the handler loop") } fn main() { if let Err(e) = try_main() { error!("failed with {:?}", e); std::process::exit(1); } }