MD14 / cryptonite

Automatically exported from code.google.com/p/cryptonite
GNU General Public License v2.0

EncFS and TrueCrypt mounted volumes not visible to other apps in Android 4.2 #47

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Create a TrueCrypt volume on Windows formatted as FAT32 containing several 
files and place this on your phone (say in /sdcard/test.tc)
2. Start cryptonite; Launch terminal with Expert->Start root terminal
3. Issue the following command:
truecrypt --fs-options="uid=1000,gid=1000,umask=0002" /sdcard/test.tc /mnt/sdcard/tc
NOTE: I had to create the mount point /mnt/sdcard/tc before issuing this 
command or truecrypt would issue a mount error message.
  Enter password, etc.  Then the command and mount succeeds.
4. Examine the mounted directory using: ls -al /mnt/sdcard/tc
   Files are present there.
5. Launch ES File Explorer (root or otherwise).  Navigate to /mnt/sdcard/tc or 
/sdcard/tc and there are no files listed there.  The directory appears empty.

What is the expected output? What do you see instead?
I expected to see the files in the TrueCrypt volume at the mount location.  In 
fact I did see them from the terminal window started from cryptonite.  However, 
they're only visible in that terminal window.  Other apps can't see those 
mounted files.

What version of the product are you using? On what operating system?
0.7.6 with the updated truecrypt binary recently created for Android 4.2 
compatibility (see issue #46).

Please provide any additional information below.
I don't think this is really a bug in cryptonite's TrueCrypt binary. Feel free to 
close this issue as you see fit.  However, it significantly limits the 
usefulness of mounting TrueCrypt volumes under Android 4.2 since the files 
aren't visible to other apps.  

I've seen this problem with another Android encryption tool called LUKS 
Manager.  The issue is discussed here:
http://nemesis2.qx.net/forums/index.php/topic,143.0.html

There is apparently a new Android 4.2 feature which makes mounts appear to be 
process or app bounded and not visible to other processes or apps.  This has 
been worked-around by the author of StickMount, but it's not clear how he did 
that.  The thread is here:
http://forum.xda-developers.com/showthread.php?p=34417228#post34417228

Some kind of workaround or way to disable this new Android feature would be 
appreciated.

Original issue reported on code.google.com by anilkpa...@gmail.com on 28 Nov 2012 at 8:32

GoogleCodeExporter commented 8 years ago
Thanks for reporting this. This will be difficult for me to fix until I get my 
hands on a 4.2 device. Do you get the same problem with EncFS mounts?

Original comment by christoph.schmidthieber@gmail.com on 28 Nov 2012 at 8:42

GoogleCodeExporter commented 8 years ago
Difficulty understood.  Thanks for considering it.

I don't have any experience with EncFS, so I may not have the steps right.
I tried using cryptonite's local tab to "Create local volume".  This seemed to 
succeed.  Then I mounted it using "Mount EncFS" and selected "View mounted" and 
used the built-in file browser.  It showed an empty directory.  I switched to 
ES File Explorer and navigated to that same location shown in the browser 
(/storage/emulated/0/csh.cryptonite/mnt) and tried to create a file foo.  The 
file was created.  I unmounted in cryptonite and then in ES File Explorer the 
file was still there, with the same contents (I expected it to be encrypted).  
I also tried the original directory location for the EncFS I created (it wasn't 
/storage/..., but was /sdcard/Data/encFS).  Behavior was the same.

I'm not sure I am doing this correctly.  If you have other steps, I'd be glad to 
try them out.

Original comment by anilkpa...@gmail.com on 28 Nov 2012 at 9:58

GoogleCodeExporter commented 8 years ago
Thanks for testing this. Sounds like the same issue is present in EncFS. You're 
essentially creating "foo" on top of a mount point that ES File Explorer is not 
aware of. That's why "foo" is not encrypted. I bet the same thing happens when 
you create "foo" in a TrueCrypt mount point.

Original comment by christoph.schmidthieber@gmail.com on 28 Nov 2012 at 10:03

GoogleCodeExporter commented 8 years ago
Changed the title to include EncFS.

Original comment by christoph.schmidthieber@gmail.com on 28 Nov 2012 at 10:04

GoogleCodeExporter commented 8 years ago
Checked this with an encfs encrypted folder on a Galaxy Nexus with 4.2.1.

If I mount an encrypted folder as user root in a terminal I can access (in the 
same terminal session) the decrypted folder even as normal user without root 
rights.

I can see this folder with some apps (like OI File Explorer) but not others 
(like ASTRA File Explorer). But all other apps can't access the folder (i.e. 
read the files).

The spooky thing: if I mount this folder with the Cryptonite GUI I even can't 
see the decrypted folder if I don't use the built-in file browser (check mark 
in settings not set). If I set the check mark and use the internal file browser 
I see the decrypted folder content.

Original comment by piecha...@gmail.com on 2 Dec 2012 at 7:37

GoogleCodeExporter commented 8 years ago
Affected, too. Awaiting solution. 

Original comment by triggon...@googlemail.com on 14 Dec 2012 at 1:57

GoogleCodeExporter commented 8 years ago
Still waiting for Android 4.2 for either LG O2X or Asus TF700T. Shouldn't take 
too long now.

Anyone knows whether LUKS Manager has been fixed on 4.2 in the meantime?

Original comment by christoph.schmidthieber@gmail.com on 15 Dec 2012 at 12:05

GoogleCodeExporter commented 8 years ago
No - not sure about LUKS but Chainfire fixed Stickmount. Version 2.10 works now 
on 4.2.1 again. Mounts are visible and accessible from different apps.

Original comment by piecha...@gmail.com on 16 Dec 2012 at 2:55

GoogleCodeExporter commented 8 years ago
@piecha.se: Is "Stickmount" open source? Any ideas how they did that? Anyone I 
could contact?

Original comment by christoph.schmidthieber@gmail.com on 16 Dec 2012 at 3:36

GoogleCodeExporter commented 8 years ago
Sent an email to market1@chainfire.eu. In the meantime: What are the ownerships 
and permissions on volumes that have been mounted with Stickmount on 4.2?

Original comment by christoph.schmidthieber@gmail.com on 16 Dec 2012 at 3:50

GoogleCodeExporter commented 8 years ago
Well, tried to contact Chainfire but got no feedback so far.
Here's the thread about Stickmount: 
http://forum.xda-developers.com/showthread.php?t=1400034&page=51. The 
interesting Android 4.2.1 related issues are around page 51 ff.
Asked today again how to fix the issue with invisible mounts in Android 4.2+.

Original comment by piecha...@gmail.com on 16 Dec 2012 at 3:52

GoogleCodeExporter commented 8 years ago
@comment 10:
a FAT formatted USB stick gets mounted in folder sda1 under /sdcard/usbStorage 
and has permissions 775.

Original comment by piecha...@gmail.com on 16 Dec 2012 at 3:56

GoogleCodeExporter commented 8 years ago
@piecha.se:
Who's the owner? Try for example

ls -la /sdcard/usbStorage

Also, what does the relevant line in /proc/mounts look like? Try

cat /proc/mounts

Thanks!

Original comment by christoph.schmidthieber@gmail.com on 16 Dec 2012 at 4:03

GoogleCodeExporter commented 8 years ago
Forgot to look for the owner...

Owner and group are root:sdcard_rw

Relevant entry from /proc/mounts
/dev/block/sda1 /data/media/0/usbStorage/sda1 vfat rw,nosuid,nodev,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0

Original comment by piecha...@gmail.com on 16 Dec 2012 at 4:09

GoogleCodeExporter commented 8 years ago
Thanks. What's the ownership of the mounted TrueCrypt volumes that are causing 
problems (from the root shell that you used to call truecrypt)?

Original comment by christoph.schmidthieber@gmail.com on 16 Dec 2012 at 4:26

GoogleCodeExporter commented 8 years ago
I don't use Truecrypt volumes but EncFS encrypted files.

Original comment by piecha...@gmail.com on 16 Dec 2012 at 7:50

GoogleCodeExporter commented 8 years ago
It seems SELinux is causing the troubles in Android 4.2.
It's being discussed in the thread I recommended before on page 62 
(http://forum.xda-developers.com/showthread.php?t=1400034&page=62).

Original comment by piecha...@gmail.com on 16 Dec 2012 at 7:54

GoogleCodeExporter commented 8 years ago
Comment 16 by piecha.se:
> > What's the ownership of the mounted TrueCrypt volumes?
> I don't use Truecrypt volumes but EncFS encrypted files.

What's the ownership of the mounted EncFS volume then?

Original comment by christoph.schmidthieber@gmail.com on 17 Dec 2012 at 12:18

GoogleCodeExporter commented 8 years ago
Owner of mounted EncFS volume: root:sdcard_rw
encfs options: --public -o allow_other,nonempty --stdinpass
/proc/mounts:
encfs /mnt/shell/emulated/0/docs/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0

If I mount the EncFS volume from a terminal under /sdcard/whatever other apps 
don't see any content in the mounted folder.

If I mount the same EncFS volume again from a terminal under /system/decrypted 
(/system doesn't have to be rw for mounting, just for creating the folder 
decrypted the first time) other apps do see the content and can access the 
files. If I try to mount under /system/decrypted from other apps like Tasker or 
Gscript again other apps don't see the content.

Original comment by piecha...@gmail.com on 17 Dec 2012 at 2:11

GoogleCodeExporter commented 8 years ago
I've added a workaround (e74d1c8b5c19) to mount EncFS volumes so that they are 
visible to all apps with root permissions. You will still need a file browser 
with root permissions to see the files. The builtin file browser ("View 
mounted") won't work!
It's available in the latest alpha (0.7.7): 
https://code.google.com/p/cryptonite/downloads/list
Please test.

Original comment by christoph.schmidthieber@gmail.com on 1 Jan 2013 at 7:45

GoogleCodeExporter commented 8 years ago
Tested! By using the V0.7.7-APK from your linked website, I can confirm that on 
my rooted Asus/Google Nexus 7 (Android 4.2) the decrypted content now also gets 
visible to my file explorer "Astro". (Which is great!) However, other 
applications such as Quickpic or the built-in image explorer see the mount 
point still empty. Keep up the good work, thanks a lot!

Original comment by triggon...@googlemail.com on 1 Jan 2013 at 9:40

GoogleCodeExporter commented 8 years ago
Thanks for your time trying to fix. But it has not worked for me so far. I'm using 
CM 10.1 on Galaxy S3 international version (I9300). My encrypted data was on my 
external SD card. I tried to mount and I could read lots of operations being 
executed like MV, cup, chmod and others. But at the end it says: Failed to 
mount. I tried a clean install of cryptonite deleting cache and configs. Problem 
persists. Can you help me?

Original comment by munhozdi...@gmail.com on 2 Jan 2013 at 11:59

GoogleCodeExporter commented 8 years ago
I'll try the Alpha version as well.

What's the issue? What is the workaround? Could you please shed some light on 
that?

Could anyone else please check and mount an EncFS volume (both from a terminal 
and GUI) in some folder under /system (like /system/decrypted)? /system doesn't 
have to be rw for mounting, just for creating the new mount folder the first 
time. Other apps should see the content and should be able to access the files.

Original comment by piecha...@gmail.com on 2 Jan 2013 at 9:17

GoogleCodeExporter commented 8 years ago
To mount an EncFS directory from a terminal you can use the following command:

echo <password> | /data/data/csh.cryptonite/encfs -v --public -o allow_other,nonempty --stdinpass <EncFS directory> <mount point>

Please use as mount point some directory in /system, like /system/decrypted.

Original comment by piecha...@gmail.com on 3 Jan 2013 at 8:36

GoogleCodeExporter commented 8 years ago
Comment 24 by piecha.se:
> What's the issue?

In Android 4.2, a process needs to have privileges to perform a system-wide 
mount that is visible to all other apps. Apparently, these privileges are 
hard-coded.

> What is the workaround?

The ugly workaround is to temporarily "hijack" a process with appropriate 
privileges (/system/bin/debuggerd) to perform the mount. I suspect that's what 
stickmount is doing as well. You can reproduce these steps from the command 
line. The code is here:
https://code.google.com/p/cryptonite/source/browse/cryptonite/src/csh/cryptonite/ShellUtils.java?#133

In detail:
1. Stop the debugger daemon ($ stop debuggerd)
2. Remount /system rw ($ mount -o rw,remount /system /system)
3. Copy the binary to a safe place ($ cp /system/bin/debuggerd /system/bin/debuggerd.bak)
4. Write a shell script to perform the mount and save it as /system/bin/debuggerd.
   Rather than spawning a daemon, EncFS needs to run in the foreground (-f) with that method.
5. Change the ownership (root:shell) and permissions (755) of that script
6. Start the hijacked debugger daemon (which will now be an EncFS daemon).
7. Once it's running, restore the original debuggerd binary ($ mv /system/bin/debuggerd.bak /system/bin/debuggerd)
8. Remount /system ro ($ mount -o ro,remount /system /system)

To unmount the EncFS volume, you'll have to stop the debugger daemon ($ stop 
debuggerd) and then unmount the EncFS volume using the method described above.

Original comment by christoph.schmidthieber@gmail.com on 3 Jan 2013 at 11:04
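
The symptom reported throughout this thread, a mount that the mounting shell can list while other apps see an empty directory, can be confirmed by comparing the /proc/<pid>/mountinfo of the shell with that of an affected app. The Python script below is an added example, not Cryptonite code; both captures are constructed (the EncFS entry is modelled on the /proc/mounts line quoted earlier in the thread) and the function names are hypothetical.

```python
"""Compare the mount tables of two processes (added example, constructed data)."""
from dataclasses import dataclass

# Constructed capture of /proc/<pid>/mountinfo for the root shell that ran encfs.
ROOT_SHELL_MOUNTINFO = """\
1 1 0:1 / / ro,relatime - rootfs rootfs ro
12 1 179:3 / /system ro,relatime - ext4 /dev/block/mmcblk0p3 ro
20 1 0:18 / /mnt/shell/emulated rw,nosuid,nodev,relatime - fuse /dev/fuse rw,user_id=1023,group_id=1023,default_permissions,allow_other
31 20 0:21 / /mnt/shell/emulated/0/docs/decrypted rw,nosuid,nodev,relatime - fuse.encfs encfs rw,user_id=0,group_id=0,default_permissions,allow_other
"""

# Constructed capture for a file-manager app process on the same device.
APP_MOUNTINFO = """\
1 1 0:1 / / ro,relatime - rootfs rootfs ro
12 1 179:3 / /system ro,relatime - ext4 /dev/block/mmcblk0p3 ro
20 1 0:18 / /mnt/shell/emulated rw,nosuid,nodev,relatime - fuse /dev/fuse rw,user_id=1023,group_id=1023,default_permissions,allow_other
"""


@dataclass(frozen=True)
class Mount:
    mount_point: str
    fstype: str
    source: str
    propagation: str  # e.g. "shared:1", "master:1", or "private" if no tag


def _unescape(field):
    # The kernel writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"),
                    ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field


def parse_mountinfo(text):
    """Return {mount_point: Mount}; a later mount on a path shadows an earlier one."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        try:
            # Six fixed fields, then zero or more optional tags, then "-".
            sep = fields.index("-", 6)
        except ValueError:
            continue  # blank or malformed line
        if len(fields) < sep + 3:
            continue
        tags = ",".join(fields[6:sep]) or "private"
        m = Mount(_unescape(fields[4]), fields[sep + 1],
                  _unescape(fields[sep + 2]), tags)
        mounts[m.mount_point] = m
    return mounts


def hidden_from(observer, mounter):
    """Mounts the mounter sees that the observer lacks or sees differently."""
    out = []
    for path, m in mounter.items():
        seen = observer.get(path)
        if seen is None or (seen.fstype, seen.source) != (m.fstype, m.source):
            out.append(m)
    return sorted(out, key=lambda m: m.mount_point)


if __name__ == "__main__":
    shell = parse_mountinfo(ROOT_SHELL_MOUNTINFO)
    app = parse_mountinfo(APP_MOUNTINFO)
    for m in hidden_from(app, shell):
        print("not visible to app: %s (%s, propagation=%s)"
              % (m.mount_point, m.fstype, m.propagation))
```

A file written by the app to a path listed here lands in the underlying directory, not in the encrypted volume, which matches the unencrypted "foo" observed earlier in the thread.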

GoogleCodeExporter commented 8 years ago
Comment 24 by piecha.se:
> Could anyone else please check and mount an EncFS volume (both from a 
> terminal and GUI) in some folder under /system (like /system/decrypted)? 
> /system doesn't have to be rw for mounting, just for creating the new mount 
> folder the first time. Other apps should see the content and should be able to 
> access the files.

While this works, most non-root apps won't be able to access /system. Try the 
new CM file manager in "safe mode" for example.

Original comment by christoph.schmidthieber@gmail.com on 3 Jan 2013 at 11:29

GoogleCodeExporter commented 8 years ago
Re comment 27:

That's really an ugly workaround. Looks like Google will patch it within the 
next release, but hopefully they offer something to deal with privileges.

Re comment 28:
I wasn't aware there's a difference in root and non-root apps. Thought that for 
some functions root rights are required and then any app just asks for root 
permission.

If I mount the EncFS folder under /system I can access it for instance with 
ASTRO, ezPDF and KeePass which all don't ask for root permissions.

If you mean with 'CM file manager' the Cryptonite 0.7.6 built-in file manager I 
could see the decrypted content mounted under /system.

Original comment by piecha...@gmail.com on 3 Jan 2013 at 1:11

GoogleCodeExporter commented 8 years ago
So I have tested 0.7.7 on 4.2.1 without success. I was able to create a new 
EncFS, mount it, but when I copy anything inside, it is not being encrypted. I 
tried Solid Explorer and Total Commander with option "Use Root functions 
everywhere".

Original comment by skon...@gmail.com on 4 Jan 2013 at 2:09

GoogleCodeExporter commented 8 years ago
Given that root permissions are required anyway at this stage and the debuggerd 
hack doesn't work on all devices, it seems like piecha.se's solution of 
mounting under /system is a bit less ugly. It would be good to test piecha.se's 
solution on some more devices though. See his instructions 
(https://code.google.com/p/cryptonite/issues/detail?id=47#c26).

Original comment by christoph.schmidthieber@gmail.com on 4 Jan 2013 at 2:17

GoogleCodeExporter commented 8 years ago
So the /system hack is kind of working. It seems that the only problem is that when 
I encrypt some files, they get wrong permissions and cannot be read again. They 
seem to get only read permission by owner which is root. If I manually change 
the permissions then I am able to read the files again.

I run the command from ADB. Also when running the command from terminal 
emulator it does not work (but no error message, it looks the same).

I guess that is not helpful much, but I suck with Linux :-D.

Original comment by skon...@gmail.com on 4 Jan 2013 at 4:03

GoogleCodeExporter commented 8 years ago
Just mounted Encfs volume under /system/decrypted. None of my apps was able to 
see files. Only Terminal was capable of viewing.

If I do a ls -l command on /system/decrypted files are there.
I hope someone can fix Cryptonite or bypass this new "feature" of android 4.2.

I'm using CM 10.1 (android 4.2)

Original comment by munhozdi...@gmail.com on 4 Jan 2013 at 6:10

GoogleCodeExporter commented 8 years ago
=== System Info ===
Device: Nexus 10
OS: Stock JB 4.2.1, rooted
Cryptonite Version: 0.7.7

=== Command Ran (as root) ===
# /data/data/csh.cryptonite/truecrypt --fs-options="uid=1000,gid=1000,umask=0002" /storage/emulated/0/aaa.tc /storage/emulated/0/mountpoint

=== Result ===
Error: Failed to set up a loop device:
/sdcard/Android/data/csh.cryptonite/.truecrypt_aux_mnt1/volume

=== Notes ===
- I had to create the /sdcard/Android/data/csh.cryptonite folder as /sdcard 
does not exist on a Nexus 10.
- The loop device seems to work fine, as creating a file with a fat filesystem 
mounts via mount -o loop just fine.

Original comment by fmstrat on 5 Jan 2013 at 2:36

GoogleCodeExporter commented 8 years ago
Checked 0.7.7 Alpha.

- Cryptonite GUI: Saw how debuggerd got replaced by encfs and the remounting of 
/system. Finally got a mount error although my EncFS folder got mounted under 
/sdcard/csh.cryptonite/mnt. Could see the decrypted files with ASTRO file 
manager but not OI File Manager. Wasn't able to access files (like opening a 
pdf file with ezPDF).

- Tried also to mount EncFS folder from command line. Folder got mounted under 
my folder in /sdcard but content couldn't be seen from either ASTRO or OI.

Could you please add the ALPHA version string to the About menu? Got confused 
which version I had tested until I saw all the 'ugly workaround' commands in 
the GUI.

Original comment by piecha...@gmail.com on 6 Jan 2013 at 11:06

GoogleCodeExporter commented 8 years ago
Also checked to mount my EncFS folder with 0.7.7 Alpha under /system/decrypted. 
As long as nothing is mounted my folder decrypted is owned by root:root with 
permissions 777.

After mounting from command line owner changes to root:sdcard_rw with 
permissions 775.

Can see and access content with different apps.

Original comment by piecha...@gmail.com on 6 Jan 2013 at 11:14

GoogleCodeExporter commented 8 years ago
Hey guys, still no clue how to bring mount back to work? :( I'm a C/C++ 
programmer. Maybe I'll take a look and try to figure out a solution. Wish me 
luck, never developed an app for android before.

Original comment by munhozdi...@gmail.com on 14 Jan 2013 at 10:59

GoogleCodeExporter commented 8 years ago
munhozdi
It's a general Android 4.2 security issue. If you have any ideas, let us know. 
But I think you have to change the kernel or Google have to provide a solution.

Original comment by mediacen...@gmail.com on 21 Jan 2013 at 9:52

GoogleCodeExporter commented 8 years ago
Fear nothing mah Boys :) 

http://forum.xda-developers.com/showthread.php?p=36988155#post36988155

It was fixed this night. Tomorrow CM 10.1 nightly build will carry these 
modifications allowing any previous app to get back to work.

Other ROMS users, can patch their kernels with Info provided on this thread.

Original comment by munhozdi...@gmail.com on 21 Jan 2013 at 11:05

GoogleCodeExporter commented 8 years ago
Sounds too good to be true ;-)

Original comment by markus.g...@gmail.com on 21 Jan 2013 at 2:35

GoogleCodeExporter commented 8 years ago
That's because it is! Well sort of.

0.7.7 Alpha will mount it and I can see the files in other apps - Yaay! but for 
some reason when hitting unmount the app won't acknowledge that it's been 
umounted? It keeps saying that a volume is still mounted and would I like to 
unmount all volumes.

0.7.6 Will also mount but files are still only visible inside Cryptonite.

Original comment by robert.w...@gmail.com on 23 Jan 2013 at 3:56

GoogleCodeExporter commented 8 years ago
Fear nothing mah Boys :) Diego Munhóz here! and I got good news:

On CM 10.1 nightly *01/28/2013* the problem is almost fixed. Following these 
steps that I created you will be able to use Cryptonite and its mount features 
again. 

Sidenote: My tests and my knowledge about this FIX is tested only on cm 10.1, 
no guarantees that these steps will work on other roms.

1 - Download mountdir.sh file attached
2 - Using a file manager with root permissions, put downloaded file on 
/etc/init.d
3 - Restart your phone
4 - wait 70 secs.
5 - Open cryptonite and configure mount dir to /mnt/obb/cifs
6 - Choose your truecrypt/encfs container
7 - Mount it :D

That's it guys. It's not the best! But It's working!

Explanations:

CM 10.1 latest nightly tried to work around Google's recent changes on android. 
In parts it works, but the only folder that I was able to mount dir using 
cryptonite was: /mnt/obb/cifs

So I wrote this shell script to create and set permissions on /mnt/obb/cifs at 
every boot. 

The sleep 70 on sh script: I used this option because I don't know the side 
effects of doing a remount in system right after system boots. So this .sh 
script will wait 70 secs to perform its actions.

That's It :D Good luck to everyone

Original comment by munhozdi...@gmail.com on 28 Jan 2013 at 11:39

GoogleCodeExporter commented 8 years ago
I saw your post on xda-developers 
(http://forum.xda-developers.com/showpost.php?p=37309793&postcount=47). This 
workaround only works on CM 10.1 latest nightly as there's a patch included to 
restrict the slave mountspace to just some directories and not the root 
directory / at all.

I wonder if you have some other idea how to circumvent this issue on stock ROM?

Original comment by piecha...@gmail.com on 29 Jan 2013 at 11:11

GoogleCodeExporter commented 8 years ago
Like I said on my post above, only cm 10.1 latest nightly. Other roms based on 
Cyanogen work may work. Stock rom? There's no way at this moment.

Original comment by munhozdi...@gmail.com on 29 Jan 2013 at 11:15

GoogleCodeExporter commented 8 years ago
Do you have an idea how StickMount solves the issue on stock ROM?

Original comment by piecha...@gmail.com on 29 Jan 2013 at 11:17

GoogleCodeExporter commented 8 years ago
Hijacking a process with permissions to mount system wide. You can even do this 
manually using encfs command line + terminal. Sometimes it works, other times it doesn't.

Original comment by munhozdi...@gmail.com on 29 Jan 2013 at 11:36

GoogleCodeExporter commented 8 years ago
Already checked process hijacking. Didn't work for me.

@all: Has anybody else with stock ROM checked to mount an EncFS folder under 
/system?

Original comment by piecha...@gmail.com on 30 Jan 2013 at 9:38

GoogleCodeExporter commented 8 years ago
I've just tried this after CM 10.1 was updated to Android 4.2.2 on my phone. 
Miraculously, I can now see mounted EncFS volumes both with the builtin file 
browser and with ES file explorer. Can anyone else confirm this?

Original comment by christoph.schmidthieber@gmail.com on 16 Feb 2013 at 11:48

GoogleCodeExporter commented 8 years ago
Tried what ? for me it's working for a long time now.

Original comment by munhozdi...@gmail.com on 17 Feb 2013 at 12:19

GoogleCodeExporter commented 8 years ago
Comment #49 by munhozdiego:
> Tried what ? for me it's working for a long time now.

Stock Cryptonite from the Play store (0.7.6), no hacks.

Original comment by christoph.schmidthieber@gmail.com on 17 Feb 2013 at 12:22