neurodroid / cryptonite

EncFS and TrueCrypt on Android
GNU General Public License v2.0

EncFS and TrueCrypt mounted volumes not visible to other apps in Android 4.2 #47

Open neurodroid opened 10 years ago

neurodroid commented 10 years ago

From anilkpa...@gmail.com on November 28, 2012 20:32:45

What steps will reproduce the problem?

  1. Create a TrueCrypt volume on Windows formatted as FAT32 containing several files and place this on your phone (say in /sdcard/test.tc)
  2. Start cryptonite; launch a terminal with Expert->Start root terminal
  3. Issue the following command: truecrypt --fs-options="uid=1000,gid=1000,umask=0002" /sdcard/test.tc /mnt/sdcard/tc NOTE: I had to create the mount point /mnt/sdcard/tc before issuing this command or truecrypt would issue a mount error message. Enter password, etc. Then the command and mount succeed.
  4. Examine the mounted directory using: ls -al /mnt/sdcard/tc Files are present there.
  5. Launch ES File Explorer (root or otherwise). Navigate to /mnt/sdcard/tc or /sdcard/tc and there are no files listed there. The directory appears empty.

What is the expected output? What do you see instead?

I expected to see the files in the TrueCrypt volume at the mount location. In fact I did see them from the terminal window started from cryptonite. However, they're only visible in that terminal window. Other apps can't see those mounted files.

What version of the product are you using? On what operating system?

0.7.6 with the updated truecrypt binary recently created for Android 4.2 compatibility (see issue #46).

Please provide any additional information below.

I don't think this is really a bug in cryptonite's TrueCrypt binary. Feel free to close this issue as you see fit. However, it significantly limits the usefulness of mounting TrueCrypt volumes under Android 4.2 since the files aren't visible to other apps.

I've seen this problem with another Android encryption tool called LUKS Manager. The issue is discussed here: http://nemesis2.qx.net/forums/index.php/topic,143.0.html There is apparently a new Android 4.2 feature which makes mounts appear to be process- or app-bound and not visible to other processes or apps. This has been worked around by the author of StickMount, but it's not clear how he did that. The thread is here: http://forum.xda-developers.com/showthread.php?p=34417228#post34417228 Some kind of workaround or way to disable this new Android feature would be appreciated.

Original issue: http://code.google.com/p/cryptonite/issues/detail?id=47

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on November 28, 2012 12:42:33

Thanks for reporting this. This will be difficult for me to fix until I get my hands on a 4.2 device. Do you get the same problem with EncFS mounts?

neurodroid commented 10 years ago

From anilkpa...@gmail.com on November 28, 2012 13:58:54

Difficulty understood. Thanks for considering it.

I don't have any experience with EncFS, so I may not have the steps right. I tried using cryptonite's local tab to "Create local volume". This seemed to succeed. Then I mounted it using "Mount EncFS" and selected "View mounted" and used the built-in file browser. It showed an empty directory. I switched to ES File Explorer and navigated to that same location shown in the browser (/storage/emulated/0/csh.cryptonite/mnt) and tried to create a file foo. The file was created. I unmounted in cryptonite and then in ES File Explorer the file was still there, with the same contents (I expected it to be encrypted). I also tried the original directory location for the EncFS I created (it wasn't /storage/..., but was /sdcard/Data/encFS). Behavior was the same.

I'm not sure I am doing this correctly. If you have other steps, I'd be glad to try them out.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on November 28, 2012 14:03:44

Thanks for testing this. Sounds like the same issue is present in EncFS. You're essentially creating "foo" on top of a mount point that ES File Explorer is not aware of. That's why "foo" is not encrypted. I bet the same thing happens when you create "foo" in a TrueCrypt mount point.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on November 28, 2012 14:04:38

Changed the title to include EncFS.

Summary: EncFS and TrueCrypt mounted volumes not visible to other apps in Android 4.2 (was: TrueCrypt mounted volumes not accessible by other apps in Android 4.2)
Status: Accepted

neurodroid commented 10 years ago

From piecha...@gmail.com on December 02, 2012 11:37:09

Checked this with an encfs encrypted folder on a Galaxy Nexus with 4.2.1.

If I mount an encrypted folder as user root in a terminal I can access (in the same terminal session) the decrypted folder even as normal user without root rights.

I can see this folder with some apps (like OI File Explorer) but not others (like ASTRA File Explorer). But all other apps can't access the folder (i.e. read the files).

The spooky thing: if I mount this folder with the Cryptonite GUI I even can't see the decrypted folder if I don't use the built-in file browser (check mark in settings not set). If I set the check mark and use the internal file browser I see the decrypted folder content.

neurodroid commented 10 years ago

From triggon...@googlemail.com on December 13, 2012 17:57:53

Affected, too. Awaiting solution.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on December 15, 2012 04:05:00

Still waiting for Android 4.2 for either LG O2X or Asus TF700T. Shouldn't take too long now.

Anyone knows whether LUKS Manager has been fixed on 4.2 in the meantime?

neurodroid commented 10 years ago

From piecha...@gmail.com on December 16, 2012 06:55:51

No - not sure about LUKS, but Chainfire fixed Stickmount. Version 2.10 works now on 4.2.1 again. Mounts are visible and accessible from different apps.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on December 16, 2012 07:36:30

@piecha.se: Is "Stickmount" open source? Any ideas how they did that? Anyone I could contact?

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on December 16, 2012 07:50:11

Sent an email to market1@chainfire.eu. In the meantime: What are the ownerships and permissions on volumes that have been mounted with Stickmount on 4.2?

neurodroid commented 10 years ago

From piecha...@gmail.com on December 16, 2012 07:52:39

Well, tried to contact Chainfire but got no feedback so far. Here's the thread about Stickmount: http://forum.xda-developers.com/showthread.php?t=1400034&page=51 . The interesting Android 4.2.1 related issues are around page 51 ff. Asked today again how to fix the issue with invisible mounts in Android 4.2+.

neurodroid commented 10 years ago

From piecha...@gmail.com on December 16, 2012 07:56:24

@comment 10: a FAT formatted USB stick gets mounted in folder sda1 under /sdcard/usbStorage and has permissions 775.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on December 16, 2012 08:03:32

@piecha.se: Who's the owner? Try for example

ls -la /sdcard/usbStorage

Also, what does the relevant line in /proc/mounts look like? Try

cat /proc/mounts

Thanks!

neurodroid commented 10 years ago

From piecha...@gmail.com on December 16, 2012 08:09:22

Forgot to look for the owner...

Owner and group are root:sdcard_rw

Relevant entry from /proc/mounts /dev/block/sda1 /data/media/0/usbStorage/sda1 vfat rw,nosuid,nodev,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on December 16, 2012 08:26:45

Thanks. What's the ownership of the mounted TrueCrypt volumes that are causing problems (from the root shell that you used to call truecrypt)?

neurodroid commented 10 years ago

From piecha...@gmail.com on December 16, 2012 11:50:09

I don't use Truecrypt volumes but EncFS encrypted files.

neurodroid commented 10 years ago

From piecha...@gmail.com on December 16, 2012 11:54:00

It seems SELinux is causing the troubles in Android 4.2. It's being discussed in the thread I recommended before on page 62 ( http://forum.xda-developers.com/showthread.php?t=1400034&page=62 ).

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on December 17, 2012 04:18:59

Comment 16 by piecha.se:

What's the ownership of the mounted TrueCrypt volumes? I don't use Truecrypt volumes but EncFS encrypted files.

What's the ownership of the mounted EncFS volume then?

neurodroid commented 10 years ago

From piecha...@gmail.com on December 17, 2012 06:11:01

Owner of mounted EncFS volume: root:sdcard_rw

encfs options: --public -o allow_other,nonempty --stdinpass

/proc/mounts: encfs /mnt/shell/emulated/0/docs/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0

If I mount the EncFS volume from a terminal under /sdcard/whatever other apps don't see any content in the mounted folder.

If I mount the same EncFS volume again from a terminal under /system/decrypted (/system doesn't have to be rw for mounting, just for creating the folder decrypted the first time) other apps do see the content and can access the files. If I try to mount under /system/decrypted from other apps like Tasker or Gscript again other apps don't see the content.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on January 01, 2013 11:45:57

I've added a workaround (e74d1c8b5c19) to mount EncFS volumes so that they are visible to all apps with root permissions. You will still need a file browser with root permissions to see the files. The built-in file browser ("View mounted") won't work! It's available in the latest alpha (0.7.7): https://code.google.com/p/cryptonite/downloads/list Please test.

Status: Started

neurodroid commented 10 years ago

From triggon...@googlemail.com on January 01, 2013 13:40:07

Tested! By using the V0.7.7-APK from your linked website, I can confirm that on my rooted Asus/Google Nexus 7 (Android 4.2) the decrypted content now also gets visible to my file explorer "Astro". (Which is great!) However, other applications such as Quickpic or the built-in image explorer see the mount point still empty. Keep up the good work, thanks a lot!

neurodroid commented 10 years ago

From munhozdi...@gmail.com on January 02, 2013 03:59:54

Thanks for your time trying to fix this. But it has not worked for me so far. I'm using CM 10.1 on a Galaxy S3 international version (I9300). My encrypted data was on my external SD card. I tried to mount and I could read lots of operations being executed like mv, cp, chmod and others. But at the end it says: Failed to mount. I tried a clean install of cryptonite, deleting cache and configs. Problem persists. Can you help me?

neurodroid commented 10 years ago

From piecha...@gmail.com on January 02, 2013 13:17:44

I'll try the Alpha version as well.

What's the issue? What is the workaround? Could you please shed some light on that?

Could anyone else please check and mount an EncFS volume (both from a terminal and GUI) in some folder under /system (like /system/decrypted)? /system doesn't have to be rw for mounting, just for creating the new mount folder the first time. Other apps should see the content and should be able to access the files.

neurodroid commented 10 years ago

From piecha...@gmail.com on January 03, 2013 00:36:47

To mount an EncFS directory from a terminal you can use the following command:

echo <password> | /data/data/csh.cryptonite/encfs -v --public -o allow_other,nonempty --stdinpass <encrypted directory> <mount point>

Please use as mount point some directory in /system, like /system/decrypted.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on January 03, 2013 03:04:17

Comment 24 by piecha.se:

What's the issue?

In Android 4.2, a process needs to have privileges to perform a system-wide mount that is visible to all other apps. Apparently, these privileges are hard-coded.

What is the workaround?

The ugly workaround is to temporarily "hijack" a process with appropriate privileges (/system/bin/debuggerd) to perform the mount. I suspect that's what stickmount is doing as well. You can reproduce these steps from the command line. The code is here: https://code.google.com/p/cryptonite/source/browse/cryptonite/src/csh/cryptonite/ShellUtils.java?#133 In detail:

  1. Stop the debugger daemon ($ stop debuggerd)
  2. Remount /system rw ($ mount -o rw,remount /system /system)
  3. Copy the binary to a safe place ($ cp /system/bin/debuggerd /system/bin/debuggerd.bak)
  4. Write a shell script to perform the mount and save it as /system/bin/debuggerd. Rather than spawning a daemon, EncFS needs to run in the foreground (-f) with that method.
  5. Change the ownership (root:shell) and permissions (755) of that script
  6. Start the hijacked debugger daemon (which will now be an EncFS daemon).
  7. Once it's running, restore the original debuggerd binary ($ mv /system/bin/debuggerd.bak /system/bin/debuggerd)
  8. Remount /system ro ($ mount -o ro,remount /system /system)

To unmount the EncFS volume, you'll have to stop the debugger daemon ($ stop debuggerd) and then unmount the EncFS volume using the method described above.
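The symptom throughout this thread is that a mount made from one process is listed in that process's /proc/mounts but not in another app's, and that even a visible FUSE mount can refuse other uids depending on its options. The following script is an added diagnostic for exactly that, not code from cryptonite or from any of the tools mentioned here: it parses /proc/mounts-style text captured from two processes (for example the root shell that ran encfs and an unprivileged app), lists the mounts that exist in only one of the two views, checks whether a path is actually a mount point in a given view (which explains the unencrypted "foo" from earlier in the thread), and flags FUSE options that restrict access. The two dumps embedded below are constructed; the encfs and vfat lines are modelled on the /proc/mounts entries quoted above, the other device paths are placeholders.

```python
"""Compare two processes' views of /proc/mounts and explain visibility gaps."""
import re
from dataclasses import dataclass

# Constructed sample: what the root shell that performed the mounts sees.
ROOT_SHELL_VIEW = """\
/dev/block/mmcblk0p1 /system ext4 ro,relatime 0 0
/dev/fuse /storage/emulated/0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
encfs /mnt/shell/emulated/0/docs/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
/dev/block/sda1 /data/media/0/usbStorage/sda1 vfat rw,nosuid,nodev,relatime,fmask=0000,dmask=0000 0 0
"""

# Constructed sample: what another app sees from its own mount namespace.
OTHER_APP_VIEW = """\
/dev/block/mmcblk0p1 /system ext4 ro,relatime 0 0
/dev/fuse /storage/emulated/0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
"""


@dataclass
class Mount:
    device: str
    target: str
    fstype: str
    options: dict  # option name -> value, '' for bare flags such as rw


def _unescape(path):
    # /proc/mounts encodes space, tab, newline and backslash as \040 \011 \012 \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mounts(text):
    """Parse /proc/mounts lines: device target fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        device, target, fstype, opts = parts[:4]
        options = {}
        for opt in opts.split(","):
            name, _, value = opt.partition("=")
            options[name] = value
        mounts.append(Mount(_unescape(device), _unescape(target), fstype, options))
    return mounts


def namespace_diff(view_a, view_b):
    """Targets mounted only in view A, and only in view B.

    On Android 4.2 each app runs in its own mount namespace, so a mount made
    from a root shell shows up here as present in A but absent from B.
    """
    a = {m.target for m in parse_mounts(view_a)}
    b = {m.target for m in parse_mounts(view_b)}
    return sorted(a - b), sorted(b - a)


def is_mount_point(view, path):
    """True if path is a mount target in this view.  A write to a path that is
    not a mount point in the writer's namespace lands on the underlying
    directory, unencrypted."""
    return any(m.target == path.rstrip("/") for m in parse_mounts(view))


def fuse_access_findings(mount):
    """Option-level reasons a FUSE mount would refuse a different uid."""
    findings = []
    if not mount.fstype.startswith("fuse"):
        return findings
    if "allow_other" not in mount.options:
        # Without allow_other the kernel admits only the mounting uid.
        findings.append("no allow_other: only uid %s may access"
                        % mount.options.get("user_id", "?"))
    if "default_permissions" in mount.options:
        # The kernel then enforces mode bits, so root-created 0600 files are
        # unreadable to app uids unless ownership/umask were set deliberately.
        findings.append("default_permissions: file mode bits are enforced")
    return findings


def report(view_a, view_b):
    """One line per finding, combining the namespace diff and FUSE checks."""
    only_a, only_b = namespace_diff(view_a, view_b)
    lines = []
    for target in only_a:
        lines.append("%s: mounted in first view only (mount namespace mismatch)" % target)
    for target in only_b:
        lines.append("%s: mounted in second view only" % target)
    for m in parse_mounts(view_a):
        for finding in fuse_access_findings(m):
            lines.append("%s: %s" % (m.target, finding))
    return lines


if __name__ == "__main__":
    for line in report(ROOT_SHELL_VIEW, OTHER_APP_VIEW):
        print(line)
```

To use it on a device, capture `cat /proc/mounts` once from the shell that performed the mount and once from a process running as the app in question (a terminal app started normally, for instance) and feed both dumps to `report`; a target that appears in the first view only is a namespace problem, not a permissions one, and no amount of chmod on the mount point will fix it.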

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on January 03, 2013 03:29:02

Comment 24 by piecha.se:

Could anyone else please check and mount an EncFS volume (both from a terminal and GUI) in some folder under /system (like /system/decrypted)? /system doesn't have to be rw for mounting, just for creating the new mount folder the first time. Other apps should see the content and should be able to access the files.

While this works, most non-root apps won't be able to access /system. Try the new CM file manager in "safe mode" for example.

neurodroid commented 10 years ago

From piecha...@gmail.com on January 03, 2013 05:11:23

Re comment 27:

That's really an ugly workaround. Looks like Google will patch it within the next release, but hopefully they offer something to deal with privileges.

Re comment 28: I wasn't aware there's a difference in root and non-root apps. Thought that for some functions root rights are required and then any app just asks for root permission.

If I mount the EncFS folder under /system I can access it for instance with ASTRO, ezPDF and KeePass which all don't ask for root permissions.

If you mean with 'CM file manager' the Cryptonite 0.7.6 built-in file manager I could see the decrypted content mounted under /system.

neurodroid commented 10 years ago

From skon...@gmail.com on January 04, 2013 06:09:17

So I have tested 0.7.7 on 4.2.1 without success. I was able to create a new EncFS, mount it, but when I copy anything inside, it is not being encrypted. I tried Solid Explorer and Total Commander with option "Use Root functions everywhere".

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on January 04, 2013 06:17:03

Given that root permissions are required anyway at this stage and the debuggerd hack doesn't work on all devices, it seems like piecha.se's solution of mounting under /system is a bit less ugly. It would be good to test piecha.se's solution on some more devices though. See his instructions ( https://code.google.com/p/cryptonite/issues/detail?id=47#c26 ).

neurodroid commented 10 years ago

From skon...@gmail.com on January 04, 2013 08:03:15

So the /system hack is kind of working. It seems that only problem is that when I encrypt some files, they get wrong permissions and cannot be read again. They seem to get only read permission by owner which is root. If I manually change the permissions then I am able to read the files again.

I run the command from ADB. Also when running the command from terminal emulator it does not work (but no error message, it looks the same).

I guess that is not helpful much, but I suck with Linux :-D.

neurodroid commented 10 years ago

From munhozdi...@gmail.com on January 04, 2013 10:10:03

Just mounted an EncFS volume under /system/decrypted. None of my apps were able to see files. Only Terminal was capable of viewing.

If I do an ls -l command on /system/decrypted the files are there. I hope someone can fix Cryptonite or bypass this new "feature" of Android 4.2.

I'm using CM 10.1 (Android 4.2)

neurodroid commented 10 years ago

From fmstrat on January 04, 2013 18:36:51

=== System Info ===
Device: Nexus 10
OS: Stock JB 4.2.1, rooted
Cryptonite Version: 0.7.7

=== Command Ran (as root) ===

/data/data/csh.cryptonite/truecrypt --fs-options="uid=1000,gid=1000,umask=0002" /storage/emulated/0/aaa.tc /storage/emulated/0/mountpoint

=== Result ===
Error: Failed to set up a loop device: /sdcard/Android/data/csh.cryptonite/.truecrypt_aux_mnt1/volume

=== Notes ===

neurodroid commented 10 years ago

From piecha...@gmail.com on January 06, 2013 15:06:04

Checked 0.7.7 Alpha.

Could you please add the ALPHA version string to the About menu? Got confused which version I had tested until I saw all the 'ugly workaround' commands in the GUI.

neurodroid commented 10 years ago

From piecha...@gmail.com on January 06, 2013 15:14:52

Also checked mounting my EncFS folder with 0.7.7 Alpha under /system/decrypted. As long as nothing is mounted, my folder decrypted is owned by root:root with permissions 777.

After mounting from command line owner changes to root:sdcard_rw with permissions 775.

Can see and access content with different apps.

neurodroid commented 10 years ago

From munhozdi...@gmail.com on January 14, 2013 02:59:02

Hey guys, still no clue how to bring mount back to work? :( I'm a C/C++ programmer. Maybe I'll take a look and try to figure out a solution. Wish me luck, never developed an app for Android before.

neurodroid commented 10 years ago

From mediacen...@gmail.com on January 21, 2013 01:52:51

munhozdi It's a general Android 4.2 security issue. If you have any ideas, let us know. But I think you have to change the kernel or Google have to provide a solution.

neurodroid commented 10 years ago

From munhozdi...@gmail.com on January 21, 2013 03:05:08

Fear nothing mah Boys :) http://forum.xda-developers.com/showthread.php?p=36988155#post36988155 It was fixed this night. Tomorrow CM 10.1 nightly build will carry these modifications allowing any previous app to get back to work.

Users of other ROMs can patch their kernels with the info provided in this thread.

neurodroid commented 10 years ago

From markus.g...@gmail.com on January 21, 2013 06:35:19

Sounds too good to be true ;-)

neurodroid commented 10 years ago

From robert.w...@gmail.com on January 22, 2013 19:56:39

That's because it is! Well sort of.

0.7.7 Alpha will mount it and I can see the files in other apps - Yaay! But for some reason when hitting unmount the app won't acknowledge that it's been unmounted? It keeps saying that a volume is still mounted and would I like to unmount all volumes.

0.7.6 Will also mount but files are still only visible inside Cryptonite.

neurodroid commented 10 years ago

From munhozdi...@gmail.com on January 28, 2013 15:39:02

Fear nothing mah Boys :) Diego Munhóz here! and I got good news:

On CM 10.1 nightly 01/28/2013 the problem is almost fixed. Following these steps that I created you will be able to use Cryptonite and its mount features again.

Sidenote: my tests and my knowledge about this FIX are based only on cm 10.1, no guarantees that these steps will work on other ROMs.

  1. Download the mountdir.sh file attached
  2. Using a file manager with root permissions, put the downloaded file in /etc/init.d
  3. Restart your phone
  4. Wait 70 secs.
  5. Open cryptonite and configure the mount dir to /mnt/obb/cifs
  6. Choose your truecrypt/encfs container
  7. Mount it :D

That's it guys. It's not the best! But it's working!

Explanations:

CM 10.1 latest nightly tried to work around Google's recent changes on Android. In parts it works, but the only folder that I was able to use as mount dir with cryptonite was: /mnt/obb/cifs

So I wrote this shell script to create and set permissions on /mnt/obb/cifs at every boot.

The sleep 70 in the sh script: I used this because I don't know the side effects of doing a remount of system right after the system boots. So this .sh script will wait 70 secs to perform its actions.

That's it :D Good luck to everyone

Attachment: mountdir.sh

neurodroid commented 10 years ago

From piecha...@gmail.com on January 29, 2013 15:11:33

I saw your post on xda-developers ( http://forum.xda-developers.com/showpost.php?p=37309793&postcount=47 ). This workaround only works on CM 10.1 latest nightly as there's a patch included to restrict the slave mountspace to just some directories and not the root directory / at all.

I wonder if you have some other idea how to circumvent this issue on stock ROM?

neurodroid commented 10 years ago

From munhozdi...@gmail.com on January 29, 2013 15:15:14

Like I said in my post above, only cm 10.1 latest nightly. Other ROMs based on Cyanogen's work may work. Stock ROM? There's no way at this moment.

neurodroid commented 10 years ago

From piecha...@gmail.com on January 29, 2013 15:17:33

Do you have an idea how StickMount solves the issue on stock ROM?

neurodroid commented 10 years ago

From munhozdi...@gmail.com on January 29, 2013 15:36:29

Hijacking a process with permissions to mount system-wide. You can even do this manually using the encfs command line + terminal. Sometimes it works, other times it doesn't.

neurodroid commented 10 years ago

From piecha...@gmail.com on January 30, 2013 01:38:10

Already checked process hijacking. Didn't work for me.

@all: Has anybody else with stock ROM checked to mount an EncFS folder under /system?

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on February 16, 2013 15:48:24

I've just tried this after CM 10.1 was updated to Android 4.2.2 on my phone. Miraculously, I can now see mounted EncFS volumes both with the builtin file browser and with ES file explorer. Can anyone else confirm this?

neurodroid commented 10 years ago

From munhozdi...@gmail.com on February 16, 2013 16:19:20

Tried what? For me it's been working for a long time now.

neurodroid commented 10 years ago

From christoph.schmidthieber@gmail.com on February 16, 2013 16:22:54

Comment #49 by munhozdiego:

Tried what? For me it's been working for a long time now.

Stock Cryptonite from the Play store (0.7.6), no hacks.

neurodroid commented 10 years ago

From piecha...@gmail.com on February 17, 2013 15:29:50

CM contains hacks to allow mounting app-wide. But 4.2.2 on stock ROM makes things even worse as adb loopback doesn't work anymore.

neurodroid commented 10 years ago

From piecha...@gmail.com on February 25, 2013 11:23:46

Adb loopback mode works - see https://code.google.com/p/android/issues/detail?id=48126