Thanks for reporting this. This will be difficult for me to fix until I get my
hands on a 4.2 device. Do you get the same problem with EncFS mounts?
Original comment by christoph.schmidthieber@gmail.com
on 28 Nov 2012 at 8:42
Difficulty understood. Thanks for considering it.
I don't have any experience with EncFS, so I may not have the steps right.
I tried using cryptonite's local tab to "Create local volume". This seemed to
succeed. Then I mounted it using "Mount EncFS" and selected "View mounted" and
used the built-in file browser. It showed an empty directory. I switched to
ES File Explorer and navigated to that same location shown in the browser
(/storage/emulated/0/csh.cryptonite/mnt) and tried to create a file foo. The
file was created. I unmounted in cryptonite and then in ES File Explorer the
file was still there, with the same contents (I expected it to be encrypted).
I also tried the original directory location for the EncFS I created (it wasn't
/storage/..., but was /sdcard/Data/encFS). Behavior was the same.
I'm not sure I am doing this correctly. If you have other steps, I'd be glad to
try them out.
Original comment by anilkpa...@gmail.com
on 28 Nov 2012 at 9:58
Thanks for testing this. Sounds like the same issue is present in EncFS. You're
essentially creating "foo" on top of a mount point that ES File Explorer is not
aware of. That's why "foo" is not encrypted. I bet the same thing happens when
you create "foo" in a TrueCrypt mount point.
Original comment by christoph.schmidthieber@gmail.com
on 28 Nov 2012 at 10:03
Changed the title to include EncFS.
Original comment by christoph.schmidthieber@gmail.com
on 28 Nov 2012 at 10:04
Checked this with an encfs encrypted folder on a Galaxy Nexus with 4.2.1.
If I mount an encrypted folder as user root in a terminal I can access (in the
same terminal session) the decrypted folder even as normal user without root
rights.
I can see this folder with some apps (like OI File Explorer) but not others
(like ASTRA File Explorer). But all other apps can't access the folder (i.e.
read the files).
The spooky thing: if I mount this folder with the Cryptonite GUI I even can't
see the decrypted folder if I don't use the built-in file browser (check mark
in settings not set). If I set the check mark and use the internal file browser
I see the decrypted folder content.
Original comment by piecha...@gmail.com
on 2 Dec 2012 at 7:37
Affected, too. Awaiting solution.
Original comment by triggon...@googlemail.com
on 14 Dec 2012 at 1:57
Still waiting for Android 4.2 for either LG O2X or Asus TF700T. Shouldn't take
too long now.
Does anyone know whether LUKS Manager has been fixed on 4.2 in the meantime?
Original comment by christoph.schmidthieber@gmail.com
on 15 Dec 2012 at 12:05
No - not sure about LUKS but Chainfire fixed Stickmount. Version 2.10 works now
on 4.2.1 again. Mounts are visible and accessible from different apps.
Original comment by piecha...@gmail.com
on 16 Dec 2012 at 2:55
@piecha.se: Is "Stickmount" open source? Any ideas how they did that? Anyone I
could contact?
Original comment by christoph.schmidthieber@gmail.com
on 16 Dec 2012 at 3:36
Sent an email to market1@chainfire.eu. In the meantime: What are the ownerships
and permissions on volumes that have been mounted with Stickmount on 4.2?
Original comment by christoph.schmidthieber@gmail.com
on 16 Dec 2012 at 3:50
Well, tried to contact Chainfire but got no feedback so far.
Here's the thread about Stickmount:
http://forum.xda-developers.com/showthread.php?t=1400034&page=51. The
interesting Android 4.2.1 related issues are around page 51 ff.
Asked today again how to fix the issue with invisible mounts in Android 4.2+.
Original comment by piecha...@gmail.com
on 16 Dec 2012 at 3:52
@comment 10:
a FAT formatted USB stick gets mounted in folder sda1 under /sdcard/usbStorage
and has permissions 775.
Original comment by piecha...@gmail.com
on 16 Dec 2012 at 3:56
@piecha.se:
Who's the owner? Try for example
ls -la /sdcard/usbStorage
Also, what does the relevant line in /proc/mounts look like? Try
cat /proc/mounts
Thanks!
Original comment by christoph.schmidthieber@gmail.com
on 16 Dec 2012 at 4:03
Forgot to look for the owner...
Owner and group are root:sdcard_rw
Relevant entry from /proc/mounts
/dev/block/sda1 /data/media/0/usbStorage/sda1 vfat rw,nosuid,nodev,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
Original comment by piecha...@gmail.com
on 16 Dec 2012 at 4:09
Thanks. What's the ownership of the mounted TrueCrypt volumes that are causing
problems (from the root shell that you used to call truecrypt)?
Original comment by christoph.schmidthieber@gmail.com
on 16 Dec 2012 at 4:26
I don't use Truecrypt volumes but EncFS encrypted files.
Original comment by piecha...@gmail.com
on 16 Dec 2012 at 7:50
It seems SELinux is causing the troubles in Android 4.2.
It's being discussed in the thread I recommended before on page 62
(http://forum.xda-developers.com/showthread.php?t=1400034&page=62).
Original comment by piecha...@gmail.com
on 16 Dec 2012 at 7:54
Comment 16 by piecha.se:
> > What's the ownership of the mounted TrueCrypt volumes?
> I don't use Truecrypt volumes but EncFS encrypted files.
What's the ownership of the mounted EncFS volume then?
Original comment by christoph.schmidthieber@gmail.com
on 17 Dec 2012 at 12:18
Owner of mounted EncFS volume: root:sdcard_rw
encfs options: --public -o allow_other,nonempty --stdinpass
/proc/mounts:
encfs /mnt/shell/emulated/0/docs/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
If I mount the EncFS volume from a terminal under /sdcard/whatever other apps
don't see any content in the mounted folder.
If I mount the same EncFS volume again from a terminal under /system/decrypted
(/system doesn't have to be rw for mounting, just for creating the folder
decrypted the first time) other apps do see the content and can access the
files. If I try to mount under /system/decrypted from other apps like Tasker or
Gscript again other apps don't see the content.
Original comment by piecha...@gmail.com
on 17 Dec 2012 at 2:11
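The diagnosis in this thread (files created through a file manager stay unencrypted because that app does not see the EncFS mount) can be checked from a shell before anything is written. The following is an added example, not part of the original thread or of Cryptonite's code: covering_fs and is_encfs_backed are hypothetical helper names, and the two mount tables are constructed samples modelled on the /proc/mounts entry quoted above.

```shell
#!/bin/sh
# covering_fs MOUNTS_FILE PATH
# Print "<fstype> <mountpoint>" for the mount that backs PATH according to a
# mount table in /proc/mounts format. The longest matching mount point wins;
# on a tie the later entry wins, because later mounts stack on top.
covering_fs() {
    awk -v p="$2" '
        {
            mp = $2
            # Match on path-component boundaries only: /a/b covers /a/b and
            # /a/b/c, but not /a/bc.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); fs = $3; at = mp }
            }
        }
        END { if (at != "") print fs, at; else exit 1 }
    ' "$1"
}

# is_encfs_backed MOUNTS_FILE PATH
# Succeeds only if PATH sits on a fuse.encfs mount in that mount table.
is_encfs_backed() {
    case "$(covering_fs "$1" "$2")" in
        "fuse.encfs "*) return 0 ;;
    esac
    return 1
}

# Constructed sample data: the mount table as seen by the root shell that ran
# encfs, and as seen by an app whose view lacks the EncFS entry.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/root_shell.mounts" <<'EOF'
rootfs / rootfs ro,relatime 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
encfs /mnt/shell/emulated/0/docs/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
EOF
cat > "$SAMPLES/app.mounts" <<'EOF'
rootfs / rootfs ro,relatime 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
EOF

TARGET=/mnt/shell/emulated/0/docs/decrypted/foo
for view in root_shell app; do
    if is_encfs_backed "$SAMPLES/$view.mounts" "$TARGET"; then
        echo "$view: $TARGET is on EncFS"
    else
        echo "$view: $TARGET is NOT on EncFS, a write here is stored in plaintext"
    fi
done
```

On a device, pass /proc/self/mounts, or /proc/<pid>/mounts of the app in question from a root shell, and give the path as it appears in that table rather than through an alias such as /sdcard.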
I've added a workaround (e74d1c8b5c19) to mount EncFS volumes so that they are
visible to all apps with root permissions. You will still need a file browser
with root permissions to see the files. The builtin file browser ("View
mounted") won't work!
It's available in the latest alpha (0.7.7):
https://code.google.com/p/cryptonite/downloads/list
Please test.
Original comment by christoph.schmidthieber@gmail.com
on 1 Jan 2013 at 7:45
[deleted comment]
Tested! By using the V0.7.7-APK from your linked website, I can confirm that on
my rooted Asus/Google Nexus 7 (Android 4.2) the decrypted content now also gets
visible to my file explorer "Astro". (Which is great!) However, other
applications such as Quickpic or the built-in image explorer see the mount
point still empty. Keep up the good work, thanks a lot!
Original comment by triggon...@googlemail.com
on 1 Jan 2013 at 9:40
Thanks for your time trying to fix. But it has not worked for me so far. I'm using
CM 10.1 on Galaxy S3 international version (I9300). My encrypted data was in my
external SD card. I tried to mount and I could read lots of operations being
executed like mv, cp, chmod and others. But at the end it says: Failed to
mount. I tried a clean install of cryptonite deleting cache and configs. Problem
persists. Can you help me?
Original comment by munhozdi...@gmail.com
on 2 Jan 2013 at 11:59
I'll try the Alpha version as well.
What's the issue? What is the workaround? Could you please shed some light on
that?
Could anyone else please check and mount an EncFS volume (both from a terminal
and GUI) in some folder under /system (like /system/decrypted)? /system doesn't
have to be rw for mounting, just for creating the new mount folder the first
time. Other apps should see the content and should be able to access the files.
Original comment by piecha...@gmail.com
on 2 Jan 2013 at 9:17
[deleted comment]
To mount an EncFS directory from a terminal you can use the following command:
echo <password> | /data/data/csh.cryptonite/encfs -v --public -o
allow_other,nonempty --stdinpass <EncFS directory> <mount point>
Please use as mount point some directory in /system, like /system/decrypted.
Original comment by piecha...@gmail.com
on 3 Jan 2013 at 8:36
Comment 24 by piecha.se:
> What's the issue?
In Android 4.2, a process needs to have privileges to perform a system-wide
mount that is visible to all other apps. Apparently, these privileges are
hard-coded.
> What is the workaround?
The ugly workaround is to temporarily "hijack" a process with appropriate
privileges (/system/bin/debuggerd) to perform the mount. I suspect that's what
stickmount is doing as well. You can reproduce these steps from the command
line. The code is here:
https://code.google.com/p/cryptonite/source/browse/cryptonite/src/csh/cryptonite/ShellUtils.java?#133
In detail:
1. Stop the debugger daemon ($ stop debuggerd)
2. Remount /system rw ($ mount -o rw,remount /system /system)
3. Copy the binary to a safe place ($ cp /system/bin/debuggerd
/system/bin/debuggerd.bak)
4. Write a shell script to perform the mount and save it as
/system/bin/debuggerd.
Rather than spawning a daemon, EncFS needs to run in the foreground (-f) with that method.
5. Change the ownership (root:shell) and permissions (755) of that script
6. Start the hijacked debugger daemon (which will now be an EncFS daemon).
7. Once it's running, restore the original debuggerd binary ($ mv
/system/bin/debuggerd.bak /system/bin/debuggerd)
8. Remount /system ro ($ mount -o ro,remount /system /system)
To unmount the EncFS volume, you'll have to stop the debugger daemon ($ stop
debuggerd) and then unmount the EncFS volume using the method described above.
Original comment by christoph.schmidthieber@gmail.com
on 3 Jan 2013 at 11:04
Comment 24 by piecha.se:
> Could anyone else please check and mount an EncFS volume (both from a
> terminal and GUI) in some folder under /system (like /system/decrypted)?
> /system doesn't have to be rw for mounting, just for creating the new mount
> folder the first time. Other apps should see the content and should be able to
> access the files.
While this works, most non-root apps won't be able to access /system. Try the
new CM file manager in "safe mode" for example.
Original comment by christoph.schmidthieber@gmail.com
on 3 Jan 2013 at 11:29
Re comment 27:
That's really an ugly workaround. Looks like Google will patch it within the
next release, but hopefully they offer something to deal with privileges.
Re comment 28:
I wasn't aware there's a difference in root and non-root apps. Thought that for
some functions root rights are required and then any app just asks for root
permission.
If I mount the EncFS folder under /system I can access it for instance with
ASTRO, ezPDF and KeePass which all don't ask for root permissions.
If you mean with 'CM file manager' the Cryptonite 0.7.6 built-in file manager I
could see the decrypted content mounted under /system.
Original comment by piecha...@gmail.com
on 3 Jan 2013 at 1:11
So I have tested 0.7.7 on 4.2.1 without success. I was able to create a new
EncFS, mount it, but when I copy anything inside, it is not being encrypted. I
tried Solid Explorer and Total Commander with option "Use Root functions
everywhere".
Original comment by skon...@gmail.com
on 4 Jan 2013 at 2:09
Given that root permissions are required anyway at this stage and the debuggerd
hack doesn't work on all devices, it seems like piecha.se's solution of
mounting under /system is a bit less ugly. It would be good to test piecha.se's
solution on some more devices though. See his instructions
(https://code.google.com/p/cryptonite/issues/detail?id=47#c26).
Original comment by christoph.schmidthieber@gmail.com
on 4 Jan 2013 at 2:17
So the /system hack is kind of working. It seems that the only problem is that when
I encrypt some files, they get wrong permissions and cannot be read again. They
seem to get only read permission by owner which is root. If I manually change
the permissions then I am able to read the files again.
I run the command from ADB. Also when running the command from terminal
emulator it does not work (but no error message, it looks the same).
I guess that is not helpful much, but I suck with Linux :-D.
Original comment by skon...@gmail.com
on 4 Jan 2013 at 4:03
Just mounted EncFS volume under /system/decrypted. None of my apps was able to
see files. Only Terminal was capable of viewing.
If I do a ls -l command on /system/decrypted, files are there.
I hope someone can fix Cryptonite or bypass this new "feature" of Android 4.2.
I'm using CM 10.1 (Android 4.2)
Original comment by munhozdi...@gmail.com
on 4 Jan 2013 at 6:10
=== System Info ===
Device: Nexus 10
OS: Stock JB 4.2.1, rooted
Cryptonite Version: 0.7.7
=== Command Ran (as root) ===
# /data/data/csh.cryptonite/truecrypt
--fs-options="uid=1000,gid=1000,umask=0002" /storage/emulated/0/aaa.tc
/storage/emulated/0/mountpoint
=== Result ===
Error: Failed to set up a loop device:
/sdcard/Android/data/csh.cryptonite/.truecrypt_aux_mnt1/volume
=== Notes ===
- I had to create the /sdcard/Android/data/csh.cryptonite folder as /sdcard
does not exist on a Nexus 10.
- The loop device seems to work fine, as creating a file with a fat filesystem
mounts via mount -o loop just fine.
Original comment by fmstrat
on 5 Jan 2013 at 2:36
Checked 0.7.7 Alpha.
- Cryptonite GUI: Saw how debuggerd got replaced by encfs and the remounting of
/system. Finally got a mount error although my EncFS folder got mounted under
/sdcard/csh.cryptonite/mnt. Could see the decrypted files with ASTRO file
manager but not OI File Manager. Wasn't able to access files (like opening a
pdf file with ezPDF).
- Tried also to mount EncFS folder from command line. Folder got mounted under
my folder in /sdcard but content wasn't visible from either ASTRO or OI.
Could you please add the ALPHA version string to the About menu? Got confused
which version I had tested until I saw all the 'ugly workaround' commands in
the GUI.
Original comment by piecha...@gmail.com
on 6 Jan 2013 at 11:06
Also checked to mount my EncFS folder with 0.7.7 Alpha under /system/decrypted.
As long as nothing is mounted my folder decrypted is owned by root:root with
permissions 777.
After mounting from command line owner changes to root:sdcard_rw with
permissions 775.
Can see and access content with different apps.
Original comment by piecha...@gmail.com
on 6 Jan 2013 at 11:14
Hey guys, still no clue how to bring mount back to work? :( I'm a C/C++
programmer. Maybe I'll take a look and try to figure out a solution. Wish me
luck, never developed an app for Android before.
Original comment by munhozdi...@gmail.com
on 14 Jan 2013 at 10:59
munhozdi
It's a general Android 4.2 security issue. If you have any ideas, let us know.
But I think you have to change the kernel or Google have to provide a solution.
Original comment by mediacen...@gmail.com
on 21 Jan 2013 at 9:52
Fear nothing mah Boys :)
http://forum.xda-developers.com/showthread.php?p=36988155#post36988155
It was fixed this night. Tomorrow CM 10.1 nightly build will carry these
modifications allowing any previous app to get back to work.
Other ROMS users, can patch their kernels with Info provided on this thread.
Original comment by munhozdi...@gmail.com
on 21 Jan 2013 at 11:05
Sounds too good to be true ;-)
Original comment by markus.g...@gmail.com
on 21 Jan 2013 at 2:35
That's because it is! Well sort of.
0.7.7 Alpha will mount it and I can see the files in other apps - Yaay! but for
some reason when hitting unmount the app won't acknowledge that it's been
unmounted? It keeps saying that a volume is still mounted and would I like to
unmount all volumes.
0.7.6 Will also mount but files are still only visible inside Cryptonite.
Original comment by robert.w...@gmail.com
on 23 Jan 2013 at 3:56
Fear nothing mah Boys :) Diego Munhóz here! and I got good news:
On CM 10.1 nightly *01/28/2013* the problem is almost fixed. Following these
steps that I created you will be able to use Cryptonite and its mount features
again.
Sidenote: My tests and my knowledge about this FIX is tested only on cm 10.1,
no guarantees that these steps will work on other roms.
1 - Download mountdir.sh file attached
2 - Using a file manager with root permissions, put downloaded file on
/etc/init.d
3 - Restart your phone
4 - wait 70 secs.
5 - Open cryptonite and configure mount dir to /mnt/obb/cifs
6 - Choose your truecrypt/encfs container
7 - Mount it :D
That's it guys. It's not the best! But It's working!
Explanations:
CM 10.1 latest nightly tried to workaround google recent changes on android.
In parts it works, but the only folder that I was able to mount dir using
cryptonite was: /mnt/obb/cifs
So I wrote this shell script to create and set permissions on /mnt/obb/cifs at
every boot.
The sleep 70 on sh script: I used this option because I don't know the side
effects of doing a remount in system right after system boots. So this .sh
script will wait 70 secs to perform its actions.
That's It :D Good luck to everyone
Original comment by munhozdi...@gmail.com
on 28 Jan 2013 at 11:39
Attachments:
I saw your post on xda-developers
(http://forum.xda-developers.com/showpost.php?p=37309793&postcount=47). This
workaround only works on CM 10.1 latest nightly as there's a patch included to
restrict the slave mountspace to just some directories and not the root
directory / at all.
I wonder if you have some other idea how to circumvent this issue on stock ROM?
Original comment by piecha...@gmail.com
on 29 Jan 2013 at 11:11
Like I said on my post above, only CM 10.1 latest nightly. Other ROMs based on
Cyanogen work may work. Stock ROM? There's no way at this moment.
Original comment by munhozdi...@gmail.com
on 29 Jan 2013 at 11:15
Do you have an idea how StickMount solves the issue on stock ROM?
Original comment by piecha...@gmail.com
on 29 Jan 2013 at 11:17
Hijacking a process with permissions to mount system wide. You can even do this
manually using encfs command line + terminal. Sometimes it works, other times it doesn't.
Original comment by munhozdi...@gmail.com
on 29 Jan 2013 at 11:36
Already checked process hijacking. Didn't work for me.
@all: Has anybody else with stock ROM checked to mount an EncFS folder under
/system?
Original comment by piecha...@gmail.com
on 30 Jan 2013 at 9:38
I've just tried this after CM 10.1 was updated to Android 4.2.2 on my phone.
Miraculously, I can now see mounted EncFS volumes both with the builtin file
browser and with ES file explorer. Can anyone else confirm this?
Original comment by christoph.schmidthieber@gmail.com
on 16 Feb 2013 at 11:48
Tried what ? for me it's working for a long time now.
Original comment by munhozdi...@gmail.com
on 17 Feb 2013 at 12:19
Comment #49 by munhozdiego:
> Tried what ? for me it's working for a long time now.
Stock Cryptonite from the Play store (0.7.6), no hacks.
Original comment by christoph.schmidthieber@gmail.com
on 17 Feb 2013 at 12:22
Original issue reported on code.google.com by
anilkpa...@gmail.com
on 28 Nov 2012 at 8:32