
Commit 0f7191c2 authored by Omer Nebil Yaveroglu's avatar Omer Nebil Yaveroglu

As per Todd's advice, this CL does the following on AppIntegrityComponentImpl:

1 - Remove the use of stream() -- still couldn't do this for File.listDir result.
2 - Hide the logs behind a DEBUG_INTEGRITY_COMPONENT static boolean.

Bug: 154698352
Test: atest AppIntegrityManagerServiceImplTest
Change-Id: I23b56ea2a50bb27814721d8e512be137673aaaec
parent 6d295aa1
+59 −33
@@ -117,6 +117,8 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
    private static final String ALLOWED_INSTALLER_DELIMITER = ",";
    private static final String INSTALLER_PACKAGE_CERT_DELIMITER = "\\|";

    public static final boolean DEBUG_INTEGRITY_COMPONENT = false;

    private static final Set<String> PACKAGE_INSTALLER =
            new HashSet<>(
                    Arrays.asList(
@@ -262,14 +264,18 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
        int verificationId = intent.getIntExtra(EXTRA_VERIFICATION_ID, -1);

        try {
            Slog.i(TAG, "Received integrity verification intent " + intent.toString());
            Slog.i(TAG, "Extras " + intent.getExtras());
            if (DEBUG_INTEGRITY_COMPONENT) {
                Slog.d(TAG, "Received integrity verification intent " + intent.toString());
                Slog.d(TAG, "Extras " + intent.getExtras());
            }

            String installerPackageName = getInstallerPackageName(intent);

            // Skip integrity verification if the verifier is doing the install.
            if (!integrityCheckIncludesRuleProvider() && isRuleProvider(installerPackageName)) {
                if (DEBUG_INTEGRITY_COMPONENT) {
                    Slog.i(TAG, "Verifier doing the install. Skipping integrity check.");
                }
                mPackageManagerInternal.setIntegrityVerificationResult(
                        verificationId, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
                return;
@@ -303,19 +309,23 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {

            AppInstallMetadata appInstallMetadata = builder.build();

            if (DEBUG_INTEGRITY_COMPONENT) {
                Slog.i(
                        TAG,
                        "To be verified: "
                                + appInstallMetadata
                                + " installers "
                                + getAllowedInstallers(packageInfo));
            }
            IntegrityCheckResult result = mEvaluationEngine.evaluate(appInstallMetadata);
            if (DEBUG_INTEGRITY_COMPONENT) {
                Slog.i(
                        TAG,
                        "Integrity check result: "
                                + result.getEffect()
                                + " due to "
                                + result.getMatchedRules());
            }

            FrameworkStatsLog.write(
                    FrameworkStatsLog.INTEGRITY_CHECK_RESULT_REPORTED,
@@ -424,7 +434,7 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
                            .getPackageInfo(installer, PackageManager.GET_SIGNING_CERTIFICATES);
            return getCertificateFingerprint(installerInfo);
        } catch (PackageManager.NameNotFoundException e) {
            Slog.i(TAG, "Installer package " + installer + " not found.");
            Slog.w(TAG, "Installer package " + installer + " not found.");
            return Collections.emptyList();
        }
    }
@@ -653,28 +663,39 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
    private String getCallingRulePusherPackageName(int callingUid) {
        // Obtain the system apps that are whitelisted in config_integrityRuleProviderPackages.
        List<String> allowedRuleProviders = getAllowedRuleProviderSystemApps();
        if (DEBUG_INTEGRITY_COMPONENT) {
            Slog.i(TAG, String.format(
                    "Rule provider system app list contains: %s", allowedRuleProviders));
        }

        // Identify the package names in the caller list.
        List<String> callingPackageNames = getPackageListForUid(callingUid);
        if (DEBUG_INTEGRITY_COMPONENT) {
            Slog.i(TAG, String.format("Calling packages are: ", callingPackageNames));
        }

        // Find the intersection between the allowed and calling packages. Ideally, we will have
        // at most one package name here. But if we have more, it is fine.
        List<String> allowedCallingPackages =
                callingPackageNames
                        .stream()
                        .filter(packageName -> allowedRuleProviders.contains(packageName))
                        .collect(Collectors.toList());
        Slog.i(TAG, String.format("Calling rule pusher packages are: ", allowedCallingPackages));

        List<String> allowedCallingPackages = new ArrayList<>();
        for (String packageName : callingPackageNames) {
            if (allowedRuleProviders.contains(packageName)) {
                allowedCallingPackages.add(packageName);
            }
        }
        if (DEBUG_INTEGRITY_COMPONENT) {
            Slog.i(TAG,
                    String.format("Calling rule pusher packages are: ", allowedCallingPackages));
        }
        return allowedCallingPackages.isEmpty() ? null : allowedCallingPackages.get(0);
    }

    private boolean isRuleProvider(String installerPackageName) {
        return getAllowedRuleProviderSystemApps().stream()
                .anyMatch(ruleProvider -> ruleProvider.equals(installerPackageName));
        for (String ruleProvider : getAllowedRuleProviderSystemApps()) {
            if (ruleProvider.matches(installerPackageName)) {
                return true;
            }
        }
        return false;
    }

    private List<String> getAllowedRuleProviderSystemApps() {
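Review bot: In `isRuleProvider`, the loop that replaces the stream compares with `ruleProvider.matches(installerPackageName)` where the stream version used `equals`; `String.matches` treats its argument as a regular expression, so the installer name obtained from the intent is interpreted as a pattern instead of being compared literally. A true result here makes the earlier hunk skip the integrity check and report `INTEGRITY_VERIFICATION_ALLOW`, so the comparison should stay exact: `if (ruleProvider.equals(installerPackageName)) {`. `equals` also returns false for a null installer name, where `matches` would throw; whether null can reach this method is not visible in the hunk. Separately, the guarded `String.format("Calling packages are: ", callingPackageNames)` and `String.format("Calling rule pusher packages are: ", allowedCallingPackages)` calls have no `%s`, so the lists are never written to the log even with `DEBUG_INTEGRITY_COMPONENT` enabled.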
@@ -682,13 +703,18 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
                Arrays.asList(
                        mContext.getResources()
                                .getStringArray(R.array.config_integrityRuleProviderPackages));

        if (DEBUG_INTEGRITY_COMPONENT) {
            Slog.i(TAG, String.format("Rule provider list contains: %s", integrityRuleProviders));
        }

        // Filter out the rule provider packages that are not system apps.
        return integrityRuleProviders.stream()
                .filter(this::isSystemApp)
                .collect(Collectors.toList());
        List<String> systemAppRuleProviders = new ArrayList<>();
        for (String ruleProvider: integrityRuleProviders) {
            if (isSystemApp(ruleProvider)) {
                systemAppRuleProviders.add(ruleProvider);
            }
        }
        return systemAppRuleProviders;
    }

    private boolean isSystemApp(String packageName) {