Remove the updateRuleSet actions to stop writing the rules into AOSP component... (359075db) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java

+11 −50

Original line number	Diff line number	Diff line
		@@ -127,31 +127,8 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		@BinderThread
		public void updateRuleSet(
		String version, ParceledListSlice<Rule> rules, IntentSender statusReceiver) {
		String ruleProvider = getCallerPackageNameOrThrow(Binder.getCallingUid());
		if (DEBUG_INTEGRITY_COMPONENT) {
		Slog.i(TAG, String.format("Calling rule provider name is: %s.", ruleProvider));
		}

		mHandler.post(
		() -> {
		boolean success = true;
		try {
		mIntegrityFileManager.writeRules(version, ruleProvider, rules.getList());
		} catch (Exception e) {
		Slog.e(TAG, "Error writing rules.", e);
		success = false;
		}

		if (DEBUG_INTEGRITY_COMPONENT) {
		Slog.i(
		TAG,
		String.format(
		"Successfully pushed rule set to version '%s' from '%s'",
		version, ruleProvider));
		}

		Intent intent = new Intent();
		intent.putExtra(EXTRA_STATUS, success ? STATUS_SUCCESS : STATUS_FAILURE);
		intent.putExtra(EXTRA_STATUS, STATUS_SUCCESS);
		try {
		statusReceiver.sendIntent(
		mContext,
		@@ -162,7 +139,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		} catch (Exception e) {
		Slog.e(TAG, "Error sending status feedback.", e);
		}
		});
		}

		@Override
		@@ -209,21 +185,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		verificationId, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
		}

		/** We will use the SHA256 digest of a package name if it is more than 32 bytes long. */
		private String getPackageNameNormalized(String packageName) {
		if (packageName.length() <= 32) {
		return packageName;
		}

		try {
		MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
		byte[] hashBytes = messageDigest.digest(packageName.getBytes(StandardCharsets.UTF_8));
		return getHexDigest(hashBytes);
		} catch (NoSuchAlgorithmException e) {
		throw new RuntimeException("SHA-256 algorithm not found", e);
		}
		}

		private String getCallerPackageNameOrThrow(int callingUid) {
		String callerPackageName = getCallingRulePusherPackageName(callingUid);
		if (callerPackageName == null) {

services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java

+0 −92

Original line number	Diff line number	Diff line
		@@ -190,98 +190,6 @@ public class AppIntegrityManagerServiceImplTest {
		mTestApkSourceStamp.delete();
		}

		@Test
		public void updateRuleSet_notAuthorized() throws Exception {
		makeUsSystemApp();
		Rule rule =
		new Rule(
		new AtomicFormula.BooleanAtomicFormula(AtomicFormula.PRE_INSTALLED, true),
		Rule.DENY);
		TestUtils.assertExpectException(
		SecurityException.class,
		"Only system packages specified in config_integrityRuleProviderPackages are"
		+ " allowed to call this method.",
		() ->
		mService.updateRuleSet(
		VERSION,
		new ParceledListSlice<>(Arrays.asList(rule)),
		/* statusReceiver= */ null));
		}

		@Test
		public void updateRuleSet_notSystemApp() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp(false);
		Rule rule =
		new Rule(
		new AtomicFormula.BooleanAtomicFormula(AtomicFormula.PRE_INSTALLED, true),
		Rule.DENY);
		TestUtils.assertExpectException(
		SecurityException.class,
		"Only system packages specified in config_integrityRuleProviderPackages are"
		+ " allowed to call this method.",
		() ->
		mService.updateRuleSet(
		VERSION,
		new ParceledListSlice<>(Arrays.asList(rule)),
		/* statusReceiver= */ null));
		}

		@Test
		public void updateRuleSet_authorized() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp();
		Rule rule =
		new Rule(
		new AtomicFormula.BooleanAtomicFormula(AtomicFormula.PRE_INSTALLED, true),
		Rule.DENY);

		// no SecurityException
		mService.updateRuleSet(
		VERSION, new ParceledListSlice<>(Arrays.asList(rule)), mock(IntentSender.class));
		}

		@Test
		public void updateRuleSet_correctMethodCall() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp();
		IntentSender mockReceiver = mock(IntentSender.class);
		List<Rule> rules =
		Arrays.asList(
		new Rule(
		IntegrityFormula.Application.packageNameEquals(PACKAGE_NAME),
		Rule.DENY));

		mService.updateRuleSet(VERSION, new ParceledListSlice<>(rules), mockReceiver);
		runJobInHandler();

		verify(mIntegrityFileManager).writeRules(VERSION, TEST_FRAMEWORK_PACKAGE, rules);
		ArgumentCaptor<Intent> intentCaptor = ArgumentCaptor.forClass(Intent.class);
		verify(mockReceiver).sendIntent(any(), anyInt(), intentCaptor.capture(), any(), any());
		assertEquals(STATUS_SUCCESS, intentCaptor.getValue().getIntExtra(EXTRA_STATUS, -1));
		}

		@Test
		public void updateRuleSet_fail() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp();
		doThrow(new IOException()).when(mIntegrityFileManager).writeRules(any(), any(), any());
		IntentSender mockReceiver = mock(IntentSender.class);
		List<Rule> rules =
		Arrays.asList(
		new Rule(
		IntegrityFormula.Application.packageNameEquals(PACKAGE_NAME),
		Rule.DENY));

		mService.updateRuleSet(VERSION, new ParceledListSlice<>(rules), mockReceiver);
		runJobInHandler();

		verify(mIntegrityFileManager).writeRules(VERSION, TEST_FRAMEWORK_PACKAGE, rules);
		ArgumentCaptor<Intent> intentCaptor = ArgumentCaptor.forClass(Intent.class);
		verify(mockReceiver).sendIntent(any(), anyInt(), intentCaptor.capture(), any(), any());
		assertEquals(STATUS_FAILURE, intentCaptor.getValue().getIntExtra(EXTRA_STATUS, -1));
		}

		@Test
		public void broadcastReceiverRegistration() throws Exception {
		allowlistUsAsRuleProvider();