Loading core/java/com/android/internal/security/VerityUtils.java +10 −0 Original line number Diff line number Diff line Loading @@ -81,6 +81,15 @@ public abstract class VerityUtils { } } /** Enables fs-verity for an open file without signature. */ public static void setUpFsverity(int fd) throws IOException { int errno = enableFsverityForFdNative(fd); if (errno != 0) { throw new IOException("Failed to enable fs-verity on FD(" + fd + "): " + Os.strerror(errno)); } } /** Returns whether the file has fs-verity enabled. */ public static boolean hasFsverity(@NonNull String filePath) { int retval = statxForFsverityNative(filePath); Loading Loading @@ -211,6 +220,7 @@ public abstract class VerityUtils { } private static native int enableFsverityNative(@NonNull String filePath); private static native int enableFsverityForFdNative(int fd); private static native int measureFsverityNative(@NonNull String filePath, @NonNull byte[] digest); private static native int statxForFsverityNative(@NonNull String filePath); Loading core/jni/com_android_internal_security_VerityUtils.cpp +13 −8 Original line number Diff line number Diff line Loading @@ -38,13 +38,8 @@ namespace android { namespace { int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) { ScopedUtfChars path(env, filePath); if (path.c_str() == nullptr) { return EINVAL; } ::android::base::unique_fd rfd(open(path.c_str(), O_RDONLY | O_CLOEXEC)); if (rfd.get() < 0) { int enableFsverityForFd(JNIEnv *env, jobject clazz, jint fd) { if (fd < 0) { return errno; } Loading 
@@ -55,12 +50,21 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) { arg.salt_size = 0; arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr); if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) { if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) < 0) { return errno; } return 0; } int enableFsverity(JNIEnv *env, jobject clazz, jstring filePath) { ScopedUtfChars path(env, filePath); if (path.c_str() == nullptr) { return EINVAL; } ::android::base::unique_fd rfd(open(path.c_str(), O_RDONLY | O_CLOEXEC)); return enableFsverityForFd(env, clazz, rfd.get()); } // Returns whether the file has fs-verity enabled. // 0 if it is not present, 1 if is present, and -errno if there was an error. int statxForFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) { Loading Loading @@ -126,6 +130,7 @@ int measureFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArr } const JNINativeMethod sMethods[] = { {"enableFsverityNative", "(Ljava/lang/String;)I", (void *)enableFsverity}, {"enableFsverityForFdNative", "(I)I", (void *)enableFsverityForFd}, {"statxForFsverityNative", "(Ljava/lang/String;)I", (void *)statxForFsverity}, {"measureFsverityNative", "(Ljava/lang/String;[B)I", (void *)measureFsverity}, }; Loading services/api/current.txt +3 −2 Original line number Diff line number Diff line Loading @@ -227,8 +227,9 @@ package com.android.server.role { package com.android.server.security { public final class FileIntegrityLocal { method public static void setUpFsVerity(@NonNull String) throws java.io.IOException; public final class FileIntegrity { method public static void setUpFsVerity(@NonNull java.io.File) throws java.io.IOException; method public static void setUpFsVerity(@NonNull android.os.ParcelFileDescriptor) throws java.io.IOException; } } Loading services/core/java/com/android/server/pm/Settings.java +3 −3 Original line number Diff line number Diff line Loading 
@@ -120,7 +120,7 @@ import com.android.server.pm.resolution.ComponentResolver; import com.android.server.pm.verify.domain.DomainVerificationLegacySettings; import com.android.server.pm.verify.domain.DomainVerificationManagerInternal; import com.android.server.pm.verify.domain.DomainVerificationPersistence; import com.android.server.security.FileIntegrityLocal; import com.android.server.security.FileIntegrity; import com.android.server.utils.Slogf; import com.android.server.utils.Snappable; import com.android.server.utils.SnapshotCache; Loading Loading @@ -2714,8 +2714,8 @@ public final class Settings implements Watchable, Snappable { } try { FileIntegrityLocal.setUpFsVerity(mSettingsFilename.getAbsolutePath()); FileIntegrityLocal.setUpFsVerity(mSettingsReserveCopyFilename.getAbsolutePath()); FileIntegrity.setUpFsVerity(mSettingsFilename); FileIntegrity.setUpFsVerity(mSettingsReserveCopyFilename); } catch (IOException e) { Slog.e(TAG, "Failed to verity-protect settings", e); } Loading services/core/java/com/android/server/security/FileIntegrityLocal.java→services/core/java/com/android/server/security/FileIntegrity.java +18 −4 Original line number Diff line number Diff line Loading 
@@ -18,19 +18,32 @@ package com.android.server.security; import android.annotation.NonNull; import android.annotation.SystemApi; import android.os.ParcelFileDescriptor; import com.android.internal.security.VerityUtils; import java.io.File; import java.io.IOException; /** * In-process API for server side FileIntegrity related infrastructure. * * @hide */ @SystemApi(client = SystemApi.Client.SYSTEM_SERVER) public final class FileIntegrityLocal { private FileIntegrityLocal() {} public final class FileIntegrity { private FileIntegrity() {} /** * Enables fs-verity, if supported by the filesystem. * @see <a href="https://www.kernel.org/doc/html/latest/filesystems/fsverity.html"> * @hide */ @SystemApi(client = SystemApi.Client.SYSTEM_SERVER) public static void setUpFsVerity(@NonNull File file) throws IOException { VerityUtils.setUpFsverity(file.getAbsolutePath()); } /** * Enables fs-verity, if supported by the filesystem. Loading @@ -38,7 +51,8 @@ public final class FileIntegrityLocal { * @hide */ @SystemApi(client = SystemApi.Client.SYSTEM_SERVER) public static void setUpFsVerity(@NonNull String filePath) throws IOException { VerityUtils.setUpFsverity(filePath); public static void setUpFsVerity(@NonNull ParcelFileDescriptor parcelFileDescriptor) throws IOException { VerityUtils.setUpFsverity(parcelFileDescriptor.getFd()); } } Loading
core/java/com/android/internal/security/VerityUtils.java +10 −0 Original line number Diff line number Diff line Loading @@ -81,6 +81,15 @@ public abstract class VerityUtils { } } /** Enables fs-verity for an open file without signature. */ public static void setUpFsverity(int fd) throws IOException { int errno = enableFsverityForFdNative(fd); if (errno != 0) { throw new IOException("Failed to enable fs-verity on FD(" + fd + "): " + Os.strerror(errno)); } } /** Returns whether the file has fs-verity enabled. */ public static boolean hasFsverity(@NonNull String filePath) { int retval = statxForFsverityNative(filePath); Loading Loading @@ -211,6 +220,7 @@ public abstract class VerityUtils { } private static native int enableFsverityNative(@NonNull String filePath); private static native int enableFsverityForFdNative(int fd); private static native int measureFsverityNative(@NonNull String filePath, @NonNull byte[] digest); private static native int statxForFsverityNative(@NonNull String filePath); Loading
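Review bot: The Javadoc on the new `setUpFsverity(int fd)` does not say what the caller must guarantee about the descriptor, and a raw `int` parameter gives no hint. Nothing in the visible body closes the fd, so the comment should state that ownership stays with the caller, for example `/** Enables fs-verity, without a signature, on the file behind {@code fd}; the caller keeps ownership of {@code fd} and must close it. */`. An `@throws IOException` line saying that any non-zero errno from the native call is rethrown would match the visible code. The kernel documentation for FS_IOC_ENABLE_VERITY also requires a read-only descriptor with no open writers on the file, which is worth recording here since callers now supply the descriptor themselves.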
core/jni/com_android_internal_security_VerityUtils.cpp +13 −8 Original line number Diff line number Diff line Loading @@ -38,13 +38,8 @@ namespace android { namespace { int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) { ScopedUtfChars path(env, filePath); if (path.c_str() == nullptr) { return EINVAL; } ::android::base::unique_fd rfd(open(path.c_str(), O_RDONLY | O_CLOEXEC)); if (rfd.get() < 0) { int enableFsverityForFd(JNIEnv *env, jobject clazz, jint fd) { if (fd < 0) { return errno; } Loading @@ -55,12 +50,21 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) { arg.salt_size = 0; arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr); if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) { if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) < 0) { return errno; } return 0; } int enableFsverity(JNIEnv *env, jobject clazz, jstring filePath) { ScopedUtfChars path(env, filePath); if (path.c_str() == nullptr) { return EINVAL; } ::android::base::unique_fd rfd(open(path.c_str(), O_RDONLY | O_CLOEXEC)); return enableFsverityForFd(env, clazz, rfd.get()); } // Returns whether the file has fs-verity enabled. // 0 if it is not present, 1 if is present, and -errno if there was an error. int statxForFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) { Loading Loading @@ -126,6 +130,7 @@ int measureFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArr } const JNINativeMethod sMethods[] = { {"enableFsverityNative", "(Ljava/lang/String;)I", (void *)enableFsverity}, {"enableFsverityForFdNative", "(I)I", (void *)enableFsverityForFd}, {"statxForFsverityNative", "(Ljava/lang/String;)I", (void *)statxForFsverity}, {"measureFsverityNative", "(Ljava/lang/String;[B)I", (void *)measureFsverity}, }; Loading
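Review bot: In `enableFsverityForFd` the guard `if (fd < 0) { return errno; }` returns whatever errno currently holds, which is only meaningful when the caller is `enableFsverity` and `open()` has just failed. When the descriptor comes from Java through `enableFsverityForFdNative`, nothing has set errno, so a negative fd yields a stale value or 0, and on 0 `VerityUtils.setUpFsverity(int)` reports success although fs-verity was never enabled. Return a fixed code in the fd path, `if (fd < 0) return EBADF;`, and keep the open failure in the path variant with `if (rfd.get() < 0) return errno;` before delegating. The middle of `enableFsverityForFd` is collapsed on this page, so this assumes nothing there re-checks the descriptor.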
services/api/current.txt +3 −2 Original line number Diff line number Diff line Loading @@ -227,8 +227,9 @@ package com.android.server.role { package com.android.server.security { public final class FileIntegrityLocal { method public static void setUpFsVerity(@NonNull String) throws java.io.IOException; public final class FileIntegrity { method public static void setUpFsVerity(@NonNull java.io.File) throws java.io.IOException; method public static void setUpFsVerity(@NonNull android.os.ParcelFileDescriptor) throws java.io.IOException; } } Loading
services/core/java/com/android/server/pm/Settings.java +3 −3 Original line number Diff line number Diff line Loading @@ -120,7 +120,7 @@ import com.android.server.pm.resolution.ComponentResolver; import com.android.server.pm.verify.domain.DomainVerificationLegacySettings; import com.android.server.pm.verify.domain.DomainVerificationManagerInternal; import com.android.server.pm.verify.domain.DomainVerificationPersistence; import com.android.server.security.FileIntegrityLocal; import com.android.server.security.FileIntegrity; import com.android.server.utils.Slogf; import com.android.server.utils.Snappable; import com.android.server.utils.SnapshotCache; Loading Loading @@ -2714,8 +2714,8 @@ public final class Settings implements Watchable, Snappable { } try { FileIntegrityLocal.setUpFsVerity(mSettingsFilename.getAbsolutePath()); FileIntegrityLocal.setUpFsVerity(mSettingsReserveCopyFilename.getAbsolutePath()); FileIntegrity.setUpFsVerity(mSettingsFilename); FileIntegrity.setUpFsVerity(mSettingsReserveCopyFilename); } catch (IOException e) { Slog.e(TAG, "Failed to verity-protect settings", e); } Loading
services/core/java/com/android/server/security/FileIntegrityLocal.java→services/core/java/com/android/server/security/FileIntegrity.java +18 −4 Original line number Diff line number Diff line Loading @@ -18,19 +18,32 @@ package com.android.server.security; import android.annotation.NonNull; import android.annotation.SystemApi; import android.os.ParcelFileDescriptor; import com.android.internal.security.VerityUtils; import java.io.File; import java.io.IOException; /** * In-process API for server side FileIntegrity related infrastructure. * * @hide */ @SystemApi(client = SystemApi.Client.SYSTEM_SERVER) public final class FileIntegrityLocal { private FileIntegrityLocal() {} public final class FileIntegrity { private FileIntegrity() {} /** * Enables fs-verity, if supported by the filesystem. * @see <a href="https://www.kernel.org/doc/html/latest/filesystems/fsverity.html"> * @hide */ @SystemApi(client = SystemApi.Client.SYSTEM_SERVER) public static void setUpFsVerity(@NonNull File file) throws IOException { VerityUtils.setUpFsverity(file.getAbsolutePath()); } /** * Enables fs-verity, if supported by the filesystem. Loading @@ -38,7 +51,8 @@ public final class FileIntegrityLocal { * @hide */ @SystemApi(client = SystemApi.Client.SYSTEM_SERVER) public static void setUpFsVerity(@NonNull String filePath) throws IOException { VerityUtils.setUpFsverity(filePath); public static void setUpFsVerity(@NonNull ParcelFileDescriptor parcelFileDescriptor) throws IOException { VerityUtils.setUpFsverity(parcelFileDescriptor.getFd()); } }
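Review bot: The `@see` tag in the new `setUpFsVerity(File)` Javadoc opens an anchor that is never closed and has no link text; it should read `@see <a href="https://www.kernel.org/doc/html/latest/filesystems/fsverity.html">fs-verity</a>`. The summary "Enables fs-verity, if supported by the filesystem" also reads as if an unsupported filesystem were a silent no-op, whereas the fd path in `VerityUtils.setUpFsverity(int)` throws IOException for any non-zero errno. If that holds for both overloads, an `@throws IOException` line should say so, so callers do not assume the file is protected after a swallowed failure. For the `ParcelFileDescriptor` overload it would help to state that the descriptor is only borrowed through `getFd()` and stays open for the caller to close.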