Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c7f733be authored by Victor Hsieh's avatar Victor Hsieh
Browse files

Migrate setupFsVerity check to EnforcePermission 

Bug: 285185747
Test: atest android.security.cts.FileIntegrityManagerTest
Change-Id: I294424c90576f6aee27a407ef5e525adfd226f27
parent df7351f6

core/java/android/security/IFileIntegrityService.aidl

+2 −0
Original line number Diff line number Diff line
@@ -28,6 +28,8 @@ interface IFileIntegrityService { 
    boolean isAppSourceCertificateTrusted(in byte[] certificateBytes, in String packageName);



    IInstalld.IFsveritySetupAuthToken createAuthToken(in ParcelFileDescriptor authFd);



    @EnforcePermission("SETUP_FSVERITY")

    int setupFsverity(IInstalld.IFsveritySetupAuthToken authToken, in String filePath,

            in String packageName);

}

services/core/java/com/android/server/security/FileIntegrityService.java

+12 −6
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package com.android.server.security;



import android.annotation.EnforcePermission;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.app.AppOpsManager;
@@ -27,6 +28,7 @@ import android.os.Build; 
import android.os.Environment;

import android.os.IBinder;

import android.os.ParcelFileDescriptor;

import android.os.PermissionEnforcer;

import android.os.RemoteException;

import android.os.ResultReceiver;

import android.os.ShellCallback;
@@ -79,7 +81,11 @@ public class FileIntegrityService extends SystemService { 
        return LocalServices.getService(FileIntegrityService.class);

    }



    private final IBinder mService = new IFileIntegrityService.Stub() {

    private final class BinderService extends IFileIntegrityService.Stub {

        BinderService(Context context) {

            super(PermissionEnforcer.fromContext(context));

        }



        @Override

        public boolean isApkVeritySupported() {

            return VerityUtils.isFsVeritySupported();
@@ -168,12 +174,10 @@ public class FileIntegrityService extends SystemService { 
        }



        @Override

        @EnforcePermission(android.Manifest.permission.SETUP_FSVERITY)

        public int setupFsverity(android.os.IInstalld.IFsveritySetupAuthToken authToken,

                String filePath, String packageName) throws RemoteException {

            getContext().enforceCallingPermission(android.Manifest.permission.SETUP_FSVERITY,

                    "Permission android.permission.SETUP_FSVERITY not grantted to access "

                    + "FileIntegrityManager#setupFsverity");



            setupFsverity_enforcePermission();

            Objects.requireNonNull(authToken);

            Objects.requireNonNull(filePath);

            Objects.requireNonNull(packageName);
@@ -185,10 +189,12 @@ public class FileIntegrityService extends SystemService { 
                throw new RemoteException(e);

            }

        }

    };

    }

    private final IBinder mService;



    public FileIntegrityService(final Context context) {

        super(context);

        mService = new BinderService(context);

        try {

            sCertFactory = CertificateFactory.getInstance("X.509");

        } catch (CertificateException e) {