Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d39ec805 authored by Song Pan's avatar Song Pan
Browse files

Fix a bug with the settings for skipping integrity check for verifiers. 

Currently we read it at the start and cache it. This will cause any change in
settings to have effect only after restart. This is probably not what we want.

Bug: 150220476
Test: atest AppIntegrityManagerServiceImplTest
Change-Id: Icf4fc0e83e3563544b022c722e893a98f3512f25
parent 6f01c62d

services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java

+11 −15
Original line number Original line Diff line number Diff line
@@ -114,8 +114,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub { 
    private final RuleEvaluationEngine mEvaluationEngine;

    private final RuleEvaluationEngine mEvaluationEngine;

    private final IntegrityFileManager mIntegrityFileManager;

    private final IntegrityFileManager mIntegrityFileManager;





    private final boolean mCheckIntegrityForRuleProviders;



    /** Create an instance of {@link AppIntegrityManagerServiceImpl}. */

    /** Create an instance of {@link AppIntegrityManagerServiceImpl}. */

    public static AppIntegrityManagerServiceImpl create(Context context) {

    public static AppIntegrityManagerServiceImpl create(Context context) {

        HandlerThread handlerThread = new HandlerThread("AppIntegrityManagerServiceHandler");

        HandlerThread handlerThread = new HandlerThread("AppIntegrityManagerServiceHandler");
@@ -126,13 +124,7 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub { 
                LocalServices.getService(PackageManagerInternal.class),

                LocalServices.getService(PackageManagerInternal.class),

                RuleEvaluationEngine.getRuleEvaluationEngine(),

                RuleEvaluationEngine.getRuleEvaluationEngine(),

                IntegrityFileManager.getInstance(),

                IntegrityFileManager.getInstance(),

                handlerThread.getThreadHandler(),

                handlerThread.getThreadHandler());

                Settings.Global.getInt(

                        context.getContentResolver(),

                        Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER,

                        0)

                        == 1

        );

    }

    }





    @VisibleForTesting

    @VisibleForTesting
@@ -141,14 +133,12 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub { 
            PackageManagerInternal packageManagerInternal,

            PackageManagerInternal packageManagerInternal,

            RuleEvaluationEngine evaluationEngine,

            RuleEvaluationEngine evaluationEngine,

            IntegrityFileManager integrityFileManager,

            IntegrityFileManager integrityFileManager,

            Handler handler,

            Handler handler) {

            boolean checkIntegrityForRuleProviders) {

        mContext = context;

        mContext = context;

        mPackageManagerInternal = packageManagerInternal;

        mPackageManagerInternal = packageManagerInternal;

        mEvaluationEngine = evaluationEngine;

        mEvaluationEngine = evaluationEngine;

        mIntegrityFileManager = integrityFileManager;

        mIntegrityFileManager = integrityFileManager;

        mHandler = handler;

        mHandler = handler;

        mCheckIntegrityForRuleProviders = checkIntegrityForRuleProviders;





        IntentFilter integrityVerificationFilter = new IntentFilter();

        IntentFilter integrityVerificationFilter = new IntentFilter();

        integrityVerificationFilter.addAction(ACTION_PACKAGE_NEEDS_INTEGRITY_VERIFICATION);

        integrityVerificationFilter.addAction(ACTION_PACKAGE_NEEDS_INTEGRITY_VERIFICATION);
@@ -259,7 +249,7 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub { 
            String installerPackageName = getInstallerPackageName(intent);

            String installerPackageName = getInstallerPackageName(intent);





            // Skip integrity verification if the verifier is doing the install.

            // Skip integrity verification if the verifier is doing the install.

            if (!mCheckIntegrityForRuleProviders

            if (!integrityCheckIncludesRuleProvider()

                    && isRuleProvider(installerPackageName)) {

                    && isRuleProvider(installerPackageName)) {

                Slog.i(TAG, "Verifier doing the install. Skipping integrity check.");

                Slog.i(TAG, "Verifier doing the install. Skipping integrity check.");

                mPackageManagerInternal.setIntegrityVerificationResult(

                mPackageManagerInternal.setIntegrityVerificationResult(
@@ -271,8 +261,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub { 
            List<String> installerCertificates =

            List<String> installerCertificates =

                    getInstallerCertificateFingerprint(installerPackageName);

                    getInstallerCertificateFingerprint(installerPackageName);





            Slog.w(TAG, appCertificates.toString());



            AppInstallMetadata.Builder builder = new AppInstallMetadata.Builder();

            AppInstallMetadata.Builder builder = new AppInstallMetadata.Builder();





            builder.setPackageName(getPackageNameNormalized(packageName));

            builder.setPackageName(getPackageNameNormalized(packageName));
@@ -631,4 +619,12 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub { 
        return getAllowedRuleProviders().stream()

        return getAllowedRuleProviders().stream()

                .anyMatch(ruleProvider -> ruleProvider.equals(installerPackageName));

                .anyMatch(ruleProvider -> ruleProvider.equals(installerPackageName));

    }

    }



    private boolean integrityCheckIncludesRuleProvider() {

        return Settings.Global.getInt(

                mContext.getContentResolver(),

                Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER,

                0)

                == 1;

    }

}
 
}

services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java

+28 −13
Original line number Original line Diff line number Diff line
@@ -60,6 +60,7 @@ import android.content.res.Resources; 
import android.net.Uri;

import android.net.Uri;

import android.os.Handler;

import android.os.Handler;

import android.os.Message;

import android.os.Message;

import android.provider.Settings;





import androidx.test.InstrumentationRegistry;

import androidx.test.InstrumentationRegistry;
@@ -119,7 +120,6 @@ public class AppIntegrityManagerServiceImplTest { 
    private static final String PLAY_STORE_PKG = "com.android.vending";

    private static final String PLAY_STORE_PKG = "com.android.vending";

    private static final String ADB_INSTALLER = "adb";

    private static final String ADB_INSTALLER = "adb";

    private static final String PLAY_STORE_CERT = "play_store_cert";

    private static final String PLAY_STORE_CERT = "play_store_cert";

    private static final String ADB_CERT = "";





    @org.junit.Rule

    @org.junit.Rule

    public MockitoRule mMockitoRule = MockitoJUnit.rule();

    public MockitoRule mMockitoRule = MockitoJUnit.rule();
@@ -137,11 +137,12 @@ public class AppIntegrityManagerServiceImplTest { 
    @Mock

    @Mock

    Handler mHandler;

    Handler mHandler;





    private final Context mRealContext = InstrumentationRegistry.getTargetContext();



    private PackageManager mSpyPackageManager;

    private PackageManager mSpyPackageManager;

    private File mTestApk;

    private File mTestApk;

    private File mTestApkTwoCerts;

    private File mTestApkTwoCerts;





    private final Context mRealContext = InstrumentationRegistry.getTargetContext();

    // under test

    // under test

    private AppIntegrityManagerServiceImpl mService;

    private AppIntegrityManagerServiceImpl mService;
@@ -163,8 +164,7 @@ public class AppIntegrityManagerServiceImplTest { 
                        mPackageManagerInternal,

                        mPackageManagerInternal,

                        mRuleEvaluationEngine,

                        mRuleEvaluationEngine,

                        mIntegrityFileManager,

                        mIntegrityFileManager,

                        mHandler,

                        mHandler);

                        /* checkIntegrityForRuleProviders= */ true);





        mSpyPackageManager = spy(mRealContext.getPackageManager());

        mSpyPackageManager = spy(mRealContext.getPackageManager());

        // setup mocks to prevent NPE

        // setup mocks to prevent NPE
@@ -172,6 +172,9 @@ public class AppIntegrityManagerServiceImplTest { 
        when(mMockContext.getResources()).thenReturn(mMockResources);

        when(mMockContext.getResources()).thenReturn(mMockResources);

        when(mMockResources.getStringArray(anyInt())).thenReturn(new String[]{});

        when(mMockResources.getStringArray(anyInt())).thenReturn(new String[]{});

        when(mIntegrityFileManager.initialized()).thenReturn(true);

        when(mIntegrityFileManager.initialized()).thenReturn(true);

        // These are needed to override the Settings.Global.get result.

        when(mMockContext.getContentResolver()).thenReturn(mRealContext.getContentResolver());

        setIntegrityCheckIncludesRuleProvider(true);

    }

    }





    @After

    @After
@@ -201,6 +204,7 @@ public class AppIntegrityManagerServiceImplTest { 
    @Test

    @Test

    public void updateRuleSet_notSystemApp() throws Exception {

    public void updateRuleSet_notSystemApp() throws Exception {

        whitelistUsAsRuleProvider();

        whitelistUsAsRuleProvider();

        makeUsSystemApp(false);

        Rule rule =

        Rule rule =

                new Rule(

                new Rule(

                        new AtomicFormula.BooleanAtomicFormula(AtomicFormula.PRE_INSTALLED, true),

                        new AtomicFormula.BooleanAtomicFormula(AtomicFormula.PRE_INSTALLED, true),
@@ -411,14 +415,7 @@ public class AppIntegrityManagerServiceImplTest { 
    public void verifierAsInstaller_skipIntegrityVerification() throws Exception {

    public void verifierAsInstaller_skipIntegrityVerification() throws Exception {

        whitelistUsAsRuleProvider();

        whitelistUsAsRuleProvider();

        makeUsSystemApp();

        makeUsSystemApp();

        mService =

        setIntegrityCheckIncludesRuleProvider(false);

                new AppIntegrityManagerServiceImpl(

                        mMockContext,

                        mPackageManagerInternal,

                        mRuleEvaluationEngine,

                        mIntegrityFileManager,

                        mHandler,

                        /* checkIntegrityForRuleProviders= */ false);

        ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =

        ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =

                ArgumentCaptor.forClass(BroadcastReceiver.class);

                ArgumentCaptor.forClass(BroadcastReceiver.class);

        verify(mMockContext, atLeastOnce())

        verify(mMockContext, atLeastOnce())
@@ -460,12 +457,21 @@ public class AppIntegrityManagerServiceImplTest { 
    }

    }





    private void makeUsSystemApp() throws Exception {

    private void makeUsSystemApp() throws Exception {

        makeUsSystemApp(true);

    }



    private void makeUsSystemApp(boolean isSystemApp) throws Exception {

        PackageInfo packageInfo =

        PackageInfo packageInfo =

                mRealContext.getPackageManager().getPackageInfo(TEST_FRAMEWORK_PACKAGE, 0);

                mRealContext.getPackageManager().getPackageInfo(TEST_FRAMEWORK_PACKAGE, 0);

        if (isSystemApp) {

            packageInfo.applicationInfo.flags |= ApplicationInfo.FLAG_SYSTEM;

            packageInfo.applicationInfo.flags |= ApplicationInfo.FLAG_SYSTEM;

        } else {

            packageInfo.applicationInfo.flags &= ~ApplicationInfo.FLAG_SYSTEM;

        }

        doReturn(packageInfo)

        doReturn(packageInfo)

                .when(mSpyPackageManager)

                .when(mSpyPackageManager)

                .getPackageInfo(eq(TEST_FRAMEWORK_PACKAGE), anyInt());

                .getPackageInfo(eq(TEST_FRAMEWORK_PACKAGE), anyInt());

        when(mMockContext.getPackageManager()).thenReturn(mSpyPackageManager);

    }

    }





    private Intent makeVerificationIntent() throws Exception {

    private Intent makeVerificationIntent() throws Exception {
@@ -492,4 +498,13 @@ public class AppIntegrityManagerServiceImplTest { 
        intent.putExtra(Intent.EXTRA_LONG_VERSION_CODE, VERSION_CODE);

        intent.putExtra(Intent.EXTRA_LONG_VERSION_CODE, VERSION_CODE);

        return intent;

        return intent;

    }

    }



    private void setIntegrityCheckIncludesRuleProvider(boolean shouldInclude) throws Exception {

        int value = shouldInclude ? 1 : 0;

        Settings.Global.putInt(mRealContext.getContentResolver(),

                Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER, value);

        assertThat(Settings.Global.getInt(mRealContext.getContentResolver(),

                Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER, -1) == 1).isEqualTo(

                shouldInclude);

    }

}
 
}