Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit edd8447b authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge "Remove the dependencies to the IntegrityFileManager from...

Merge "Remove the dependencies to the IntegrityFileManager from AppIntegrityManagerServiceImpl by setting the methods that use it to a default empty value." into main
parents e37b8ffd 4938b5cf
Loading
Loading
Loading
Loading
+4 −95
Original line number Diff line number Diff line
@@ -74,7 +74,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
    private final Context mContext;
    private final Handler mHandler;
    private final PackageManagerInternal mPackageManagerInternal;
    private final IntegrityFileManager mIntegrityFileManager;

    /** Create an instance of {@link AppIntegrityManagerServiceImpl}. */
    public static AppIntegrityManagerServiceImpl create(Context context) {
@@ -84,7 +83,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
        return new AppIntegrityManagerServiceImpl(
                context,
                LocalServices.getService(PackageManagerInternal.class),
                IntegrityFileManager.getInstance(),
                handlerThread.getThreadHandler());
    }

@@ -92,11 +90,9 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
    AppIntegrityManagerServiceImpl(
            Context context,
            PackageManagerInternal packageManagerInternal,
            IntegrityFileManager integrityFileManager,
            Handler handler) {
        mContext = context;
        mPackageManagerInternal = packageManagerInternal;
        mIntegrityFileManager = integrityFileManager;
        mHandler = handler;

        IntentFilter integrityVerificationFilter = new IntentFilter();
@@ -144,39 +140,23 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
    @Override
    @BinderThread
    public String getCurrentRuleSetVersion() {
        getCallerPackageNameOrThrow(Binder.getCallingUid());

        RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
        return (ruleMetadata != null && ruleMetadata.getVersion() != null)
                ? ruleMetadata.getVersion()
                : "";
        return "";
    }

    @Override
    @BinderThread
    public String getCurrentRuleSetProvider() {
        getCallerPackageNameOrThrow(Binder.getCallingUid());

        RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
        return (ruleMetadata != null && ruleMetadata.getRuleProvider() != null)
                ? ruleMetadata.getRuleProvider()
                : "";
        return "";
    }

    @Override
    public ParceledListSlice<Rule> getCurrentRules() {
        List<Rule> rules = Collections.emptyList();
        try {
            rules = mIntegrityFileManager.readRules(/* appInstallMetadata= */ null);
        } catch (Exception e) {
            Slog.e(TAG, "Error getting current rules", e);
        }
        return new ParceledListSlice<>(rules);
        return new ParceledListSlice<>(Collections.emptyList());
    }

    @Override
    public List<String> getWhitelistedRuleProviders() {
        return getAllowedRuleProviderSystemApps();
        return Collections.emptyList();
    }

    private void handleIntegrityVerification(Intent intent) {
@@ -184,75 +164,4 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
        mPackageManagerInternal.setIntegrityVerificationResult(
                verificationId, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
    }

    private String getCallerPackageNameOrThrow(int callingUid) {
        String callerPackageName = getCallingRulePusherPackageName(callingUid);
        if (callerPackageName == null) {
            throw new SecurityException(
                    "Only system packages specified in config_integrityRuleProviderPackages are "
                            + "allowed to call this method.");
        }
        return callerPackageName;
    }

    private String getCallingRulePusherPackageName(int callingUid) {
        // Obtain the system apps that are allowlisted in config_integrityRuleProviderPackages.
        List<String> allowedRuleProviders = getAllowedRuleProviderSystemApps();
        if (DEBUG_INTEGRITY_COMPONENT) {
            Slog.i(
                    TAG,
                    String.format(
                            "Rule provider system app list contains: %s", allowedRuleProviders));
        }

        // Identify the package names in the caller list.
        List<String> callingPackageNames = getPackageListForUid(callingUid);

        // Find the intersection between the allowed and calling packages. Ideally, we will have
        // at most one package name here. But if we have more, it is fine.
        List<String> allowedCallingPackages = new ArrayList<>();
        for (String packageName : callingPackageNames) {
            if (allowedRuleProviders.contains(packageName)) {
                allowedCallingPackages.add(packageName);
            }
        }

        return allowedCallingPackages.isEmpty() ? null : allowedCallingPackages.get(0);
    }

    private List<String> getAllowedRuleProviderSystemApps() {
        List<String> integrityRuleProviders =
                Arrays.asList(
                        mContext.getResources()
                                .getStringArray(R.array.config_integrityRuleProviderPackages));

        // Filter out the rule provider packages that are not system apps.
        List<String> systemAppRuleProviders = new ArrayList<>();
        for (String ruleProvider : integrityRuleProviders) {
            if (isSystemApp(ruleProvider)) {
                systemAppRuleProviders.add(ruleProvider);
            }
        }
        return systemAppRuleProviders;
    }

    private boolean isSystemApp(String packageName) {
        try {
            PackageInfo existingPackageInfo =
                    mContext.getPackageManager().getPackageInfo(packageName, /* flags= */ 0);
            return existingPackageInfo.applicationInfo != null
                    && existingPackageInfo.applicationInfo.isSystemApp();
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    private List<String> getPackageListForUid(int uid) {
        try {
            return Arrays.asList(mContext.getPackageManager().getPackagesForUid(uid));
        } catch (NullPointerException e) {
            Slog.w(TAG, String.format("No packages were found for uid: %d", uid));
            return List.of();
        }
    }
}
+0 −68
Original line number Diff line number Diff line
@@ -135,7 +135,6 @@ public class AppIntegrityManagerServiceImplTest {
    @Mock PlatformCompat mPlatformCompat;
    @Mock Context mMockContext;
    @Mock Resources mMockResources;
    @Mock IntegrityFileManager mIntegrityFileManager;
    @Mock Handler mHandler;

    private final Context mRealContext = InstrumentationRegistry.getTargetContext();
@@ -169,7 +168,6 @@ public class AppIntegrityManagerServiceImplTest {
                new AppIntegrityManagerServiceImpl(
                        mMockContext,
                        mPackageManagerInternal,
                        mIntegrityFileManager,
                        mHandler);

        mSpyPackageManager = spy(mRealContext.getPackageManager());
@@ -177,7 +175,6 @@ public class AppIntegrityManagerServiceImplTest {
        when(mMockContext.getPackageManager()).thenReturn(mSpyPackageManager);
        when(mMockContext.getResources()).thenReturn(mMockResources);
        when(mMockResources.getStringArray(anyInt())).thenReturn(new String[] {});
        when(mIntegrityFileManager.initialized()).thenReturn(true);
        // These are needed to override the Settings.Global.get result.
        when(mMockContext.getContentResolver()).thenReturn(mRealContext.getContentResolver());
        setIntegrityCheckIncludesRuleProvider(true);
@@ -224,71 +221,6 @@ public class AppIntegrityManagerServiceImplTest {
                        1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
    }

    @Test
    public void handleBroadcast_notInitialized() throws Exception {
        allowlistUsAsRuleProvider();
        makeUsSystemApp();
        when(mIntegrityFileManager.initialized()).thenReturn(false);
        ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
                ArgumentCaptor.forClass(BroadcastReceiver.class);
        verify(mMockContext)
                .registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
        Intent intent = makeVerificationIntent();

        broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
        runJobInHandler();

        // The evaluation will still run since we still evaluate manifest based rules.
        verify(mPackageManagerInternal)
                .setIntegrityVerificationResult(
                        1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
    }

    @Test
    public void verifierAsInstaller_skipIntegrityVerification() throws Exception {
        allowlistUsAsRuleProvider();
        makeUsSystemApp();
        setIntegrityCheckIncludesRuleProvider(false);
        ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
                ArgumentCaptor.forClass(BroadcastReceiver.class);
        verify(mMockContext, atLeastOnce())
                .registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
        Intent intent = makeVerificationIntent(TEST_FRAMEWORK_PACKAGE);

        broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
        runJobInHandler();

        verify(mPackageManagerInternal)
                .setIntegrityVerificationResult(
                        1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
    }

    @Test
    public void getCurrentRules() throws Exception {
        allowlistUsAsRuleProvider();
        makeUsSystemApp();
        Rule rule = new Rule(IntegrityFormula.Application.packageNameEquals("package"), Rule.DENY);
        when(mIntegrityFileManager.readRules(any())).thenReturn(Arrays.asList(rule));

        assertThat(mService.getCurrentRules().getList()).containsExactly(rule);
    }

    @Test
    public void getWhitelistedRuleProviders_returnsEmptyForNonSystemApps() throws Exception {
        allowlistUsAsRuleProvider();
        makeUsSystemApp(false);

        assertThat(mService.getWhitelistedRuleProviders()).isEmpty();
    }

    @Test
    public void getWhitelistedRuleProviders() throws Exception {
        allowlistUsAsRuleProvider();
        makeUsSystemApp();

        assertThat(mService.getWhitelistedRuleProviders()).containsExactly(TEST_FRAMEWORK_PACKAGE);
    }

    private void allowlistUsAsRuleProvider() {
        Resources mockResources = mock(Resources.class);
        when(mockResources.getStringArray(R.array.config_integrityRuleProviderPackages))