Merge "Remove the dependencies to the IntegrityFileManager from... (edd8447b) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java

+4 −95

Original line number	Diff line number	Diff line
		@@ -74,7 +74,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		private final Context mContext;
		private final Handler mHandler;
		private final PackageManagerInternal mPackageManagerInternal;
		private final IntegrityFileManager mIntegrityFileManager;

		/** Create an instance of {@link AppIntegrityManagerServiceImpl}. */
		public static AppIntegrityManagerServiceImpl create(Context context) {
		@@ -84,7 +83,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		return new AppIntegrityManagerServiceImpl(
		context,
		LocalServices.getService(PackageManagerInternal.class),
		IntegrityFileManager.getInstance(),
		handlerThread.getThreadHandler());
		}

		@@ -92,11 +90,9 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		AppIntegrityManagerServiceImpl(
		Context context,
		PackageManagerInternal packageManagerInternal,
		IntegrityFileManager integrityFileManager,
		Handler handler) {
		mContext = context;
		mPackageManagerInternal = packageManagerInternal;
		mIntegrityFileManager = integrityFileManager;
		mHandler = handler;

		IntentFilter integrityVerificationFilter = new IntentFilter();
		@@ -144,39 +140,23 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		@Override
		@BinderThread
		public String getCurrentRuleSetVersion() {
		getCallerPackageNameOrThrow(Binder.getCallingUid());

		RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
		return (ruleMetadata != null && ruleMetadata.getVersion() != null)
		? ruleMetadata.getVersion()
		: "";
		return "";
		}

		@Override
		@BinderThread
		public String getCurrentRuleSetProvider() {
		getCallerPackageNameOrThrow(Binder.getCallingUid());

		RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
		return (ruleMetadata != null && ruleMetadata.getRuleProvider() != null)
		? ruleMetadata.getRuleProvider()
		: "";
		return "";
		}

		@Override
		public ParceledListSlice<Rule> getCurrentRules() {
		List<Rule> rules = Collections.emptyList();
		try {
		rules = mIntegrityFileManager.readRules(/* appInstallMetadata= */ null);
		} catch (Exception e) {
		Slog.e(TAG, "Error getting current rules", e);
		}
		return new ParceledListSlice<>(rules);
		return new ParceledListSlice<>(Collections.emptyList());
		}

		@Override
		public List<String> getWhitelistedRuleProviders() {
		return getAllowedRuleProviderSystemApps();
		return Collections.emptyList();
		}

		private void handleIntegrityVerification(Intent intent) {
		@@ -184,75 +164,4 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
		mPackageManagerInternal.setIntegrityVerificationResult(
		verificationId, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
		}

		private String getCallerPackageNameOrThrow(int callingUid) {
		String callerPackageName = getCallingRulePusherPackageName(callingUid);
		if (callerPackageName == null) {
		throw new SecurityException(
		"Only system packages specified in config_integrityRuleProviderPackages are "
		+ "allowed to call this method.");
		}
		return callerPackageName;
		}

		private String getCallingRulePusherPackageName(int callingUid) {
		// Obtain the system apps that are allowlisted in config_integrityRuleProviderPackages.
		List<String> allowedRuleProviders = getAllowedRuleProviderSystemApps();
		if (DEBUG_INTEGRITY_COMPONENT) {
		Slog.i(
		TAG,
		String.format(
		"Rule provider system app list contains: %s", allowedRuleProviders));
		}

		// Identify the package names in the caller list.
		List<String> callingPackageNames = getPackageListForUid(callingUid);

		// Find the intersection between the allowed and calling packages. Ideally, we will have
		// at most one package name here. But if we have more, it is fine.
		List<String> allowedCallingPackages = new ArrayList<>();
		for (String packageName : callingPackageNames) {
		if (allowedRuleProviders.contains(packageName)) {
		allowedCallingPackages.add(packageName);
		}
		}

		return allowedCallingPackages.isEmpty() ? null : allowedCallingPackages.get(0);
		}

		private List<String> getAllowedRuleProviderSystemApps() {
		List<String> integrityRuleProviders =
		Arrays.asList(
		mContext.getResources()
		.getStringArray(R.array.config_integrityRuleProviderPackages));

		// Filter out the rule provider packages that are not system apps.
		List<String> systemAppRuleProviders = new ArrayList<>();
		for (String ruleProvider : integrityRuleProviders) {
		if (isSystemApp(ruleProvider)) {
		systemAppRuleProviders.add(ruleProvider);
		}
		}
		return systemAppRuleProviders;
		}

		private boolean isSystemApp(String packageName) {
		try {
		PackageInfo existingPackageInfo =
		mContext.getPackageManager().getPackageInfo(packageName, /* flags= */ 0);
		return existingPackageInfo.applicationInfo != null
		&& existingPackageInfo.applicationInfo.isSystemApp();
		} catch (PackageManager.NameNotFoundException e) {
		return false;
		}
		}

		private List<String> getPackageListForUid(int uid) {
		try {
		return Arrays.asList(mContext.getPackageManager().getPackagesForUid(uid));
		} catch (NullPointerException e) {
		Slog.w(TAG, String.format("No packages were found for uid: %d", uid));
		return List.of();
		}
		}
		}

services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java

+0 −68

Original line number	Diff line number	Diff line
		@@ -135,7 +135,6 @@ public class AppIntegrityManagerServiceImplTest {
		@Mock PlatformCompat mPlatformCompat;
		@Mock Context mMockContext;
		@Mock Resources mMockResources;
		@Mock IntegrityFileManager mIntegrityFileManager;
		@Mock Handler mHandler;

		private final Context mRealContext = InstrumentationRegistry.getTargetContext();
		@@ -169,7 +168,6 @@ public class AppIntegrityManagerServiceImplTest {
		new AppIntegrityManagerServiceImpl(
		mMockContext,
		mPackageManagerInternal,
		mIntegrityFileManager,
		mHandler);

		mSpyPackageManager = spy(mRealContext.getPackageManager());
		@@ -177,7 +175,6 @@ public class AppIntegrityManagerServiceImplTest {
		when(mMockContext.getPackageManager()).thenReturn(mSpyPackageManager);
		when(mMockContext.getResources()).thenReturn(mMockResources);
		when(mMockResources.getStringArray(anyInt())).thenReturn(new String[] {});
		when(mIntegrityFileManager.initialized()).thenReturn(true);
		// These are needed to override the Settings.Global.get result.
		when(mMockContext.getContentResolver()).thenReturn(mRealContext.getContentResolver());
		setIntegrityCheckIncludesRuleProvider(true);
		@@ -224,71 +221,6 @@ public class AppIntegrityManagerServiceImplTest {
		1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
		}

		@Test
		public void handleBroadcast_notInitialized() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp();
		when(mIntegrityFileManager.initialized()).thenReturn(false);
		ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
		ArgumentCaptor.forClass(BroadcastReceiver.class);
		verify(mMockContext)
		.registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
		Intent intent = makeVerificationIntent();

		broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
		runJobInHandler();

		// The evaluation will still run since we still evaluate manifest based rules.
		verify(mPackageManagerInternal)
		.setIntegrityVerificationResult(
		1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
		}

		@Test
		public void verifierAsInstaller_skipIntegrityVerification() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp();
		setIntegrityCheckIncludesRuleProvider(false);
		ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
		ArgumentCaptor.forClass(BroadcastReceiver.class);
		verify(mMockContext, atLeastOnce())
		.registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
		Intent intent = makeVerificationIntent(TEST_FRAMEWORK_PACKAGE);

		broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
		runJobInHandler();

		verify(mPackageManagerInternal)
		.setIntegrityVerificationResult(
		1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
		}

		@Test
		public void getCurrentRules() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp();
		Rule rule = new Rule(IntegrityFormula.Application.packageNameEquals("package"), Rule.DENY);
		when(mIntegrityFileManager.readRules(any())).thenReturn(Arrays.asList(rule));

		assertThat(mService.getCurrentRules().getList()).containsExactly(rule);
		}

		@Test
		public void getWhitelistedRuleProviders_returnsEmptyForNonSystemApps() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp(false);

		assertThat(mService.getWhitelistedRuleProviders()).isEmpty();
		}

		@Test
		public void getWhitelistedRuleProviders() throws Exception {
		allowlistUsAsRuleProvider();
		makeUsSystemApp();

		assertThat(mService.getWhitelistedRuleProviders()).containsExactly(TEST_FRAMEWORK_PACKAGE);
		}

		private void allowlistUsAsRuleProvider() {
		Resources mockResources = mock(Resources.class);
		when(mockResources.getStringArray(R.array.config_integrityRuleProviderPackages))