Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f9049cf6 authored by Alex Buynytskyy's avatar Alex Buynytskyy
Browse files

Addressing API comments. 

Bug: 266719856
Fixes: 266719856
Test: atest SettingsTest
Change-Id: Idbf60f3a653feede3d85895120deaeb5544acc16
parent 968a80bc

core/java/com/android/internal/security/VerityUtils.java

+10 −0
Original line number Diff line number Diff line
@@ -81,6 +81,15 @@ public abstract class VerityUtils { 
        }

    }



    /** Enables fs-verity for an open file without signature. */

    public static void setUpFsverity(int fd) throws IOException {

        int errno = enableFsverityForFdNative(fd);

        if (errno != 0) {

            throw new IOException("Failed to enable fs-verity on FD(" + fd + "): "

                    + Os.strerror(errno));

        }

    }



    /** Returns whether the file has fs-verity enabled. */

    public static boolean hasFsverity(@NonNull String filePath) {

        int retval = statxForFsverityNative(filePath);
@@ -211,6 +220,7 @@ public abstract class VerityUtils { 
    }



    private static native int enableFsverityNative(@NonNull String filePath);

    private static native int enableFsverityForFdNative(int fd);

    private static native int measureFsverityNative(@NonNull String filePath,

            @NonNull byte[] digest);

    private static native int statxForFsverityNative(@NonNull String filePath);

core/jni/com_android_internal_security_VerityUtils.cpp

+13 −8
Original line number Diff line number Diff line
@@ -38,13 +38,8 @@ namespace android { 


namespace {



int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) {

    ScopedUtfChars path(env, filePath);

    if (path.c_str() == nullptr) {

        return EINVAL;

    }

    ::android::base::unique_fd rfd(open(path.c_str(), O_RDONLY | O_CLOEXEC));

    if (rfd.get() < 0) {

int enableFsverityForFd(JNIEnv *env, jobject clazz, jint fd) {

    if (fd < 0) {

        return errno;

    }
@@ -55,12 +50,21 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) { 
    arg.salt_size = 0;

    arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr);



    if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) {

    if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) < 0) {

        return errno;

    }

    return 0;

}



int enableFsverity(JNIEnv *env, jobject clazz, jstring filePath) {

    ScopedUtfChars path(env, filePath);

    if (path.c_str() == nullptr) {

        return EINVAL;

    }

    ::android::base::unique_fd rfd(open(path.c_str(), O_RDONLY | O_CLOEXEC));

    return enableFsverityForFd(env, clazz, rfd.get());

}



// Returns whether the file has fs-verity enabled.

// 0 if it is not present, 1 if is present, and -errno if there was an error.

int statxForFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath) {
@@ -126,6 +130,7 @@ int measureFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArr 
}

const JNINativeMethod sMethods[] = {

        {"enableFsverityNative", "(Ljava/lang/String;)I", (void *)enableFsverity},

        {"enableFsverityForFdNative", "(I)I", (void *)enableFsverityForFd},

        {"statxForFsverityNative", "(Ljava/lang/String;)I", (void *)statxForFsverity},

        {"measureFsverityNative", "(Ljava/lang/String;[B)I", (void *)measureFsverity},

};

services/api/current.txt

+3 −2
Original line number Diff line number Diff line
@@ -227,8 +227,9 @@ package com.android.server.role { 


package com.android.server.security {



  public final class FileIntegrityLocal {

    method public static void setUpFsVerity(@NonNull String) throws java.io.IOException;

  public final class FileIntegrity {

    method public static void setUpFsVerity(@NonNull java.io.File) throws java.io.IOException;

    method public static void setUpFsVerity(@NonNull android.os.ParcelFileDescriptor) throws java.io.IOException;

  }



}

services/core/java/com/android/server/pm/Settings.java

+3 −3
Original line number Diff line number Diff line
@@ -120,7 +120,7 @@ import com.android.server.pm.resolution.ComponentResolver; 
import com.android.server.pm.verify.domain.DomainVerificationLegacySettings;

import com.android.server.pm.verify.domain.DomainVerificationManagerInternal;

import com.android.server.pm.verify.domain.DomainVerificationPersistence;

import com.android.server.security.FileIntegrityLocal;

import com.android.server.security.FileIntegrity;

import com.android.server.utils.Slogf;

import com.android.server.utils.Snappable;

import com.android.server.utils.SnapshotCache;
@@ -2714,8 +2714,8 @@ public final class Settings implements Watchable, Snappable { 
            }



            try {

                FileIntegrityLocal.setUpFsVerity(mSettingsFilename.getAbsolutePath());

                FileIntegrityLocal.setUpFsVerity(mSettingsReserveCopyFilename.getAbsolutePath());

                FileIntegrity.setUpFsVerity(mSettingsFilename);

                FileIntegrity.setUpFsVerity(mSettingsReserveCopyFilename);

            } catch (IOException e) {

                Slog.e(TAG, "Failed to verity-protect settings", e);

            }

services/core/java/com/android/server/security/FileIntegrityLocal.javaservices/core/java/com/android/server/security/FileIntegrity.java

+18 −4
Original line number Diff line number Diff line
@@ -18,19 +18,32 @@ package com.android.server.security; 


import android.annotation.NonNull;

import android.annotation.SystemApi;

import android.os.ParcelFileDescriptor;



import com.android.internal.security.VerityUtils;



import java.io.File;

import java.io.IOException;





/**

 * In-process API for server side FileIntegrity related infrastructure.

 *

 * @hide

 */

@SystemApi(client = SystemApi.Client.SYSTEM_SERVER)

public final class FileIntegrityLocal {

    private FileIntegrityLocal() {}

public final class FileIntegrity {

    private FileIntegrity() {}



    /**

     * Enables fs-verity, if supported by the filesystem.

     * @see <a href="https://www.kernel.org/doc/html/latest/filesystems/fsverity.html">

     * @hide

     */

    @SystemApi(client = SystemApi.Client.SYSTEM_SERVER)

    public static void setUpFsVerity(@NonNull File file) throws IOException {

        VerityUtils.setUpFsverity(file.getAbsolutePath());

    }



    /**

     * Enables fs-verity, if supported by the filesystem.
@@ -38,7 +51,8 @@ public final class FileIntegrityLocal { 
     * @hide

     */

    @SystemApi(client = SystemApi.Client.SYSTEM_SERVER)

    public static void setUpFsVerity(@NonNull String filePath) throws IOException {

        VerityUtils.setUpFsverity(filePath);

    public static void setUpFsVerity(@NonNull ParcelFileDescriptor parcelFileDescriptor)

            throws IOException {

        VerityUtils.setUpFsverity(parcelFileDescriptor.getFd());

    }

}