diff options
| author | 2024-10-11 21:41:40 +0000 | |
|---|---|---|
| committer | 2024-10-11 21:41:40 +0000 | |
| commit | 477d06b6b6e89c8f9926c1189b7ae739e7fdcbb5 (patch) | |
| tree | 4695052ce5e1f1ced3c599838136de93506966f0 | |
| parent | 22d985deab942e32f3773a0d14a9d5ed62508537 (diff) | |
| parent | 86d1ddc8c4819f5331aafcc8f94991fd797a6b3d (diff) | |
Merge "Remove the RuleEvaluator for AppIntegrityManager. This is part of the efforts for cleaning the install-time integrity protections." into main am: 918b558707 am: 86d1ddc8c4
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/3304817
Change-Id: I94b3f099e3c2837d88a2cab68afbcd52c091f0fa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
4 files changed, 6 insertions, 386 deletions
diff --git a/services/core/java/com/android/server/integrity/engine/RuleEvaluationEngine.java b/services/core/java/com/android/server/integrity/engine/RuleEvaluationEngine.java index 61da45ddbfef..e8c828bb85b6 100644 --- a/services/core/java/com/android/server/integrity/engine/RuleEvaluationEngine.java +++ b/services/core/java/com/android/server/integrity/engine/RuleEvaluationEngine.java @@ -66,7 +66,7 @@ public class RuleEvaluationEngine { public IntegrityCheckResult evaluate( AppInstallMetadata appInstallMetadata) { List<Rule> rules = loadRules(appInstallMetadata); - return RuleEvaluator.evaluateRules(rules, appInstallMetadata); + return IntegrityCheckResult.allow(); } private List<Rule> loadRules(AppInstallMetadata appInstallMetadata) { diff --git a/services/core/java/com/android/server/integrity/engine/RuleEvaluator.java b/services/core/java/com/android/server/integrity/engine/RuleEvaluator.java deleted file mode 100644 index 9d9430441e07..000000000000 --- a/services/core/java/com/android/server/integrity/engine/RuleEvaluator.java +++ /dev/null @@ -1,81 +0,0 @@ -/* - * Copyright (C) 2019 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.android.server.integrity.engine; - -import static android.content.integrity.Rule.DENY; -import static android.content.integrity.Rule.FORCE_ALLOW; - -import android.annotation.NonNull; -import android.content.integrity.AppInstallMetadata; -import android.content.integrity.Rule; - -import com.android.server.integrity.model.IntegrityCheckResult; - -import java.util.List; -import java.util.stream.Collectors; - -/** - * A helper class for evaluating rules against app install metadata to find if there are matching - * rules. - */ -final class RuleEvaluator { - - /** - * Match the list of rules against an app install metadata. - * - * <p>Rules must be in disjunctive normal form (DNF). A rule should contain AND'ed formulas - * only. All rules are OR'ed together by default. - * - * @param rules The list of rules to evaluate. - * @param appInstallMetadata Metadata of the app to be installed, and to evaluate the rules - * against. - * @return result of the integrity check - */ - @NonNull - static IntegrityCheckResult evaluateRules( - List<Rule> rules, AppInstallMetadata appInstallMetadata) { - - // Identify the rules that match the {@code appInstallMetadata}. - List<Rule> matchedRules = - rules.stream() - .filter(rule -> rule.getFormula().matches(appInstallMetadata)) - .collect(Collectors.toList()); - - // Identify the matched power allow rules and terminate early if we have any. - List<Rule> matchedPowerAllowRules = - matchedRules.stream() - .filter(rule -> rule.getEffect() == FORCE_ALLOW) - .collect(Collectors.toList()); - - if (!matchedPowerAllowRules.isEmpty()) { - return IntegrityCheckResult.allow(matchedPowerAllowRules); - } - - // Identify the matched deny rules. - List<Rule> matchedDenyRules = - matchedRules.stream() - .filter(rule -> rule.getEffect() == DENY) - .collect(Collectors.toList()); - - if (!matchedDenyRules.isEmpty()) { - return IntegrityCheckResult.deny(matchedDenyRules); - } - - // When no rules are denied, return default allow result. - return IntegrityCheckResult.allow(); - } -} diff --git a/services/tests/servicestests/src/com/android/server/integrity/engine/RuleEvaluationEngineTest.java b/services/tests/servicestests/src/com/android/server/integrity/engine/RuleEvaluationEngineTest.java index 1c860ca31990..e1ee9c3a1c8f 100644 --- a/services/tests/servicestests/src/com/android/server/integrity/engine/RuleEvaluationEngineTest.java +++ b/services/tests/servicestests/src/com/android/server/integrity/engine/RuleEvaluationEngineTest.java @@ -114,7 +114,7 @@ public class RuleEvaluationEngineTest { .setInstallerCertificates(Collections.singletonList(INSTALLER_1_CERT)) .build(); assertThat(mEngine.evaluate(appInstallMetadata2).getEffect()) - .isEqualTo(IntegrityCheckResult.Effect.DENY); + .isEqualTo(IntegrityCheckResult.Effect.ALLOW); AppInstallMetadata appInstallMetadata3 = getAppInstallMetadataBuilder() @@ -123,7 +123,7 @@ public class RuleEvaluationEngineTest { .setInstallerCertificates(Collections.singletonList(RANDOM_INSTALLER_CERT)) .build(); assertThat(mEngine.evaluate(appInstallMetadata3).getEffect()) - .isEqualTo(IntegrityCheckResult.Effect.DENY); + .isEqualTo(IntegrityCheckResult.Effect.ALLOW); AppInstallMetadata appInstallMetadata4 = getAppInstallMetadataBuilder() @@ -132,7 +132,7 @@ public class RuleEvaluationEngineTest { .setInstallerCertificates(Collections.singletonList(RANDOM_INSTALLER_CERT)) .build(); assertThat(mEngine.evaluate(appInstallMetadata4).getEffect()) - .isEqualTo(IntegrityCheckResult.Effect.DENY); + .isEqualTo(IntegrityCheckResult.Effect.ALLOW); } @Test @@ -166,7 +166,7 @@ public class RuleEvaluationEngineTest { .setInstallerCertificates(Collections.singletonList(INSTALLER_2_CERT)) .build(); assertThat(mEngine.evaluate(appInstallMetadata3).getEffect()) - .isEqualTo(IntegrityCheckResult.Effect.DENY); + .isEqualTo(IntegrityCheckResult.Effect.ALLOW); AppInstallMetadata appInstallMetadata4 = getAppInstallMetadataBuilder() @@ -175,7 +175,7 @@ public class RuleEvaluationEngineTest { .setInstallerCertificates(Collections.singletonList(INSTALLER_1_CERT)) .build(); assertThat(mEngine.evaluate(appInstallMetadata4).getEffect()) - .isEqualTo(IntegrityCheckResult.Effect.DENY); + .isEqualTo(IntegrityCheckResult.Effect.ALLOW); } /** Returns a builder with all fields filled with some placeholder data. */ diff --git a/services/tests/servicestests/src/com/android/server/integrity/engine/RuleEvaluatorTest.java b/services/tests/servicestests/src/com/android/server/integrity/engine/RuleEvaluatorTest.java deleted file mode 100644 index 5089f74894d9..000000000000 --- a/services/tests/servicestests/src/com/android/server/integrity/engine/RuleEvaluatorTest.java +++ /dev/null @@ -1,299 +0,0 @@ -/* - * Copyright (C) 2019 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.android.server.integrity.engine; - -import static com.android.server.integrity.model.IntegrityCheckResult.Effect.ALLOW; -import static com.android.server.integrity.model.IntegrityCheckResult.Effect.DENY; - -import static com.google.common.truth.Truth.assertThat; - -import android.content.integrity.AppInstallMetadata; -import android.content.integrity.AtomicFormula; -import android.content.integrity.AtomicFormula.LongAtomicFormula; -import android.content.integrity.AtomicFormula.StringAtomicFormula; -import android.content.integrity.CompoundFormula; -import android.content.integrity.Rule; - -import com.android.server.integrity.model.IntegrityCheckResult; - -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.List; - -@RunWith(JUnit4.class) -public class RuleEvaluatorTest { - - private static final String PACKAGE_NAME_1 = "com.test.app"; - private static final String PACKAGE_NAME_2 = "com.test.app2"; - private static final String APP_CERTIFICATE = "test_cert"; - private static final AppInstallMetadata APP_INSTALL_METADATA = - new AppInstallMetadata.Builder() - .setPackageName(PACKAGE_NAME_1) - .setAppCertificates(Collections.singletonList(APP_CERTIFICATE)) - .setAppCertificateLineage(Collections.singletonList(APP_CERTIFICATE)) - .setVersionCode(2) - .build(); - - @Test - public void testEvaluateRules_noRules_allow() { - List<Rule> rules = new ArrayList<>(); - - IntegrityCheckResult result = RuleEvaluator.evaluateRules(rules, APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(ALLOW); - } - - @Test - public void testEvaluateRules_noMatchedRules_allow() { - Rule rule = - new Rule( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_2, - /* isHashedValue= */ false), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Collections.singletonList(rule), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(ALLOW); - } - - @Test - public void testEvaluateRules_oneMatch_deny() { - Rule rule1 = - new Rule( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - Rule.DENY); - Rule rule2 = - new Rule( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_2, - /* isHashedValue= */ false), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Arrays.asList(rule1, rule2), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(DENY); - assertThat(result.getMatchedRules()).containsExactly(rule1); - } - - @Test - public void testEvaluateRules_multipleMatches_deny() { - Rule rule1 = - new Rule( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - Rule.DENY); - Rule rule2 = new Rule( - new CompoundFormula( - CompoundFormula.AND, - Arrays.asList( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - new StringAtomicFormula( - AtomicFormula.APP_CERTIFICATE, - APP_CERTIFICATE, - /* isHashedValue= */ false))), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Arrays.asList(rule1, rule2), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(DENY); - assertThat(result.getMatchedRules()).containsExactly(rule1, rule2); - } - - @Test - public void testEvaluateRules_ruleWithNot_deny() { - Rule rule = new Rule( - new CompoundFormula( - CompoundFormula.NOT, - Collections.singletonList( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_2, - /* isHashedValue= */ false))), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Collections.singletonList(rule), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(DENY); - assertThat(result.getMatchedRules()).containsExactly(rule); - } - - @Test - public void testEvaluateRules_ruleWithIntegerOperators_deny() { - Rule rule = - new Rule( - new LongAtomicFormula(AtomicFormula.VERSION_CODE, - AtomicFormula.GT, 1), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Collections.singletonList(rule), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(DENY); - assertThat(result.getMatchedRules()).containsExactly(rule); - } - - @Test - public void testEvaluateRules_validForm_deny() { - Rule rule = new Rule( - new CompoundFormula( - CompoundFormula.AND, - Arrays.asList( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - new StringAtomicFormula( - AtomicFormula.APP_CERTIFICATE, - APP_CERTIFICATE, - /* isHashedValue= */ false))), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Collections.singletonList(rule), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(DENY); - assertThat(result.getMatchedRules()).containsExactly(rule); - } - - @Test - public void testEvaluateRules_orRules() { - Rule rule = new Rule( - new CompoundFormula( - CompoundFormula.OR, - Arrays.asList( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - new StringAtomicFormula( - AtomicFormula.APP_CERTIFICATE, - APP_CERTIFICATE, - /* isHashedValue= */ false))), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Collections.singletonList(rule), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(DENY); - assertThat(result.getMatchedRules()).containsExactly(rule); - } - - @Test - public void testEvaluateRules_compoundFormulaWithNot_deny() { - CompoundFormula openSubFormula = - new CompoundFormula( - CompoundFormula.AND, - Arrays.asList( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_2, - /* isHashedValue= */ false), - new StringAtomicFormula( - AtomicFormula.APP_CERTIFICATE, - APP_CERTIFICATE, - /* isHashedValue= */ false))); - CompoundFormula compoundFormula = - new CompoundFormula(CompoundFormula.NOT, Collections.singletonList(openSubFormula)); - Rule rule = new Rule(compoundFormula, Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Collections.singletonList(rule), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(DENY); - assertThat(result.getMatchedRules()).containsExactly(rule); - } - - @Test - public void testEvaluateRules_forceAllow() { - Rule rule1 = - new Rule( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - Rule.FORCE_ALLOW); - Rule rule2 = new Rule( - new CompoundFormula( - CompoundFormula.AND, - Arrays.asList( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - new StringAtomicFormula( - AtomicFormula.APP_CERTIFICATE, - APP_CERTIFICATE, - /* isHashedValue= */ false))), - Rule.DENY); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Arrays.asList(rule1, rule2), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(ALLOW); - assertThat(result.getMatchedRules()).containsExactly(rule1); - } - - @Test - public void testEvaluateRules_multipleMatches_forceAllow() { - Rule rule1 = - new Rule( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - Rule.FORCE_ALLOW); - Rule rule2 = new Rule( - new CompoundFormula( - CompoundFormula.AND, - Arrays.asList( - new StringAtomicFormula( - AtomicFormula.PACKAGE_NAME, - PACKAGE_NAME_1, - /* isHashedValue= */ false), - new StringAtomicFormula( - AtomicFormula.APP_CERTIFICATE, - APP_CERTIFICATE, - /* isHashedValue= */ false))), - Rule.FORCE_ALLOW); - - IntegrityCheckResult result = - RuleEvaluator.evaluateRules(Arrays.asList(rule1, rule2), APP_INSTALL_METADATA); - - assertThat(result.getEffect()).isEqualTo(ALLOW); - assertThat(result.getMatchedRules()).containsExactly(rule1, rule2); - } -}
\ No newline at end of file |