| author | 2024-07-19 23:47:36 +0000 | |
|---|---|---|
| committer | 2024-07-20 01:05:24 +0000 | |
| commit | 8923df743c7fb240f923ba79448dc77a502c06c0 (patch) | |
| tree | dbba0ff07eb08ade0b8854e9a8886e270cbf6bf6 | |
| parent | bc9a73e36fa05c98d4911c552e64f0bb211044a5 (diff) | |
Add missing fs-verity setup for UPS.
Similar to what was done for runtime permission, role and package XMLs.
Including deleting the reserve copy file right before copying, so that
we won't try to write to a file with fs-verity enabled.
Bug: 354230498
Flag: EXEMPT bugfix
Test: manual
Change-Id: I373bd2707dbf41053381ec104c8b95f5ac6db173
| -rw-r--r-- | services/permission/java/com/android/server/permission/access/util/AtomicFileExtensions.kt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/services/permission/java/com/android/server/permission/access/util/AtomicFileExtensions.kt b/services/permission/java/com/android/server/permission/access/util/AtomicFileExtensions.kt
index 996daf5a5f68..95ee958f3ce4 100644
--- a/services/permission/java/com/android/server/permission/access/util/AtomicFileExtensions.kt
+++ b/services/permission/java/com/android/server/permission/access/util/AtomicFileExtensions.kt
@@ -19,6 +19,7 @@ package com.android.server.permission.access.util
 import android.os.FileUtils
 import android.util.AtomicFile
 import android.util.Slog
+import com.android.server.security.FileIntegrity;
 import java.io.File
 import java.io.FileInputStream
 import java.io.FileNotFoundException
@@ -49,6 +50,7 @@ inline fun AtomicFile.readWithReserveCopy(block: (FileInputStream) -> Unit) {
 inline fun AtomicFile.writeWithReserveCopy(block: (FileOutputStream) -> Unit) {
 writeInlined(block)
 val reserveFile = File(baseFile.parentFile, baseFile.name + ".reservecopy")
+ reserveFile.delete()
 try {
 FileInputStream(baseFile).use { inputStream ->
 FileOutputStream(reserveFile).use { outputStream ->
@@ -59,6 +61,12 @@ inline fun AtomicFile.writeWithReserveCopy(block: (FileOutputStream) -> Unit) {
 } catch (e: Exception) {
 Slog.e("AccessPersistence", "Failed to write $reserveFile", e)
 }
+ try {
+ FileIntegrity.setUpFsVerity(baseFile)
+ FileIntegrity.setUpFsVerity(reserveFile)
+ } catch (e: Exception) {
+ Slog.e("AccessPersistence", "Failed to verity-protect runtime-permissions", e)
+ }
 }
 /** Write to an [AtomicFile] and close everything safely when done. */ |
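Review bot: The added import ends with a semicolon (`import com.android.server.security.FileIntegrity;`), which is not Kotlin style and is the only import in this block written that way. It should read `import com.android.server.security.FileIntegrity`. Formatters such as ktlint report this as an unnecessary semicolon.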
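Review bot: The result of `reserveFile.delete()` is ignored, so a delete that fails for any reason other than the file being absent goes unnoticed. Going by the commit message, the `FileOutputStream(reserveFile)` open below would then fail on the still verity-enabled file, the catch further down would log only "Failed to write", and the old reserve copy would stay in place with older content than the base file. Consider logging the failed delete, e.g. `if (!reserveFile.delete() && reserveFile.exists()) Slog.w("AccessPersistence", "Failed to delete $reserveFile")`, so a stale reserve copy can be told apart from a plain copy error. The body of writeWithReserveCopy continues past this hunk.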
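Review bot: Both `setUpFsVerity` calls share one `try`, so an exception on `baseFile` skips `reserveFile` entirely and the log cannot say which file is left without fs-verity. The message "Failed to verity-protect runtime-permissions" also looks copied from the runtime-permission code, while this extension works on any `AtomicFile`; naming the file would make the error actionable. `reserveFile` is sealed even when the copy above failed and was only logged, which may leave a partial reserve copy protected, so it is worth confirming that the read path tolerates that. The failure is logged and not propagated, so the file stays without fs-verity until the next write; if that is intended, a short comment saying so would help. writeWithReserveCopy starts above this hunk.

```kotlin
    // … unchanged: writeInlined(block) and the reserve-copy try/catch …
    // Protect each file on its own so one failure does not skip the other.
    for (file in arrayOf(baseFile, reserveFile)) {
        try {
            FileIntegrity.setUpFsVerity(file)
        } catch (e: Exception) {
            Slog.e("AccessPersistence", "Failed to set up fs-verity for $file", e)
        }
    }
```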