2 files changed, 4 insertions, 163 deletions
diff --git a/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java b/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java
index 509fa3e1c9ba..bb4ae96da53b 100644
--- a/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java
+++ b/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java
@@ -74,7 +74,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
     private final Context mContext;
     private final Handler mHandler;
     private final PackageManagerInternal mPackageManagerInternal;
-    private final IntegrityFileManager mIntegrityFileManager;
     /** Create an instance of {@link AppIntegrityManagerServiceImpl}. */
     public static AppIntegrityManagerServiceImpl create(Context context) {
@@ -84,7 +83,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
         return new AppIntegrityManagerServiceImpl(
                 context,
                 LocalServices.getService(PackageManagerInternal.class),
-                IntegrityFileManager.getInstance(),
                 handlerThread.getThreadHandler());
     }
@@ -92,11 +90,9 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
     AppIntegrityManagerServiceImpl(
             Context context,
             PackageManagerInternal packageManagerInternal,
-            IntegrityFileManager integrityFileManager,
             Handler handler) {
         mContext = context;
         mPackageManagerInternal = packageManagerInternal;
-        mIntegrityFileManager = integrityFileManager;
         mHandler = handler;
         IntentFilter integrityVerificationFilter = new IntentFilter();
@@ -144,39 +140,23 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
     @Override
     @BinderThread
     public String getCurrentRuleSetVersion() {
-        getCallerPackageNameOrThrow(Binder.getCallingUid());
-
-        RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
-        return (ruleMetadata != null && ruleMetadata.getVersion() != null)
-                ? ruleMetadata.getVersion()
-                : "";
+        return "";
     }
     @Override
     @BinderThread
     public String getCurrentRuleSetProvider() {
-        getCallerPackageNameOrThrow(Binder.getCallingUid());
-
-        RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
-        return (ruleMetadata != null && ruleMetadata.getRuleProvider() != null)
-                ? ruleMetadata.getRuleProvider()
-                : "";
+        return "";
     }
     @Override
     public ParceledListSlice<Rule> getCurrentRules() {
-        List<Rule> rules = Collections.emptyList();
-        try {
-            rules = mIntegrityFileManager.readRules(/* appInstallMetadata= */ null);
-        } catch (Exception e) {
-            Slog.e(TAG, "Error getting current rules", e);
-        }
-        return new ParceledListSlice<>(rules);
+        return new ParceledListSlice<>(Collections.emptyList());
     }
     @Override
     public List<String> getWhitelistedRuleProviders() {
-        return getAllowedRuleProviderSystemApps();
+        return Collections.emptyList();
     }
     private void handleIntegrityVerification(Intent intent) {
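Review bot: `getCurrentRuleSetVersion()` and `getCurrentRuleSetProvider()` no longer call `getCallerPackageNameOrThrow(Binder.getCallingUid())`, so a caller outside `config_integrityRuleProviderPackages` now receives `""` where it previously got a `SecurityException`, and nothing in the new bodies says this is deliberate. Because every getter in this hunk now returns a constant, no rule data is exposed, but a client cannot tell "no rule set installed" from "rule storage removed". I would put a comment on each stub, for example `// Rule storage removed: always empty; caller allowlist check dropped because no data is returned.`, and mark the methods `@Deprecated` if the AIDL surface is meant to go away. The commit deletes the `getCurrentRules` and `getWhitelistedRuleProviders` tests without adding one that pins the new empty results; a short assertion such as `assertThat(mService.getCurrentRules().getList()).isEmpty();` would do. The last context line opens `handleIntegrityVerification`, whose body continues outside the hunk.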
@@ -184,75 +164,4 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
         mPackageManagerInternal.setIntegrityVerificationResult(
                 verificationId, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
     }
-
-    private String getCallerPackageNameOrThrow(int callingUid) {
-        String callerPackageName = getCallingRulePusherPackageName(callingUid);
-        if (callerPackageName == null) {
-            throw new SecurityException(
-                    "Only system packages specified in config_integrityRuleProviderPackages are "
-                            + "allowed to call this method.");
-        }
-        return callerPackageName;
-    }
-
-    private String getCallingRulePusherPackageName(int callingUid) {
-        // Obtain the system apps that are allowlisted in config_integrityRuleProviderPackages.
-        List<String> allowedRuleProviders = getAllowedRuleProviderSystemApps();
-        if (DEBUG_INTEGRITY_COMPONENT) {
-            Slog.i(
-                    TAG,
-                    String.format(
-                            "Rule provider system app list contains: %s", allowedRuleProviders));
-        }
-
-        // Identify the package names in the caller list.
-        List<String> callingPackageNames = getPackageListForUid(callingUid);
-
-        // Find the intersection between the allowed and calling packages. Ideally, we will have
-        // at most one package name here. But if we have more, it is fine.
-        List<String> allowedCallingPackages = new ArrayList<>();
-        for (String packageName : callingPackageNames) {
-            if (allowedRuleProviders.contains(packageName)) {
-                allowedCallingPackages.add(packageName);
-            }
-        }
-
-        return allowedCallingPackages.isEmpty() ? null : allowedCallingPackages.get(0);
-    }
-
-    private List<String> getAllowedRuleProviderSystemApps() {
-        List<String> integrityRuleProviders =
-                Arrays.asList(
-                        mContext.getResources()
-                                .getStringArray(R.array.config_integrityRuleProviderPackages));
-
-        // Filter out the rule provider packages that are not system apps.
-        List<String> systemAppRuleProviders = new ArrayList<>();
-        for (String ruleProvider : integrityRuleProviders) {
-            if (isSystemApp(ruleProvider)) {
-                systemAppRuleProviders.add(ruleProvider);
-            }
-        }
-        return systemAppRuleProviders;
-    }
-
-    private boolean isSystemApp(String packageName) {
-        try {
-            PackageInfo existingPackageInfo =
-                    mContext.getPackageManager().getPackageInfo(packageName, /* flags= */ 0);
-            return existingPackageInfo.applicationInfo != null
-                    && existingPackageInfo.applicationInfo.isSystemApp();
-        } catch (PackageManager.NameNotFoundException e) {
-            return false;
-        }
-    }
-
-    private List<String> getPackageListForUid(int uid) {
-        try {
-            return Arrays.asList(mContext.getPackageManager().getPackagesForUid(uid));
-        } catch (NullPointerException e) {
-            Slog.w(TAG, String.format("No packages were found for uid: %d", uid));
-            return List.of();
-        }
-    }
 }
diff --git a/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java b/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java
index a2e6d4c7bfed..93aa10b9112f 100644
--- a/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java
+++ b/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java
@@ -135,7 +135,6 @@ public class AppIntegrityManagerServiceImplTest {
     @Mock PlatformCompat mPlatformCompat;
     @Mock Context mMockContext;
     @Mock Resources mMockResources;
-    @Mock IntegrityFileManager mIntegrityFileManager;
     @Mock Handler mHandler;
     private final Context mRealContext = InstrumentationRegistry.getTargetContext();
@@ -169,7 +168,6 @@ public class AppIntegrityManagerServiceImplTest {
                 new AppIntegrityManagerServiceImpl(
                         mMockContext,
                         mPackageManagerInternal,
-                        mIntegrityFileManager,
                         mHandler);
         mSpyPackageManager = spy(mRealContext.getPackageManager());
@@ -177,7 +175,6 @@ public class AppIntegrityManagerServiceImplTest {
         when(mMockContext.getPackageManager()).thenReturn(mSpyPackageManager);
         when(mMockContext.getResources()).thenReturn(mMockResources);
         when(mMockResources.getStringArray(anyInt())).thenReturn(new String[] {});
-        when(mIntegrityFileManager.initialized()).thenReturn(true);
         // These are needed to override the Settings.Global.get result.
         when(mMockContext.getContentResolver()).thenReturn(mRealContext.getContentResolver());
         setIntegrityCheckIncludesRuleProvider(true);
@@ -224,71 +221,6 @@ public class AppIntegrityManagerServiceImplTest {
                         1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
     }
-    @Test
-    public void handleBroadcast_notInitialized() throws Exception {
-        allowlistUsAsRuleProvider();
-        makeUsSystemApp();
-        when(mIntegrityFileManager.initialized()).thenReturn(false);
-        ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
-                ArgumentCaptor.forClass(BroadcastReceiver.class);
-        verify(mMockContext)
-                .registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
-        Intent intent = makeVerificationIntent();
-
-        broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
-        runJobInHandler();
-
-        // The evaluation will still run since we still evaluate manifest based rules.
-        verify(mPackageManagerInternal)
-                .setIntegrityVerificationResult(
-                        1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
-    }
-
-    @Test
-    public void verifierAsInstaller_skipIntegrityVerification() throws Exception {
-        allowlistUsAsRuleProvider();
-        makeUsSystemApp();
-        setIntegrityCheckIncludesRuleProvider(false);
-        ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
-                ArgumentCaptor.forClass(BroadcastReceiver.class);
-        verify(mMockContext, atLeastOnce())
-                .registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
-        Intent intent = makeVerificationIntent(TEST_FRAMEWORK_PACKAGE);
-
-        broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
-        runJobInHandler();
-
-        verify(mPackageManagerInternal)
-                .setIntegrityVerificationResult(
-                        1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
-    }
-
-    @Test
-    public void getCurrentRules() throws Exception {
-        allowlistUsAsRuleProvider();
-        makeUsSystemApp();
-        Rule rule = new Rule(IntegrityFormula.Application.packageNameEquals("package"), Rule.DENY);
-        when(mIntegrityFileManager.readRules(any())).thenReturn(Arrays.asList(rule));
-
-        assertThat(mService.getCurrentRules().getList()).containsExactly(rule);
-    }
-
-    @Test
-    public void getWhitelistedRuleProviders_returnsEmptyForNonSystemApps() throws Exception {
-        allowlistUsAsRuleProvider();
-        makeUsSystemApp(false);
-
-        assertThat(mService.getWhitelistedRuleProviders()).isEmpty();
-    }
-
-    @Test
-    public void getWhitelistedRuleProviders() throws Exception {
-        allowlistUsAsRuleProvider();
-        makeUsSystemApp();
-
-        assertThat(mService.getWhitelistedRuleProviders()).containsExactly(TEST_FRAMEWORK_PACKAGE);
-    }
-
     private void allowlistUsAsRuleProvider() {
         Resources mockResources = mock(Resources.class);
         when(mockResources.getStringArray(R.array.config_integrityRuleProviderPackages))  |