| -rw-r--r-- | core/api/current.txt | 2 | ||||
| -rw-r--r-- | core/api/system-current.txt | 6 | ||||
| -rw-r--r-- | core/java/android/security/FileIntegrityManager.java | 8 | ||||
| -rw-r--r-- | core/res/AndroidManifest.xml | 9 | ||||
| -rw-r--r-- | services/core/java/com/android/server/security/FileIntegrityService.java | 4 |
5 files changed, 27 insertions, 2 deletions
diff --git a/core/api/current.txt b/core/api/current.txt
index 948eb681f7d9..c86e4cd40cfa 100644
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -39388,10 +39388,8 @@ package android.security {
 }

 public final class FileIntegrityManager {
- method @FlaggedApi("android.security.fsverity_api") @Nullable public byte[] getFsVerityDigest(@NonNull java.io.File) throws java.io.IOException;
 method public boolean isApkVeritySupported();
 method @Deprecated @RequiresPermission(anyOf={android.Manifest.permission.INSTALL_PACKAGES, android.Manifest.permission.REQUEST_INSTALL_PACKAGES}) public boolean isAppSourceCertificateTrusted(@NonNull java.security.cert.X509Certificate) throws java.security.cert.CertificateEncodingException;
- method @FlaggedApi("android.security.fsverity_api") public void setupFsVerity(@NonNull java.io.File) throws java.io.IOException;
 }

 public final class KeyChain {
diff --git a/core/api/system-current.txt b/core/api/system-current.txt
index 138a92447d29..bed8c4169a63 100644
--- a/core/api/system-current.txt
+++ b/core/api/system-current.txt
@@ -355,6 +355,7 @@ package android {
 field public static final String SEND_SHOW_SUSPENDED_APP_DETAILS = "android.permission.SEND_SHOW_SUSPENDED_APP_DETAILS";
 field public static final String SEND_SMS_NO_CONFIRMATION = "android.permission.SEND_SMS_NO_CONFIRMATION";
 field public static final String SERIAL_PORT = "android.permission.SERIAL_PORT";
+ field @FlaggedApi("android.security.fsverity_api") public static final String SETUP_FSVERITY = "android.permission.SETUP_FSVERITY";
 field public static final String SET_ACTIVITY_WATCHER = "android.permission.SET_ACTIVITY_WATCHER";
 field public static final String SET_CLIP_SOURCE = "android.permission.SET_CLIP_SOURCE";
 field public static final String SET_DEFAULT_ACCOUNT_FOR_CONTACTS = "android.permission.SET_DEFAULT_ACCOUNT_FOR_CONTACTS";
@@ -12107,6 +12108,11 @@ package android.se.omapi {

 package android.security {

+ public final class FileIntegrityManager {
+ method @FlaggedApi("android.security.fsverity_api") @Nullable public byte[] getFsVerityDigest(@NonNull java.io.File) throws java.io.IOException;
+ method @FlaggedApi("android.security.fsverity_api") public void setupFsVerity(@NonNull java.io.File) throws java.io.IOException;
+ }
+
 public final class KeyChain {
 method @Nullable @WorkerThread public static String getWifiKeyGrantAsUser(@NonNull android.content.Context, @NonNull android.os.UserHandle, @NonNull String);
 method @WorkerThread public static boolean hasWifiKeyGrantAsUser(@NonNull android.content.Context, @NonNull android.os.UserHandle, @NonNull String);
diff --git a/core/java/android/security/FileIntegrityManager.java b/core/java/android/security/FileIntegrityManager.java
index 025aac962fb9..478435b1ac5e 100644
--- a/core/java/android/security/FileIntegrityManager.java
+++ b/core/java/android/security/FileIntegrityManager.java
@@ -20,6 +20,8 @@ import android.annotation.FlaggedApi;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.annotation.RequiresPermission;
+import android.annotation.SuppressLint;
+import android.annotation.SystemApi;
 import android.annotation.SystemService;
 import android.content.Context;
 import android.os.IInstalld.IFsveritySetupAuthToken;
@@ -99,8 +101,11 @@ public final class FileIntegrityManager {
 * @throws IOException If the operation failed.
 *
 * @see <a href="https://www.kernel.org/doc/html/next/filesystems/fsverity.html">Kernel doc</a>
+ * @hide
 */
 @FlaggedApi(Flags.FLAG_FSVERITY_API)
+ @SuppressLint("StreamFiles")
+ @SystemApi
 public void setupFsVerity(@NonNull File file) throws IOException {
 if (!file.isAbsolute()) {
 // fs-verity is to be enabled by installd, which enforces the validation to the
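Review bot: `setupFsVerity` in FileIntegrityManager.java gains `@SystemApi` and `@hide` but no `@RequiresPermission`, although the FileIntegrityService.java hunk of this commit makes the service reject callers that lack android.permission.SETUP_FSVERITY. Adding `@RequiresPermission(android.Manifest.permission.SETUP_FSVERITY)` beside `@SystemApi` would carry the requirement into lint and the API signature files; RequiresPermission is already imported, as the import hunk shows. The Javadoc could state the same with `@throws SecurityException if the caller does not hold SETUP_FSVERITY`. The method body continues outside the hunk, so how a denial from the service reaches the caller is presumed rather than visible here.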
@@ -138,8 +143,11 @@ public final class FileIntegrityManager {
 * @param file The file to measure the fs-verity digest.
 * @return The fs-verity digest in byte[], null if none.
 * @see <a href="https://www.kernel.org/doc/html/next/filesystems/fsverity.html">Kernel doc</a>
+ * @hide
 */
 @FlaggedApi(Flags.FLAG_FSVERITY_API)
+ @SuppressLint("StreamFiles")
+ @SystemApi
 public @Nullable byte[] getFsVerityDigest(@NonNull File file) throws IOException {
 return VerityUtils.getFsverityDigest(file.getPath());
 }
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 0864210aad32..f55f3c7c5820 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -8182,6 +8182,15 @@
 <permission android:name="android.permission.SCREEN_TIMEOUT_OVERRIDE"
 android:protectionLevel="signature" />

+ <!-- @SystemApi
+ @FlaggedApi("android.security.fsverity_api")
+ Allows app to setup fs-verity through FileIntegrityManager.
+ <p>Protection level: signature|privileged
+ @hide
+ -->
+ <permission android:name="android.permission.SETUP_FSVERITY"
+ android:protectionLevel="signature|privileged"/>
+
 <!-- Attribution for Geofencing service. -->
 <attribution android:tag="GeofencingService" android:label="@string/geofencing_service"/>
 <!-- Attribution for Country Detector. -->
diff --git a/services/core/java/com/android/server/security/FileIntegrityService.java b/services/core/java/com/android/server/security/FileIntegrityService.java
index bb4876bd5f56..5b501e16d652 100644
--- a/services/core/java/com/android/server/security/FileIntegrityService.java
+++ b/services/core/java/com/android/server/security/FileIntegrityService.java
@@ -170,6 +170,10 @@ public class FileIntegrityService extends SystemService {
 @Override
 public int setupFsverity(android.os.IInstalld.IFsveritySetupAuthToken authToken,
 String filePath, String packageName) throws RemoteException {
+ getContext().enforceCallingPermission(android.Manifest.permission.SETUP_FSVERITY,
+ "Permission android.permission.SETUP_FSVERITY not grantted to access "
+ + "FileIntegrityManager#setupFsverity");
+
 Objects.requireNonNull(authToken);
 Objects.requireNonNull(filePath);
 Objects.requireNonNull(packageName); |
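Review bot: The denial message passed to `enforceCallingPermission` misspells "granted" as "grantted" and names `FileIntegrityManager#setupFsverity`, while the API this commit exposes is spelled `setupFsVerity`. Whoever triages a permission denial will search for this text, so both spellings are worth fixing: `"Permission android.permission.SETUP_FSVERITY not granted to access "` and `+ "FileIntegrityManager#setupFsVerity");`. The body of setupFsverity continues outside the hunk.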