From c5c5d9a3b75cda48aa5c9231fde2b6967afa2259 Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Mon, 15 Apr 2024 11:52:07 -0700
Subject: Move 2 new FileIntegrityManager APIs to @SystemApi

Due to system health concerns of potential system wide I/O impact by 3P apps using this API, move it from public to @SystemApi until the underlying verity performance problem is fixed. setupFsverity is now guarded by SETUP_FSVERITY permission, which is signature|privileged. getFsVerityDigest is not guarded because it simply calls a (read-only) ioctl in the app process.

Bug: 285185747
Bug: 296467543
Test: m
Test: atest android.security.cts.FileIntegrityManagerTest FsVerityTest
Test: atest android.permissionpolicy.cts.PermissionPolicyTest#platformPermissionPolicyIsUnaltered
Change-Id: Iff6141f01c24a5a8f03339fc764316c51339e686
---
 core/api/current.txt | 2 --
 core/api/system-current.txt | 6 ++++++
 core/java/android/security/FileIntegrityManager.java | 8 ++++++++
 core/res/AndroidManifest.xml | 9 +++++++++
 .../java/com/android/server/security/FileIntegrityService.java | 4 ++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/core/api/current.txt b/core/api/current.txt
index c189a24c84ae..b74d223ce35c 100644
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -39388,10 +39388,8 @@ package android.security {
 }
 
 public final class FileIntegrityManager {
- method @FlaggedApi("android.security.fsverity_api") @Nullable public byte[] getFsVerityDigest(@NonNull java.io.File) throws java.io.IOException;
 method public boolean isApkVeritySupported();
 method @Deprecated @RequiresPermission(anyOf={android.Manifest.permission.INSTALL_PACKAGES, android.Manifest.permission.REQUEST_INSTALL_PACKAGES}) public boolean isAppSourceCertificateTrusted(@NonNull java.security.cert.X509Certificate) throws java.security.cert.CertificateEncodingException;
- method @FlaggedApi("android.security.fsverity_api") public void setupFsVerity(@NonNull java.io.File) throws java.io.IOException;
 }
 
 public final class KeyChain {
diff --git a/core/api/system-current.txt b/core/api/system-current.txt
index b767c52ea9ba..45bcd0dbbf21 100644
--- a/core/api/system-current.txt
+++ b/core/api/system-current.txt
@@ -355,6 +355,7 @@ package android {
 field public static final String SEND_SHOW_SUSPENDED_APP_DETAILS = "android.permission.SEND_SHOW_SUSPENDED_APP_DETAILS";
 field public static final String SEND_SMS_NO_CONFIRMATION = "android.permission.SEND_SMS_NO_CONFIRMATION";
 field public static final String SERIAL_PORT = "android.permission.SERIAL_PORT";
+ field @FlaggedApi("android.security.fsverity_api") public static final String SETUP_FSVERITY = "android.permission.SETUP_FSVERITY";
 field public static final String SET_ACTIVITY_WATCHER = "android.permission.SET_ACTIVITY_WATCHER";
 field public static final String SET_CLIP_SOURCE = "android.permission.SET_CLIP_SOURCE";
 field public static final String SET_DEFAULT_ACCOUNT_FOR_CONTACTS = "android.permission.SET_DEFAULT_ACCOUNT_FOR_CONTACTS";
@@ -12106,6 +12107,11 @@ package android.se.omapi {
 
 package android.security {
 
+ public final class FileIntegrityManager {
+ method @FlaggedApi("android.security.fsverity_api") @Nullable public byte[] getFsVerityDigest(@NonNull java.io.File) throws java.io.IOException;
+ method @FlaggedApi("android.security.fsverity_api") public void setupFsVerity(@NonNull java.io.File) throws java.io.IOException;
+ }
+
 public final class KeyChain {
 method @Nullable @WorkerThread public static String getWifiKeyGrantAsUser(@NonNull android.content.Context, @NonNull android.os.UserHandle, @NonNull String);
 method @WorkerThread public static boolean hasWifiKeyGrantAsUser(@NonNull android.content.Context, @NonNull android.os.UserHandle, @NonNull String);
diff --git a/core/java/android/security/FileIntegrityManager.java b/core/java/android/security/FileIntegrityManager.java
index 025aac962fb9..478435b1ac5e 100644
--- a/core/java/android/security/FileIntegrityManager.java
+++ b/core/java/android/security/FileIntegrityManager.java
@@ -20,6 +20,8 @@ import android.annotation.FlaggedApi;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.annotation.RequiresPermission;
+import android.annotation.SuppressLint;
+import android.annotation.SystemApi;
 import android.annotation.SystemService;
 import android.content.Context;
 import android.os.IInstalld.IFsveritySetupAuthToken;
@@ -99,8 +101,11 @@ public final class FileIntegrityManager {
 * @throws IOException If the operation failed.
 *
 * @see Kernel doc
+ * @hide
 */
 @FlaggedApi(Flags.FLAG_FSVERITY_API)
+ @SuppressLint("StreamFiles")
+ @SystemApi
 public void setupFsVerity(@NonNull File file) throws IOException {
 if (!file.isAbsolute()) {
 // fs-verity is to be enabled by installd, which enforces the validation to the
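Review bot: setupFsVerity gains `@SystemApi` and `@SuppressLint("StreamFiles")` but no `@RequiresPermission`, even though this same commit makes FileIntegrityService enforce SETUP_FSVERITY for it, so the system-API signature and lint give a caller no hint that the call throws SecurityException without that permission; `android.annotation.RequiresPermission` is already imported in this file, as the context of the first hunk shows. Add `@RequiresPermission(android.Manifest.permission.SETUP_FSVERITY)` next to `@SystemApi`, and a `@throws SecurityException If the caller does not hold SETUP_FSVERITY.` line to the Javadoc beside the existing `@throws IOException`. The body of setupFsVerity continues outside the hunk.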
@@ -138,8 +143,11 @@ public final class FileIntegrityManager {
 * @param file The file to measure the fs-verity digest.
 * @return The fs-verity digest in byte[], null if none.
 * @see Kernel doc
+ * @hide
 */
 @FlaggedApi(Flags.FLAG_FSVERITY_API)
+ @SuppressLint("StreamFiles")
+ @SystemApi
 public @Nullable byte[] getFsVerityDigest(@NonNull File file) throws IOException {
 return VerityUtils.getFsverityDigest(file.getPath());
 }
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index ab714ad7d807..06a57cab4546 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -8182,6 +8182,15 @@ + + +
diff --git a/services/core/java/com/android/server/security/FileIntegrityService.java b/services/core/java/com/android/server/security/FileIntegrityService.java
index bb4876bd5f56..5b501e16d652 100644
--- a/services/core/java/com/android/server/security/FileIntegrityService.java
+++ b/services/core/java/com/android/server/security/FileIntegrityService.java
@@ -170,6 +170,10 @@ public class FileIntegrityService extends SystemService {
 @Override
 public int setupFsverity(android.os.IInstalld.IFsveritySetupAuthToken authToken,
 String filePath, String packageName) throws RemoteException {
+ getContext().enforceCallingPermission(android.Manifest.permission.SETUP_FSVERITY,
+ "Permission android.permission.SETUP_FSVERITY not grantted to access "
+ + "FileIntegrityManager#setupFsverity");
+
 Objects.requireNonNull(authToken);
 Objects.requireNonNull(filePath);
 Objects.requireNonNull(packageName);
-- 
cgit v1.2.3-59-g8ed1b
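Review bot: The SecurityException message in the new enforceCallingPermission call misspells "granted" as "grantted" and names the binder method `setupFsverity` rather than the public entry point `FileIntegrityManager#setupFsVerity`; since this text is what a denied caller sees, change the two string lines to `"Permission android.permission.SETUP_FSVERITY not granted to access "` and `+ "FileIntegrityManager#setupFsVerity");`. Doing the permission check before the requireNonNull calls is the right order, because an unprivileged caller is rejected before any argument is inspected. Using enforceCallingPermission rather than enforceCallingOrSelfPermission also rejects non-IPC calls made from the system process itself, which appears deliberate and would benefit from a one-line comment saying so. setupFsverity's body continues outside the hunk.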