-rw-r--r--service/java/com/android/permission/persistence/RuntimePermissionsPersistenceImpl.java30
-rw-r--r--service/java/com/android/role/persistence/RolesPersistenceImpl.java30
-rw-r--r--tests/apex/java/com/android/permission/persistence/RuntimePermissionsPersistenceTest.kt2
-rw-r--r--tests/apex/java/com/android/role/persistence/RolesPersistenceTest.kt2
4 files changed, 62 insertions, 2 deletions
diff --git a/service/java/com/android/permission/persistence/RuntimePermissionsPersistenceImpl.java b/service/java/com/android/permission/persistence/RuntimePermissionsPersistenceImpl.java
index c1f9299c2..f3ba5aaef 100644
--- a/service/java/com/android/permission/persistence/RuntimePermissionsPersistenceImpl.java
+++ b/service/java/com/android/permission/persistence/RuntimePermissionsPersistenceImpl.java
@@ -28,6 +28,8 @@ import android.util.Log;
import android.util.Xml;
import com.android.internal.annotations.VisibleForTesting;
+import com.android.modules.utils.build.SdkLevel;
+import com.android.server.security.FileIntegrity;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
@@ -70,6 +72,27 @@ public class RuntimePermissionsPersistenceImpl implements RuntimePermissionsPers
private static final String ATTRIBUTE_NAME = "name";
private static final String ATTRIBUTE_VERSION = "version";
+ @VisibleForTesting
+ interface Injector {
+ void enableFsVerity(@NonNull File file) throws IOException;
+ }
+
+ @NonNull
+ private final Injector mInjector;
+
+ RuntimePermissionsPersistenceImpl() {
+ this(file -> {
+ if (SdkLevel.isAtLeastU()) {
+ FileIntegrity.setUpFsVerity(file);
+ }
+ });
+ }
+
+ @VisibleForTesting
+ RuntimePermissionsPersistenceImpl(@NonNull Injector injector) {
+ mInjector = injector;
+ }
+
@Nullable
@Override
public RuntimePermissionsState readForUser(@NonNull UserHandle user) {
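Review bot: The default injector in the no-argument constructor does nothing when `SdkLevel.isAtLeastU()` is false, and nothing in the hunk says so, so a reader can assume the persisted file is always verity-protected. I would add a comment above the lambda such as `// fs-verity is only set up on U+; on older releases this is a no-op and the file stays unprotected.` and a one-line Javadoc on `Injector` saying it exists so tests can replace the platform call. The same applies to the identical constructor pair added to RolesPersistenceImpl.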
@@ -224,6 +247,13 @@ public class RuntimePermissionsPersistenceImpl implements RuntimePermissionsPers
} catch (Exception e) {
Log.e(LOG_TAG, "Failed to write reserve copy: " + reserveFile, e);
}
+
+ try {
+ mInjector.enableFsVerity(file);
+ mInjector.enableFsVerity(reserveFile);
+ } catch (Exception e) {
+ Log.e(LOG_TAG, "Failed to verity-protect runtime-permissions", e);
+ }
}
private static void serializeRuntimePermissions(@NonNull XmlSerializer serializer,
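Review bot: Both `enableFsVerity` calls share one try block, so an exception on `file` skips `reserveFile`, and the log message does not say which path failed. The catch just above shows the reserve copy can itself fail to be written, in which case the second call would run against a missing or stale file. Handling each file on its own keeps one failure from leaving the other unprotected and lets the log name the path; since failure is only logged, a comment should also state that the write is intentionally best-effort, if that is the intent. The enclosing method starts outside the hunk, and the same block is added to RolesPersistenceImpl with the message "Failed to verity-protect roles".
```java
// … unchanged: reserve-copy write and its catch …

// Best-effort: a failure on one file must not leave the other unprotected.
for (File target : new File[] {file, reserveFile}) {
    try {
        mInjector.enableFsVerity(target);
    } catch (Exception e) {
        Log.e(LOG_TAG, "Failed to verity-protect runtime-permissions: " + target, e);
    }
}
```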
diff --git a/service/java/com/android/role/persistence/RolesPersistenceImpl.java b/service/java/com/android/role/persistence/RolesPersistenceImpl.java
index 944036aeb..76cf8f81f 100644
--- a/service/java/com/android/role/persistence/RolesPersistenceImpl.java
+++ b/service/java/com/android/role/persistence/RolesPersistenceImpl.java
@@ -28,7 +28,9 @@ import android.util.Log;
import android.util.Xml;
import com.android.internal.annotations.VisibleForTesting;
+import com.android.modules.utils.build.SdkLevel;
import com.android.permission.persistence.IoUtils;
+import com.android.server.security.FileIntegrity;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
@@ -66,6 +68,27 @@ public class RolesPersistenceImpl implements RolesPersistence {
private static final String ATTRIBUTE_NAME = "name";
private static final String ATTRIBUTE_PACKAGES_HASH = "packagesHash";
+ @VisibleForTesting
+ interface Injector {
+ void enableFsVerity(@NonNull File file) throws IOException;
+ }
+
+ @NonNull
+ private final Injector mInjector;
+
+ RolesPersistenceImpl() {
+ this(file -> {
+ if (SdkLevel.isAtLeastU()) {
+ FileIntegrity.setUpFsVerity(file);
+ }
+ });
+ }
+
+ @VisibleForTesting
+ RolesPersistenceImpl(@NonNull Injector injector) {
+ mInjector = injector;
+ }
+
@Nullable
@Override
public RolesState readForUser(@NonNull UserHandle user) {
@@ -195,6 +218,13 @@ public class RolesPersistenceImpl implements RolesPersistence {
} catch (Exception e) {
Log.e(LOG_TAG, "Failed to write reserve copy: " + reserveFile, e);
}
+
+ try {
+ mInjector.enableFsVerity(file);
+ mInjector.enableFsVerity(reserveFile);
+ } catch (Exception e) {
+ Log.e(LOG_TAG, "Failed to verity-protect roles", e);
+ }
}
private static void serializeRoles(@NonNull XmlSerializer serializer,
diff --git a/tests/apex/java/com/android/permission/persistence/RuntimePermissionsPersistenceTest.kt b/tests/apex/java/com/android/permission/persistence/RuntimePermissionsPersistenceTest.kt
index a3502a01a..59bf6a381 100644
--- a/tests/apex/java/com/android/permission/persistence/RuntimePermissionsPersistenceTest.kt
+++ b/tests/apex/java/com/android/permission/persistence/RuntimePermissionsPersistenceTest.kt
@@ -46,7 +46,7 @@ class RuntimePermissionsPersistenceTest {
private lateinit var mockitoSession: MockitoSession
@Mock lateinit var apexEnvironment: ApexEnvironment
- private val persistence = RuntimePermissionsPersistence.createInstance()
+ private val persistence = RuntimePermissionsPersistenceImpl {}
private val permissionState = RuntimePermissionsState.PermissionState("permission", true, 3)
private val state =
RuntimePermissionsState(
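Review bot: Replacing `createInstance()` with `RuntimePermissionsPersistenceImpl {}` injects a no-op, so nothing visible in this hunk checks that the write path calls `enableFsVerity` on both the primary and the reserve file. A recording injector, for example `private val verityFiles = mutableListOf<File>()` with `RuntimePermissionsPersistenceImpl { verityFiles += it }`, would let the write test assert that both paths were passed. Tests outside this hunk may already cover it, but the same gap appears with `RolesPersistenceImpl {}` in RolesPersistenceTest.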
diff --git a/tests/apex/java/com/android/role/persistence/RolesPersistenceTest.kt b/tests/apex/java/com/android/role/persistence/RolesPersistenceTest.kt
index 814826b98..1806f8e13 100644
--- a/tests/apex/java/com/android/role/persistence/RolesPersistenceTest.kt
+++ b/tests/apex/java/com/android/role/persistence/RolesPersistenceTest.kt
@@ -46,7 +46,7 @@ class RolesPersistenceTest {
private lateinit var mockitoSession: MockitoSession
@Mock lateinit var apexEnvironment: ApexEnvironment
- private val persistence = RolesPersistence.createInstance()
+ private val persistence = RolesPersistenceImpl {}
private val state = RolesState(1, "packagesHash", mapOf("role" to setOf("holder1", "holder2")))
private val user = Process.myUserHandle()