Set verified stamps to be trusted

Bug: 148006415
Test: atest FrameworksServicesTests:AppIntegrityManagerServiceImplTest
Change-Id: I61d8d7032580d158e1bccac8f571576447248860
Khaled Abdelmohsen
2020-03-09 12:02:49 +00:00
parent 5580360ba8
commit 612ecd2379
2 changed files with 3 additions and 22 deletions


@@ -52,7 +52,6 @@ import android.os.Handler;
import android.os.HandlerThread;
import android.os.UserHandle;
import android.provider.Settings;
import android.security.FileIntegrityManager;
import android.util.Slog;
import android.util.apk.SourceStampVerificationResult;
import android.util.apk.SourceStampVerifier;
@@ -122,7 +121,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
private final PackageManagerInternal mPackageManagerInternal;
private final RuleEvaluationEngine mEvaluationEngine;
private final IntegrityFileManager mIntegrityFileManager;
private final FileIntegrityManager mFileIntegrityManager;
/** Create an instance of {@link AppIntegrityManagerServiceImpl}. */
public static AppIntegrityManagerServiceImpl create(Context context) {
@@ -134,7 +132,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
LocalServices.getService(PackageManagerInternal.class),
RuleEvaluationEngine.getRuleEvaluationEngine(),
IntegrityFileManager.getInstance(),
(FileIntegrityManager) context.getSystemService(Context.FILE_INTEGRITY_SERVICE),
handlerThread.getThreadHandler());
}
@@ -144,13 +141,11 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
PackageManagerInternal packageManagerInternal,
RuleEvaluationEngine evaluationEngine,
IntegrityFileManager integrityFileManager,
FileIntegrityManager fileIntegrityManager,
Handler handler) {
mContext = context;
mPackageManagerInternal = packageManagerInternal;
mEvaluationEngine = evaluationEngine;
mIntegrityFileManager = integrityFileManager;
mFileIntegrityManager = fileIntegrityManager;
mHandler = handler;
IntentFilter integrityVerificationFilter = new IntentFilter();
@@ -476,6 +471,8 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
SourceStampVerifier.verify(installationPath.getAbsolutePath());
appInstallMetadata.setIsStampPresent(sourceStampVerificationResult.isPresent());
appInstallMetadata.setIsStampVerified(sourceStampVerificationResult.isVerified());
// A verified stamp is set to be trusted.
appInstallMetadata.setIsStampTrusted(sourceStampVerificationResult.isVerified());
if (sourceStampVerificationResult.isVerified()) {
X509Certificate sourceStampCertificate =
(X509Certificate) sourceStampVerificationResult.getCertificate();
@@ -488,16 +485,6 @@ public class AppIntegrityManagerServiceImpl extends IAppIntegrityManager.Stub {
throw new IllegalArgumentException(
"Error computing source stamp certificate digest", e);
}
// Checks if the source stamp certificate is trusted.
try {
appInstallMetadata.setIsStampTrusted(
mFileIntegrityManager.isApkVeritySupported()
&& mFileIntegrityManager.isAppSourceCertificateTrusted(
sourceStampCertificate));
} catch (CertificateEncodingException e) {
throw new IllegalArgumentException(
"Error checking if source stamp certificate is trusted", e);
}
}
}
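Review bot: At `appInstallMetadata.setIsStampTrusted(sourceStampVerificationResult.isVerified());` the trusted flag becomes a copy of the verified flag, so it can no longer distinguish a stamp whose certificate the platform trusts from one that merely verifies; the removed `isAppSourceCertificateTrusted` call was the only visible check against a trust store. An integrity rule that keys on the trusted flag alone would now pass for every verifiable stamp regardless of who issued it, so rules presumably need to match the stamp certificate hash as well. The added comment restates the code; I would replace it with `// No trust-store lookup: "trusted" now equals "verified". Rules must also match the stamp certificate hash.` The enclosing method starts and ends outside the visible hunks.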


@@ -62,7 +62,6 @@ import android.net.Uri;
import android.os.Handler;
import android.os.Message;
import android.provider.Settings;
import android.security.FileIntegrityManager;
import androidx.test.InstrumentationRegistry;
@@ -136,7 +135,6 @@ public class AppIntegrityManagerServiceImplTest {
@Mock RuleEvaluationEngine mRuleEvaluationEngine;
@Mock IntegrityFileManager mIntegrityFileManager;
@Mock Handler mHandler;
FileIntegrityManager mFileIntegrityManager;
private final Context mRealContext = InstrumentationRegistry.getTargetContext();
@@ -165,16 +163,12 @@ public class AppIntegrityManagerServiceImplTest {
Files.copy(inputStream, mTestApkSourceStamp.toPath(), REPLACE_EXISTING);
}
mFileIntegrityManager =
(FileIntegrityManager)
mRealContext.getSystemService(Context.FILE_INTEGRITY_SERVICE);
mService =
new AppIntegrityManagerServiceImpl(
mMockContext,
mPackageManagerInternal,
mRuleEvaluationEngine,
mIntegrityFileManager,
mFileIntegrityManager,
mHandler);
mSpyPackageManager = spy(mRealContext.getPackageManager());
@@ -379,7 +373,7 @@ public class AppIntegrityManagerServiceImplTest {
AppInstallMetadata appInstallMetadata = metadataCaptor.getValue();
assertTrue(appInstallMetadata.isStampPresent());
assertTrue(appInstallMetadata.isStampVerified());
assertFalse(appInstallMetadata.isStampTrusted());
assertTrue(appInstallMetadata.isStampTrusted());
assertEquals(SOURCE_STAMP_CERTIFICATE_HASH, appInstallMetadata.getStampCertificateHash());
}
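Review bot: The flipped assertion `assertTrue(appInstallMetadata.isStampTrusted())` pins only the verified case, so nothing visible here checks that a stamp which is present but fails verification stays untrusted. Because the trusted flag is now derived directly from the verification result, that negative case is the one guarding it. If the file does not already cover it, add a test that installs an APK with an invalid stamp and ends with `assertFalse(appInstallMetadata.isStampVerified());` and `assertFalse(appInstallMetadata.isStampTrusted());`. The test method starts outside the hunk.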