xref: /aosp_15_r20/system/apex/apexd/apex_shim.cpp (revision 33f3758387333dbd2962d7edbd98681940d895da) 
1*33f37583SAndroid Build Coastguard Worker /*
2*33f37583SAndroid Build Coastguard Worker  * Copyright (C) 2019 The Android Open Source Project
3*33f37583SAndroid Build Coastguard Worker  *
4*33f37583SAndroid Build Coastguard Worker  * Licensed under the Apache License, Version 2.0 (the "License");
5*33f37583SAndroid Build Coastguard Worker  * you may not use this file except in compliance with the License.
6*33f37583SAndroid Build Coastguard Worker  * You may obtain a copy of the License at
7*33f37583SAndroid Build Coastguard Worker  *
8*33f37583SAndroid Build Coastguard Worker  *      http://www.apache.org/licenses/LICENSE-2.0
9*33f37583SAndroid Build Coastguard Worker  *
10*33f37583SAndroid Build Coastguard Worker  * Unless required by applicable law or agreed to in writing, software
11*33f37583SAndroid Build Coastguard Worker  * distributed under the License is distributed on an "AS IS" BASIS,
12*33f37583SAndroid Build Coastguard Worker  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*33f37583SAndroid Build Coastguard Worker  * See the License for the specific language governing permissions and
14*33f37583SAndroid Build Coastguard Worker  * limitations under the License.
15*33f37583SAndroid Build Coastguard Worker  */
16*33f37583SAndroid Build Coastguard Worker 
17*33f37583SAndroid Build Coastguard Worker #include "apex_shim.h"
18*33f37583SAndroid Build Coastguard Worker 
19*33f37583SAndroid Build Coastguard Worker #include <android-base/file.h>
20*33f37583SAndroid Build Coastguard Worker #include <android-base/logging.h>
21*33f37583SAndroid Build Coastguard Worker #include <android-base/stringprintf.h>
22*33f37583SAndroid Build Coastguard Worker #include <android-base/strings.h>
23*33f37583SAndroid Build Coastguard Worker #include <openssl/sha.h>
24*33f37583SAndroid Build Coastguard Worker 
25*33f37583SAndroid Build Coastguard Worker #include <filesystem>
26*33f37583SAndroid Build Coastguard Worker #include <fstream>
27*33f37583SAndroid Build Coastguard Worker #include <sstream>
28*33f37583SAndroid Build Coastguard Worker #include <unordered_set>
29*33f37583SAndroid Build Coastguard Worker 
30*33f37583SAndroid Build Coastguard Worker #include "apex_constants.h"
31*33f37583SAndroid Build Coastguard Worker #include "apex_file.h"
32*33f37583SAndroid Build Coastguard Worker #include "apex_sha.h"
33*33f37583SAndroid Build Coastguard Worker #include "string_log.h"
34*33f37583SAndroid Build Coastguard Worker 
35*33f37583SAndroid Build Coastguard Worker using android::base::ErrnoError;
36*33f37583SAndroid Build Coastguard Worker using android::base::Error;
37*33f37583SAndroid Build Coastguard Worker using android::base::Result;
38*33f37583SAndroid Build Coastguard Worker using ::apex::proto::ApexManifest;
39*33f37583SAndroid Build Coastguard Worker 
40*33f37583SAndroid Build Coastguard Worker namespace android {
41*33f37583SAndroid Build Coastguard Worker namespace apex {
42*33f37583SAndroid Build Coastguard Worker namespace shim {
43*33f37583SAndroid Build Coastguard Worker 
44*33f37583SAndroid Build Coastguard Worker namespace fs = std::filesystem;
45*33f37583SAndroid Build Coastguard Worker 
46*33f37583SAndroid Build Coastguard Worker namespace {
47*33f37583SAndroid Build Coastguard Worker 
48*33f37583SAndroid Build Coastguard Worker static constexpr const char* kApexCtsShimPackage = "com.android.apex.cts.shim";
49*33f37583SAndroid Build Coastguard Worker static constexpr const char* kHashFilePath = "etc/hash.txt";
50*33f37583SAndroid Build Coastguard Worker static constexpr const fs::perms kForbiddenFilePermissions =
51*33f37583SAndroid Build Coastguard Worker     fs::perms::owner_exec | fs::perms::group_exec | fs::perms::others_exec;
52*33f37583SAndroid Build Coastguard Worker static constexpr const char* kExpectedCtsShimFiles[] = {
53*33f37583SAndroid Build Coastguard Worker     "apex_manifest.json",
54*33f37583SAndroid Build Coastguard Worker     "apex_manifest.pb",
55*33f37583SAndroid Build Coastguard Worker     "etc/hash.txt",
56*33f37583SAndroid Build Coastguard Worker     "etc/permissions/signature-permission-allowlist.xml",
57*33f37583SAndroid Build Coastguard Worker     "app/CtsShim/CtsShim.apk",
58*33f37583SAndroid Build Coastguard Worker     "app/CtsShim@1/CtsShim.apk",
59*33f37583SAndroid Build Coastguard Worker     "app/CtsShim@2/CtsShim.apk",
60*33f37583SAndroid Build Coastguard Worker     "app/CtsShim@3/CtsShim.apk",
61*33f37583SAndroid Build Coastguard Worker     "app/CtsShim@AOSP.MASTER/CtsShim.apk",
62*33f37583SAndroid Build Coastguard Worker     "app/CtsShim@MASTER/CtsShim.apk",
63*33f37583SAndroid Build Coastguard Worker     "app/CtsShim@MAIN/CtsShim.apk",
64*33f37583SAndroid Build Coastguard Worker     "app/CtsShimAddApkToApex/CtsShimAddApkToApex.apk",
65*33f37583SAndroid Build Coastguard Worker     "app/CtsShimAddApkToApex@1/CtsShimAddApkToApex.apk",
66*33f37583SAndroid Build Coastguard Worker     "app/CtsShimAddApkToApex@2/CtsShimAddApkToApex.apk",
67*33f37583SAndroid Build Coastguard Worker     "app/CtsShimAddApkToApex@3/CtsShimAddApkToApex.apk",
68*33f37583SAndroid Build Coastguard Worker     "app/CtsShimAddApkToApex@AOSP.MASTER/CtsShimAddApkToApex.apk",
69*33f37583SAndroid Build Coastguard Worker     "app/CtsShimAddApkToApex@MASTER/CtsShimAddApkToApex.apk",
70*33f37583SAndroid Build Coastguard Worker     "app/CtsShimAddApkToApex@MAIN/CtsShimAddApkToApex.apk",
71*33f37583SAndroid Build Coastguard Worker     "app/CtsShimTargetPSdk/CtsShimTargetPSdk.apk",
72*33f37583SAndroid Build Coastguard Worker     "app/CtsShimTargetPSdk@1/CtsShimTargetPSdk.apk",
73*33f37583SAndroid Build Coastguard Worker     "app/CtsShimTargetPSdk@2/CtsShimTargetPSdk.apk",
74*33f37583SAndroid Build Coastguard Worker     "app/CtsShimTargetPSdk@3/CtsShimTargetPSdk.apk",
75*33f37583SAndroid Build Coastguard Worker     "app/CtsShimTargetPSdk@AOSP.MASTER/CtsShimTargetPSdk.apk",
76*33f37583SAndroid Build Coastguard Worker     "app/CtsShimTargetPSdk@MASTER/CtsShimTargetPSdk.apk",
77*33f37583SAndroid Build Coastguard Worker     "app/CtsShimTargetPSdk@MAIN/CtsShimTargetPSdk.apk",
78*33f37583SAndroid Build Coastguard Worker     "priv-app/CtsShimPriv/CtsShimPriv.apk",
79*33f37583SAndroid Build Coastguard Worker     "priv-app/CtsShimPriv@1/CtsShimPriv.apk",
80*33f37583SAndroid Build Coastguard Worker     "priv-app/CtsShimPriv@2/CtsShimPriv.apk",
81*33f37583SAndroid Build Coastguard Worker     "priv-app/CtsShimPriv@3/CtsShimPriv.apk",
82*33f37583SAndroid Build Coastguard Worker     "priv-app/CtsShimPriv@AOSP.MASTER/CtsShimPriv.apk",
83*33f37583SAndroid Build Coastguard Worker     "priv-app/CtsShimPriv@MASTER/CtsShimPriv.apk",
84*33f37583SAndroid Build Coastguard Worker     "priv-app/CtsShimPriv@MAIN/CtsShimPriv.apk",
85*33f37583SAndroid Build Coastguard Worker };
86*33f37583SAndroid Build Coastguard Worker 
GetAllowedHashes(const std::string & path)87*33f37583SAndroid Build Coastguard Worker Result<std::vector<std::string>> GetAllowedHashes(const std::string& path) {
88*33f37583SAndroid Build Coastguard Worker   using android::base::ReadFileToString;
89*33f37583SAndroid Build Coastguard Worker   using android::base::StringPrintf;
90*33f37583SAndroid Build Coastguard Worker   const std::string& file_path =
91*33f37583SAndroid Build Coastguard Worker       StringPrintf("%s/%s", path.c_str(), kHashFilePath);
92*33f37583SAndroid Build Coastguard Worker   LOG(DEBUG) << "Reading SHA512 from " << file_path;
93*33f37583SAndroid Build Coastguard Worker   std::string hash;
94*33f37583SAndroid Build Coastguard Worker   if (!ReadFileToString(file_path, &hash, false /* follows symlinks */)) {
95*33f37583SAndroid Build Coastguard Worker     return ErrnoError() << "Failed to read " << file_path;
96*33f37583SAndroid Build Coastguard Worker   }
97*33f37583SAndroid Build Coastguard Worker   std::vector<std::string> allowed_hashes = android::base::Split(hash, "\n");
98*33f37583SAndroid Build Coastguard Worker   auto system_shim_hash = CalculateSha512(
99*33f37583SAndroid Build Coastguard Worker       StringPrintf("%s/%s", kApexPackageSystemDir, shim::kSystemShimApexName));
100*33f37583SAndroid Build Coastguard Worker   if (!system_shim_hash.ok()) {
101*33f37583SAndroid Build Coastguard Worker     return system_shim_hash.error();
102*33f37583SAndroid Build Coastguard Worker   }
103*33f37583SAndroid Build Coastguard Worker   allowed_hashes.push_back(std::move(*system_shim_hash));
104*33f37583SAndroid Build Coastguard Worker   return allowed_hashes;
105*33f37583SAndroid Build Coastguard Worker }
106*33f37583SAndroid Build Coastguard Worker }  // namespace
107*33f37583SAndroid Build Coastguard Worker 
IsShimApex(const ApexFile & apex_file)108*33f37583SAndroid Build Coastguard Worker bool IsShimApex(const ApexFile& apex_file) {
109*33f37583SAndroid Build Coastguard Worker   return apex_file.GetManifest().name() == kApexCtsShimPackage;
110*33f37583SAndroid Build Coastguard Worker }
111*33f37583SAndroid Build Coastguard Worker 
ValidateShimApex(const std::string & mount_point,const ApexFile & apex_file)112*33f37583SAndroid Build Coastguard Worker Result<void> ValidateShimApex(const std::string& mount_point,
113*33f37583SAndroid Build Coastguard Worker                               const ApexFile& apex_file) {
114*33f37583SAndroid Build Coastguard Worker   LOG(DEBUG) << "Validating shim apex " << mount_point;
115*33f37583SAndroid Build Coastguard Worker   const ApexManifest& manifest = apex_file.GetManifest();
116*33f37583SAndroid Build Coastguard Worker   if (!manifest.preinstallhook().empty() ||
117*33f37583SAndroid Build Coastguard Worker       !manifest.postinstallhook().empty()) {
118*33f37583SAndroid Build Coastguard Worker     return Errorf("Shim apex is not allowed to have pre or post install hooks");
119*33f37583SAndroid Build Coastguard Worker   }
120*33f37583SAndroid Build Coastguard Worker   std::error_code ec;
121*33f37583SAndroid Build Coastguard Worker   std::unordered_set<std::string> expected_files;
122*33f37583SAndroid Build Coastguard Worker   for (auto file : kExpectedCtsShimFiles) {
123*33f37583SAndroid Build Coastguard Worker     expected_files.insert(file);
124*33f37583SAndroid Build Coastguard Worker   }
125*33f37583SAndroid Build Coastguard Worker 
126*33f37583SAndroid Build Coastguard Worker   auto iter = fs::recursive_directory_iterator(mount_point, ec);
127*33f37583SAndroid Build Coastguard Worker   // Unfortunately fs::recursive_directory_iterator::operator++ can throw an
128*33f37583SAndroid Build Coastguard Worker   // exception, which means that it's impossible to use range-based for loop
129*33f37583SAndroid Build Coastguard Worker   // here.
130*33f37583SAndroid Build Coastguard Worker   while (iter != fs::end(iter)) {
131*33f37583SAndroid Build Coastguard Worker     auto path = iter->path();
132*33f37583SAndroid Build Coastguard Worker     // Resolve the mount point to ensure any trailing slash is removed.
133*33f37583SAndroid Build Coastguard Worker     auto resolved_mount_point = fs::path(mount_point).string();
134*33f37583SAndroid Build Coastguard Worker     auto local_path = path.string().substr(resolved_mount_point.length() + 1);
135*33f37583SAndroid Build Coastguard Worker     fs::file_status status = iter->status(ec);
136*33f37583SAndroid Build Coastguard Worker 
137*33f37583SAndroid Build Coastguard Worker     if (fs::is_symlink(status)) {
138*33f37583SAndroid Build Coastguard Worker       return Error()
139*33f37583SAndroid Build Coastguard Worker              << "Shim apex is not allowed to contain symbolic links, found "
140*33f37583SAndroid Build Coastguard Worker              << path;
141*33f37583SAndroid Build Coastguard Worker     } else if (fs::is_regular_file(status)) {
142*33f37583SAndroid Build Coastguard Worker       if ((status.permissions() & kForbiddenFilePermissions) !=
143*33f37583SAndroid Build Coastguard Worker           fs::perms::none) {
144*33f37583SAndroid Build Coastguard Worker         return Error() << path << " has illegal permissions";
145*33f37583SAndroid Build Coastguard Worker       }
146*33f37583SAndroid Build Coastguard Worker       auto ex = expected_files.find(local_path);
147*33f37583SAndroid Build Coastguard Worker       if (ex != expected_files.end()) {
148*33f37583SAndroid Build Coastguard Worker         expected_files.erase(local_path);
149*33f37583SAndroid Build Coastguard Worker       } else {
150*33f37583SAndroid Build Coastguard Worker         return Error() << path << " is an unexpected file inside the shim apex";
151*33f37583SAndroid Build Coastguard Worker       }
152*33f37583SAndroid Build Coastguard Worker     } else if (!fs::is_directory(status)) {
153*33f37583SAndroid Build Coastguard Worker       // If this is not a symlink, a file or a directory, fail.
154*33f37583SAndroid Build Coastguard Worker       return Error() << "Unexpected file entry in shim apex: " << iter->path();
155*33f37583SAndroid Build Coastguard Worker     }
156*33f37583SAndroid Build Coastguard Worker     iter = iter.increment(ec);
157*33f37583SAndroid Build Coastguard Worker     if (ec) {
158*33f37583SAndroid Build Coastguard Worker       return Error() << "Failed to scan " << mount_point << " : "
159*33f37583SAndroid Build Coastguard Worker                      << ec.message();
160*33f37583SAndroid Build Coastguard Worker     }
161*33f37583SAndroid Build Coastguard Worker   }
162*33f37583SAndroid Build Coastguard Worker 
163*33f37583SAndroid Build Coastguard Worker   return {};
164*33f37583SAndroid Build Coastguard Worker }
165*33f37583SAndroid Build Coastguard Worker 
ValidateUpdate(const std::string & system_apex_path,const std::string & new_apex_path)166*33f37583SAndroid Build Coastguard Worker Result<void> ValidateUpdate(const std::string& system_apex_path,
167*33f37583SAndroid Build Coastguard Worker                             const std::string& new_apex_path) {
168*33f37583SAndroid Build Coastguard Worker   LOG(DEBUG) << "Validating update of shim apex to " << new_apex_path
169*33f37583SAndroid Build Coastguard Worker              << " using system shim apex " << system_apex_path;
170*33f37583SAndroid Build Coastguard Worker   auto allowed = GetAllowedHashes(system_apex_path);
171*33f37583SAndroid Build Coastguard Worker   if (!allowed.ok()) {
172*33f37583SAndroid Build Coastguard Worker     return allowed.error();
173*33f37583SAndroid Build Coastguard Worker   }
174*33f37583SAndroid Build Coastguard Worker   auto actual = CalculateSha512(new_apex_path);
175*33f37583SAndroid Build Coastguard Worker   if (!actual.ok()) {
176*33f37583SAndroid Build Coastguard Worker     return actual.error();
177*33f37583SAndroid Build Coastguard Worker   }
178*33f37583SAndroid Build Coastguard Worker   auto it = std::find(allowed->begin(), allowed->end(), *actual);
179*33f37583SAndroid Build Coastguard Worker   if (it == allowed->end()) {
180*33f37583SAndroid Build Coastguard Worker     return Error() << new_apex_path << " has unexpected SHA512 hash "
181*33f37583SAndroid Build Coastguard Worker                    << *actual;
182*33f37583SAndroid Build Coastguard Worker   }
183*33f37583SAndroid Build Coastguard Worker   return {};
184*33f37583SAndroid Build Coastguard Worker }
185*33f37583SAndroid Build Coastguard Worker 
186*33f37583SAndroid Build Coastguard Worker }  // namespace shim
187*33f37583SAndroid Build Coastguard Worker }  // namespace apex
188*33f37583SAndroid Build Coastguard Worker }  // namespace android
189