Replace incomplete path-based check with statx
The current check is incomplete as it doesn't cover /system and
others. Switch to hasFsverity (which calls statx) to ask the filesystem
directly whether the file has fs-verity enabled. This only needs the common
getattr SELinux privilege, so no sepolicy change is needed.
Bug: 279597861
Bug: 258093107
Test: see 258093107#30
Change-Id: I3140b770b57c4fedc8f077adddda5ec2a50c4ee6
diff --git a/services/core/java/com/android/server/pm/ApkChecksums.java b/services/core/java/com/android/server/pm/ApkChecksums.java
index ffe0ca0..b00cc1a 100644
--- a/services/core/java/com/android/server/pm/ApkChecksums.java
+++ b/services/core/java/com/android/server/pm/ApkChecksums.java
@@ -40,8 +40,6 @@
import android.content.pm.parsing.ApkLiteParseUtils;
import android.content.pm.parsing.result.ParseResult;
import android.content.pm.parsing.result.ParseTypeImpl;
-import android.os.Environment;
-import android.os.FileUtils;
import android.os.Handler;
import android.os.RemoteException;
import android.os.SystemClock;
@@ -638,18 +636,9 @@
return null;
}
- private static boolean containsFile(File dir, String filePath) {
- if (dir == null) {
- return false;
- }
- return FileUtils.contains(dir.getAbsolutePath(), filePath);
- }
-
private static ApkChecksum extractHashFromFS(String split, String filePath) {
// verity first
- // Skip /product folder.
- // TODO(b/231354111): remove this hack once we are allowed to change SELinux rules.
- if (!containsFile(Environment.getProductDirectory(), filePath)) {
+ if (VerityUtils.hasFsverity(filePath)) {
byte[] verityHash = VerityUtils.getFsverityDigest(filePath);
if (verityHash != null) {
return new ApkChecksum(split, TYPE_WHOLE_MERKLE_ROOT_4K_SHA256, verityHash);