Add a new API for file Integrity.

Bug: 253568736
Bug: 196909329
Bug: 266719856
Test: presubmit
Change-Id: Iabade95e934a5c677578ad9e41b534e15c9bc422
diff --git a/services/api/current.txt b/services/api/current.txt
index f7d6ee9..70ee3b8 100644
--- a/services/api/current.txt
+++ b/services/api/current.txt
@@ -225,6 +225,14 @@
 
 }
 
+package com.android.server.security {
+
+  public final class FileIntegrityLocal {
+    method public static void setUpFsVerity(@NonNull String) throws java.io.IOException;
+  }
+
+}
+
 package com.android.server.stats {
 
   public final class StatsHelper {
diff --git a/services/core/java/com/android/server/pm/Settings.java b/services/core/java/com/android/server/pm/Settings.java
index 4f0a115..9c91879 100644
--- a/services/core/java/com/android/server/pm/Settings.java
+++ b/services/core/java/com/android/server/pm/Settings.java
@@ -89,7 +89,6 @@
 import com.android.internal.annotations.GuardedBy;
 import com.android.internal.annotations.VisibleForTesting;
 import com.android.internal.os.BackgroundThread;
-import com.android.internal.security.VerityUtils;
 import com.android.internal.util.ArrayUtils;
 import com.android.internal.util.CollectionUtils;
 import com.android.internal.util.IndentingPrintWriter;
@@ -121,6 +120,7 @@
 import com.android.server.pm.verify.domain.DomainVerificationLegacySettings;
 import com.android.server.pm.verify.domain.DomainVerificationManagerInternal;
 import com.android.server.pm.verify.domain.DomainVerificationPersistence;
+import com.android.server.security.FileIntegrityLocal;
 import com.android.server.utils.Slogf;
 import com.android.server.utils.Snappable;
 import com.android.server.utils.SnapshotCache;
@@ -2714,8 +2714,8 @@
             }
 
             try {
-                VerityUtils.setUpFsverity(mSettingsFilename.getAbsolutePath());
-                VerityUtils.setUpFsverity(mSettingsReserveCopyFilename.getAbsolutePath());
+                FileIntegrityLocal.setUpFsVerity(mSettingsFilename.getAbsolutePath());
+                FileIntegrityLocal.setUpFsVerity(mSettingsReserveCopyFilename.getAbsolutePath());
             } catch (IOException e) {
                 Slog.e(TAG, "Failed to verity-protect settings", e);
             }
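Review bot: Both `setUpFsVerity` calls share one `try`, so an `IOException` from the first call (on `mSettingsFilename`) skips the call for `mSettingsReserveCopyFilename`, and the reserve copy is left without fs-verity protection. The single log line "Failed to verity-protect settings" also does not say which file failed, which makes an unprotected settings file hard to spot from logs. Enabling each file in its own `try` and logging the path would fix both; the sketch below assumes both fields are `java.io.File`, which the `getAbsolutePath()` calls suggest. The enclosing method starts and ends outside this hunk.
```java
// … unchanged: code before the fs-verity setup …
for (File file : new File[] {mSettingsFilename, mSettingsReserveCopyFilename}) {
    try {
        FileIntegrityLocal.setUpFsVerity(file.getAbsolutePath());
    } catch (IOException e) {
        // Keep going so one failure does not leave the other file unprotected.
        Slog.e(TAG, "Failed to verity-protect " + file, e);
    }
}
```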
diff --git a/services/core/java/com/android/server/security/FileIntegrityLocal.java b/services/core/java/com/android/server/security/FileIntegrityLocal.java
new file mode 100644
index 0000000..8c7219b
--- /dev/null
+++ b/services/core/java/com/android/server/security/FileIntegrityLocal.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.security;
+
+import android.annotation.NonNull;
+import android.annotation.SystemApi;
+
+import com.android.internal.security.VerityUtils;
+
+import java.io.IOException;
+
+/**
+ * In-process API for server side FileIntegrity related infrastructure.
+ *
+ * @hide
+ */
+@SystemApi(client = SystemApi.Client.SYSTEM_SERVER)
+public final class FileIntegrityLocal {
+    private FileIntegrityLocal() {}
+
+    /**
+     * Enables fs-verity, if supported by the filesystem.
+     * @see <a href="https://www.kernel.org/doc/html/latest/filesystems/fsverity.html">
+     * @hide
+     */
+    @SystemApi(client = SystemApi.Client.SYSTEM_SERVER)
+    public static void setUpFsVerity(@NonNull String filePath) throws IOException {
+        VerityUtils.setUpFsverity(filePath);
+    }
+}
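Review bot: The Javadoc on `setUpFsVerity` leaves the `@see <a href="…fsverity.html">` anchor unclosed and without link text, so the rendered reference is broken; it should end with something like `fs-verity documentation</a>`. The comment also has no `@param filePath` or `@throws IOException` entry. "Enables fs-verity, if supported by the filesystem" does not say whether an unsupported filesystem is a silent no-op or an `IOException`; that depends on `VerityUtils.setUpFsverity`, which is not shown here. Since this is a new `SystemApi` surface for integrity protection, the doc should spell that out, and should state that the file must be completely written and closed before the call because a verity-enabled file becomes read-only. The method passes `filePath` through unchecked, so it is worth a sentence that the caller is responsible for supplying a path it owns.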