Remove the dependency on IntegrityFileManager from AppIntegrityManagerServiceImpl by making the methods that used it return a default empty value.
This is part of the effort to clean up the AppIntegrityManager-related code.
Change-Id: I56d66a9c5e97c5b87632caec8582ad668a5b7ced
diff --git a/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java b/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java
index 509fa3e..bb4ae96 100644
--- a/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java
+++ b/services/core/java/com/android/server/integrity/AppIntegrityManagerServiceImpl.java
@@ -74,7 +74,6 @@
private final Context mContext;
private final Handler mHandler;
private final PackageManagerInternal mPackageManagerInternal;
- private final IntegrityFileManager mIntegrityFileManager;
/** Create an instance of {@link AppIntegrityManagerServiceImpl}. */
public static AppIntegrityManagerServiceImpl create(Context context) {
@@ -84,7 +83,6 @@
return new AppIntegrityManagerServiceImpl(
context,
LocalServices.getService(PackageManagerInternal.class),
- IntegrityFileManager.getInstance(),
handlerThread.getThreadHandler());
}
@@ -92,11 +90,9 @@
AppIntegrityManagerServiceImpl(
Context context,
PackageManagerInternal packageManagerInternal,
- IntegrityFileManager integrityFileManager,
Handler handler) {
mContext = context;
mPackageManagerInternal = packageManagerInternal;
- mIntegrityFileManager = integrityFileManager;
mHandler = handler;
IntentFilter integrityVerificationFilter = new IntentFilter();
@@ -144,39 +140,23 @@
@Override
@BinderThread
public String getCurrentRuleSetVersion() {
- getCallerPackageNameOrThrow(Binder.getCallingUid());
-
- RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
- return (ruleMetadata != null && ruleMetadata.getVersion() != null)
- ? ruleMetadata.getVersion()
- : "";
+ return "";
}
@Override
@BinderThread
public String getCurrentRuleSetProvider() {
- getCallerPackageNameOrThrow(Binder.getCallingUid());
-
- RuleMetadata ruleMetadata = mIntegrityFileManager.readMetadata();
- return (ruleMetadata != null && ruleMetadata.getRuleProvider() != null)
- ? ruleMetadata.getRuleProvider()
- : "";
+ return "";
}
@Override
public ParceledListSlice<Rule> getCurrentRules() {
- List<Rule> rules = Collections.emptyList();
- try {
- rules = mIntegrityFileManager.readRules(/* appInstallMetadata= */ null);
- } catch (Exception e) {
- Slog.e(TAG, "Error getting current rules", e);
- }
- return new ParceledListSlice<>(rules);
+ return new ParceledListSlice<>(Collections.emptyList());
}
@Override
public List<String> getWhitelistedRuleProviders() {
- return getAllowedRuleProviderSystemApps();
+ return Collections.emptyList();
}
private void handleIntegrityVerification(Intent intent) {
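Review bot: In `getCurrentRuleSetVersion()` and `getCurrentRuleSetProvider()`, removing `getCallerPackageNameOrThrow(Binder.getCallingUid())` changes the Binder-visible contract: a caller not listed in `config_integrityRuleProviderPackages` used to get a `SecurityException` and now gets `""`. No rule data is exposed because the return value is constant, but a client can no longer tell an empty rule set from a stubbed service. I would document this on each stub, for example `// No-op: rule storage was removed; always returns an empty value and no longer checks the caller.` `getCurrentRules()` and `getWhitelistedRuleProviders()` are stubbed the same way, and the tests that covered them are deleted in this commit with no assertions added for the new empty results. If the interface documentation for these methods still describes the exception or real values, it should presumably be updated in the same series.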
@@ -184,75 +164,4 @@
mPackageManagerInternal.setIntegrityVerificationResult(
verificationId, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
}
-
- private String getCallerPackageNameOrThrow(int callingUid) {
- String callerPackageName = getCallingRulePusherPackageName(callingUid);
- if (callerPackageName == null) {
- throw new SecurityException(
- "Only system packages specified in config_integrityRuleProviderPackages are "
- + "allowed to call this method.");
- }
- return callerPackageName;
- }
-
- private String getCallingRulePusherPackageName(int callingUid) {
- // Obtain the system apps that are allowlisted in config_integrityRuleProviderPackages.
- List<String> allowedRuleProviders = getAllowedRuleProviderSystemApps();
- if (DEBUG_INTEGRITY_COMPONENT) {
- Slog.i(
- TAG,
- String.format(
- "Rule provider system app list contains: %s", allowedRuleProviders));
- }
-
- // Identify the package names in the caller list.
- List<String> callingPackageNames = getPackageListForUid(callingUid);
-
- // Find the intersection between the allowed and calling packages. Ideally, we will have
- // at most one package name here. But if we have more, it is fine.
- List<String> allowedCallingPackages = new ArrayList<>();
- for (String packageName : callingPackageNames) {
- if (allowedRuleProviders.contains(packageName)) {
- allowedCallingPackages.add(packageName);
- }
- }
-
- return allowedCallingPackages.isEmpty() ? null : allowedCallingPackages.get(0);
- }
-
- private List<String> getAllowedRuleProviderSystemApps() {
- List<String> integrityRuleProviders =
- Arrays.asList(
- mContext.getResources()
- .getStringArray(R.array.config_integrityRuleProviderPackages));
-
- // Filter out the rule provider packages that are not system apps.
- List<String> systemAppRuleProviders = new ArrayList<>();
- for (String ruleProvider : integrityRuleProviders) {
- if (isSystemApp(ruleProvider)) {
- systemAppRuleProviders.add(ruleProvider);
- }
- }
- return systemAppRuleProviders;
- }
-
- private boolean isSystemApp(String packageName) {
- try {
- PackageInfo existingPackageInfo =
- mContext.getPackageManager().getPackageInfo(packageName, /* flags= */ 0);
- return existingPackageInfo.applicationInfo != null
- && existingPackageInfo.applicationInfo.isSystemApp();
- } catch (PackageManager.NameNotFoundException e) {
- return false;
- }
- }
-
- private List<String> getPackageListForUid(int uid) {
- try {
- return Arrays.asList(mContext.getPackageManager().getPackagesForUid(uid));
- } catch (NullPointerException e) {
- Slog.w(TAG, String.format("No packages were found for uid: %d", uid));
- return List.of();
- }
- }
}
diff --git a/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java b/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java
index a2e6d4c..93aa10b 100644
--- a/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java
+++ b/services/tests/servicestests/src/com/android/server/integrity/AppIntegrityManagerServiceImplTest.java
@@ -135,7 +135,6 @@
@Mock PlatformCompat mPlatformCompat;
@Mock Context mMockContext;
@Mock Resources mMockResources;
- @Mock IntegrityFileManager mIntegrityFileManager;
@Mock Handler mHandler;
private final Context mRealContext = InstrumentationRegistry.getTargetContext();
@@ -169,7 +168,6 @@
new AppIntegrityManagerServiceImpl(
mMockContext,
mPackageManagerInternal,
- mIntegrityFileManager,
mHandler);
mSpyPackageManager = spy(mRealContext.getPackageManager());
@@ -177,7 +175,6 @@
when(mMockContext.getPackageManager()).thenReturn(mSpyPackageManager);
when(mMockContext.getResources()).thenReturn(mMockResources);
when(mMockResources.getStringArray(anyInt())).thenReturn(new String[] {});
- when(mIntegrityFileManager.initialized()).thenReturn(true);
// These are needed to override the Settings.Global.get result.
when(mMockContext.getContentResolver()).thenReturn(mRealContext.getContentResolver());
setIntegrityCheckIncludesRuleProvider(true);
@@ -224,71 +221,6 @@
1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
}
- @Test
- public void handleBroadcast_notInitialized() throws Exception {
- allowlistUsAsRuleProvider();
- makeUsSystemApp();
- when(mIntegrityFileManager.initialized()).thenReturn(false);
- ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
- ArgumentCaptor.forClass(BroadcastReceiver.class);
- verify(mMockContext)
- .registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
- Intent intent = makeVerificationIntent();
-
- broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
- runJobInHandler();
-
- // The evaluation will still run since we still evaluate manifest based rules.
- verify(mPackageManagerInternal)
- .setIntegrityVerificationResult(
- 1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
- }
-
- @Test
- public void verifierAsInstaller_skipIntegrityVerification() throws Exception {
- allowlistUsAsRuleProvider();
- makeUsSystemApp();
- setIntegrityCheckIncludesRuleProvider(false);
- ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =
- ArgumentCaptor.forClass(BroadcastReceiver.class);
- verify(mMockContext, atLeastOnce())
- .registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());
- Intent intent = makeVerificationIntent(TEST_FRAMEWORK_PACKAGE);
-
- broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);
- runJobInHandler();
-
- verify(mPackageManagerInternal)
- .setIntegrityVerificationResult(
- 1, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);
- }
-
- @Test
- public void getCurrentRules() throws Exception {
- allowlistUsAsRuleProvider();
- makeUsSystemApp();
- Rule rule = new Rule(IntegrityFormula.Application.packageNameEquals("package"), Rule.DENY);
- when(mIntegrityFileManager.readRules(any())).thenReturn(Arrays.asList(rule));
-
- assertThat(mService.getCurrentRules().getList()).containsExactly(rule);
- }
-
- @Test
- public void getWhitelistedRuleProviders_returnsEmptyForNonSystemApps() throws Exception {
- allowlistUsAsRuleProvider();
- makeUsSystemApp(false);
-
- assertThat(mService.getWhitelistedRuleProviders()).isEmpty();
- }
-
- @Test
- public void getWhitelistedRuleProviders() throws Exception {
- allowlistUsAsRuleProvider();
- makeUsSystemApp();
-
- assertThat(mService.getWhitelistedRuleProviders()).containsExactly(TEST_FRAMEWORK_PACKAGE);
- }
-
private void allowlistUsAsRuleProvider() {
Resources mockResources = mock(Resources.class);
when(mockResources.getStringArray(R.array.config_integrityRuleProviderPackages))