Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.om; |
| 18 | |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 19 | import static android.content.Context.IDMAP_SERVICE; |
| 20 | import static android.text.format.DateUtils.SECOND_IN_MILLIS; |
| 21 | |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 22 | import static com.android.server.om.OverlayManagerService.DEBUG; |
| 23 | import static com.android.server.om.OverlayManagerService.TAG; |
| 24 | |
| 25 | import android.annotation.NonNull; |
| 26 | import android.content.om.OverlayInfo; |
Mårten Kongstad | d10d06d | 2019-01-07 17:26:25 -0800 | [diff] [blame] | 27 | import android.content.pm.ApplicationInfo; |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 28 | import android.content.pm.PackageInfo; |
Mårten Kongstad | d10d06d | 2019-01-07 17:26:25 -0800 | [diff] [blame] | 29 | import android.os.Build.VERSION_CODES; |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 30 | import android.os.IBinder; |
| 31 | import android.os.IIdmap2; |
| 32 | import android.os.RemoteException; |
| 33 | import android.os.ServiceManager; |
Mårten Kongstad | d10d06d | 2019-01-07 17:26:25 -0800 | [diff] [blame] | 34 | import android.os.SystemProperties; |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 35 | import android.os.UserHandle; |
| 36 | import android.util.Slog; |
| 37 | |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 38 | import com.android.internal.os.BackgroundThread; |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 39 | import com.android.server.pm.Installer; |
| 40 | |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 41 | import java.io.File; |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 42 | |
| 43 | /** |
| 44 | * Handle the creation and deletion of idmap files. |
| 45 | * |
| 46 | * The actual work is performed by the idmap binary, launched through Installer |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 47 | * and installd (or idmap2). |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 48 | * |
| 49 | * Note: this class is subclassed in the OMS unit tests, and hence not marked as final. |
| 50 | */ |
| 51 | class IdmapManager { |
Mårten Kongstad | b87b5072 | 2018-09-21 09:58:10 +0200 | [diff] [blame] | 52 | private static final boolean FEATURE_FLAG_IDMAP2 = true; |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 53 | |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 54 | private final Installer mInstaller; |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 55 | private IIdmap2 mIdmap2Service; |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 56 | |
Mårten Kongstad | d10d06d | 2019-01-07 17:26:25 -0800 | [diff] [blame] | 57 | private static final boolean VENDOR_IS_Q_OR_LATER; |
| 58 | static { |
| 59 | // STOPSHIP(b/119390857): Check api version once Q sdk version is finalized |
| 60 | final String value = SystemProperties.get("ro.vndk.version", "Q"); |
| 61 | VENDOR_IS_Q_OR_LATER = value.equals("Q") || value.equals("q"); |
| 62 | } |
| 63 | |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 64 | IdmapManager(final Installer installer) { |
| 65 | mInstaller = installer; |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 66 | if (FEATURE_FLAG_IDMAP2) { |
| 67 | connectToIdmap2d(); |
| 68 | } |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 69 | } |
| 70 | |
| 71 | boolean createIdmap(@NonNull final PackageInfo targetPackage, |
| 72 | @NonNull final PackageInfo overlayPackage, int userId) { |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 73 | if (DEBUG) { |
| 74 | Slog.d(TAG, "create idmap for " + targetPackage.packageName + " and " |
| 75 | + overlayPackage.packageName); |
| 76 | } |
| 77 | final int sharedGid = UserHandle.getSharedAppGid(targetPackage.applicationInfo.uid); |
| 78 | final String targetPath = targetPackage.applicationInfo.getBaseCodePath(); |
| 79 | final String overlayPath = overlayPackage.applicationInfo.getBaseCodePath(); |
| 80 | try { |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 81 | if (FEATURE_FLAG_IDMAP2) { |
Mårten Kongstad | d10d06d | 2019-01-07 17:26:25 -0800 | [diff] [blame] | 82 | int policies = determineFulfilledPolicies(overlayPackage); |
| 83 | boolean enforce = enforceOverlayable(overlayPackage); |
| 84 | if (mIdmap2Service.verifyIdmap(overlayPath, policies, enforce, userId)) { |
Mårten Kongstad | ef0695d | 2018-12-04 14:36:48 +0100 | [diff] [blame] | 85 | return true; |
| 86 | } |
Mårten Kongstad | d10d06d | 2019-01-07 17:26:25 -0800 | [diff] [blame] | 87 | return mIdmap2Service.createIdmap(targetPath, overlayPath, policies, enforce, |
| 88 | userId) != null; |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 89 | } else { |
| 90 | mInstaller.idmap(targetPath, overlayPath, sharedGid); |
Mårten Kongstad | ef0695d | 2018-12-04 14:36:48 +0100 | [diff] [blame] | 91 | return true; |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 92 | } |
| 93 | } catch (Exception e) { |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 94 | Slog.w(TAG, "failed to generate idmap for " + targetPath + " and " |
| 95 | + overlayPath + ": " + e.getMessage()); |
| 96 | return false; |
| 97 | } |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 98 | } |
| 99 | |
| 100 | boolean removeIdmap(@NonNull final OverlayInfo oi, final int userId) { |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 101 | if (DEBUG) { |
| 102 | Slog.d(TAG, "remove idmap for " + oi.baseCodePath); |
| 103 | } |
| 104 | try { |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 105 | if (FEATURE_FLAG_IDMAP2) { |
Mårten Kongstad | ef0695d | 2018-12-04 14:36:48 +0100 | [diff] [blame] | 106 | return mIdmap2Service.removeIdmap(oi.baseCodePath, userId); |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 107 | } else { |
| 108 | mInstaller.removeIdmap(oi.baseCodePath); |
Mårten Kongstad | ef0695d | 2018-12-04 14:36:48 +0100 | [diff] [blame] | 109 | return true; |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 110 | } |
| 111 | } catch (Exception e) { |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 112 | Slog.w(TAG, "failed to remove idmap for " + oi.baseCodePath + ": " + e.getMessage()); |
| 113 | return false; |
| 114 | } |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 115 | } |
| 116 | |
| 117 | boolean idmapExists(@NonNull final OverlayInfo oi) { |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 118 | return new File(getIdmapPath(oi.baseCodePath, oi.userId)).isFile(); |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 119 | } |
| 120 | |
| 121 | boolean idmapExists(@NonNull final PackageInfo overlayPackage, final int userId) { |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 122 | return new File(getIdmapPath(overlayPackage.applicationInfo.getBaseCodePath(), userId)) |
| 123 | .isFile(); |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 124 | } |
| 125 | |
Mårten Kongstad | 06a1ac8 | 2018-09-20 13:09:47 +0200 | [diff] [blame] | 126 | private @NonNull String getIdmapPath(@NonNull final String overlayPackagePath, |
| 127 | final int userId) { |
| 128 | if (FEATURE_FLAG_IDMAP2) { |
| 129 | try { |
| 130 | return mIdmap2Service.getIdmapPath(overlayPackagePath, userId); |
| 131 | } catch (Exception e) { |
| 132 | Slog.w(TAG, "failed to get idmap path for " + overlayPackagePath + ": " |
| 133 | + e.getMessage()); |
| 134 | return ""; |
| 135 | } |
| 136 | } else { |
| 137 | final StringBuilder sb = new StringBuilder("/data/resource-cache/"); |
| 138 | sb.append(overlayPackagePath.substring(1).replace('/', '@')); |
| 139 | sb.append("@idmap"); |
| 140 | return sb.toString(); |
| 141 | } |
| 142 | } |
| 143 | |
| 144 | private void connectToIdmap2d() { |
| 145 | IBinder binder = ServiceManager.getService(IDMAP_SERVICE); |
| 146 | if (binder != null) { |
| 147 | try { |
| 148 | binder.linkToDeath(new IBinder.DeathRecipient() { |
| 149 | @Override |
| 150 | public void binderDied() { |
| 151 | Slog.w(TAG, "service '" + IDMAP_SERVICE + "' died; reconnecting..."); |
| 152 | connectToIdmap2d(); |
| 153 | } |
| 154 | |
| 155 | }, 0); |
| 156 | } catch (RemoteException e) { |
| 157 | binder = null; |
| 158 | } |
| 159 | } |
| 160 | if (binder != null) { |
| 161 | mIdmap2Service = IIdmap2.Stub.asInterface(binder); |
| 162 | if (DEBUG) { |
| 163 | Slog.d(TAG, "service '" + IDMAP_SERVICE + "' connected"); |
| 164 | } |
| 165 | } else { |
| 166 | Slog.w(TAG, "service '" + IDMAP_SERVICE + "' not found; trying again..."); |
| 167 | BackgroundThread.getHandler().postDelayed(() -> { |
| 168 | connectToIdmap2d(); |
| 169 | }, SECOND_IN_MILLIS); |
| 170 | } |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 171 | } |
Mårten Kongstad | d10d06d | 2019-01-07 17:26:25 -0800 | [diff] [blame] | 172 | |
| 173 | /** |
| 174 | * Checks if overlayable and policies should be enforced on the specified overlay for backwards |
| 175 | * compatibility with pre-Q overlays. |
| 176 | */ |
| 177 | private boolean enforceOverlayable(@NonNull final PackageInfo overlayPackage) { |
| 178 | final ApplicationInfo ai = overlayPackage.applicationInfo; |
| 179 | if (ai.targetSdkVersion >= VERSION_CODES.Q) { |
| 180 | // Always enforce policies for overlays targeting Q+. |
| 181 | return true; |
| 182 | } |
| 183 | |
| 184 | if (ai.isVendor() && !VENDOR_IS_Q_OR_LATER) { |
| 185 | // If the overlay is on a pre-Q vendor partition, do not enforce overlayable |
| 186 | // restrictions on this overlay because the pre-Q platform has no understanding of |
| 187 | // overlayable. |
| 188 | return false; |
| 189 | } |
| 190 | |
| 191 | // Do not enforce overlayable restrictions on pre-Q overlays signed with the |
| 192 | // platform signature. |
| 193 | return !ai.isSignedWithPlatformKey(); |
| 194 | } |
| 195 | |
| 196 | /** |
| 197 | * Retrieves a bitmask for idmap2 that represents the policies the specified overlay fulfills. |
| 198 | * @throws SecurityException if the overlay is not allowed to overlay any resource |
| 199 | */ |
| 200 | private int determineFulfilledPolicies(@NonNull final PackageInfo overlayPackage) |
| 201 | throws SecurityException { |
| 202 | final ApplicationInfo ai = overlayPackage.applicationInfo; |
| 203 | final boolean overlayIsQOrLater = ai.targetSdkVersion >= VERSION_CODES.Q; |
| 204 | |
| 205 | int fulfilledPolicies = 0; |
| 206 | |
| 207 | // TODO(b/119402606) : Add signature policy |
| 208 | |
| 209 | // Vendor partition (/vendor) |
| 210 | if (ai.isVendor()) { |
| 211 | if (overlayIsQOrLater) { |
| 212 | fulfilledPolicies |= IIdmap2.POLICY_VENDOR_PARTITION; |
| 213 | } else if (VENDOR_IS_Q_OR_LATER) { |
| 214 | throw new SecurityException("Overlay must target Q sdk or higher"); |
| 215 | } |
| 216 | } |
| 217 | |
| 218 | // Product partition (/product) |
| 219 | if (ai.isProduct()) { |
| 220 | if (overlayIsQOrLater) { |
| 221 | fulfilledPolicies |= IIdmap2.POLICY_PRODUCT_PARTITION; |
| 222 | } else { |
| 223 | throw new SecurityException("Overlay must target Q sdk or higher"); |
| 224 | } |
| 225 | } |
| 226 | |
| 227 | // System partition (/system) |
| 228 | if (ai.isSystemApp()) { |
| 229 | if (overlayIsQOrLater) { |
| 230 | fulfilledPolicies |= IIdmap2.POLICY_SYSTEM_PARTITION; |
| 231 | } else { |
| 232 | throw new SecurityException("Overlay must target Q sdk or higher"); |
| 233 | } |
| 234 | } |
| 235 | |
| 236 | // All overlays can overlay resources with the public policy |
| 237 | return fulfilledPolicies | IIdmap2.POLICY_PUBLIC; |
| 238 | } |
Mårten Kongstad | eabc9e9 | 2015-12-15 16:40:23 +0100 | [diff] [blame] | 239 | } |