apexd/apexd_brand_new_verifier.cpp - platform/system/apex - Git at Google

 /*
  * Copyright (C) 2024 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include "apexd_brand_new_verifier.h"

 #include <optional>
 #include <string>

 #include "android-base/logging.h"
 #include "apex_constants.h"
 #include "apex_file_repository.h"

 using android::base::Error;
 using android::base::Result;

 namespace android::apex {

 Result<ApexPartition> VerifyBrandNewPackageAgainstPreinstalled(
     const ApexFile& apex) {
   CHECK(ApexFileRepository::IsBrandNewApexEnabled())
       << "Brand-new APEX must be enabled in order to do verification.";

   const std::string& name = apex.GetManifest().name();
   const auto& file_repository = ApexFileRepository::GetInstance();
   auto partition = file_repository.GetBrandNewApexPublicKeyPartition(
       apex.GetBundledPublicKey());
   if (!partition.has_value()) {
     return Error()
            << "No pre-installed public key found for the brand-new APEX: "
            << name;
   }

   if (apex.GetManifest().version() <=
       file_repository.GetBrandNewApexBlockedVersion(partition.value(), name)) {
     return Error() << "Brand-new APEX is blocked: " << name;
   }

   return partition.value();
 }

 Result<void> VerifyBrandNewPackageAgainstActive(const ApexFile& apex,
                                                 const MountedApexDatabase& db) {
   CHECK(ApexFileRepository::IsBrandNewApexEnabled())
       << "Brand-new APEX must be enabled in order to do verification.";

   const std::string& name = apex.GetManifest().name();
   const auto& file_repository = ApexFileRepository::GetInstance();

   if (file_repository.HasPreInstalledVersion(name)) {
     return {};
   }
   // This is a brand-new apex being staged. It should have the same public key
   // as any currently active version.
   auto active = db.GetLatestMountedApex(name);
   if (active) {
     auto active_apex_file = OR_RETURN(ApexFile::Open(active->full_path));
     if (apex.GetBundledPublicKey() != active_apex_file.GetBundledPublicKey()) {
       return Error()
              << "Brand-new APEX public key doesn't match existing active APEX: "
              << name;
     }
   }
   return {};
 }

 }  // namespace android::apex
	/*
	* Copyright (C) 2024 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include "apexd_brand_new_verifier.h"

	#include <optional>
	#include <string>

	#include "android-base/logging.h"
	#include "apex_constants.h"
	#include "apex_file_repository.h"

	using android::base::Error;
	using android::base::Result;

	namespace android::apex {

	Result<ApexPartition> VerifyBrandNewPackageAgainstPreinstalled(
	const ApexFile& apex) {
	CHECK(ApexFileRepository::IsBrandNewApexEnabled())
	<< "Brand-new APEX must be enabled in order to do verification.";

	const std::string& name = apex.GetManifest().name();
	const auto& file_repository = ApexFileRepository::GetInstance();
	auto partition = file_repository.GetBrandNewApexPublicKeyPartition(
	apex.GetBundledPublicKey());
	if (!partition.has_value()) {
	return Error()
	<< "No pre-installed public key found for the brand-new APEX: "
	<< name;
	}

	if (apex.GetManifest().version() <=
	file_repository.GetBrandNewApexBlockedVersion(partition.value(), name)) {
	return Error() << "Brand-new APEX is blocked: " << name;
	}

	return partition.value();
	}

	Result<void> VerifyBrandNewPackageAgainstActive(const ApexFile& apex,
	const MountedApexDatabase& db) {
	CHECK(ApexFileRepository::IsBrandNewApexEnabled())
	<< "Brand-new APEX must be enabled in order to do verification.";

	const std::string& name = apex.GetManifest().name();
	const auto& file_repository = ApexFileRepository::GetInstance();

	if (file_repository.HasPreInstalledVersion(name)) {
	return {};
	}
	// This is a brand-new apex being staged. It should have the same public key
	// as any currently active version.
	auto active = db.GetLatestMountedApex(name);
	if (active) {
	auto active_apex_file = OR_RETURN(ApexFile::Open(active->full_path));
	if (apex.GetBundledPublicKey() != active_apex_file.GetBundledPublicKey()) {
	return Error()
	<< "Brand-new APEX public key doesn't match existing active APEX: "
	<< name;
	}
	}
	return {};
	}

	} // namespace android::apex