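/*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.server.integrity.model;

import android.annotation.Nullable;
import android.content.integrity.Rule;

import com.android.internal.util.FrameworkStatsLog;

import java.util.Collections;
import java.util.List;

/**
 * A class encapsulating the result from the evaluation engine after evaluating rules against app
 * install metadata.
 *
 * <p>It contains the outcome effect (whether to allow or block the install), and the rules causing
 * that effect.
 *
 * <p>NOTE(review): the rule list handed to {@link #allow(List)} / {@link #deny(List)} is stored by
 * reference and returned as-is by {@link #getMatchedRules()}. {@link #getLoggingResponse()} tells
 * ALLOWED from FORCE_ALLOWED by whether that list is empty, so any holder of the list that mutates
 * it after construction changes what this result reports. Consider a defensive, unmodifiable copy
 * if callers are not trusted to leave the list alone.
 */
public final class IntegrityCheckResult {

    /** The decision taken for an install: let it proceed or block it. */
    public enum Effect {
        ALLOW,
        DENY
    }

    private final Effect mEffect;
    // Never null: the constructor replaces a null argument with an empty list.
    private final List<Rule> mRuleList;

    /**
     * @param effect the decision to record.
     * @param ruleList the rules that produced the decision; {@code null} is treated as "no rules"
     *     so that the accessors below never dereference a null list.
     */
    private IntegrityCheckResult(Effect effect, @Nullable List<Rule> ruleList) {
        this.mEffect = effect;
        if (ruleList == null) {
            this.mRuleList = Collections.emptyList();
        } else {
            this.mRuleList = ruleList;
        }
    }

    /** Returns the effect recorded for this result. */
    public Effect getEffect() {
        return mEffect;
    }

    /**
     * Returns the rules recorded for this result.
     *
     * @return the rule list given at creation, or an empty list if none (or {@code null}) was
     *     given; never {@code null}.
     */
    public List<Rule> getMatchedRules() {
        return mRuleList;
    }

    /**
     * Create an ALLOW evaluation outcome.
     *
     * @return An evaluation outcome with ALLOW effect and no rule.
     */
    public static IntegrityCheckResult allow() {
        return new IntegrityCheckResult(Effect.ALLOW, Collections.emptyList());
    }

    /**
     * Create an ALLOW evaluation outcome.
     *
     * @param ruleList The rules that cause the ALLOW effect; {@code null} is treated as empty.
     * @return An evaluation outcome with ALLOW effect and rule causing that effect.
     */
    public static IntegrityCheckResult allow(List<Rule> ruleList) {
        return new IntegrityCheckResult(Effect.ALLOW, ruleList);
    }

    /**
     * Create a DENY evaluation outcome.
     *
     * @param ruleList All valid rules that cause the DENY effect; {@code null} is treated as
     *     empty.
     * @return An evaluation outcome with DENY effect and rule causing that effect.
     */
    public static IntegrityCheckResult deny(List<Rule> ruleList) {
        return new IntegrityCheckResult(Effect.DENY, ruleList);
    }

    /**
     * Returns the int value of the integrity check result for logging purposes.
     *
     * <p>DENY maps to REJECTED. ALLOW maps to ALLOWED when no rule is recorded and to
     * FORCE_ALLOWED when at least one rule is recorded.
     *
     * @throws IllegalStateException if the effect is neither ALLOW nor DENY (for example
     *     {@code null}).
     */
    public int getLoggingResponse() {
        if (mEffect == Effect.DENY) {
            return FrameworkStatsLog.INTEGRITY_CHECK_RESULT_REPORTED__RESPONSE__REJECTED;
        }
        if (mEffect == Effect.ALLOW) {
            return mRuleList.isEmpty()
                    ? FrameworkStatsLog.INTEGRITY_CHECK_RESULT_REPORTED__RESPONSE__ALLOWED
                    : FrameworkStatsLog.INTEGRITY_CHECK_RESULT_REPORTED__RESPONSE__FORCE_ALLOWED;
        }
        throw new IllegalStateException("IntegrityCheckResult is not valid.");
    }

    /**
     * Returns true when at least one recorded rule has an app certificate formula, i.e. the
     * {@code mEffect} is caused by an app certificate rule.
     */
    public boolean isCausedByAppCertRule() {
        return mRuleList.stream().anyMatch(rule -> rule.getFormula().isAppCertificateFormula());
    }

    /**
     * Returns true when at least one recorded rule has an installer formula, i.e. the
     * {@code mEffect} is caused by an installer rule.
     */
    public boolean isCausedByInstallerRule() {
        return mRuleList.stream().anyMatch(rule -> rule.getFormula().isInstallerFormula());
    }

}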