1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "apex_shim.h"
18
19 #include <android-base/file.h>
20 #include <android-base/logging.h>
21 #include <android-base/stringprintf.h>
22 #include <android-base/strings.h>
23 #include <openssl/sha.h>
24 #include <filesystem>
25 #include <fstream>
26 #include <sstream>
27 #include <unordered_set>
28
29 #include "apex_constants.h"
30 #include "apex_file.h"
31 #include "string_log.h"
32
33 using android::base::ErrnoError;
34 using android::base::Error;
35 using android::base::Result;
36 using ::apex::proto::ApexManifest;
37
38 namespace android {
39 namespace apex {
40 namespace shim {
41
42 namespace fs = std::filesystem;
43
44 namespace {
45
46 static constexpr const char* kApexCtsShimPackage = "com.android.apex.cts.shim";
47 static constexpr const char* kHashFilePath = "etc/hash.txt";
48 static constexpr const int kBufSize = 1024;
49 static constexpr const fs::perms kForbiddenFilePermissions =
50 fs::perms::owner_exec | fs::perms::group_exec | fs::perms::others_exec;
51 static constexpr const char* kExpectedCtsShimFiles[] = {
52 "apex_manifest.json",
53 "apex_manifest.pb",
54 "etc/hash.txt",
55 "app/CtsShim/CtsShim.apk",
56 "app/CtsShim@1/CtsShim.apk",
57 "app/CtsShim@2/CtsShim.apk",
58 "app/CtsShim@3/CtsShim.apk",
59 "app/CtsShim@AOSP.MASTER/CtsShim.apk",
60 "app/CtsShim@MASTER/CtsShim.apk",
61 "app/CtsShimTargetPSdk/CtsShimTargetPSdk.apk",
62 "app/CtsShimTargetPSdk@1/CtsShimTargetPSdk.apk",
63 "app/CtsShimTargetPSdk@2/CtsShimTargetPSdk.apk",
64 "app/CtsShimTargetPSdk@3/CtsShimTargetPSdk.apk",
65 "app/CtsShimTargetPSdk@AOSP.MASTER/CtsShimTargetPSdk.apk",
66 "app/CtsShimTargetPSdk@MASTER/CtsShimTargetPSdk.apk",
67 "priv-app/CtsShimPriv/CtsShimPriv.apk",
68 "priv-app/CtsShimPriv@1/CtsShimPriv.apk",
69 "priv-app/CtsShimPriv@2/CtsShimPriv.apk",
70 "priv-app/CtsShimPriv@3/CtsShimPriv.apk",
71 "priv-app/CtsShimPriv@AOSP.MASTER/CtsShimPriv.apk",
72 "priv-app/CtsShimPriv@MASTER/CtsShimPriv.apk",
73 };
74
CalculateSha512(const std::string & path)75 Result<std::string> CalculateSha512(const std::string& path) {
76 LOG(DEBUG) << "Calculating SHA512 of " << path;
77 SHA512_CTX ctx;
78 SHA512_Init(&ctx);
79 std::ifstream apex(path, std::ios::binary);
80 if (apex.bad()) {
81 return Error() << "Failed to open " << path;
82 }
83 char buf[kBufSize];
84 while (!apex.eof()) {
85 apex.read(buf, kBufSize);
86 if (apex.bad()) {
87 return Error() << "Failed to read " << path;
88 }
89 int bytes_read = apex.gcount();
90 SHA512_Update(&ctx, buf, bytes_read);
91 }
92 uint8_t hash[SHA512_DIGEST_LENGTH];
93 SHA512_Final(hash, &ctx);
94 std::stringstream ss;
95 ss << std::hex;
96 for (int i = 0; i < SHA512_DIGEST_LENGTH; i++) {
97 ss << std::setw(2) << std::setfill('0') << static_cast<int>(hash[i]);
98 }
99 return ss.str();
100 }
101
GetAllowedHashes(const std::string & path)102 Result<std::vector<std::string>> GetAllowedHashes(const std::string& path) {
103 using android::base::ReadFileToString;
104 using android::base::StringPrintf;
105 const std::string& file_path =
106 StringPrintf("%s/%s", path.c_str(), kHashFilePath);
107 LOG(DEBUG) << "Reading SHA512 from " << file_path;
108 std::string hash;
109 if (!ReadFileToString(file_path, &hash, false /* follows symlinks */)) {
110 return ErrnoError() << "Failed to read " << file_path;
111 }
112 std::vector<std::string> allowed_hashes = android::base::Split(hash, "\n");
113 auto system_shim_hash = CalculateSha512(
114 StringPrintf("%s/%s", kApexPackageSystemDir, shim::kSystemShimApexName));
115 if (!system_shim_hash.ok()) {
116 return system_shim_hash.error();
117 }
118 allowed_hashes.push_back(std::move(*system_shim_hash));
119 return allowed_hashes;
120 }
121 } // namespace
122
IsShimApex(const ApexFile & apex_file)123 bool IsShimApex(const ApexFile& apex_file) {
124 return apex_file.GetManifest().name() == kApexCtsShimPackage;
125 }
126
ValidateShimApex(const std::string & mount_point,const ApexFile & apex_file)127 Result<void> ValidateShimApex(const std::string& mount_point,
128 const ApexFile& apex_file) {
129 LOG(DEBUG) << "Validating shim apex " << mount_point;
130 const ApexManifest& manifest = apex_file.GetManifest();
131 if (!manifest.preinstallhook().empty() ||
132 !manifest.postinstallhook().empty()) {
133 return Errorf("Shim apex is not allowed to have pre or post install hooks");
134 }
135 std::error_code ec;
136 std::unordered_set<std::string> expected_files;
137 for (auto file : kExpectedCtsShimFiles) {
138 expected_files.insert(file);
139 }
140
141 auto iter = fs::recursive_directory_iterator(mount_point, ec);
142 // Unfortunately fs::recursive_directory_iterator::operator++ can throw an
143 // exception, which means that it's impossible to use range-based for loop
144 // here.
145 while (iter != fs::end(iter)) {
146 auto path = iter->path();
147 // Resolve the mount point to ensure any trailing slash is removed.
148 auto resolved_mount_point = fs::path(mount_point).string();
149 auto local_path = path.string().substr(resolved_mount_point.length() + 1);
150 fs::file_status status = iter->status(ec);
151
152 if (fs::is_symlink(status)) {
153 return Error()
154 << "Shim apex is not allowed to contain symbolic links, found "
155 << path;
156 } else if (fs::is_regular_file(status)) {
157 if ((status.permissions() & kForbiddenFilePermissions) !=
158 fs::perms::none) {
159 return Error() << path << " has illegal permissions";
160 }
161 auto ex = expected_files.find(local_path);
162 if (ex != expected_files.end()) {
163 expected_files.erase(local_path);
164 } else {
165 return Error() << path << " is an unexpected file inside the shim apex";
166 }
167 } else if (!fs::is_directory(status)) {
168 // If this is not a symlink, a file or a directory, fail.
169 return Error() << "Unexpected file entry in shim apex: " << iter->path();
170 }
171 iter = iter.increment(ec);
172 if (ec) {
173 return Error() << "Failed to scan " << mount_point << " : "
174 << ec.message();
175 }
176 }
177
178 return {};
179 }
180
ValidateUpdate(const std::string & system_apex_path,const std::string & new_apex_path)181 Result<void> ValidateUpdate(const std::string& system_apex_path,
182 const std::string& new_apex_path) {
183 LOG(DEBUG) << "Validating update of shim apex to " << new_apex_path
184 << " using system shim apex " << system_apex_path;
185 auto allowed = GetAllowedHashes(system_apex_path);
186 if (!allowed.ok()) {
187 return allowed.error();
188 }
189 auto actual = CalculateSha512(new_apex_path);
190 if (!actual.ok()) {
191 return actual.error();
192 }
193 auto it = std::find(allowed->begin(), allowed->end(), *actual);
194 if (it == allowed->end()) {
195 return Error() << new_apex_path << " has unexpected SHA512 hash "
196 << *actual;
197 }
198 return {};
199 }
200
201 } // namespace shim
202 } // namespace apex
203 } // namespace android
204