• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.server.sdksandbox;
18 
19 import static com.android.sdksandbox.flags.Flags.sdkSandboxVerifySdkDexFiles;
20 
21 import android.content.BroadcastReceiver;
22 import android.content.Context;
23 import android.content.Intent;
24 import android.content.pm.PackageInfo;
25 import android.content.pm.PackageManager;
26 import android.os.Build;
27 import android.os.Handler;
28 import android.os.HandlerThread;
29 import android.os.OutcomeReceiver;
30 import android.os.Process;
31 import android.provider.DeviceConfig;
32 import android.util.Log;
33 
34 import com.android.internal.annotations.VisibleForTesting;
35 import com.android.server.sdksandbox.verifier.SdkDexVerifier;
36 import com.android.server.sdksandbox.verifier.SdkDexVerifier.VerificationResult;
37 
38 /**
39  * Broadcast Receiver for receiving new Sdk install requests and verifying Sdk code before running
40  * it in Sandbox.
41  *
42  * @hide
43  */
44 public class SdkSandboxVerifierReceiver extends BroadcastReceiver {
45 
46     private static final String TAG = "SdkSandboxVerifier";
47     private Handler mHandler;
48     private SdkDexVerifier mSdkDexVerifier;
49 
SdkSandboxVerifierReceiver()50     public SdkSandboxVerifierReceiver() {
51         HandlerThread handlerThread =
52                 new HandlerThread("DexVerifierHandlerThread", Process.THREAD_PRIORITY_BACKGROUND);
53         handlerThread.start();
54         mHandler = new Handler(handlerThread.getLooper());
55     }
56 
57     @Override
onReceive(Context context, Intent intent)58     public void onReceive(Context context, Intent intent) {
59         if (!Intent.ACTION_PACKAGE_NEEDS_VERIFICATION.equals(intent.getAction())) {
60             return;
61         }
62 
63         Log.d(TAG, "Received sdk sandbox verification intent " + intent.toString());
64         Log.d(TAG, "Extras " + intent.getExtras());
65 
66         verifySdkHandler(context, intent, mHandler);
67     }
68 
69     @VisibleForTesting
setSdkDexVerifier(SdkDexVerifier sdkDexVerifier)70     void setSdkDexVerifier(SdkDexVerifier sdkDexVerifier) {
71         mSdkDexVerifier = sdkDexVerifier;
72     }
73 
74     @VisibleForTesting
verifySdkHandler(Context context, Intent intent, Handler handler)75     void verifySdkHandler(Context context, Intent intent, Handler handler) {
76         int verificationId = intent.getIntExtra(PackageManager.EXTRA_VERIFICATION_ID, -1);
77 
78         boolean isRestrictionsEnabled =
79                 sdkSandboxVerifySdkDexFiles()
80                         && DeviceConfig.getBoolean(
81                                 DeviceConfig.NAMESPACE_ADSERVICES,
82                                 SdkSandboxManagerService.PROPERTY_ENFORCE_RESTRICTIONS,
83                                 SdkSandboxManagerService.DEFAULT_VALUE_ENFORCE_RESTRICTIONS);
84         if (!isRestrictionsEnabled) {
85             context.getPackageManager()
86                     .verifyPendingInstall(verificationId, PackageManager.VERIFICATION_ALLOW);
87             Log.d(TAG, "Restrictions disabled. Sent VERIFICATION_ALLOW");
88             return;
89         }
90 
91         String apkPath = intent.getData() != null ? intent.getData().getPath() : null;
92 
93         PackageInfo packageInfo =
94                 apkPath != null
95                         ? context.getPackageManager().getPackageArchiveInfo(apkPath, /* flags */ 0)
96                         : null;
97 
98         if (packageInfo == null) {
99             Log.e(TAG, "Package data to verify was absent or invalid.");
100             context.getPackageManager()
101                     .verifyPendingInstall(verificationId, PackageManager.VERIFICATION_REJECT);
102             return;
103         }
104 
105         if (mSdkDexVerifier == null) {
106             mSdkDexVerifier = SdkDexVerifier.getInstance();
107         }
108         int targetSdkVersion =
109                 packageInfo.applicationInfo != null
110                         ? packageInfo.applicationInfo.targetSdkVersion
111                         : Build.VERSION.SDK_INT;
112         handler.post(
113                 () ->
114                         mSdkDexVerifier.startDexVerification(
115                                 apkPath,
116                                 packageInfo.packageName,
117                                 targetSdkVersion,
118                                 context,
119                                 new OutcomeReceiver<VerificationResult, Exception>() {
120                                     @Override
121                                     public void onResult(VerificationResult result) {}
122 
123                                     @Override
124                                     public void onError(Exception e) {
125                                         Log.e(TAG, "Error at SdkSandboxVerifierReceiver", e);
126                                     }
127                                 }));
128 
129         // Verification will continue to run on background, return VERIFICATION_ALLOW to
130         // unblock install
131         context.getPackageManager()
132                 .verifyPendingInstall(verificationId, PackageManager.VERIFICATION_ALLOW);
133         Log.d(TAG, "Sent VERIFICATION_ALLOW");
134     }
135 }
136