Installd: new interface to enable apk verity
Note that file-based verity can be enabled only with CAP_SYS_ADMIN.
The implementation is a stub for now, pending the kernel
implementation. Having the interface in place first lets us
iterate on the caller side in Package Manager.
Test: Saw logs on install if ro.apk_verity.mode is 1
Bug: 30972906
Change-Id: I5fb03d745111028bafbff1029f480b0386906e8a
diff --git a/cmds/installd/InstalldNativeService.cpp b/cmds/installd/InstalldNativeService.cpp
index 6877fb7..db1d4a3 100644
--- a/cmds/installd/InstalldNativeService.cpp
+++ b/cmds/installd/InstalldNativeService.cpp
@@ -37,6 +37,7 @@
#include <unistd.h>
#include <android-base/logging.h>
+#include <android-base/properties.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
@@ -82,6 +83,8 @@
static constexpr const char* IDMAP_PREFIX = "/data/resource-cache/";
static constexpr const char* IDMAP_SUFFIX = "@idmap";
+static constexpr const char* kPropApkVerityMode = "ro.apk_verity.mode";
+
// NOTE: keep in sync with Installer
static constexpr int FLAG_CLEAR_CACHE_ONLY = 1 << 8;
static constexpr int FLAG_CLEAR_CODE_CACHE_ONLY = 1 << 9;
@@ -2351,6 +2354,17 @@
return res ? ok() : error();
}
+binder::Status InstalldNativeService::installApkVerity(const std::string& /*filePath*/,
+ const ::android::base::unique_fd& /*verityInput*/) {
+ ENFORCE_UID(AID_SYSTEM);
+ if (!android::base::GetBoolProperty(kPropApkVerityMode, false)) {
+ return ok();
+ }
+ // TODO: Append verity to filePath then issue ioctl to enable
+ // it and hide the tree. See b/30972906.
+ return error("not implemented yet");
+}
+
binder::Status InstalldNativeService::reconcileSecondaryDexFile(
const std::string& dexPath, const std::string& packageName, int32_t uid,
const std::vector<std::string>& isas, const std::unique_ptr<std::string>& volumeUuid,
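Review bot: The disabled path in installApkVerity (`if (!android::base::GetBoolProperty(kPropApkVerityMode, false)) { return ok(); }`) returns success without touching the file, so a caller cannot tell "verity enabled" from "verity skipped". GetBoolProperty also falls back to the default for any value it cannot parse as a boolean, so a property named "mode" that is set to anything other than a boolean spelling is silently treated as off. I would state that contract above the early return, for example `// Verity off (or property not a boolean): nothing is installed; ok() does not mean the APK is protected.`, and consider logging the skip. Both parameters are currently unused; once the TODO is implemented, filePath arrives over binder and will be acted on by a process that the commit message says needs CAP_SYS_ADMIN, so it should be validated before any file operation, in addition to the existing `ENFORCE_UID(AID_SYSTEM)` check.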