apexd/apex_shim.cpp

/*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "apex_shim.h"

#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <openssl/sha.h>
#include <filesystem>
#include <fstream>
#include <sstream>
#include <unordered_set>

#include "apex_file.h"
#include "status.h"
#include "status_or.h"
#include "string_log.h"

namespace android {
namespace apex {
namespace shim {

namespace fs = std::filesystem;

namespace {

static constexpr const char* kApexCtsShimPackage = "com.android.apex.cts.shim";
static constexpr const char* kHashFileName = "hash.txt";
static constexpr const int kBufSize = 1024;
static constexpr const char* kApexManifestFileName = "apex_manifest.json";
static constexpr const char* kEtcFolderName = "etc";
static constexpr const char* kLostFoundFolderName = "lost+found";
static constexpr const fs::perms kFordbiddenFilePermissions =
    fs::perms::owner_exec | fs::perms::group_exec | fs::perms::others_exec;

StatusOr<std::string> CalculateSha512(const std::string& path) {
  using StatusT = StatusOr<std::string>;
  LOG(DEBUG) << "Calculating SHA512 of " << path;
  SHA512_CTX ctx;
  SHA512_Init(&ctx);
  std::ifstream apex(path, std::ios::binary);
  if (apex.bad()) {
    return StatusT::MakeError(StringLog() << "Failed to open " << path);
  }
  char buf[kBufSize];
  while (!apex.eof()) {
    apex.read(buf, kBufSize);
    if (apex.bad()) {
      return StatusT::MakeError(StringLog() << "Failed to read " << path);
    }
    int bytes_read = apex.gcount();
    SHA512_Update(&ctx, buf, bytes_read);
  }
  uint8_t hash[SHA512_DIGEST_LENGTH];
  SHA512_Final(hash, &ctx);
  std::stringstream ss;
  ss << std::hex;
  for (int i = 0; i < SHA512_DIGEST_LENGTH; i++) {
    ss << std::setw(2) << std::setfill('0') << static_cast<int>(hash[i]);
  }
  return StatusT(ss.str());
}

StatusOr<std::vector<std::string>> ReadSha512(const std::string& path) {
  using android::base::ReadFileToString;
  using android::base::StringPrintf;
  using StatusT = StatusOr<std::vector<std::string>>;
  const std::string& file_path =
      StringPrintf("%s/%s/%s", path.c_str(), kEtcFolderName, kHashFileName);
  LOG(DEBUG) << "Reading SHA512 from " << file_path;
  std::string hash;
  if (!ReadFileToString(file_path, &hash, false /* follows symlinks */)) {
    return StatusT::MakeError(PStringLog() << "Failed to read " << file_path);
  }
  return StatusT(android::base::Split(hash, "\n"));
}

Status IsRegularFile(const fs::directory_entry& entry) {
  const fs::path& path = entry.path();
  std::error_code ec;
  fs::file_status status = entry.status(ec);
  if (ec) {
    return Status::Fail(StringLog()
                        << "Failed to stat " << path << " : " << ec);
  }
  if (!fs::is_regular_file(status)) {
    return Status::Fail(StringLog() << path << " is not a file");
  }
  if ((status.permissions() & kFordbiddenFilePermissions) != fs::perms::none) {
    return Status::Fail(StringLog() << path << " has illegal permissions");
  }
  // TODO: consider checking that file only contains ascii characters.
  return Status::Success();
}

Status IsHashTxt(const fs::directory_entry& entry) {
  LOG(DEBUG) << "Checking if " << entry.path() << " is an allowed file";
  const Status& status = IsRegularFile(entry);
  if (!status.Ok()) {
    return status;
  }
  if (entry.path().filename() != kHashFileName) {
    return Status::Fail(StringLog() << "Illegal file " << entry.path());
  }
  return Status::Success();
}

Status IsWhitelistedTopLevelEntry(const fs::directory_entry& entry) {
  LOG(DEBUG) << "Checking if " << entry.path() << " is an allowed directory";
  std::error_code ec;
  const fs::path& path = entry.path();
  if (path.filename() == kLostFoundFolderName) {
    bool is_empty = fs::is_empty(path, ec);
    if (ec) {
      return Status::Fail(StringLog()
                          << "Failed to scan " << path << " : " << ec);
    }
    if (is_empty) {
      return Status::Success();
    } else {
      return Status::Fail(StringLog() << path << " is not empty");
    }
  } else if (path.filename() == kEtcFolderName) {
    auto iter = fs::directory_iterator(path, ec);
    if (ec) {
      return Status::Fail(StringLog()
                          << "Failed to scan " << path << " : " << ec);
    }
    bool is_empty = fs::is_empty(path, ec);
    if (ec) {
      return Status::Fail(StringLog()
                          << "Failed to scan " << path << " : " << ec);
    }
    if (is_empty) {
      return Status::Fail(StringLog()
                          << path << " should contain " << kHashFileName);
    }
    // TODO: change to non-throwing iterator.
    while (iter != fs::end(iter)) {
      const Status& status = IsHashTxt(*iter);
      if (!status.Ok()) {
        return status;
      }
      iter = iter.increment(ec);
      if (ec) {
        return Status::Fail(StringLog()
                            << "Failed to scan " << path << " : " << ec);
      }
    }
    return Status::Success();
  } else if (path.filename() == kApexManifestFileName) {
    return IsRegularFile(entry);
  } else {
    return Status::Fail(StringLog() << "Illegal entry " << path);
  }
}

}  // namespace

bool IsShimApex(const ApexFile& apex_file) {
  return apex_file.GetManifest().name() == kApexCtsShimPackage;
}

Status ValidateShimApex(const std::string& mount_point,
                        const ApexFile& apex_file) {
  LOG(DEBUG) << "Validating shim apex " << mount_point;
  const ApexManifest& manifest = apex_file.GetManifest();
  if (!manifest.preinstallhook().empty() ||
      !manifest.postinstallhook().empty()) {
    return Status::Fail(
        "Shim apex is not allowed to have pre or post install hooks");
  }
  std::error_code ec;
  auto iter = fs::directory_iterator(mount_point, ec);
  if (ec) {
    return Status::Fail(StringLog()
                        << "Failed to scan " << mount_point << " : " << ec);
  }
  // Unfortunately fs::directory_iterator::operator++ can throw an exception,
  // which means that it's impossible to use range-based for loop here.
  // TODO: wrap into a non-throwing iterator to support range-based for loop.
  while (iter != fs::end(iter)) {
    const Status& status = IsWhitelistedTopLevelEntry(*iter);
    if (!status.Ok()) {
      return status;
    }
    iter = iter.increment(ec);
    if (ec) {
      return Status::Fail(StringLog()
                          << "Failed to scan " << mount_point << " : " << ec);
    }
  }
  return Status::Success();
}

Status ValidateUpdate(const std::string& system_apex_path,
                      const std::string& new_apex_path) {
  LOG(DEBUG) << "Validating update of shim apex to " << new_apex_path
             << " using system shim apex " << system_apex_path;
  auto allowed = ReadSha512(system_apex_path);
  if (!allowed.Ok()) {
    return allowed.ErrorStatus();
  }
  auto actual = CalculateSha512(new_apex_path);
  if (!actual.Ok()) {
    return actual.ErrorStatus();
  }
  auto it = std::find(allowed->begin(), allowed->end(), *actual);
  if (it == allowed->end()) {
    return Status::Fail(StringLog()
                        << new_apex_path << " has unexpected SHA512 hash "
                        << *actual);
  }
  return Status::Success();
}

}  // namespace shim
}  // namespace apex
}  // namespace android