Force off-device package installation with FUSE
The non-A/B package installation is subject to TOC/TOU flaw if the attacker can switch the package in the middle of installation. And the most pratical case is to store the package on an external device, e.g. a sdcard, and swap the device in the middle. To prevent that, we can adopt the same protection as used in sideloading a package with FUSE. Specifically, when we install the package with FUSE, we read the entire package to cryptographically verify its signature. The hash for each transfer block is recorded in the memory (TOC), and the subsequent reads (TOU) will be rejected upon dectecting a mismatch. This CL forces the package installation with FUSE when the package stays on a removable media. Bug: 136498130 Test: Run bin/recovery --update_package with various paths; and packages are installed from FUSE as expected Test: recovery_unit_test - no new failures Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5 Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This commit is contained in:
Tianjie Xu
Bryan Ferris
@@ -30,6 +30,7 @@
|
||||
#include <atomic>
|
||||
#include <chrono>
|
||||
#include <condition_variable>
|
||||
#include <filesystem>
|
||||
#include <functional>
|
||||
#include <limits>
|
||||
#include <mutex>
|
||||
@@ -641,3 +642,49 @@ bool verify_package(Package* package, RecoveryUI* ui) {
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
bool SetupPackageMount(const std::string& package_path, bool* should_use_fuse) {
|
||||
CHECK(should_use_fuse != nullptr);
|
||||
|
||||
if (package_path.empty()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
*should_use_fuse = true;
|
||||
if (package_path[0] == '@') {
|
||||
auto block_map_path = package_path.substr(1);
|
||||
if (ensure_path_mounted(block_map_path) != 0) {
|
||||
LOG(ERROR) << "Failed to mount " << block_map_path;
|
||||
return false;
|
||||
}
|
||||
// uncrypt only produces block map only if the package stays on /data.
|
||||
*should_use_fuse = false;
|
||||
return true;
|
||||
}
|
||||
|
||||
// Package is not a block map file.
|
||||
if (ensure_path_mounted(package_path) != 0) {
|
||||
LOG(ERROR) << "Failed to mount " << package_path;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Reject the package if the input path doesn't equal the canonicalized path.
|
||||
// e.g. /cache/../sdcard/update_package.
|
||||
std::error_code ec;
|
||||
auto canonical_path = std::filesystem::canonical(package_path, ec);
|
||||
if (ec) {
|
||||
LOG(ERROR) << "Failed to get canonical of " << package_path << ", " << ec.message();
|
||||
return false;
|
||||
}
|
||||
if (canonical_path.string() != package_path) {
|
||||
LOG(ERROR) << "Installation aborts. The canonical path " << canonical_path.string()
|
||||
<< " doesn't equal the original path " << package_path;
|
||||
return false;
|
||||
}
|
||||
|
||||
constexpr const char* CACHE_ROOT = "/cache";
|
||||
if (android::base::StartsWith(package_path, CACHE_ROOT)) {
|
||||
*should_use_fuse = false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user