author | Ryan Mitchell <rtmitchell@google.com> | 2021-05-11 11:53:47 -0700 |
---|---|---|
committer | Ryan Mitchell <rtmitchell@google.com> | 2021-05-26 08:06:28 -0700 |
commit | fb1d2b2cd3aad6c5be0eb8567e05e3a9869e57be (patch) | |
tree | 3b80fa20be1fe4a5ed1cbdced627933d1d9556f3 | |
parent | 566de22c055afc72cf5796945645586b6c693995 (diff) | |
Disable verification for fully installed apps
When the overload of IncFsFileMap::Create that allows the verification
enable status to be specified is used, only enable verification if
the APK is actually incrementally installed.
Also creates a new IncFsFileMap::CreateForceVerification to force
verification on or off for testing/benchmarks.
Bug: 187220960
Test: atest ResourcesHardeningTest
Test: atest hardening-benchmark
Change-Id: I8e1a53cf3b57e61c4de3de62c967435875d7e58b
-rw-r--r-- | incfs/tests/hardening_benchmark.cpp | 4 | ||||
-rw-r--r-- | incfs/util/include/util/map_ptr.h | 9 | ||||
-rw-r--r-- | incfs/util/map_ptr.cpp | 36 |
3 files changed, 35 insertions, 14 deletions
diff --git a/incfs/tests/hardening_benchmark.cpp b/incfs/tests/hardening_benchmark.cpp
index 298198b..8e4f047 100644
--- a/incfs/tests/hardening_benchmark.cpp
+++ b/incfs/tests/hardening_benchmark.cpp
@@ -73,7 +73,7 @@ BENCHMARK(TestRead);
 static void TestMapPtrRaw(benchmark::State& state) {
 auto tmp = makeFile();
 android::incfs::IncFsFileMap map;
- map.Create(tmp->fd, 0, 1, tmp->path, true);
+ map.CreateForceVerification(tmp->fd, 0, 1, tmp->path, true);
 int val = 0;
 const uint8_t* prev_block = nullptr;
 for (auto _ : state) {
@@ -87,7 +87,7 @@ BENCHMARK(TestMapPtrRaw);
 static void TestMapPtr(benchmark::State& state) {
 auto tmp = makeFile();
 android::incfs::IncFsFileMap map;
- map.Create(tmp->fd, 0, 1, tmp->path, true);
+ map.CreateForceVerification(tmp->fd, 0, 1, tmp->path, true);
 int val = 0;
 for (auto _ : state) {
 val += map.data<char>().verify();
diff --git a/incfs/util/include/util/map_ptr.h b/incfs/util/include/util/map_ptr.h
index d1bfb40..304540f 100644
--- a/incfs/util/include/util/map_ptr.h
+++ b/incfs/util/include/util/map_ptr.h
@@ -66,9 +66,16 @@ public:
 // Returns whether or not the file was able to be memory-mapped.
 bool Create(int fd, off64_t offset, size_t length, const char* file_name);
- // Same thing, but allows for manual verification enablement
+ // Same thing, but allows verification to be disabled when `verify` is `false`, and enabled when
+ // `verify` is true and the file resides on IncFs.
 bool Create(int fd, off64_t offset, size_t length, const char* file_name, bool verify);
+ // Same thing, but allows verification to be disabled when `verify` is `false`, and enabled when
+ // `verify` is true regardless of whether the file resides on IncFs (used for benchmarks and
+ // testing).
+ bool CreateForceVerification(int fd, off64_t offset, size_t length, const char* file_name,
+ bool verify);
+
 template <typename T = void>
 map_ptr<T> data() const {
 return map_ptr<T>(verification_enabled_ ? this : nullptr,
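Review bot: The new comment on the five-argument `Create` in map_ptr.h says verification is enabled when `verify` is true and the file resides on IncFs, but the definition in map_ptr.cpp gates it on `IsVerificationEnabled(fd)`, which also requires `isFullyLoaded(fd) != LoadingState::Full`. A caller reading only the header would expect checks on a fully loaded IncFs file and would not get them. I would reword the second comment line to `// verify is true, the file resides on IncFs, and it is not yet fully loaded.` and add a sentence saying that callers which previously passed `true` to force checks must now call `CreateForceVerification`.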
diff --git a/incfs/util/map_ptr.cpp b/incfs/util/map_ptr.cpp
index 3ae09c3..f391506 100644
--- a/incfs/util/map_ptr.cpp
+++ b/incfs/util/map_ptr.cpp
@@ -46,19 +46,29 @@ const char* IncFsFileMap::file_name() const {
 return map_->getFileName();
 }
+bool IncFsFileMap::Create(int fd, off64_t offset, size_t length, const char* file_name) {
+ return Create(fd, offset, length, file_name, true /* verify */);
+}
+
 #ifdef __ANDROID__
-bool IsVerificationEnabled(int fd) {
+static bool IsVerificationEnabled(int fd) {
 return isIncFsFd(fd) && isFullyLoaded(fd) != LoadingState::Full;
 }
 using data_block_index_t = uint32_t;
-data_block_index_t get_block_index(const uint8_t* ptr, const uint8_t* start_block_ptr) {
+static data_block_index_t get_block_index(const uint8_t* ptr, const uint8_t* start_block_ptr) {
 return (ptr - start_block_ptr) / INCFS_DATA_FILE_BLOCK_SIZE;
 }
 bool IncFsFileMap::Create(int fd, off64_t offset, size_t length, const char* file_name, bool verify) {
+ return CreateForceVerification(fd, offset, length, file_name,
+ verify && IsVerificationEnabled(fd));
+}
+
+bool IncFsFileMap::CreateForceVerification(int fd, off64_t offset, size_t length,
+ const char* file_name, bool verify) {
 map_ = std::make_unique<android::FileMap>();
 if (!map_->create(file_name, fd, offset, length, true /* readOnly */)) {
 return false;
@@ -80,15 +90,8 @@ bool IncFsFileMap::Create(int fd, off64_t offset, size_t length, const char* fil
 return true;
 }
-bool IncFsFileMap::Create(int fd, off64_t offset, size_t length, const char* file_name) {
- return Create(fd, offset, length, file_name, IsVerificationEnabled(fd));
-}
-
 bool IncFsFileMap::Verify(const uint8_t* const& data_start, const uint8_t* const& data_end, const uint8_t** prev_verified_block) const {
-#ifndef __ANDROID__
- return true;
-#else
 const data_block_index_t start_index = get_block_index(data_start, start_block_ptr_);
 const data_block_index_t end_index = get_block_index(data_end - 1U, start_block_ptr_);
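Review bot: In the first map_ptr.cpp hunk, `Create(..., verify)` now downgrades `verify == true` to no verification whenever `IsVerificationEnabled(fd)` is false, and it makes that decision once, when the map is created. The comparison `isFullyLoaded(fd) != LoadingState::Full` keeps verification on for every other result, which looks like the intended fail-closed choice if `isFullyLoaded` can report a failed query as a non-`Full` value (its definition is outside this diff). A comment on `IsVerificationEnabled` such as `// Anything other than Full, including a failed query, keeps verification on.` would stop a later cleanup from inverting it. Callers outside this diff that pass `true` are not visible here and should be checked against the new meaning. The body of `CreateForceVerification` continues past the end of the hunk.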
@@ -130,14 +133,25 @@ bool IncFsFileMap::Verify(const uint8_t* const& data_start, const uint8_t* const
 // Update the previous verified block pointer to optimize repeated verifies on the same block.
 *prev_verified_block = start_block_ptr_ + (end_index * INCFS_DATA_FILE_BLOCK_SIZE);
 return true;
-#endif
 }
 #else
-bool IncFsFileMap::Create(int fd, off64_t offset, size_t length, const char* file_name) {
+bool IncFsFileMap::Create(int fd, off64_t offset, size_t length, const char* file_name,
+ bool verify) {
+ return CreateForceVerification(fd, offset, length, file_name, verify);
+}
+
+bool IncFsFileMap::CreateForceVerification(int fd, off64_t offset, size_t length,
+ const char* file_name, bool /* verify */) {
 map_ = std::make_unique<android::FileMap>();
 return map_->create(file_name, fd, offset, length, true /* readOnly */);
 }
+
+bool IncFsFileMap::Verify(const uint8_t* const& /* data_start */,
+ const uint8_t* const& /* data_end */,
+ const uint8_t** /* prev_verified_block */) const {
+ return true;
+}
 #endif
 } // namespace android::incfs
\ No newline at end of file |
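Review bot: In the `#else` branch, `CreateForceVerification` discards `verify` and the stub `Verify` returns true unconditionally, so a non-Android build that asks for forced verification gets none, and a test asserting on it there cannot fail. A comment above the stubs such as `// Non-Android builds: verification is never performed and Verify() always succeeds.` would make that explicit for anyone reading host-side test results. This branch also never assigns `verification_enabled_`, which `data()` in map_ptr.h reads. Its declaration is outside the diff, so it is worth confirming that the member has a default initializer, or adding `verification_enabled_ = false;` before the `return` here.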