Replace incomplete path-based check with statx

The current check is incomplete as it doesn't capture /system and
others. Switch to hasFsverity (which calls statx) to directly query
the filesystem the fs-verity-ness. This only needs the commom getattr
SELinux privileged, so no sepolicy change is needed.

Bug: 279597861
Bug: 258093107
Test: see 258093107#30
Change-Id: I3140b770b57c4fedc8f077adddda5ec2a50c4ee6

services/core/java/com/android/server/pm/ApkChecksums.java

@@ -40,8 +40,6 @@ import android.content.pm.SigningDetails.SignatureSchemeVersion;
 import android.content.pm.parsing.ApkLiteParseUtils;
 import android.content.pm.parsing.result.ParseResult;
 import android.content.pm.parsing.result.ParseTypeImpl;
-import android.os.Environment;
-import android.os.FileUtils;
 import android.os.Handler;
 import android.os.RemoteException;
 import android.os.SystemClock;
@@ -638,18 +636,9 @@ public class ApkChecksums {
         return null;
     }
 
-    private static boolean containsFile(File dir, String filePath) {
-        if (dir == null) {
-            return false;
-        }
-        return FileUtils.contains(dir.getAbsolutePath(), filePath);
-    }
-
     private static ApkChecksum extractHashFromFS(String split, String filePath) {
         // verity first
-        // Skip /product folder.
-        // TODO(b/231354111): remove this hack once we are allowed to change SELinux rules.
-        if (!containsFile(Environment.getProductDirectory(), filePath)) {
+        if (VerityUtils.hasFsverity(filePath)) {
             byte[] verityHash = VerityUtils.getFsverityDigest(filePath);
             if (verityHash != null) {
                 return new ApkChecksum(split, TYPE_WHOLE_MERKLE_ROOT_4K_SHA256, verityHash);