From bbc133a2ecf3654fd749388e18139f6689613253 Mon Sep 17 00:00:00 2001
From: Victor Hsieh <victorhsieh@google.com>
Date: Tue, 9 Jan 2024 15:49:39 -0800
Subject: [PATCH] Fix fs-verity API for secondary users

While the main fix is in the other change in the topic, this change:
 * Adjusts to the installd API change by dropping userId from the call
 * Marks the test as suitable for secondary users

Bug: 319280249
Test: atest FsVerityTest
Test: atest FsVerityTest --user-type secondary_user
Merged-In: I1abc779ddc4fd79644d64b704698d0e7d67a9d75
Change-Id: I1abc779ddc4fd79644d64b704698d0e7d67a9d75
---
 core/java/android/os/storage/StorageManagerInternal.java  | 2 +-
 .../java/com/android/server/StorageManagerService.java    | 4 ++--
 services/core/java/com/android/server/pm/Installer.java   | 8 +++-----
 .../com/android/server/security/FileIntegrityService.java | 2 +-
 tests/FsVerityTest/AndroidTest.xml                        | 1 +
 5 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/core/java/android/os/storage/StorageManagerInternal.java b/core/java/android/os/storage/StorageManagerInternal.java
index 8961846728a6..6995ea87ebe3 100644
--- a/core/java/android/os/storage/StorageManagerInternal.java
+++ b/core/java/android/os/storage/StorageManagerInternal.java
@@ -193,7 +193,7 @@ public abstract class StorageManagerInternal {
      * @see com.android.server.pm.Installer#createFsveritySetupAuthToken()
      */
     public abstract IInstalld.IFsveritySetupAuthToken createFsveritySetupAuthToken(
-            ParcelFileDescriptor authFd, int appUid, @UserIdInt int userId) throws IOException;
+            ParcelFileDescriptor authFd, int uid) throws IOException;
 
     /**
      * A proxy call to the corresponding method in Installer.
diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java
index 7a4ac6ac4500..2b35231a51f8 100644
--- a/services/core/java/com/android/server/StorageManagerService.java
+++ b/services/core/java/com/android/server/StorageManagerService.java
@@ -5040,9 +5040,9 @@ class StorageManagerService extends IStorageManager.Stub
 
         @Override
         public IFsveritySetupAuthToken createFsveritySetupAuthToken(ParcelFileDescriptor authFd,
-                int appUid, @UserIdInt int userId) throws IOException {
+                int uid) throws IOException {
             try {
-                return mInstaller.createFsveritySetupAuthToken(authFd, appUid, userId);
+                return mInstaller.createFsveritySetupAuthToken(authFd, uid);
             } catch (Installer.InstallerException e) {
                 throw new IOException(e);
             }
diff --git a/services/core/java/com/android/server/pm/Installer.java b/services/core/java/com/android/server/pm/Installer.java
index d5471cb01527..34903d1ed47d 100644
--- a/services/core/java/com/android/server/pm/Installer.java
+++ b/services/core/java/com/android/server/pm/Installer.java
@@ -1183,8 +1183,7 @@ public class Installer extends SystemService {
      * Returns an auth token for the provided writable FD.
      *
      * @param authFd a file descriptor to proof that the caller can write to the file.
-     * @param appUid uid of the calling app.
-     * @param userId id of the user whose app file to enable fs-verity.
+     * @param uid uid of the calling app.
      *
      * @return authToken, or null if a remote call shouldn't be continued. See {@link
      * #checkBeforeRemote}.
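Review bot: The new `@param uid uid of the calling app.` line does not say which kind of id is expected. That matters now that the separate `userId` argument is gone and this value is the only caller identity forwarded to installd. The call site in FileIntegrityService passes `Binder.getCallingUid()`, so the doc could read `@param uid full uid of the calling app (user id and app id combined), as returned by Binder.getCallingUid(); not a bare app id.` The same wording would presumably fit the declaration in StorageManagerInternal, whose Javadoc starts outside its hunk. The Javadoc block here also begins above the hunk.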
@@ -1192,13 +1191,12 @@ public class Installer extends SystemService {
      * @throws InstallerException if the remote call failed.
      */
     public IInstalld.IFsveritySetupAuthToken createFsveritySetupAuthToken(
-            ParcelFileDescriptor authFd, int appUid, @UserIdInt int userId)
-            throws InstallerException {
+            ParcelFileDescriptor authFd, int uid) throws InstallerException {
         if (!checkBeforeRemote()) {
             return null;
         }
         try {
-            return mInstalld.createFsveritySetupAuthToken(authFd, appUid, userId);
+            return mInstalld.createFsveritySetupAuthToken(authFd, uid);
         } catch (Exception e) {
             throw InstallerException.from(e);
         }
diff --git a/services/core/java/com/android/server/security/FileIntegrityService.java b/services/core/java/com/android/server/security/FileIntegrityService.java
index a49df50c1b92..bb4876bd5f56 100644
--- a/services/core/java/com/android/server/security/FileIntegrityService.java
+++ b/services/core/java/com/android/server/security/FileIntegrityService.java
@@ -157,7 +157,7 @@ public class FileIntegrityService extends SystemService {
             Objects.requireNonNull(authFd);
             try {
                 var authToken = getStorageManagerInternal().createFsveritySetupAuthToken(authFd,
-                        Binder.getCallingUid(), Binder.getCallingUserHandle().getIdentifier());
+                        Binder.getCallingUid());
                 // fs-verity setup requires no writable fd to the file. Release the dup now that
                 // it's passed.
                 authFd.close();
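Review bot: The `authToken` returned by `createFsveritySetupAuthToken` can be null, and no null check is visible in the lines shown. Installer documents `null if a remote call shouldn't be continued`, and the StorageManagerService proxy returns that value unchanged. If the rest of the method, which continues outside this hunk, does not already handle it, add an `if (authToken == null)` guard right after the call that fails the request explicitly. Separately, `authFd.close()` is reached only when the call returns normally. Unless a handler outside the hunk closes it, an IOException would leave the writable dup open in the service process, so moving the close into a `finally` would be safer.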
diff --git a/tests/FsVerityTest/AndroidTest.xml b/tests/FsVerityTest/AndroidTest.xml
index d2537f6410e8..f2d7990436e4 100644
--- a/tests/FsVerityTest/AndroidTest.xml
+++ b/tests/FsVerityTest/AndroidTest.xml
@@ -15,6 +15,7 @@
 -->
 <configuration description="fs-verity end-to-end test">
     <option name="test-suite-tag" value="apct" />
+    <option name="config-descriptor:metadata" key="parameter" value="secondary_user"/>
 
     <object type="module_controller" class="com.android.tradefed.testtype.suite.module.ShippingApiLevelModuleController">
         <!-- fs-verity is required since R/30 -->
-- 
GitLab