From 58a27693b22da9b93c634d053a53deb4c4a71e4e Mon Sep 17 00:00:00 2001
From: Tianjie Xu <xunchang@google.com>
Date: Tue, 6 Aug 2019 12:32:05 -0700
Subject: Force package installation with FUSE unless the package stores on
 device

The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.

To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.

This CL forces the package installation with FUSE when the package stays
on a removable media.

Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected

Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
---
 tests/Android.bp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'tests/Android.bp')

diff --git a/tests/Android.bp b/tests/Android.bp
index 5b881e367..ec49c07af 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -94,6 +94,7 @@ librecovery_static_libs = [
     "liblp",
     "libvndksupport",
     "libtinyxml2",
+    "libc++fs",
 ]
 
 cc_test {
-- 
cgit v1.2.3