From 7d0c4f3aa7c7640afc0496a9c901eeb49c65b47d Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 31 Jan 2023 19:32:46 +0200
Subject: [PATCH] require fs-verity when installing system package updates

---
 .../android/server/pm/InstallPackageHelper.java  | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index e929e4762126..2bfbd199d7f5 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -1513,6 +1513,22 @@ && cannotInstallWithBadPermissionGroups(parsedPackage)) {
                     "Failed to set up verity: " + e);
         }
 
+        boolean checkVerity = true;
+        if (Build.IS_DEBUGGABLE) {
+            if (SystemProperties.getBoolean("persist.disable_install_time_fsverity_check", false)) {
+                checkVerity = false;
+            }
+        }
+
+        if (checkVerity && PackageVerityExt.getSystemPackage(parsedPackage) != null) {
+            try {
+                PackageVerityExt.checkFsVerity(parsedPackage);
+            } catch (PackageManagerException e) {
+                throw new PrepareFailure(INSTALL_FAILED_INTERNAL_ERROR,
+                        "fs-verity not set up for system package update " + e);
+            }
+        }
+
         final PackageFreezer freezer =
                 freezePackageForInstall(pkgName, installFlags, "installPackageLI");
         boolean shouldCloseFreezerBeforeReturn = true;