hardware_manager: Validate upgrade zips against the saved ota channel

tools/helpers/images.py

@@ -81,6 +81,20 @@ def get(args):
             break
     remove_overlay(args)
 
+def validate(args, channel, image_zip):
+    # Verify that the zip comes from the channel
+    cfg = tools.config.load(args)
+    channel_url = cfg["waydroid"][channel]
+    channel_request = helpers.http.retrieve(channel_url)
+    if channel_request[0] != 200:
+        return False
+    channel_responses = json.loads(channel_request[1].decode('utf8'))["response"]
+    for build in channel_responses:
+        if sha256sum(image_zip) == build['id']:
+            return True
+    logging.warning(f"Could not verify the image {image_zip} against {channel_url}")
+    return False
+
 def replace(args, system_zip, system_time, vendor_zip, vendor_time):
     cfg = tools.config.load(args)
     args.images_path = cfg["waydroid"]["images_path"]

tools/services/hardware_manager.py

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 import logging
 import threading
+import os
 import tools.actions.container_manager
 import tools.actions.session_manager
 import tools.config
@@ -29,6 +30,12 @@ def start(args):
         helpers.lxc.start(args)
 
     def upgrade(system_zip, system_time, vendor_zip, vendor_time):
+        if os.path.exists(system_zip) and not helpers.images.validate(args, "system_ota", system_zip):
+            logging.warning("Not upgrading because system.img comes from an unverified source")
+            return
+        if os.path.exists(vendor_zip) and not helpers.images.validate(args, "vendor_ota", vendor_zip):
+            logging.warning("Not upgrading because vendor.img comes from an unverified source")
+            return
         helpers.lxc.stop(args)
         helpers.images.umount_rootfs(args)
         helpers.images.replace(args, system_zip, system_time,