From e366fe9f01a91d0a86f892ef544c85672627813e Mon Sep 17 00:00:00 2001
From: Kelvin Zhang <zhangkelvin@google.com>
Date: Mon, 18 Mar 2024 10:24:10 -0700
Subject: [PATCH] Check for build-tags before installing sideload OTA

Only allow test-key OTA to be installed on test-key devices,
and only allow release-key OTA to be installed on release-key devices.

Test: sideload recovery OTA
Bug: 314013134
Change-Id: I6609923929247ab498d3a315637765ae2d1370b0
---
 install/install.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install/install.cpp b/install/install.cpp
index a9786cfd..6294a3dc 100644
--- a/install/install.cpp
+++ b/install/install.cpp
@@ -189,6 +189,17 @@ static bool CheckAbSpecificMetadata(const std::map<std::string, std::string>& me
       return false;
     }
   }
+  const auto post_build = get_value(metadata, "post-build");
+  const auto build_fingerprint = android::base::Tokenize(post_build, "/");
+  if (!build_fingerprint.empty()) {
+    const auto& post_build_tag = build_fingerprint.back();
+    const auto build_tag = android::base::GetProperty("ro.build.tags", "");
+    if (build_tag != post_build_tag) {
+      LOG(ERROR) << "Post build-tag " << post_build_tag << " does not match device build tag "
+                 << build_tag;
+      return false;
+    }
+  }
 
   return true;
 }