Merge "Limit stage install to system and whitelisted packges only (1/2)" into rvc-dev

2020-04-06 14:16:25 +00:00
parent f241f95205 792c79623d
commit 04e287816f
2 changed files with 64 additions and 2 deletions
--- a/core/java/com/android/server/SystemConfig.java
+++ b/core/java/com/android/server/SystemConfig.java
@@ -229,6 +229,7 @@ public class SystemConfig {
    private ArrayMap<String, Set<String>> mPackageToUserTypeBlacklist = new ArrayMap<>();

    private final ArraySet<String> mRollbackWhitelistedPackages = new ArraySet<>();
+    private final ArraySet<String> mWhitelistedStagedInstallers = new ArraySet<>();

    /**
     * Map of system pre-defined, uniquely named actors; keys are namespace,
@@ -394,6 +395,10 @@ public class SystemConfig {
        return mRollbackWhitelistedPackages;
    }

+    public Set<String> getWhitelistedStagedInstallers() {
+        return mWhitelistedStagedInstallers;
+    }
+
    public ArraySet<String> getAppDataIsolationWhitelistedApps() {
        return mAppDataIsolationWhitelistedApps;
    }
@@ -1137,6 +1142,20 @@ public class SystemConfig {
                        }
                        XmlUtils.skipCurrentTag(parser);
                    } break;
+                    case "whitelisted-staged-installer": {
+                        if (allowAppConfigs) {
+                            String pkgname = parser.getAttributeValue(null, "package");
+                            if (pkgname == null) {
+                                Slog.w(TAG, "<" + name + "> without package in " + permFile
+                                        + " at " + parser.getPositionDescription());
+                            } else {
+                                mWhitelistedStagedInstallers.add(pkgname);
+                            }
+                        } else {
+                            logNotAllowedInPartition(name, permFile, parser);
+                        }
+                        XmlUtils.skipCurrentTag(parser);
+                    } break;
                    default: {
                        Slog.w(TAG, "Tag " + name + " is unknown in "
                                + permFile + " at " + parser.getPositionDescription());
--- a/services/tests/servicestests/src/com/android/server/systemconfig/SystemConfigTest.java
+++ b/services/tests/servicestests/src/com/android/server/systemconfig/SystemConfigTest.java
@@ -16,6 +16,8 @@

 package com.android.server.systemconfig;

+import static com.google.common.truth.Truth.assertThat;
+
 import static org.junit.Assert.assertEquals;

 import android.platform.test.annotations.Presubmit;
@@ -164,7 +166,7 @@ public class SystemConfigTest {

        mSysConfig.readPermissions(folder, /* No permission needed anyway */ 0);

-        final ArrayMap<String, Boolean>  packageOneExpected = new ArrayMap<>();
+        final ArrayMap<String, Boolean> packageOneExpected = new ArrayMap<>();
        packageOneExpected.put("com.android.package1.Full", true);
        packageOneExpected.put("com.android.package1.Relative", false);

@@ -180,8 +182,48 @@ public class SystemConfigTest {
        assertEquals(packageTwoExpected, packageTwo);
    }

+    /**
+     * Tests that readPermissions works correctly with {@link SystemConfig#ALLOW_APP_CONFIGS}
+     * permission flag for the tag: whitelisted-staged-installer.
+     */
+    @Test
+    public void readPermissions_allowAppConfigs_parsesStagedInstallerWhitelist()
+            throws IOException {
+        final String contents =
+                "<config>\n"
+                + "    <whitelisted-staged-installer package=\"com.android.package1\" />\n"
+                + "</config>";
+        final File folder = createTempSubfolder("folder");
+        createTempFile(folder, "staged-installer-whitelist.xml", contents);
+
+        mSysConfig.readPermissions(folder, /* Grant all permission flags */ ~0);
+
+        assertThat(mSysConfig.getWhitelistedStagedInstallers())
+                .containsExactly("com.android.package1");
+    }
+
+    /**
+     * Tests that readPermissions works correctly without {@link SystemConfig#ALLOW_APP_CONFIGS}
+     * permission flag for the tag: whitelisted-staged-installer.
+     */
+    @Test
+    public void readPermissions_notAllowAppConfigs_wontParseStagedInstallerWhitelist()
+            throws IOException {
+        final String contents =
+                "<config>\n"
+                + "    <whitelisted-staged-installer package=\"com.android.package1\" />\n"
+                + "</config>";
+        final File folder = createTempSubfolder("folder");
+        createTempFile(folder, "staged-installer-whitelist.xml", contents);
+
+        mSysConfig.readPermissions(folder, /* Grant all but ALLOW_APP_CONFIGS flag */ ~0x08);
+
+        assertThat(mSysConfig.getWhitelistedStagedInstallers()).isEmpty();
+    }
+
    /**
     * Creates folderName/fileName in the mTemporaryFolder and fills it with the contents.
+     *
     * @param folderName subdirectory of mTemporaryFolder to put the file, creating if needed
     * @return the folder
     */
@@ -194,7 +236,8 @@ public class SystemConfigTest {

    /**
     * Creates folderName/fileName in the mTemporaryFolder and fills it with the contents.
-     * @param folder pre-existing subdirectory of mTemporaryFolder to put the file
+     *
+     * @param folder   pre-existing subdirectory of mTemporaryFolder to put the file
     * @param fileName name of the file (e.g. filename.xml) to create
     * @param contents contents to write to the file
     * @return the folder containing the newly created file (not the file itself!)