From e12cfda75f99cd6393b398ce6a0b2187b4657619 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Tue, 30 Jun 2020 15:42:29 +0100
Subject: [PATCH] Don't allow shell to spoof initiating package name.

This preserves the ability to override the installer package name
(installer of record). But it prevents overriding the initiating
package name (real installing package) which should always be null for
an adb installed package.

Bug: 160224791
Test: manual
Test: atest PackageManagerTests PackageVerifierTest
Change-Id: I586b524d11dab075034ca05a87fac819cb99b61b
---
 .../java/com/android/server/pm/PackageInstallerService.java   | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
index f827721be3b7b..91b2ea1853fa8 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
@@ -522,7 +522,9 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements
 
         if ((callingUid == Process.SHELL_UID) || (callingUid == Process.ROOT_UID)) {
             params.installFlags |= PackageManager.INSTALL_FROM_ADB;
-
+            // adb installs can override the installingPackageName, but not the
+            // initiatingPackageName
+            installerPackageName = null;
         } else {
             if (callingUid != Process.SYSTEM_UID) {
                 // The supplied installerPackageName must always belong to the calling app.