Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Exempt platform-cert signed apps from hidden API checks." into pi-dev

Browse Source 
am: 0e650c1c55

Change-Id: I79b6b7643f71928c65943744aa62b8a77d2749d1
This commit is contained in:
Mathew Inwood
2018-04-05 03:53:55 -07:00
committed by android-build-merger
parent 6c6a79db4d 0e650c1c55
commit 85a2c917bd
3 changed files with 36 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
core/java/android/content/pm/ApplicationInfo.java
View File

@@ -590,26 +590,33 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
public static final int PRIVATE_FLAG_VIRTUAL_PRELOAD = 1 << 16;
/**
* Value for {@linl #privateFlags}: whether this app is pre-installed on the
* Value for {@link #privateFlags}: whether this app is pre-installed on the
* OEM partition of the system image.
* @hide
*/
public static final int PRIVATE_FLAG_OEM = 1 << 17;
/**
* Value for {@linl #privateFlags}: whether this app is pre-installed on the
* Value for {@link #privateFlags}: whether this app is pre-installed on the
* vendor partition of the system image.
* @hide
*/
public static final int PRIVATE_FLAG_VENDOR = 1 << 18;
/**
* Value for {@linl #privateFlags}: whether this app is pre-installed on the
* Value for {@link #privateFlags}: whether this app is pre-installed on the
* product partition of the system image.
* @hide
*/
public static final int PRIVATE_FLAG_PRODUCT = 1 << 19;
/**
* Value for {@link #privateFlags}: whether this app is signed with the
* platform key.
* @hide
*/
public static final int PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY = 1 << 20;
/** @hide */
@IntDef(flag = true, prefix = { "PRIVATE_FLAG_" }, value = {
PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE,
@@ -629,6 +636,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
PRIVATE_FLAG_PRIVILEGED,
PRIVATE_FLAG_PRODUCT,
PRIVATE_FLAG_REQUIRED_FOR_SYSTEM_USER,
PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY,
PRIVATE_FLAG_STATIC_SHARED_LIBRARY,
PRIVATE_FLAG_VENDOR,
PRIVATE_FLAG_VIRTUAL_PRELOAD,
@@ -1658,6 +1666,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
return SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName);
}
private boolean isAllowedToUseHiddenApis() {
return isSignedWithPlatformKey()
|| (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp()));
}
/**
* @hide
*/
@@ -1665,7 +1678,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
if (mHiddenApiPolicy != HIDDEN_API_ENFORCEMENT_DEFAULT) {
return mHiddenApiPolicy;
}
if (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp())) {
if (isAllowedToUseHiddenApis()) {
return HIDDEN_API_ENFORCEMENT_NONE;
}
return HIDDEN_API_ENFORCEMENT_BLACK;
@@ -1757,6 +1770,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
return (privateFlags & ApplicationInfo.PRIVATE_FLAG_PARTIALLY_DIRECT_BOOT_AWARE) != 0;
}
/** @hide */
public boolean isSignedWithPlatformKey() {
return (privateFlags & ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY) != 0;
}
/** @hide */
@TestApi
public boolean isPrivilegedApp() {

65
data/etc/hiddenapi-package-whitelist.xml
View File

@@ -17,66 +17,28 @@
<!--
This XML file declares which system apps should be exempted from the hidden API blacklisting, i.e.
which apps should be allowed to access the entire private API.
which apps should be allowed to access the entire private API. Only apps NOT signed with the
platform cert need to be included, as apps signed with the platform cert are exempted by default.
-->
<config>
<hidden-api-whitelisted-app package="android.car.cluster.loggingrenderer" />
<hidden-api-whitelisted-app package="android.car.input.service" />
<hidden-api-whitelisted-app package="android.car.usb.handler" />
<hidden-api-whitelisted-app package="android.ext.services" />
<hidden-api-whitelisted-app package="com.android.apps.tag" />
<hidden-api-whitelisted-app package="com.android.backupconfirm" />
<hidden-api-whitelisted-app package="com.android.basicsmsreceiver" />
<hidden-api-whitelisted-app package="com.android.bluetooth" />
<hidden-api-whitelisted-app package="com.android.bluetoothdebug" />
<hidden-api-whitelisted-app package="com.android.bluetoothmidiservice" />
<hidden-api-whitelisted-app package="com.android.bookmarkprovider" />
<hidden-api-whitelisted-app package="com.android.calllogbackup" />
<hidden-api-whitelisted-app package="com.android.camera" />
<hidden-api-whitelisted-app package="com.android.captiveportallogin" />
<hidden-api-whitelisted-app package="com.android.car" />
<hidden-api-whitelisted-app package="com.android.car.dialer" />
<hidden-api-whitelisted-app package="com.android.car.hvac" />
<hidden-api-whitelisted-app package="com.android.car.mapsplaceholder" />
<hidden-api-whitelisted-app package="com.android.car.media" />
<hidden-api-whitelisted-app package="com.android.car.media.localmediaplayer" />
<hidden-api-whitelisted-app package="com.android.car.messenger" />
<hidden-api-whitelisted-app package="com.android.car.overview" />
<hidden-api-whitelisted-app package="com.android.car.radio" />
<hidden-api-whitelisted-app package="com.android.car.settings" />
<hidden-api-whitelisted-app package="com.android.car.stream" />
<hidden-api-whitelisted-app package="com.android.car.systemupdater" />
<hidden-api-whitelisted-app package="com.android.car.trust" />
<hidden-api-whitelisted-app package="com.android.carrierconfig" />
<hidden-api-whitelisted-app package="com.android.carrierdefaultapp" />
<hidden-api-whitelisted-app package="com.android.cellbroadcastreceiver" />
<hidden-api-whitelisted-app package="com.android.certinstaller" />
<hidden-api-whitelisted-app package="com.android.companiondevicemanager" />
<hidden-api-whitelisted-app package="com.android.customlocale2" />
<hidden-api-whitelisted-app package="com.android.defcontainer" />
<hidden-api-whitelisted-app package="com.android.development" />
<hidden-api-whitelisted-app package="com.android.documentsui" />
<hidden-api-whitelisted-app package="com.android.dreams.basic" />
<hidden-api-whitelisted-app package="com.android.egg" />
<hidden-api-whitelisted-app package="com.android.emergency" />
<hidden-api-whitelisted-app package="com.android.externalstorage" />
<hidden-api-whitelisted-app package="com.android.fakeoemfeatures" />
<hidden-api-whitelisted-app package="com.android.gallery" />
<hidden-api-whitelisted-app package="com.android.hotspot2" />
<hidden-api-whitelisted-app package="com.android.keychain" />
<hidden-api-whitelisted-app package="com.android.launcher3" />
<hidden-api-whitelisted-app package="com.android.location.fused" />
<hidden-api-whitelisted-app package="com.android.managedprovisioning" />
<hidden-api-whitelisted-app package="com.android.mms.service" />
<hidden-api-whitelisted-app package="com.android.mtp" />
<hidden-api-whitelisted-app package="com.android.musicfx" />
<hidden-api-whitelisted-app package="com.android.nfc" />
<hidden-api-whitelisted-app package="com.android.osu" />
<hidden-api-whitelisted-app package="com.android.packageinstaller" />
<hidden-api-whitelisted-app package="com.android.pacprocessor" />
<hidden-api-whitelisted-app package="com.android.phone" />
<hidden-api-whitelisted-app package="com.android.pmc" />
<hidden-api-whitelisted-app package="com.android.printservice.recommendation" />
<hidden-api-whitelisted-app package="com.android.printspooler" />
<hidden-api-whitelisted-app package="com.android.providers.blockednumber" />
@@ -85,36 +47,13 @@ which apps should be allowed to access the entire private API.
<hidden-api-whitelisted-app package="com.android.providers.downloads" />
<hidden-api-whitelisted-app package="com.android.providers.downloads.ui" />
<hidden-api-whitelisted-app package="com.android.providers.media" />
<hidden-api-whitelisted-app package="com.android.providers.settings" />
<hidden-api-whitelisted-app package="com.android.providers.telephony" />
<hidden-api-whitelisted-app package="com.android.providers.tv" />
<hidden-api-whitelisted-app package="com.android.providers.userdictionary" />
<hidden-api-whitelisted-app package="com.android.provision" />
<hidden-api-whitelisted-app package="com.android.proxyhandler" />
<hidden-api-whitelisted-app package="com.android.sdksetup" />
<hidden-api-whitelisted-app package="com.android.se" />
<hidden-api-whitelisted-app package="com.android.server.telecom" />
<hidden-api-whitelisted-app package="com.android.service.ims" />
<hidden-api-whitelisted-app package="com.android.service.ims.presence" />
<hidden-api-whitelisted-app package="com.android.settings" />
<hidden-api-whitelisted-app package="com.android.sharedstoragebackup" />
<hidden-api-whitelisted-app package="com.android.shell" />
<hidden-api-whitelisted-app package="com.android.smspush" />
<hidden-api-whitelisted-app package="com.android.spare_parts" />
<hidden-api-whitelisted-app package="com.android.statementservice" />
<hidden-api-whitelisted-app package="com.android.stk" />
<hidden-api-whitelisted-app package="com.android.storagemanager" />
<hidden-api-whitelisted-app package="com.android.support.car.lenspicker" />
<hidden-api-whitelisted-app package="com.android.systemui" />
<hidden-api-whitelisted-app package="com.android.systemui.plugins" />
<hidden-api-whitelisted-app package="com.android.terminal" />
<hidden-api-whitelisted-app package="com.android.timezone.updater" />
<hidden-api-whitelisted-app package="com.android.traceur" />
<hidden-api-whitelisted-app package="com.android.tv.settings" />
<hidden-api-whitelisted-app package="com.android.vpndialogs" />
<hidden-api-whitelisted-app package="com.android.wallpaper.livepicker" />
<hidden-api-whitelisted-app package="com.android.wallpaperbackup" />
<hidden-api-whitelisted-app package="com.android.wallpapercropper" />
<hidden-api-whitelisted-app package="com.googlecode.android_scripting" />
<hidden-api-whitelisted-app package="jp.co.omronsoft.openwnn" />
</config>

15
services/core/java/com/android/server/pm/PackageManagerService.java
View File

@@ -8700,7 +8700,7 @@ public class PackageManagerService extends IPackageManager.Stub
disabledPkgSetting /* pkgSetting */, null /* disabledPkgSetting */,
null /* originalPkgSetting */, null, parseFlags, scanFlags,
(pkg == mPlatformPackage), user);
applyPolicy(pkg, parseFlags, scanFlags);
applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);
scanPackageOnlyLI(request, mFactoryTest, -1L);
}
}
@@ -10030,7 +10030,7 @@ public class PackageManagerService extends IPackageManager.Stub
scanFlags = adjustScanFlags(scanFlags, pkgSetting, disabledPkgSetting, user, pkg);
synchronized (mPackages) {
applyPolicy(pkg, parseFlags, scanFlags);
applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);
assertPackageIsValid(pkg, parseFlags, scanFlags);
SharedUserSetting sharedUserSetting = null;
@@ -10710,7 +10710,7 @@ public class PackageManagerService extends IPackageManager.Stub
* ideally be static, but, it requires locks to read system state.
*/
private static void applyPolicy(PackageParser.Package pkg, final @ParseFlags int parseFlags,
final @ScanFlags int scanFlags) {
final @ScanFlags int scanFlags, PackageParser.Package platformPkg) {
if ((scanFlags & SCAN_AS_SYSTEM) != 0) {
pkg.applicationInfo.flags |= ApplicationInfo.FLAG_SYSTEM;
if (pkg.applicationInfo.isDirectBootAware()) {
@@ -10796,6 +10796,15 @@ public class PackageManagerService extends IPackageManager.Stub
pkg.applicationInfo.privateFlags |= ApplicationInfo.PRIVATE_FLAG_PRODUCT;
}
// Check if the package is signed with the same key as the platform package.
if (PLATFORM_PACKAGE_NAME.equals(pkg.packageName) ||
(platformPkg != null && compareSignatures(
platformPkg.mSigningDetails.signatures,
pkg.mSigningDetails.signatures) == PackageManager.SIGNATURE_MATCH)) {
pkg.applicationInfo.privateFlags |=
ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY;
}
if (!isSystemApp(pkg)) {
// Only system apps can use these features.
pkg.mOriginalPackages = null;