Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Exempt platform-cert signed apps from hidden API checks.

Browse Source 
This means that APKs signed with the platform cert are allowed to use
hidden APIs, even if they are not on the package whitelist, and if they are
not in the system image. It will also allow a number of packages to be
removed from the package whitelist.

Also remove all platform cert signed apps from the package whitelist, as
there is no longer any need for them to be in there.

Bug: 64382372
Test: device boots
Change-Id: Id805419918de51f946c1f592581bab36ae79de83
This commit is contained in:
Mathew Inwood
2018-04-04 16:08:21 +01:00
parent de3569ef84
commit 9d89543d48
3 changed files with 36 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
core/java/android/content/pm/ApplicationInfo.java
View File

@@ -590,26 +590,33 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
public static final int PRIVATE_FLAG_VIRTUAL_PRELOAD = 1 << 16;
/**
* Value for {@linl #privateFlags}: whether this app is pre-installed on the
* Value for {@link #privateFlags}: whether this app is pre-installed on the
* OEM partition of the system image.
* @hide
*/
public static final int PRIVATE_FLAG_OEM = 1 << 17;
/**
* Value for {@linl #privateFlags}: whether this app is pre-installed on the
* Value for {@link #privateFlags}: whether this app is pre-installed on the
* vendor partition of the system image.
* @hide
*/
public static final int PRIVATE_FLAG_VENDOR = 1 << 18;
/**
* Value for {@linl #privateFlags}: whether this app is pre-installed on the
* Value for {@link #privateFlags}: whether this app is pre-installed on the
* product partition of the system image.
* @hide
*/
public static final int PRIVATE_FLAG_PRODUCT = 1 << 19;
/**
* Value for {@link #privateFlags}: whether this app is signed with the
* platform key.
* @hide
*/
public static final int PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY = 1 << 20;
/** @hide */
@IntDef(flag = true, prefix = { "PRIVATE_FLAG_" }, value = {
PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE,
@@ -629,6 +636,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
PRIVATE_FLAG_PRIVILEGED,
PRIVATE_FLAG_PRODUCT,
PRIVATE_FLAG_REQUIRED_FOR_SYSTEM_USER,
PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY,
PRIVATE_FLAG_STATIC_SHARED_LIBRARY,
PRIVATE_FLAG_VENDOR,
PRIVATE_FLAG_VIRTUAL_PRELOAD,
@@ -1658,6 +1666,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
return SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName);
}
private boolean isAllowedToUseHiddenApis() {
return isSignedWithPlatformKey()
|| (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp()));
}
/**
* @hide
*/
@@ -1665,7 +1678,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
if (mHiddenApiPolicy != HIDDEN_API_ENFORCEMENT_DEFAULT) {
return mHiddenApiPolicy;
}
if (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp())) {
if (isAllowedToUseHiddenApis()) {
return HIDDEN_API_ENFORCEMENT_NONE;
}
return HIDDEN_API_ENFORCEMENT_BLACK;
@@ -1757,6 +1770,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
return (privateFlags & ApplicationInfo.PRIVATE_FLAG_PARTIALLY_DIRECT_BOOT_AWARE) != 0;
}
/** @hide */
public boolean isSignedWithPlatformKey() {
return (privateFlags & ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY) != 0;
}
/** @hide */
@TestApi
public boolean isPrivilegedApp() {

65
data/etc/hiddenapi-package-whitelist.xml
View File

@@ -17,66 +17,28 @@
<!--
This XML file declares which system apps should be exempted from the hidden API blacklisting, i.e.
which apps should be allowed to access the entire private API.
which apps should be allowed to access the entire private API. Only apps NOT signed with the
platform cert need to be included, as apps signed with the platform cert are exempted by default.
-->
<config>
<hidden-api-whitelisted-app package="android.car.cluster.loggingrenderer" />
<hidden-api-whitelisted-app package="android.car.input.service" />
<hidden-api-whitelisted-app package="android.car.usb.handler" />
<hidden-api-whitelisted-app package="android.ext.services" />
<hidden-api-whitelisted-app package="com.android.apps.tag" />
<hidden-api-whitelisted-app package="com.android.backupconfirm" />
<hidden-api-whitelisted-app package="com.android.basicsmsreceiver" />
<hidden-api-whitelisted-app package="com.android.bluetooth" />
<hidden-api-whitelisted-app package="com.android.bluetoothdebug" />
<hidden-api-whitelisted-app package="com.android.bluetoothmidiservice" />
<hidden-api-whitelisted-app package="com.android.bookmarkprovider" />
<hidden-api-whitelisted-app package="com.android.calllogbackup" />
<hidden-api-whitelisted-app package="com.android.camera" />
<hidden-api-whitelisted-app package="com.android.captiveportallogin" />
<hidden-api-whitelisted-app package="com.android.car" />
<hidden-api-whitelisted-app package="com.android.car.dialer" />
<hidden-api-whitelisted-app package="com.android.car.hvac" />
<hidden-api-whitelisted-app package="com.android.car.mapsplaceholder" />
<hidden-api-whitelisted-app package="com.android.car.media" />
<hidden-api-whitelisted-app package="com.android.car.media.localmediaplayer" />
<hidden-api-whitelisted-app package="com.android.car.messenger" />
<hidden-api-whitelisted-app package="com.android.car.overview" />
<hidden-api-whitelisted-app package="com.android.car.radio" />
<hidden-api-whitelisted-app package="com.android.car.settings" />
<hidden-api-whitelisted-app package="com.android.car.stream" />
<hidden-api-whitelisted-app package="com.android.car.systemupdater" />
<hidden-api-whitelisted-app package="com.android.car.trust" />
<hidden-api-whitelisted-app package="com.android.carrierconfig" />
<hidden-api-whitelisted-app package="com.android.carrierdefaultapp" />
<hidden-api-whitelisted-app package="com.android.cellbroadcastreceiver" />
<hidden-api-whitelisted-app package="com.android.certinstaller" />
<hidden-api-whitelisted-app package="com.android.companiondevicemanager" />
<hidden-api-whitelisted-app package="com.android.customlocale2" />
<hidden-api-whitelisted-app package="com.android.defcontainer" />
<hidden-api-whitelisted-app package="com.android.development" />
<hidden-api-whitelisted-app package="com.android.documentsui" />
<hidden-api-whitelisted-app package="com.android.dreams.basic" />
<hidden-api-whitelisted-app package="com.android.egg" />
<hidden-api-whitelisted-app package="com.android.emergency" />
<hidden-api-whitelisted-app package="com.android.externalstorage" />
<hidden-api-whitelisted-app package="com.android.fakeoemfeatures" />
<hidden-api-whitelisted-app package="com.android.gallery" />
<hidden-api-whitelisted-app package="com.android.hotspot2" />
<hidden-api-whitelisted-app package="com.android.keychain" />
<hidden-api-whitelisted-app package="com.android.launcher3" />
<hidden-api-whitelisted-app package="com.android.location.fused" />
<hidden-api-whitelisted-app package="com.android.managedprovisioning" />
<hidden-api-whitelisted-app package="com.android.mms.service" />
<hidden-api-whitelisted-app package="com.android.mtp" />
<hidden-api-whitelisted-app package="com.android.musicfx" />
<hidden-api-whitelisted-app package="com.android.nfc" />
<hidden-api-whitelisted-app package="com.android.osu" />
<hidden-api-whitelisted-app package="com.android.packageinstaller" />
<hidden-api-whitelisted-app package="com.android.pacprocessor" />
<hidden-api-whitelisted-app package="com.android.phone" />
<hidden-api-whitelisted-app package="com.android.pmc" />
<hidden-api-whitelisted-app package="com.android.printservice.recommendation" />
<hidden-api-whitelisted-app package="com.android.printspooler" />
<hidden-api-whitelisted-app package="com.android.providers.blockednumber" />
@@ -85,36 +47,13 @@ which apps should be allowed to access the entire private API.
<hidden-api-whitelisted-app package="com.android.providers.downloads" />
<hidden-api-whitelisted-app package="com.android.providers.downloads.ui" />
<hidden-api-whitelisted-app package="com.android.providers.media" />
<hidden-api-whitelisted-app package="com.android.providers.settings" />
<hidden-api-whitelisted-app package="com.android.providers.telephony" />
<hidden-api-whitelisted-app package="com.android.providers.tv" />
<hidden-api-whitelisted-app package="com.android.providers.userdictionary" />
<hidden-api-whitelisted-app package="com.android.provision" />
<hidden-api-whitelisted-app package="com.android.proxyhandler" />
<hidden-api-whitelisted-app package="com.android.sdksetup" />
<hidden-api-whitelisted-app package="com.android.se" />
<hidden-api-whitelisted-app package="com.android.server.telecom" />
<hidden-api-whitelisted-app package="com.android.service.ims" />
<hidden-api-whitelisted-app package="com.android.service.ims.presence" />
<hidden-api-whitelisted-app package="com.android.settings" />
<hidden-api-whitelisted-app package="com.android.sharedstoragebackup" />
<hidden-api-whitelisted-app package="com.android.shell" />
<hidden-api-whitelisted-app package="com.android.smspush" />
<hidden-api-whitelisted-app package="com.android.spare_parts" />
<hidden-api-whitelisted-app package="com.android.statementservice" />
<hidden-api-whitelisted-app package="com.android.stk" />
<hidden-api-whitelisted-app package="com.android.storagemanager" />
<hidden-api-whitelisted-app package="com.android.support.car.lenspicker" />
<hidden-api-whitelisted-app package="com.android.systemui" />
<hidden-api-whitelisted-app package="com.android.systemui.plugins" />
<hidden-api-whitelisted-app package="com.android.terminal" />
<hidden-api-whitelisted-app package="com.android.timezone.updater" />
<hidden-api-whitelisted-app package="com.android.traceur" />
<hidden-api-whitelisted-app package="com.android.tv.settings" />
<hidden-api-whitelisted-app package="com.android.vpndialogs" />
<hidden-api-whitelisted-app package="com.android.wallpaper.livepicker" />
<hidden-api-whitelisted-app package="com.android.wallpaperbackup" />
<hidden-api-whitelisted-app package="com.android.wallpapercropper" />
<hidden-api-whitelisted-app package="com.googlecode.android_scripting" />
<hidden-api-whitelisted-app package="jp.co.omronsoft.openwnn" />
</config>

15
services/core/java/com/android/server/pm/PackageManagerService.java
View File

@@ -8700,7 +8700,7 @@ public class PackageManagerService extends IPackageManager.Stub
disabledPkgSetting /* pkgSetting */, null /* disabledPkgSetting */,
null /* originalPkgSetting */, null, parseFlags, scanFlags,
(pkg == mPlatformPackage), user);
applyPolicy(pkg, parseFlags, scanFlags);
applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);
scanPackageOnlyLI(request, mFactoryTest, -1L);
}
}
@@ -10019,7 +10019,7 @@ public class PackageManagerService extends IPackageManager.Stub
scanFlags = adjustScanFlags(scanFlags, pkgSetting, disabledPkgSetting, user, pkg);
synchronized (mPackages) {
applyPolicy(pkg, parseFlags, scanFlags);
applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);
assertPackageIsValid(pkg, parseFlags, scanFlags);
SharedUserSetting sharedUserSetting = null;
@@ -10699,7 +10699,7 @@ public class PackageManagerService extends IPackageManager.Stub
* ideally be static, but, it requires locks to read system state.
*/
private static void applyPolicy(PackageParser.Package pkg, final @ParseFlags int parseFlags,
final @ScanFlags int scanFlags) {
final @ScanFlags int scanFlags, PackageParser.Package platformPkg) {
if ((scanFlags & SCAN_AS_SYSTEM) != 0) {
pkg.applicationInfo.flags |= ApplicationInfo.FLAG_SYSTEM;
if (pkg.applicationInfo.isDirectBootAware()) {
@@ -10785,6 +10785,15 @@ public class PackageManagerService extends IPackageManager.Stub
pkg.applicationInfo.privateFlags |= ApplicationInfo.PRIVATE_FLAG_PRODUCT;
}
// Check if the package is signed with the same key as the platform package.
if (PLATFORM_PACKAGE_NAME.equals(pkg.packageName) ||
(platformPkg != null && compareSignatures(
platformPkg.mSigningDetails.signatures,
pkg.mSigningDetails.signatures) == PackageManager.SIGNATURE_MATCH)) {
pkg.applicationInfo.privateFlags |=
ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY;
}
if (!isSystemApp(pkg)) {
// Only system apps can use these features.
pkg.mOriginalPackages = null;