From 11d21a29767cedf62aa9dcc8708a828867491840 Mon Sep 17 00:00:00 2001
From: Nicolas Geoffray <ngeoffray@google.com>
Date: Wed, 24 Jan 2018 14:07:14 +0000
Subject: [PATCH] Rewrite handling of oob priv-apps in framework.

- Use 'verify' compiler filter for dexopt.
- Don't pass DISABLE_VERIFIER, instead rely on the oat file status.

This is made possible by:
https://android-review.googlesource.com/#/c/platform/art/+/568546/

Which allows loading oat files, but not executing them.

bug: 30972906
Test: build, set pm.dexopt.priv-apps-oob to true, shell stop && start, see we're not
      using the compiled code.

Change-Id: Idb909c68304f74a720499db3a6cc4a457b52f1e1
---
 .../com/android/server/am/ActivityManagerService.java  |  1 -
 .../com/android/server/pm/PackageDexOptimizer.java     | 10 +++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 5eb5b1406231b..48d888f5e6d47 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -4020,7 +4020,6 @@ public class ActivityManagerService extends IActivityManager.Stub
 
             if (app.info.isPrivilegedApp() &&
                     SystemProperties.getBoolean("pm.dexopt.priv-apps-oob", false)) {
-                runtimeFlags |= Zygote.DISABLE_VERIFIER;
                 runtimeFlags |= Zygote.ONLY_USE_SYSTEM_OAT_FILES;
             }
 
diff --git a/services/core/java/com/android/server/pm/PackageDexOptimizer.java b/services/core/java/com/android/server/pm/PackageDexOptimizer.java
index 91df87b713e89..beab758f697c8 100644
--- a/services/core/java/com/android/server/pm/PackageDexOptimizer.java
+++ b/services/core/java/com/android/server/pm/PackageDexOptimizer.java
@@ -110,11 +110,6 @@ public class PackageDexOptimizer {
             return false;
         }
 
-        // We do not dexopt a priv-app package when pm.dexopt.priv-apps-oob is true.
-        if (pkg.isPrivileged()) {
-            return !SystemProperties.getBoolean("pm.dexopt.priv-apps-oob", false);
-        }
-
         return true;
     }
 
@@ -480,6 +475,11 @@ public class PackageDexOptimizer {
             boolean isUsedByOtherApps) {
         int flags = info.flags;
         boolean vmSafeMode = (flags & ApplicationInfo.FLAG_VM_SAFE_MODE) != 0;
+        // When pm.dexopt.priv-apps-oob is true, we only verify privileged apps.
+        if (info.isPrivilegedApp() &&
+            SystemProperties.getBoolean("pm.dexopt.priv-apps-oob", false)) {
+          return "verify";
+        }
         if (vmSafeMode) {
             return getSafeModeCompilerFilter(targetCompilerFilter);
         }