Commit Graph

9543 Commits

Author SHA1 Message Date
Automerger Merge Worker
bcb6c7aff5 Merge "Merge "Deprecate docs for auto revoke manifest and Intent APIs" into rvc-dev am: c43f49dfc4 am: 5ec84ee3a3 am: de433322e2" into rvc-qpr-dev-plus-aosp am: 1a593e5ee6
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/11722408

Change-Id: If4436bcd35962f297dbe12e147fcb6462007306f
2020-06-04 01:57:27 +00:00
Eugene Susla
de433322e2 Merge "Deprecate docs for auto revoke manifest and Intent APIs" into rvc-dev am: c43f49dfc4 am: 5ec84ee3a3
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/11722408

Change-Id: Ic33f82bceb3257f976bac23640c61edc6739f808
2020-06-04 01:36:26 +00:00
Eugene Susla
c43f49dfc4 Merge "Deprecate docs for auto revoke manifest and Intent APIs" into rvc-dev 2020-06-04 01:08:10 +00:00
Eugene Susla
c7cae60a64 Deprecate docs for auto revoke manifest and Intent APIs
Test: presubmit
Bug: 153607914
Change-Id: I9c8d0aa1432ca00b729f19749e751cb117374b0a
2020-06-03 13:46:00 -07:00
Winson Chiu
5b66a3d0eb Merge "Fix up discrepancies between v1 and v2 package parsing" into rvc-dev-plus-aosp 2020-06-03 20:41:27 +00:00
Ashwini Oruganti
e8728dbf78 Merge "Require explicit android:exported in manifests" 2020-06-03 17:53:57 +00:00
TreeHugger Robot
44c8645f27 Merge "Add PackageInstaller SessionParams restrictions" into rvc-dev am: a817a0515e am: 0310dbe4fc am: 3de943756f am: 304cd07d0b
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/11621266

Change-Id: Ic5271e7297504f480d571f4c0cb2c248e78f74b1
2020-06-03 17:31:36 +00:00
Winson
10d51880e2 Add PackageInstaller SessionParams restrictions
To mitigate a boot loop with reading a massive
install_sessions.xml file, this restricts the amount of
data that can be written by limiting the size of
unbounded parameters like package name and app label.

This introduces a lowered max session count. 50 for general
applications without the INSTALL_PACKAGES permission, and
the same 1024 for those with the permission.

Also truncates labels read from PackageItemInfo to 1000
characters, which is probably enough.

These changes restrict a malicious third party app to ~0.15 MB
written to disk, and a valid installer to ~3.6 MB, as opposed to
the >1000 MB previously allowed.

These numbers assume no install granted runtime permissions.
Those were not restricted since there's no good way to do so,
but it's assumed that any installer with that permission is
highly privileged and doesn't need to be limited.

Along the same lines, DataLoaderParams are also not restricted.
This will have to be added if that API is ever made public.

However, installer package was restricted, even though the API is
hidden. It was an easy add and may have some effect since the value
is derived from other data and passed through by other system
components.

It's still possible to inflate the file size if a lot of
different apps attempt to install a large number of packages,
but that would require thousands of malicious apps to be installed.

Bug: 157224146

Test: atest android.content.pm.PackageSessionTests

Change-Id: Iec42bee08d19d4ac53b361a92be6bc1401d9efc8
2020-06-02 12:58:53 -07:00
Winson
4548256900 Fix up discrepancies between v1 and v2 package parsing
For Activity aliases, it's possible some values are already
set, which means they cannot be assumed to be 0, and can't be
overwritten if an attribute in the alias is undefined. For the
parsing v2 refactor, this was cleaned up to avoid
redundant != 0 checks, but those checks are indeed necessary.
This copies over the old logic and uses it exactly.

In some future cleanup, there should be a more structured way
of doing this, since it's not immediately obvious which values
are overridden or not. For example, description is always
overwritten even if no new value is provided in the alias.

This also fixes up the comparison tests and other bugs that
popped up because of them. The core issue was that when
auto-generating the dumpToString methods, the Alt+Insert
macro default selects all the fields in the current class,
but not all the parent classes, so some shared fields like
name/icon were not considered.

A notable case that was found when running the comparison tests
is that persistableMode is now "fixed" with v2. Previously,
a bug in PackageParser caused this value to be dropped if
the ActivityInfo object ever had to be copied. This is a change
from Q behavior, but there's no good way to reconcile this, and
it's better to be correct and consistent than broken, so this
fix was left in and excluded from the comparison tests.

Bug: 150106908

Test: manual run through steps in bug
Test: atest com.android.server.pm.parsing

Merged-In: I1301e28540314d0e643b73af7146c1a366eca6b5
Change-Id: I1301e28540314d0e643b73af7146c1a366eca6b5
2020-06-02 18:25:01 +00:00
TreeHugger Robot
5dbe9b099f Merge "Fix up discrepancies between v1 and v2 package parsing" 2020-06-02 15:50:33 +00:00
Zimuzo Ezeozue
5fd1767ab1 Merge "Support apps sharing file:// URIs with the camera API" into rvc-dev am: efbc3f2d5e am: d371efcfb2 am: 46ca9f3ddd am: b8dd27d216
Original change: undetermined

Change-Id: I7b34b29c6cef114420491bb1710f240e38b3981d
2020-06-02 11:37:20 +00:00
Zimuzo Ezeozue
efbc3f2d5e Merge "Support apps sharing file:// URIs with the camera API" into rvc-dev 2020-06-02 10:45:33 +00:00
Automerger Merge Worker
463207a1e8 Merge "Merge "[wm] Introduce meta-data tag (android.supports_size_changes)" into rvc-dev am: 247144d4a2 am: 925463ba53 am: e9f14eeb22" into rvc-qpr-dev-plus-aosp am: 66b1ad0ddf
Original change: undetermined

Change-Id: I531d037518115630bb7d7a1eeef4cb31ccca9c19
2020-06-01 22:12:23 +00:00
Zim
c7496a3a62 Support apps sharing file:// URIs with the camera API
The camera API, MediaStore.ACTION_IMAGE_CAPTURE requires apps to pass
a content:// URI with write permissions to the camera. Unfortunately,
apps haven't been doing this and we only started hitting problems in R
for two reasons:
1. The FileUriExposedException that should crash apps when they try to
share file:// URIs across binder is skipped. This is because the
image_capture intent is passed across binder as a field in a
ChooserActivity Intent and the child intents are not checked for
file URI exposed
2. Prior to R, when camera gets a file:// URI, camera issues a file
open(2) in its process. This open(2) succeeds because the camera had
write_external_storage permission which gave it write access to all
files on external storage

Now, camera targets R and (2) fails because camera does not have write
access to files owned by other apps. To workaround, we do the
following in the app's process when it targets < R:
a. When we detect a file:// URI for the camera in an Intent, we create
the file on disk if it is not already created.
b. Scan the file to insert it in the database and retrieve a
content:// URI
c. Replace the file:// URI with the content URI in the image_capture
intent

This works because the system will ensure the camera is granted write
access to the content URI.

Test: Manual
Bug: 156336269
Change-Id: I4849ff5e806a8207650ff7534846c36ecdc6d3c0
2020-06-01 20:33:52 +01:00
Winson
66e9f33cc5 Fix up discrepancies between v1 and v2 package parsing
For Activity aliases, it's possible some values are already
set, which means they cannot be assumed to be 0, and can't be
overwritten if an attribute in the alias is undefined. For the
parsing v2 refactor, this was cleaned up to avoid
redundant != 0 checks, but those checks are indeed necessary.
This copies over the old logic and uses it exactly.

In some future cleanup, there should be a more structured way
of doing this, since it's not immediately obvious which values
are overridden or not. For example, description is always
overwritten even if no new value is provided in the alias.

This also fixes up the comparison tests and other bugs that
popped up because of them. The core issue was that when
auto-generating the dumpToString methods, the Alt+Insert
macro default selects all the fields in the current class,
but not all the parent classes, so some shared fields like
name/icon were not considered.

A notable case that was found when running the comparison tests
is that persistableMode is now "fixed" with v2. Previously,
a bug in PackageParser caused this value to be dropped if
the ActivityInfo object ever had to be copied. This is a change
from Q behavior, but there's no good way to reconcile this, and
it's better to be correct and consistent than broken, so this
fix was left in and excluded from the comparison tests.

Bug: 150106908

Test: manual run through steps in bug
Test: atest com.android.server.pm.parsing

Change-Id: I1301e28540314d0e643b73af7146c1a366eca6b5
2020-06-01 17:52:58 +00:00
Kwangho Lim
2141f707b7 [wm] Introduce meta-data tag (android.supports_size_changes)
Introduce meta-data tag "android.supports_size_changes" which will indicate that an activity works well with size changes like display changing size.

Test: Manual - Run by adding metadata to the app running with SizeCompatMode.
Bug: 155041354
Change-Id: I0f358f63c9e14c63294275c0bfcd08744bee1108
2020-06-01 08:34:38 -07:00
TreeHugger Robot
92cb1b7124 Merge "Add test for permission APEX." into rvc-dev am: e40b321ee6 am: 7a4f041cc0 am: fc5d27390c am: a82376011e
Change-Id: Iac0ef2d1dc0bb8067585c216ea9b315a8a18e60b
2020-05-29 22:37:51 +00:00
Ashwini Oruganti
c4e90ac06a Require explicit android:exported in manifests
Starting S+, if an intent filter is defined, we are requiring that the
android:exported flag also be explicitly defined in the manifest. With
this change apps targeting S+ that do not meet this requirement will
fail to install.

There is no change in the default behavior of the `android:exported`
flag when there is no intent filter defined (i.e. the flag defaults to
false in these cases).

Bug: 150232615
Test: Flashed the build on a device and tested with test apps
Change-Id: I36efeebf28f21a4d4277f40a17e38d2183514037
2020-05-29 14:48:28 -07:00
TreeHugger Robot
e40b321ee6 Merge "Add test for permission APEX." into rvc-dev 2020-05-29 21:40:19 +00:00
Ryan Mitchell
fd30295b29 Merge "Install system app in greatest priority partition" into rvc-dev am: d32418a72a am: d5bfbd0f27 am: 4053dfca5e am: cedef20a54
Change-Id: I3785b1e11a70127cd30b080e9a26b527f738ddc8
2020-05-29 18:29:29 +00:00
Ryan Mitchell
d32418a72a Merge "Install system app in greatest priority partition" into rvc-dev 2020-05-29 18:05:31 +00:00
TreeHugger Robot
a13e6aac3d Merge "Add DPC restriction for INTERACT_ACROSS_PROFILES to javadoc." into rvc-dev am: d220529254 am: 6939118f43 am: c8d970b2c2 am: bfb1d705eb
Change-Id: I4cc5087eb603ba021af84a583de29f75ad71cd2b
2020-05-29 14:00:42 +00:00
TreeHugger Robot
d220529254 Merge "Add DPC restriction for INTERACT_ACROSS_PROFILES to javadoc." into rvc-dev 2020-05-29 13:22:27 +00:00
Alex Kershaw
4da9c2097d Add DPC restriction for INTERACT_ACROSS_PROFILES to javadoc.
Fixes: 157229284
Test: Javadoc only
Change-Id: I21f6276ba08e62c1f17a279241838fdbd352c8d8
2020-05-29 12:43:08 +01:00
Hai Zhang
3562068af9 Add test for permission APEX.
Bug: 152055112
Test: atest PermissionApexTests
Change-Id: I4201501d586fe62df7a04d0e2da955d6d873d3df
2020-05-28 16:19:07 -07:00
Ryan Mitchell
d4e7f93df5 Install system app in greatest priority partition
On Pixel 2 devices, /product is a symlink to /system/product. The
product partition has a higher partition precedence than the system
partition so the app should be installed as a system app on the product
partition.

This change also unifies methods for checking whether a file is within
a partition so paths will always be canonicalized before the
check.

Bug: 152522330
Test: update system app in system/product/privapp, uninstall updates,
      verify that the app was scanned as privileged
Change-Id: I646a5f293b977a78daa2102b73f1d3122f774a2a
2020-05-28 16:06:30 -07:00
TreeHugger Robot
a00402bb70 Merge "Remove InstantAppResolverTests for migration to CTS" into rvc-dev am: f37b09335f am: 38a9ac0ff4 am: 538f254eec am: a9196432f5
Change-Id: Ifd8ca2bb20d50a7011d03bf876c00775a00f8cf7
2020-05-28 01:29:26 +00:00
TreeHugger Robot
f37b09335f Merge "Remove InstantAppResolverTests for migration to CTS" into rvc-dev 2020-05-28 00:23:16 +00:00
Mehdi Alizadeh
8162d716e6 Merge "Adds cacheFlags parameter to cache/uncacheShortcuts() methods" into rvc-dev am: c95be6995a am: 366d6c10f1 am: 987fa9cdcf am: 7f155cc487
Change-Id: I4f79117d9800a712cd0b632cd37a073509a9c1e9
2020-05-27 19:59:32 +00:00
Mehdi Alizadeh
c95be6995a Merge "Adds cacheFlags parameter to cache/uncacheShortcuts() methods" into rvc-dev 2020-05-27 19:23:39 +00:00
JW Wang
ef4cfd9bcf Merge "Clean up the code that deletes snapshots by inode (1/n)" 2020-05-27 02:24:56 +00:00
TreeHugger Robot
4e87878de5 Merge "Camera: Extend FEATURE_CAMERA_CONCURRENT to old API levels" into rvc-dev am: 80a18c0a7b am: 5600e116c1 am: 6a83a9a509 am: eba4a0383f
Change-Id: I8596328eb0d642f395f33b2d2a399cd35c4dc92a
2020-05-27 01:43:29 +00:00
TreeHugger Robot
80a18c0a7b Merge "Camera: Extend FEATURE_CAMERA_CONCURRENT to old API levels" into rvc-dev 2020-05-27 00:45:04 +00:00
TreeHugger Robot
9056ffab54 Merge "Add CarrierAppUtils integration test to PackageManager presubmit." 2020-05-26 23:29:50 +00:00
Automerger Merge Worker
9551c5aac9 Merge "Merge "Address edge cases for signing certificate lineages in sharedUids" into rvc-dev am: 2046776127 am: 3cdc8fbdb2 am: 0a0ef10023" into rvc-qpr-dev-plus-aosp am: 26b5c31032
Change-Id: I99ac9fa3e84e854cccb0a457d7d7f2f20360d4b5
2020-05-26 16:34:13 +00:00
Michael Groover
2046776127 Merge "Address edge cases for signing certificate lineages in sharedUids" into rvc-dev 2020-05-26 16:07:57 +00:00
Mehdi Alizadeh
a3d22cec32 Adds cacheFlags parameter to cache/uncacheShortcuts() methods
Bug: 155135890
Test: atest ShortcutManagerTest1 ShortcutManagerTest11 \
            ConversationInfoTest DataManagerTest \
            NotificationManagerServiceTest
Change-Id: Idda777ba032546bd616ee3079b9c8dc8676dc589
2020-05-26 03:30:55 +00:00
Michael Groover
f1744af7ed Address edge cases for signing certificate lineages in sharedUids
Currently when a package is installed / updated in a sharedUid the
signatures for the sharedUid are not updated unless the new package
adds a new signer to the lineage; in this case the new lineage is
assigned to the sharedUid without consideration for the existing
lineage. This leads to the following problems:

1. If the current sharedUid lineage is A -> B and the new package has
lineage B -> C then this is used for the sharedUid and A is lost from
the lineage.
2. If the new lineage revokes one or more capabilities from a previous
signer in the lineage these updated capabilities are ignored unless the
lineage added a new signer as well.
3. If the new lineage revokes the sharedUid capability from a previous
signing key in the lineage and another app is installed as part of the
sharedUid and signed with that key the new app's installation is allowed
to proceed.
4. If only a single app is installed as part of a sharedUid, and that
app is updated with a rotated key and a lineage that revokes the
previous signing key's sharedUid capability the update is blocked.
5. If an app is installed as part of the sharedUid and has a diverged
signer in the lineage (i.e. sharedUid lineage is Y -> A -> B and new app
lineage is Z -> A -> B -> C) the installation is allowed and Y is lost
from the lineage.

Problems 1 and 2 are addressed with the new SigningDetails
mergeLineageWith method that merges common signers between two lineages
and also updates their capabilities to the most restrictive between
the two lineages (capabilities are anded together). Problem 3 is
addressed by checking the signatures of each of the packages in the
sharedUid for any signed with an ancestor for which the sharedUid
capability may have been revoked. Problem 4 is addressed by checking
if the package being updated is the only one in the sharedUid; if so
the update to the new lineage is allowed to proceed. Problem 5 is
addressed by verifying the new app's lineage is the same, a subset, or
a superset of the other.

Bug: 152046935
Test: atest PkgInstallSignatureVerificationTest
Test: atest SigningDetailsTest
Test: atest PackageManagerTests
Test: atest PackageManagerTest
Change-Id: I420c309f522bb47b65ca40ee848024c85cd5804d
2020-05-22 23:50:52 +00:00
TreeHugger Robot
0bc9fb5814 Merge "Don't truncate an app's own label when forcing safe label." into rvc-dev am: 2f988b5a82 am: a98609c3b9 am: 498366bb1c am: 4a3c82a7a4
Change-Id: I44ca503d57b1d3d1b6faa13702ee7e64c333d501
2020-05-21 20:47:47 +00:00
Julia Reynolds
6304878212 Merge "Update conversation labels" into rvc-dev am: 28c3a34faa am: c9bf62b6fe am: c31eb3260f am: 8f0cbb4498
Change-Id: I4dfacbc5543b0cf096a49eee7f8a1c069ec4daf3
2020-05-21 20:11:16 +00:00
TreeHugger Robot
2f988b5a82 Merge "Don't truncate an app's own label when forcing safe label." into rvc-dev 2020-05-21 19:06:51 +00:00
Winson
badad7b62f Remove InstantAppResolverTests for migration to CTS
See change I79b7c42e8a495c0f4ba4cd42a076ac3b43ee2919

Bug: 155114274
Bug: 155115137
Bug: 155115845
Bug: 155116506
Bug: 155116748
Bug: 155117421

Test: atest CtsInstantAppTests

Change-Id: I09023d098c93758c049169a909c27c230bb3dd9b
2020-05-21 11:50:43 -07:00
Hai Zhang
5177cfa1bd Don't truncate an app's own label when forcing safe label.
Fixes: 152973001
Test: manually confirm default apps title isn't truncated in RU.
Change-Id: Ic54ea66fa4b9117d633b58838465adfb9d2ae7fa
2020-05-20 14:51:00 -07:00
Julia Reynolds
8d34af82ac Update conversation labels
By adding a util method that prefers longlabel and
falls back to shortlabel.

Test: atest
Bug: 157140669
Change-Id: Ib7229b75b7a8ab87274e9aab1c7816129f04e505
2020-05-20 17:03:35 -04:00
TreeHugger Robot
a75467031a Merge "Fix parsing sCachedPackageReadCount" into rvc-dev am: db48450e84 am: 863059a635 am: 2126d201f6 am: 9180d9b395
Change-Id: I839a55d0ecf37e65dc34e4422beb24ddf4859c8d
2020-05-19 19:25:14 +00:00
TreeHugger Robot
db48450e84 Merge "Fix parsing sCachedPackageReadCount" into rvc-dev 2020-05-19 18:57:33 +00:00
Winson
46220780ba Fix parsing sCachedPackageReadCount
This was moved to PackageCacher, but the old and unused counter
was not removed.

Bug: 154310064

Test: manual device reboots and logs cached count >0

Change-Id: I32fdb4b8fccd281fe61c64f231cb0ba154934679
2020-05-19 09:37:36 -07:00
JW Wang
16d49b4003 Clean up the code that deletes snapshots by inode (1/n)
Per b/147806409, the old code to delete snapshots by inode didn't work.
There is no point in storing mCeSnapshotInodes inside
PackageRollbackInfo. Let's remove related code.

TODO: fix ApexManager/Installer APIs that have unused parameter/return
values.

Bug: 154897348
Test: atest RollbackStoreTest RollbackUnitTest AppDataRollbackHelperTest

Change-Id: I66357c22607bfffbe4d9f55fc13c4c657d5f700c
2020-05-19 17:27:37 +08:00
Patrick Baumann
1a2a730d4d Merge "Doc update re use of MATCH_UNINSTALLED flag" into rvc-dev am: ce6252e5a4 am: 756e0cb1b9 am: 317ffa96e0 am: 0564a89529
Change-Id: I5dade459f1d5f43dfe74bfceda7fa1d4e44490c8
2020-05-18 22:33:30 +00:00
Patrick Baumann
ce6252e5a4 Merge "Doc update re use of MATCH_UNINSTALLED flag" into rvc-dev 2020-05-18 21:31:02 +00:00