When ro.apk_verity.mode is on, full apk verification is only skipped if
the apk already has verity enabled in the file system, and if the apk
contains the Merkle tree root hash we need.
Since the configuration in the file system is duplicated from the apk
(including the offset and size of Signing Block and the Merkle tree),
in order to prevent offline attacker from changing it, we need to
measure the observed configuration and make sure it matches the kernel's
view.
Test: observed package manager's requeset to installd (only) for updated
priv apps.
Bug: 30972906
Change-Id: I33531a3f6148232b777ea8bfd02f13700649e317
This change also contains a workaround that ByteBuffer#put(byte)
sometimes does not work at all. See comments.
Test: saw correct debugging output of struct in dmesg.
Bug: 30972906
Bug: 72459251
Change-Id: I54553a8f20b8ef01c81c648f9aa588d28ab5eea5
Allows a uid that uploads a statsd config to additionally
register a BroadcastSubscriber with statsd. If statsd
detects an anomaly (according to the config's Alert),
statsd can inform a BroadcastSubscriber provided in the config.
The config uses a subscriberId (just an int) to identify the
BroadcastSubscriber. It then uses StatsManager.setBroadcastSubscriber
to associate that subscriberId with a given PendingIntent.
Then, when the anomaly is detected, statsd sends a broadcast
using that PendingIntent, alerting whoever was specified by
the config/setBroadcastSubscriber.
Bug: 70356901
Test: cts-tradefed run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.alert.BroadcastSubscriberTests
Change-Id: I4d9ea9a6c8a85e61fadfd99c1513c55abbadd5e9
Since http://r.android.com/565744 , these classes do not appear
in the signature of any other Android API. There are no plans to
make them part of any future API signatures.
They do not provide useful abstractions because:
- They lack encapsulation and functionality (value is nonfinal;
lack of equals/hashCode and toString).
- It's trivial for apps to implement similar types for their
internal use.
Only three of these eight classes (Mutable{Int,Long,Boolean}) are
used internally in Android; most of these usages could be written
better with named, more specific classes.
Therefore these classes do not pull their own weight on the API
surface of android.util.
This CL deprecates all eight classes in preparation for removing
them from the Android API surface at some point in the future, and
to allow the unused classes to be removed entirely.
Bug: 71546998
Test: Treehugger
Change-Id: I1cc1eb5ca9c36749bbb9a233d60036f6319bf2d3
This also adds a feature flag to read to see if the feature is enabled
on a given device.
Bug: 66679618
Test: Used in Settings Robotest
Change-Id: Idb892aa78f244d026a8d4b7dc104d47e0f611085
With the addition of APK Signature Scheme v3, the platform now can
support key rotation by using the proof-of-rotation provided by the
new scheme. Create a new API which allows checking of the entire
provided history of an APK's signing certificates, not just the
current signer. This should allow for changes of APK signing
certificates without fear of losing access to resources that would
have been provided under the old signing certificate.
Change getPackageInfo(GET_SIGNATURES) to return the oldest signing
certificate in the chain so that apps which do programmatic checks,
but are not updated to use the new API, still get the same information
they would have gotten had there been no rotation.
Bug: 64686581
Test: Builds, boots.
Change-Id: I8982fd4cce60f5d85a6180d157a6e2a661b1a6d7
APK Signature Scheme v3 enables APK signing key rotation by allowing
an APK to embed a proof-of-rotation structure linking past signing
certificates to the current one. This information needs to be exposed
to the system before it can be used to make authorization decisions.
Bug: 64686581
Test: Builds and boots.
Change-Id: I49961f92fcec141d73b36197147d5d8fa64c149e
Changes the default value of the settings_zone_picker_v2 to true to
allow more wide spread testing of the new zone picker.
Bug: 62255208
Test: manual
Change-Id: I6755a527ffa38835c126e4598be37b1d7035d0df
We changed the API to use long-based config keys instead of strings,
but we have some code that depends on the old API. Let's add them
back temporarily. The old API (that does nothing now) will be
deleted next month.
Test: N/A. Just to prevent build failures.
Bug: 69522276
Change-Id: Ibc51622371d4f3ced3e9b2f66a862dea1ac1c63c
This code was previously used by telephony
but was removed by frameworks/opt/telephony
commit a0f09cee0f6328ea104b9ef965a387b4a4652e8a
Bug: 63743683
Test: make droid
Change-Id: I83deffc2aadc098e1c976bf164a752e19b96c77a
This change makes APK signature verifier accept the 4k-based signature
algorithms.
Test: build, install apk with such algorithm by apksig
Bug: 30972906
Change-Id: I90f32a6779f258605668e44f0d66f53e6890cfa7
This change replaces fields from Package that relate to signing
with a single SigningDetails container. It does the same with
InstallArgs and InstallParams. This simplifies much of the code
that would have otherwise relied on synchronizing many fields and
will enable PackageManagerService to make install-time descisions
based on package data instead of forcing it to be part of package
parsing.
This is a retake of ag/3382280
Test: android.appsecurity.cts.PkgInstallSignatureVerificationTest passes.
Test: atest google/perf/boottime/boottime-test to ensure no startup regression.
Bug: 68860689
Change-Id: I0df45ce537df5552a7e60e4d727a4dcef23c2252
Mirrors the design of TimeUnit and ChronoUnit which many developers
are already familiar with, making it easy to pick up and use.
Yes, this is an enum.
Bug: 70915728
Test: bit FrameworksCoreTests:android.util.DataUnitTest
Change-Id: Id0cfdac5c81ed89c3c9ece23c964acba4a4f8471
This change replaces fields from Package that relate to signing
with a single SigningDetails container. It does the same with
InstallArgs and InstallParams. This simplifies much of the code
that would have otherwise relied on synchronizing many fields and
will enable PackageManagerService to make install-time descisions
based on package data instead of forcing it to be part of package
parsing.
Test: android.appsecurity.cts.PkgInstallSignatureVerificationTest passes.
Bug: 68860689
Change-Id: I53bc8c6908b61a54004d1b1d45637be9710ae72f
For JobScheduler, DeviceIdle and AppStandby constants, allow
using a more compact format than milliseconds,
which are a PITA to calculate.
So instead of 18640000000... whatever, you can
use PT2H (for 2 hours), or P2D (for 2 days), etc.
Uses Duration.parse() to do the parsing. See Duration
for format.
Test: adb shell settings put global app_standby_constants
screen_thresholds=0/PT2H/PT12H/P2D
Fixes: 71554131
Change-Id: I5141854ec7df6de266725a67f1f3e2a6e0b4c1c1
