Commit 2cfe73d6 authored by Todd Kennedy

Remove privilege if a priv_app is removed via OTA

If a priv_app is removed from the system via an OTA, any update
to that application retains its privilege for the entirety of
that boot cycle. Once the device reboots a second time, any
update will lose its privilege.

We want to ensure the application loses its privilege as
soon as the version has been removed from the system image.

NOTE: It's still an open question about whether or not the
application's data should be cleared. It potentially had
access to privileged data, so, we may consider clearing
data in this scenario.

Fixes: 122806918
Test: Manual
Test: Put any application into /system/priv-app
Test: Verify application is PRIVILEGED
Test: Install application using 'adb install'
Test: Verify application is still PRIVILEGED
Test: Remove application from /system/priv-app
Test: Restart shell
Test: Verify application is NOT PRIVILEGED
Test: Repeat above up to removing /system/priv-app
Test: Corrupt APK on /data/app [eg. cat /dev/null > base.apk]
Test: Restart shell
Test: Verify application is no longer on the system
Change-Id: I6e9b2806aa1fbc681b56c55d2eba8495836726ef
parent 43541017
+35 −13
@@ -2837,28 +2837,50 @@ public class PackageManagerService extends IPackageManager.Stub
                // Remove disable package settings for updated system apps that were
                // removed via an OTA. If the update is no longer present, remove the
                // app completely. Otherwise, revoke their system privileges.
                for (String deletedAppName : possiblyDeletedUpdatedSystemApps) {
                    PackageParser.Package deletedPkg = mPackages.get(deletedAppName);
                    mSettings.removeDisabledSystemPackageLPw(deletedAppName);
                for (int i = possiblyDeletedUpdatedSystemApps.size() - 1; i >= 0; --i) {
                    final String packageName = possiblyDeletedUpdatedSystemApps.get(i);
                    final PackageParser.Package pkg = mPackages.get(packageName);
                    final String msg;
                    if (deletedPkg == null) {
                    // remove from the disabled system list; do this first so any future
                    // scans of this package are performed without this state
                    mSettings.removeDisabledSystemPackageLPw(packageName);
                    if (pkg == null) {
                        // should have found an update, but, we didn't; remove everything
                        msg = "Updated system package " + deletedAppName
                        msg = "Updated system package " + packageName
                                + " no longer exists; removing its data";
                        // Actual deletion of code and data will be handled by later
                        // reconciliation step
                    } else {
                        // found an update; revoke system privileges
                        msg = "Updated system package + " + deletedAppName
                                + " no longer exists; revoking system privileges";
                        msg = "Updated system package " + packageName
                                + " no longer exists; rescanning package on data";
                        // NOTE: We don't do anything special if a stub is removed from the
                        // system image. But, if we were [like removing the uncompressed
                        // version from the /data partition], this is where it'd be done.
                        // remove the package from the system and re-scan it without any
                        // special privileges
                        removePackageLI(pkg, true);
                        try {
                            final File codePath = new File(pkg.applicationInfo.getCodePath());
                            scanPackageTracedLI(codePath, 0, scanFlags, 0, null);
                        } catch (PackageManagerException e) {
                            Slog.e(TAG, "Failed to parse updated, ex-system package: "
                                    + e.getMessage());
                        }
                    }
                        // Don't do anything if a stub is removed from the system image. If
                        // we were to remove the uncompressed version from the /data partition,
                        // this is where it'd be done.
                    // one final check. if we still have a package setting [ie. it was
                    // previously scanned and known to the system], but, we don't have
                    // a package [ie. there was an error scanning it from the /data
                    // partition], completely remove the package data.
                    final PackageSetting ps = mSettings.mPackages.get(packageName);
                    if (ps != null && mPackages.get(packageName) == null) {
                        removePackageDataLIF(ps, null, null, 0, false);
                        final PackageSetting deletedPs = mSettings.mPackages.get(deletedAppName);
                        deletedPkg.applicationInfo.flags &= ~ApplicationInfo.FLAG_SYSTEM;
                        deletedPs.pkgFlags &= ~ApplicationInfo.FLAG_SYSTEM;
                    }
                    logCriticalInfo(Log.WARN, msg);
                }
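Review bot: In the final check after the if/else, `removePackageDataLIF(ps, null, null, 0, false)` runs without a log entry of its own, so when the re-scan in the else branch throws, the only critical-log line for the package still reads "... no longer exists; rescanning package on data" even though its data has just been removed. Consider updating `msg` on that path (or emitting a second `logCriticalInfo` there) and including `packageName` in the `Slog.e` call in the catch block, which currently prints only `e.getMessage()`. The same check also fires for the `pkg == null` branch whenever a package setting is still present, which does not match that branch's comment that deletion is handled by a later reconciliation step; the comment should state which path performs the removal. The commit message leaves open whether the data of an ex-privileged app that re-scans successfully should be cleared, and a TODO at the re-scan site would keep that question visible in the code.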