Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4693a75e authored by Mathew Inwood's avatar Mathew Inwood
Browse files

Package whitelist for hiddenapi checks. 

Some packages in the system image are not built against the SDK, so
enforcing hiddenapi checks for these will break them. Add a whitelist
for such packages.

For now, just add the contacts provider to the whitelist. The list will be
further populated later.

Test: Added test app package name to whitelist to verify.

Bug: 73244707
Change-Id: I94746b7f12dd9371d5068bb235eb853f63ee4d97
parent 78cab5a5

core/java/android/content/pm/ApplicationInfo.java

+5 −1
Original line number Diff line number Diff line
@@ -37,6 +37,7 @@ import android.util.SparseArray; 
import android.util.proto.ProtoOutputStream;



import com.android.internal.util.ArrayUtils;

import com.android.server.SystemConfig;



import java.lang.annotation.Retention;

import java.lang.annotation.RetentionPolicy;
@@ -1601,7 +1602,10 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
     * @hide

     */

    public boolean isAllowedToUseHiddenApi() {

        return isSystemApp() || isUpdatedSystemApp();

        boolean whitelisted =

                SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName);

        return isSystemApp() || // TODO get rid of this once the whitelist has been populated

                (whitelisted && (isSystemApp() || isUpdatedSystemApp()));

    }



    /**

core/java/com/android/server/SystemConfig.java

+18 −0
Original line number Diff line number Diff line
@@ -63,6 +63,7 @@ public class SystemConfig { 
    private static final int ALLOW_APP_CONFIGS = 0x08;

    private static final int ALLOW_PRIVAPP_PERMISSIONS = 0x10;

    private static final int ALLOW_OEM_PERMISSIONS = 0x20;

    private static final int ALLOW_HIDDENAPI_WHITELISTING = 0x40;

    private static final int ALLOW_ALL = ~0;



    // Group-ids that are given to all packages as read from etc/permissions/*.xml.
@@ -137,6 +138,9 @@ public class SystemConfig { 
    // These are the permitted backup transport service components

    final ArraySet<ComponentName> mBackupTransportWhitelist = new ArraySet<>();



    // Package names that are exempted from private API blacklisting

    final ArraySet<String> mHiddenApiPackageWhitelist = new ArraySet<>();



    // These are the packages of carrier-associated apps which should be disabled until used until

    // a SIM is inserted which grants carrier privileges to that carrier app.

    final ArrayMap<String, List<String>> mDisabledUntilUsedPreinstalledCarrierAssociatedApps =
@@ -215,6 +219,10 @@ public class SystemConfig { 
        return mSystemUserBlacklistedApps;

    }



    public ArraySet<String> getHiddenApiWhitelistedApps() {

        return mHiddenApiPackageWhitelist;

    }



    public ArraySet<ComponentName> getDefaultVrComponents() {

        return mDefaultVrComponents;

    }
@@ -376,6 +384,7 @@ public class SystemConfig { 
            boolean allowAppConfigs = (permissionFlag & ALLOW_APP_CONFIGS) != 0;

            boolean allowPrivappPermissions = (permissionFlag & ALLOW_PRIVAPP_PERMISSIONS) != 0;

            boolean allowOemPermissions = (permissionFlag & ALLOW_OEM_PERMISSIONS) != 0;

            boolean allowApiWhitelisting = (permissionFlag & ALLOW_HIDDENAPI_WHITELISTING) != 0;

            while (true) {

                XmlUtils.nextElement(parser);

                if (parser.getEventType() == XmlPullParser.END_DOCUMENT) {
@@ -637,6 +646,15 @@ public class SystemConfig { 
                    }

                } else if ("oem-permissions".equals(name) && allowOemPermissions) {

                    readOemPermissions(parser);

                } else if ("hidden-api-whitelisted-app".equals(name) && allowApiWhitelisting) {

                    String pkgname = parser.getAttributeValue(null, "package");

                    if (pkgname == null) {

                        Slog.w(TAG, "<hidden-api-whitelisted-app> without package in " + permFile

                                + " at " + parser.getPositionDescription());

                    } else {

                        mHiddenApiPackageWhitelist.add(pkgname);

                    }

                    XmlUtils.skipCurrentTag(parser);

                } else {

                    XmlUtils.skipCurrentTag(parser);

                    continue;

data/etc/Android.mk

+8 −0
Original line number Diff line number Diff line
@@ -39,3 +39,11 @@ LOCAL_MODULE_CLASS := ETC 
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions

LOCAL_SRC_FILES := $(LOCAL_MODULE)

include $(BUILD_PREBUILT)



########################

include $(CLEAR_VARS)

LOCAL_MODULE := hiddenapi-package-whitelist.xml

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/sysconfig

LOCAL_SRC_FILES := $(LOCAL_MODULE)

include $(BUILD_PREBUILT)

data/etc/hiddenapi-package-whitelist.xml

0 → 100644
+26 −0
Original line number Diff line number Diff line 
<?xml version="1.0" encoding="utf-8"?>

<!--

  ~ Copyright (C) 2018 The Android Open Source Project

  ~

  ~ Licensed under the Apache License, Version 2.0 (the "License");

  ~ you may not use this file except in compliance with the License.

  ~ You may obtain a copy of the License at

  ~

  ~      http://www.apache.org/licenses/LICENSE-2.0

  ~

  ~ Unless required by applicable law or agreed to in writing, software

  ~ distributed under the License is distributed on an "AS IS" BASIS,

  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  ~ See the License for the specific language governing permissions and

  ~ limitations under the License

  -->



<!--

This XML file declares which system apps should be exempted from the hidden API blacklisting, i.e.

which apps should be allowed to access the entire private API.

-->



<config>

  <hidden-api-whitelisted-app package="com.android.providers.contacts" />

</config>