
Commit 65a5d788 authored by Daniel Cashman's avatar Daniel Cashman Committed by android-build-merger

Merge "Add ROLLBACK past signing cert capability." into pi-dev

am: 0594af6d

Change-Id: I4057024e5a9369f0dc9c5e3ada14d338202fb1c6
parents ec5fab70 0594af6d
+5 −1
@@ -5701,7 +5701,8 @@ public class PackageParser {
                flag = true,
                value = {CertCapabilities.INSTALLED_DATA,
                        CertCapabilities.SHARED_USER_ID,
                        CertCapabilities.PERMISSION })
                        CertCapabilities.PERMISSION,
                        CertCapabilities.ROLLBACK})
        public @interface CertCapabilities {

            /** accept data from already installed pkg with this cert */
@@ -5712,6 +5713,9 @@ public class PackageParser {

            /** grant SIGNATURE permissions to pkgs with this cert */
            int PERMISSION = 4;

            /** allow pkg to update to one signed by this certificate */
            int ROLLBACK = 8;
        }

        /**
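Review bot: The doc comment on the new `ROLLBACK` constant does not say which side of an update holds the capability, and "allow pkg to update to one signed by this certificate" reads like an ordinary forward update. Judging by the call sites elsewhere in this commit, the installed package's signing details are asked whether the incoming package's certificate has the capability, so wording such as `/** accept an update signed by this (older) cert over an installed pkg signed by a newer cert in the lineage */` would be clearer. It is also worth noting there that a past certificate granted ROLLBACK can presumably still sign installable updates after rotation, so its key has to stay protected. The annotation body between the two hunks is only partly visible.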
+8 −2
@@ -8766,7 +8766,10 @@ public class PackageManagerService extends IPackageManager.Stub
                && !pkgSetting.isSystem()) {
            if (!pkg.mSigningDetails.checkCapability(pkgSetting.signatures.mSigningDetails,
                    PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)) {
                    PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)
                            && !pkgSetting.signatures.mSigningDetails.checkCapability(
                                    pkg.mSigningDetails,
                                    PackageParser.SigningDetails.CertCapabilities.ROLLBACK)) {
                logCriticalInfo(Log.WARN,
                        "System package signature mismatch;"
                        + " name: " + pkgSetting.name);
@@ -16228,7 +16231,10 @@ public class PackageManagerService extends IPackageManager.Stub
                // default to original signature matching
                if (!pkg.mSigningDetails.checkCapability(oldPackage.mSigningDetails,
                        PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)) {
                        PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)
                                && !oldPackage.mSigningDetails.checkCapability(
                                        pkg.mSigningDetails,
                                        PackageParser.SigningDetails.CertCapabilities.ROLLBACK)) {
                    res.setError(INSTALL_FAILED_UPDATE_INCOMPATIBLE,
                            "New package has a different signature: " + pkgName);
                    return;
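Review bot: A package that passes only because of the new `ROLLBACK` check is accepted silently in both hunks of this file, although replacing an installed package with one signed by an older certificate is an event a later investigation would want on record. Consider evaluating the two checks into locals and emitting something like `logCriticalInfo(Log.INFO, "Accepting rollback to past signing cert; name: " + pkgName);` when the first fails and the second succeeds. The comment `// default to original signature matching` above the second condition is now stale. The reversed receiver and argument order of the ROLLBACK call also deserves a one-line explanation. Both enclosing methods start and end outside the hunks.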
+14 −3
@@ -576,7 +576,10 @@ public class PackageManagerServiceUtils {
            PackageParser.collectCertificates(disabledPkgSetting.pkg, true /* skipVerify */);
            if (pkgSetting.signatures.mSigningDetails.checkCapability(
                    disabledPkgSetting.signatures.mSigningDetails,
                    PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)) {
                    PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)
                    || disabledPkgSetting.signatures.mSigningDetails.checkCapability(
                            pkgSetting.signatures.mSigningDetails,
                            PackageParser.SigningDetails.CertCapabilities.ROLLBACK)) {
                return true;
            } else {
                logCriticalInfo(Log.ERROR, "Updated system app mismatches cert on /system: " +
@@ -616,7 +619,10 @@ public class PackageManagerServiceUtils {
            // Already existing package. Make sure signatures match
            boolean match = parsedSignatures.checkCapability(
                    pkgSetting.signatures.mSigningDetails,
                    PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA);
                    PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)
                            || pkgSetting.signatures.mSigningDetails.checkCapability(
                                    parsedSignatures,
                                    PackageParser.SigningDetails.CertCapabilities.ROLLBACK);
            if (!match && compareCompat) {
                match = matchSignaturesCompat(packageName, pkgSetting.signatures,
                        parsedSignatures);
@@ -627,7 +633,12 @@ public class PackageManagerServiceUtils {
                        packageName,
                        pkgSetting.signatures.mSigningDetails,
                        parsedSignatures,
                        PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA);
                        PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)
                                || matchSignaturesRecover(
                                        packageName,
                                        parsedSignatures,
                                        pkgSetting.signatures.mSigningDetails,
                                        PackageParser.SigningDetails.CertCapabilities.ROLLBACK);
            }

            if (!match && isApkVerificationForced(disabledPkgSetting)) {
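Review bot: The INSTALLED_DATA-or-ROLLBACK pair is written out by hand in all three hunks here and in both hunks of PackageManagerService, each time with the receiver and argument swapped for the second call, so one call site with the order flipped would accept the wrong certificate and be hard to spot in review. A single private helper that takes the new and the installed signing details would fix the direction in one place and give it a name; the two `checkCapability` sites in this file could call it directly. The third hunk goes through `matchSignaturesRecover`, whose parameter names are not visible here, so the swapped `parsedSignatures` / `pkgSetting.signatures.mSigningDetails` arguments there need at least a comment saying which is treated as the installed side. The enclosing methods start and end outside the hunks.

```java
/** True if newDetails may replace oldDetails: a regular update, or a rollback the installed lineage permits. */
private static boolean canUpdateOrRollBack(
        PackageParser.SigningDetails newDetails, PackageParser.SigningDetails oldDetails) {
    return newDetails.checkCapability(oldDetails,
                    PackageParser.SigningDetails.CertCapabilities.INSTALLED_DATA)
            || oldDetails.checkCapability(newDetails,
                    PackageParser.SigningDetails.CertCapabilities.ROLLBACK);
}

// … unchanged: collectCertificates call on disabledPkgSetting.pkg …
if (canUpdateOrRollBack(pkgSetting.signatures.mSigningDetails,
        disabledPkgSetting.signatures.mSigningDetails)) {
// … unchanged: return true / error logging …

// Already existing package. Make sure signatures match
boolean match = canUpdateOrRollBack(parsedSignatures, pkgSetting.signatures.mSigningDetails);
```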