
Commit 6cade96a authored by Jeffrey Vander Stoep's avatar Jeffrey Vander Stoep Committed by Android (Google) Code Review

Merge "Revert "pm: Apps with shared UID must also share selinux domain""

parents 4cc91d06 244ef2b0
+3 −14
@@ -9988,7 +9988,8 @@ Slog.e("TODD",
                // priv-apps.
                synchronized (mPackages) {
                    PackageSetting platformPkgSetting = mSettings.mPackages.get("android");
                    if ((compareSignatures(platformPkgSetting.signatures.mSigningDetails.signatures,
                    if (!pkg.packageName.equals("android")
                            && (compareSignatures(platformPkgSetting.signatures.mSigningDetails.signatures,
                                pkg.mSigningDetails.signatures) != PackageManager.SIGNATURE_MATCH)) {
                        scanFlags |= SCAN_AS_PRIVILEGED;
                    }
@@ -10439,19 +10440,7 @@ Slog.e("TODD",
            pkg.applicationInfo.flags |= ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
        }
        // SELinux sandboxes become more restrictive as targetSdkVersion increases.
        // To ensure that apps with sharedUserId are placed in the same selinux domain
        // without breaking any assumptions about access, put them into the least
        // restrictive targetSdkVersion=25 domain.
        // TODO(b/72290969): Base this on the actual targetSdkVersion(s) of the apps within the
        // sharedUserSetting, instead of defaulting to the least restrictive domain.
        final int targetSdk = (sharedUserSetting != null) ? 25
                : pkg.applicationInfo.targetSdkVersion;
        // TODO(b/71593002): isPrivileged for sharedUser and appInfo should never be out of sync.
        // They currently can be if the sharedUser apps are signed with the platform key.
        final boolean isPrivileged = (sharedUserSetting != null) ? sharedUserSetting.isPrivileged()
                : pkg.applicationInfo.isPrivilegedApp();
        SELinuxMMAC.assignSeInfoValue(pkg, isPrivileged, targetSdk);
        SELinuxMMAC.assignSeInfoValue(pkg);
        pkg.mExtras = pkgSetting;
        pkg.applicationInfo.processName = fixProcessName(
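Review bot: With the revert, the call `SELinuxMMAC.assignSeInfoValue(pkg);` labels every package from its own flags, and the comments that explained why shared-UID packages needed a common label are removed with it, so nothing in the code marks the known gap any more. Per the removed comment, sandboxes become more restrictive as targetSdkVersion rises, so two packages in one sharedUserSetting with different targetSdkVersion or privileged state will now get different seInfo strings, and presumably different SELinux domains under the same UID. I would keep a marker above the call, for example `// TODO(b/72290969): packages sharing a UID may receive different seInfo here; label from the sharedUserSetting.` The privileged-flag mismatch tracked in b/71593002 deserves the same marker, since the `isPrivilegedApp()` read in SELinuxMMAC now depends on it. The enclosing method starts and ends outside this hunk.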
+3 −5
@@ -315,8 +315,7 @@ public final class SELinuxMMAC {
     *
     * @param pkg object representing the package to be labeled.
     */
    public static void assignSeInfoValue(PackageParser.Package pkg, boolean isPrivileged,
            int targetSdkVersion) {
    public static void assignSeInfoValue(PackageParser.Package pkg) {
        synchronized (sPolicies) {
            if (!sPolicyRead) {
                if (DEBUG_POLICY) {
@@ -336,11 +335,10 @@ public final class SELinuxMMAC {
        if (pkg.applicationInfo.targetSandboxVersion == 2)
            pkg.applicationInfo.seInfo += SANDBOX_V2_STR;

        if (isPrivileged) {
        if (pkg.applicationInfo.isPrivilegedApp())
            pkg.applicationInfo.seInfo += PRIVILEGED_APP_STR;
        }

        pkg.applicationInfo.seInfo += TARGETSDKVERSION_STR + targetSdkVersion;
        pkg.applicationInfo.seInfo += TARGETSDKVERSION_STR + pkg.applicationInfo.targetSdkVersion;

        if (DEBUG_POLICY_INSTALL) {
            Slog.i(TAG, "package (" + pkg.packageName + ") labeled with " +
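Review bot: The Javadoc for `assignSeInfoValue` says only that `pkg` is the package to be labeled, but after this change both the privileged suffix and the targetSdkVersion suffix are read from `pkg.applicationInfo`, so the label is only correct if those fields are final when the method is called. I would state that precondition, e.g. `@param pkg object representing the package to be labeled; its applicationInfo privileged flag and targetSdkVersion must already be final.` As a style point, the restored `if (pkg.applicationInfo.isPrivilegedApp())` drops the braces the replaced line had; keeping them around the single `+=` stops a later edit from silently falling outside the condition. The method body starts before and continues past the visible hunks.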