Loading core/java/android/provider/Settings.java +6 −0 Original line number Diff line number Diff line Loading @@ -11558,6 +11558,12 @@ public final class Settings { @Readable public static final String PACKAGE_VERIFIER_TIMEOUT = "verifier_timeout"; /** Timeout for package verification during streaming installations. * @hide */ @Readable public static final String PACKAGE_STREAMING_VERIFIER_TIMEOUT = "streaming_verifier_timeout"; /** Timeout for app integrity verification. * @hide */ @Readable Loading packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java +1 −0 Original line number Diff line number Diff line Loading @@ -396,6 +396,7 @@ public class SettingsBackupTest { Settings.Global.OTA_DISABLE_AUTOMATIC_UPDATE, Settings.Global.OVERLAY_DISPLAY_DEVICES, Settings.Global.PAC_CHANGE_DELAY, Settings.Global.PACKAGE_STREAMING_VERIFIER_TIMEOUT, Settings.Global.PACKAGE_VERIFIER_DEFAULT_RESPONSE, Settings.Global.PACKAGE_VERIFIER_INCLUDE_ADB, Settings.Global.PACKAGE_VERIFIER_SETTING_VISIBLE, Loading services/core/java/com/android/server/pm/DomainVerificationConnection.java +1 −1 Original line number Diff line number Diff line Loading @@ -76,7 +76,7 @@ public final class DomainVerificationConnection implements DomainVerificationSer @Override public long getPowerSaveTempWhitelistAppDuration() { return VerificationUtils.getVerificationTimeout(mPm.mContext); return VerificationUtils.getDefaultVerificationTimeout(mPm.mContext); } @Override Loading services/core/java/com/android/server/pm/InstallPackageHelper.java +0 −57 Original line number Diff line number Diff line Loading 
@@ -56,7 +56,6 @@ import static com.android.server.pm.PackageManagerService.DEBUG_COMPRESSION; import static com.android.server.pm.PackageManagerService.DEBUG_INSTALL; import static com.android.server.pm.PackageManagerService.DEBUG_PACKAGE_SCANNING; import static com.android.server.pm.PackageManagerService.DEBUG_REMOVE; import static com.android.server.pm.PackageManagerService.DEBUG_VERIFY; import static com.android.server.pm.PackageManagerService.EMPTY_INT_ARRAY; import static com.android.server.pm.PackageManagerService.PLATFORM_PACKAGE_NAME; import static com.android.server.pm.PackageManagerService.POST_INSTALL; Loading Loading @@ -90,7 +89,6 @@ import static com.android.server.pm.PackageManagerServiceUtils.verifySignatures; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.UserIdInt; import android.app.AppOpsManager; import android.app.ApplicationPackageManager; import android.app.backup.IBackupManager; import android.content.ContentResolver; Loading Loading @@ -190,11 +188,6 @@ import java.util.Set; import java.util.concurrent.ExecutorService; final class InstallPackageHelper { /** * Whether verification is enabled by default. */ private static final boolean DEFAULT_VERIFY_ENABLE = true; private final PackageManagerService mPm; private final AppDataHelper mAppDataHelper; private final PackageManagerServiceInjector mInjector; Loading Loading 
@@ -2835,56 +2828,6 @@ final class InstallPackageHelper { } } /** * Check whether or not package verification has been enabled. * * @return true if verification should be performed */ boolean isVerificationEnabled(PackageInfoLite pkgInfoLite, int userId, int installFlags, int installerUid) { if (!DEFAULT_VERIFY_ENABLE) { return false; } // Check if installing from ADB if ((installFlags & PackageManager.INSTALL_FROM_ADB) != 0) { if (mPm.isUserRestricted(userId, UserManager.ENSURE_VERIFY_APPS)) { return true; } // Check if the developer wants to skip verification for ADB installs if ((installFlags & PackageManager.INSTALL_DISABLE_VERIFICATION) != 0) { synchronized (mPm.mLock) { if (mPm.mSettings.getPackageLPr(pkgInfoLite.packageName) == null) { // Always verify fresh install return true; } } // Only skip when apk is debuggable return !pkgInfoLite.debuggable; } return android.provider.Settings.Global.getInt(mPm.mContext.getContentResolver(), android.provider.Settings.Global.PACKAGE_VERIFIER_INCLUDE_ADB, 1) != 0; } // only when not installed from ADB, skip verification for instant apps when // the installer and verifier are the same. if ((installFlags & PackageManager.INSTALL_INSTANT_APP) != 0) { if (mPm.mInstantAppInstallerActivity != null && mPm.mInstantAppInstallerActivity.packageName.equals( mPm.mRequiredVerifierPackage)) { try { mPm.mInjector.getSystemService(AppOpsManager.class) .checkPackage(installerUid, mPm.mRequiredVerifierPackage); if (DEBUG_VERIFY) { Slog.i(TAG, "disable verification for instant app"); } return false; } catch (SecurityException ignore) { } } } return true; } public void sendPendingBroadcasts() { String[] packages; ArrayList<String>[] components; Loading services/core/java/com/android/server/pm/PackageHandler.java +40 −50 Original line number Diff line number Diff line Loading 
@@ -22,7 +22,6 @@ import static com.android.server.pm.PackageManagerService.CHECK_PENDING_INTEGRIT import static com.android.server.pm.PackageManagerService.CHECK_PENDING_VERIFICATION; import static com.android.server.pm.PackageManagerService.DEBUG_INSTALL; import static com.android.server.pm.PackageManagerService.DEFAULT_UNUSED_STATIC_SHARED_LIB_MIN_CACHE_PERIOD; import static com.android.server.pm.PackageManagerService.DEFAULT_VERIFICATION_RESPONSE; import static com.android.server.pm.PackageManagerService.DEFERRED_NO_KILL_INSTALL_OBSERVER; import static com.android.server.pm.PackageManagerService.DEFERRED_NO_KILL_POST_DELETE; import static com.android.server.pm.PackageManagerService.DOMAIN_VERIFICATION; Loading @@ -47,14 +46,12 @@ import android.content.pm.InstantAppRequest; import android.content.pm.PackageManager; import android.content.pm.PackageManagerInternal; import android.net.Uri; import android.os.Binder; import android.os.Handler; import android.os.Looper; import android.os.Message; import android.os.Process; import android.os.Trace; import android.os.UserHandle; import android.os.UserManager; import android.provider.Settings; import android.util.Log; import android.util.Slog; Loading Loading @@ -154,10 +151,20 @@ final class PackageHandler extends Handler { } break; case CHECK_PENDING_VERIFICATION: { final int verificationId = msg.arg1; final boolean streaming = msg.arg2 != 0; final PackageVerificationState state = mPm.mPendingVerification.get(verificationId); if ((state != null) && !state.isVerificationComplete() && !state.timeoutExtended()) { if (state == null || state.isVerificationComplete()) { // Not found or complete. break; } if (!streaming && state.timeoutExtended()) { // Timeout extended. break; } final PackageVerificationResponse response = (PackageVerificationResponse) msg.obj; final VerificationParams params = state.getVerificationParams(); final Uri originUri = Uri.fromFile(params.mOriginInfo.mResolvedFile); Loading 
@@ -165,11 +172,9 @@ final class PackageHandler extends Handler { Slog.i(TAG, errorMsg); final UserHandle user = params.getUser(); if (getDefaultVerificationResponse(user) == PackageManager.VERIFICATION_ALLOW) { if (response.code != PackageManager.VERIFICATION_REJECT) { Slog.i(TAG, "Continuing with installation of " + originUri); state.setVerifierResponse(Binder.getCallingUid(), PackageManager.VERIFICATION_ALLOW_WITHOUT_SUFFICIENT); state.setVerifierResponse(response.callerUid, response.code); VerificationUtils.broadcastPackageVerified(verificationId, originUri, PackageManager.VERIFICATION_ALLOW, null, params.mDataLoaderType, user, mPm.mContext); Loading @@ -179,8 +184,7 @@ final class PackageHandler extends Handler { params.mDataLoaderType, user, mPm.mContext); params.setReturnCode( PackageManager.INSTALL_FAILED_VERIFICATION_FAILURE, errorMsg); state.setVerifierResponse(Binder.getCallingUid(), PackageManager.VERIFICATION_REJECT); state.setVerifierResponse(response.callerUid, response.code); } if (state.areAllVerificationsComplete()) { Loading @@ -191,8 +195,6 @@ final class PackageHandler extends Handler { TRACE_TAG_PACKAGE_MANAGER, "verification", verificationId); params.handleVerificationFinished(); } break; } case CHECK_PENDING_INTEGRITY_VERIFICATION: { Loading Loading @@ -241,9 +243,12 @@ final class PackageHandler extends Handler { + " It may be invalid or overridden by integrity verification"); break; } if (state.isVerificationComplete()) { Slog.w(TAG, "Verification with id " + verificationId + " already complete."); break; } final PackageVerificationResponse response = (PackageVerificationResponse) msg.obj; state.setVerifierResponse(response.callerUid, response.code); if (state.isVerificationComplete()) { Loading Loading 
@@ -396,21 +401,6 @@ final class PackageHandler extends Handler { } } /** * Get the default verification agent response code. * * @return default verification response code */ private int getDefaultVerificationResponse(UserHandle user) { if (mPm.mUserManager.hasUserRestriction(UserManager.ENSURE_VERIFY_APPS, user.getIdentifier())) { return PackageManager.VERIFICATION_REJECT; } return android.provider.Settings.Global.getInt(mPm.mContext.getContentResolver(), android.provider.Settings.Global.PACKAGE_VERIFIER_DEFAULT_RESPONSE, DEFAULT_VERIFICATION_RESPONSE); } /** * Get the default integrity verification response code. */ Loading Loading
core/java/android/provider/Settings.java +6 −0 @@ -11558,6 +11558,12 @@ public final class Settings { @Readable public static final String PACKAGE_VERIFIER_TIMEOUT = "verifier_timeout"; /** Timeout for package verification during streaming installations. * @hide */ @Readable public static final String PACKAGE_STREAMING_VERIFIER_TIMEOUT = "streaming_verifier_timeout"; /** Timeout for app integrity verification. * @hide */ @Readable
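Review bot: The Javadoc on `PACKAGE_STREAMING_VERIFIER_TIMEOUT` gives neither the unit of the value nor what happens to the install when the timeout expires, although the key appears to bound how long a streaming install waits for the package verifier. I would extend the comment to something like `Timeout, in <unit>, for package verification during streaming installations; when it expires the install is <allowed|rejected>.`, filling both placeholders from the code that reads the setting, which is not part of this section. Since this is a global setting, the comment should also say whether the reader clamps out-of-range values.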
packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java +1 −0 @@ -396,6 +396,7 @@ public class SettingsBackupTest { Settings.Global.OTA_DISABLE_AUTOMATIC_UPDATE, Settings.Global.OVERLAY_DISPLAY_DEVICES, Settings.Global.PAC_CHANGE_DELAY, Settings.Global.PACKAGE_STREAMING_VERIFIER_TIMEOUT, Settings.Global.PACKAGE_VERIFIER_DEFAULT_RESPONSE, Settings.Global.PACKAGE_VERIFIER_INCLUDE_ADB, Settings.Global.PACKAGE_VERIFIER_SETTING_VISIBLE,
services/core/java/com/android/server/pm/DomainVerificationConnection.java +1 −1 @@ -76,7 +76,7 @@ public final class DomainVerificationConnection implements DomainVerificationSer @Override public long getPowerSaveTempWhitelistAppDuration() { return VerificationUtils.getVerificationTimeout(mPm.mContext); return VerificationUtils.getDefaultVerificationTimeout(mPm.mContext); } @Override
services/core/java/com/android/server/pm/InstallPackageHelper.java +0 −57 Original line number Diff line number Diff line Loading @@ -56,7 +56,6 @@ import static com.android.server.pm.PackageManagerService.DEBUG_COMPRESSION; import static com.android.server.pm.PackageManagerService.DEBUG_INSTALL; import static com.android.server.pm.PackageManagerService.DEBUG_PACKAGE_SCANNING; import static com.android.server.pm.PackageManagerService.DEBUG_REMOVE; import static com.android.server.pm.PackageManagerService.DEBUG_VERIFY; import static com.android.server.pm.PackageManagerService.EMPTY_INT_ARRAY; import static com.android.server.pm.PackageManagerService.PLATFORM_PACKAGE_NAME; import static com.android.server.pm.PackageManagerService.POST_INSTALL; Loading Loading @@ -90,7 +89,6 @@ import static com.android.server.pm.PackageManagerServiceUtils.verifySignatures; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.UserIdInt; import android.app.AppOpsManager; import android.app.ApplicationPackageManager; import android.app.backup.IBackupManager; import android.content.ContentResolver; Loading Loading @@ -190,11 +188,6 @@ import java.util.Set; import java.util.concurrent.ExecutorService; final class InstallPackageHelper { /** * Whether verification is enabled by default. */ private static final boolean DEFAULT_VERIFY_ENABLE = true; private final PackageManagerService mPm; private final AppDataHelper mAppDataHelper; private final PackageManagerServiceInjector mInjector; Loading Loading 
@@ -2835,56 +2828,6 @@ final class InstallPackageHelper { } } /** * Check whether or not package verification has been enabled. * * @return true if verification should be performed */ boolean isVerificationEnabled(PackageInfoLite pkgInfoLite, int userId, int installFlags, int installerUid) { if (!DEFAULT_VERIFY_ENABLE) { return false; } // Check if installing from ADB if ((installFlags & PackageManager.INSTALL_FROM_ADB) != 0) { if (mPm.isUserRestricted(userId, UserManager.ENSURE_VERIFY_APPS)) { return true; } // Check if the developer wants to skip verification for ADB installs if ((installFlags & PackageManager.INSTALL_DISABLE_VERIFICATION) != 0) { synchronized (mPm.mLock) { if (mPm.mSettings.getPackageLPr(pkgInfoLite.packageName) == null) { // Always verify fresh install return true; } } // Only skip when apk is debuggable return !pkgInfoLite.debuggable; } return android.provider.Settings.Global.getInt(mPm.mContext.getContentResolver(), android.provider.Settings.Global.PACKAGE_VERIFIER_INCLUDE_ADB, 1) != 0; } // only when not installed from ADB, skip verification for instant apps when // the installer and verifier are the same. if ((installFlags & PackageManager.INSTALL_INSTANT_APP) != 0) { if (mPm.mInstantAppInstallerActivity != null && mPm.mInstantAppInstallerActivity.packageName.equals( mPm.mRequiredVerifierPackage)) { try { mPm.mInjector.getSystemService(AppOpsManager.class) .checkPackage(installerUid, mPm.mRequiredVerifierPackage); if (DEBUG_VERIFY) { Slog.i(TAG, "disable verification for instant app"); } return false; } catch (SecurityException ignore) { } } } return true; } public void sendPendingBroadcasts() { String[] packages; ArrayList<String>[] components; Loading
services/core/java/com/android/server/pm/PackageHandler.java +40 −50 Original line number Diff line number Diff line Loading @@ -22,7 +22,6 @@ import static com.android.server.pm.PackageManagerService.CHECK_PENDING_INTEGRIT import static com.android.server.pm.PackageManagerService.CHECK_PENDING_VERIFICATION; import static com.android.server.pm.PackageManagerService.DEBUG_INSTALL; import static com.android.server.pm.PackageManagerService.DEFAULT_UNUSED_STATIC_SHARED_LIB_MIN_CACHE_PERIOD; import static com.android.server.pm.PackageManagerService.DEFAULT_VERIFICATION_RESPONSE; import static com.android.server.pm.PackageManagerService.DEFERRED_NO_KILL_INSTALL_OBSERVER; import static com.android.server.pm.PackageManagerService.DEFERRED_NO_KILL_POST_DELETE; import static com.android.server.pm.PackageManagerService.DOMAIN_VERIFICATION; Loading @@ -47,14 +46,12 @@ import android.content.pm.InstantAppRequest; import android.content.pm.PackageManager; import android.content.pm.PackageManagerInternal; import android.net.Uri; import android.os.Binder; import android.os.Handler; import android.os.Looper; import android.os.Message; import android.os.Process; import android.os.Trace; import android.os.UserHandle; import android.os.UserManager; import android.provider.Settings; import android.util.Log; import android.util.Slog; Loading Loading 
@@ -154,10 +151,20 @@ final class PackageHandler extends Handler { } break; case CHECK_PENDING_VERIFICATION: { final int verificationId = msg.arg1; final boolean streaming = msg.arg2 != 0; final PackageVerificationState state = mPm.mPendingVerification.get(verificationId); if ((state != null) && !state.isVerificationComplete() && !state.timeoutExtended()) { if (state == null || state.isVerificationComplete()) { // Not found or complete. break; } if (!streaming && state.timeoutExtended()) { // Timeout extended. break; } final PackageVerificationResponse response = (PackageVerificationResponse) msg.obj; final VerificationParams params = state.getVerificationParams(); final Uri originUri = Uri.fromFile(params.mOriginInfo.mResolvedFile); Loading @@ -165,11 +172,9 @@ final class PackageHandler extends Handler { Slog.i(TAG, errorMsg); final UserHandle user = params.getUser(); if (getDefaultVerificationResponse(user) == PackageManager.VERIFICATION_ALLOW) { if (response.code != PackageManager.VERIFICATION_REJECT) { Slog.i(TAG, "Continuing with installation of " + originUri); state.setVerifierResponse(Binder.getCallingUid(), PackageManager.VERIFICATION_ALLOW_WITHOUT_SUFFICIENT); state.setVerifierResponse(response.callerUid, response.code); VerificationUtils.broadcastPackageVerified(verificationId, originUri, PackageManager.VERIFICATION_ALLOW, null, params.mDataLoaderType, user, mPm.mContext); Loading @@ -179,8 +184,7 @@ final class PackageHandler extends Handler { params.mDataLoaderType, user, mPm.mContext); params.setReturnCode( PackageManager.INSTALL_FAILED_VERIFICATION_FAILURE, errorMsg); state.setVerifierResponse(Binder.getCallingUid(), PackageManager.VERIFICATION_REJECT); state.setVerifierResponse(response.callerUid, response.code); } if (state.areAllVerificationsComplete()) { Loading 
@@ -191,8 +195,6 @@ final class PackageHandler extends Handler { TRACE_TAG_PACKAGE_MANAGER, "verification", verificationId); params.handleVerificationFinished(); } break; } case CHECK_PENDING_INTEGRITY_VERIFICATION: { Loading Loading @@ -241,9 +243,12 @@ final class PackageHandler extends Handler { + " It may be invalid or overridden by integrity verification"); break; } if (state.isVerificationComplete()) { Slog.w(TAG, "Verification with id " + verificationId + " already complete."); break; } final PackageVerificationResponse response = (PackageVerificationResponse) msg.obj; state.setVerifierResponse(response.callerUid, response.code); if (state.isVerificationComplete()) { Loading Loading @@ -396,21 +401,6 @@ final class PackageHandler extends Handler { } } /** * Get the default verification agent response code. * * @return default verification response code */ private int getDefaultVerificationResponse(UserHandle user) { if (mPm.mUserManager.hasUserRestriction(UserManager.ENSURE_VERIFY_APPS, user.getIdentifier())) { return PackageManager.VERIFICATION_REJECT; } return android.provider.Settings.Global.getInt(mPm.mContext.getContentResolver(), android.provider.Settings.Global.PACKAGE_VERIFIER_DEFAULT_RESPONSE, DEFAULT_VERIFICATION_RESPONSE); } /** * Get the default integrity verification response code. */ Loading
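Review bot: In the `CHECK_PENDING_VERIFICATION` case the timeout branch now continues the install for every `response.code` other than `VERIFICATION_REJECT`, so an unexpected or unset code fails open, whereas the old test allowed only when the default response was exactly `VERIFICATION_ALLOW`. I would name the accepted codes instead, `if (response.code == PackageManager.VERIFICATION_ALLOW || response.code == PackageManager.VERIFICATION_ALLOW_WITHOUT_SUFFICIENT) {`, and let everything else take the reject path. The `ENSURE_VERIFY_APPS` restriction check that lived in the removed `getDefaultVerificationResponse` is no longer evaluated in this handler, so whatever posts the message has to apply it when it builds the `PackageVerificationResponse`; that sender is outside this section and should be confirmed. `msg.obj` is also cast and dereferenced without a null check, which would throw on the handler thread if any caller still posts this message without a response object.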