
Commit 724427aa authored by Sumedh Sen's avatar Sumedh Sen

Remove the resolved path of session's APK from user confirmation intent

Intent sent to the user for install confirmation includes the resolved
path of the session's base apk. A malicious app can modify this path, which results in the installer activity showing a different app icon and label in the confirmation dialog.

To fix this, expose a @hide API for getting the resolved path and
permission protect it with a privileged permission.

Since @hide API is used, have PackageInstaller app depend on platform_apis

Bug: 269728874
Bug: 279028637
Test: Adding a @hide API in UDC. No CTS test required for the API. Performed manual test by installing an apk and verifying UI elements of the installation dialog.
Test: Test: atest CtsPackageInstallTestCases:SessionTest (To verify contents of user confirmation intent)

Merged-In: Ibe7fe3ab5e74e3e910d9f7bd5b6f3f2e3c0ca658
Change-Id: Ibe7fe3ab5e74e3e910d9f7bd5b6f3f2e3c0ca658
(cherry picked from commit 7623ac96)
parent 6a2dd9b9
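--- a/[path not on page: PackageInstaller.java]
+++ b/[path not on page: PackageInstaller.java]
@@ -3553,6 +3553,18 @@ public class PackageInstaller {
             return referrerUri;
         }
 
+        /**
+         * @return the path to the validated base APK for this session, which may point at an
+         * APK inside the session (when the session defines the base), or it may
+         * point at the existing base APK (when adding splits to an existing app).
+         *
+         * @hide
+         */
+        @RequiresPermission(Manifest.permission.READ_INSTALLED_SESSION_PATHS)
+        public @Nullable String getResolvedBaseApkPath() {
+            return resolvedBaseCodePath;
+        }
+
         /**
          * Get the value set in {@link SessionParams#setGrantedRuntimePermissions(String[])}.
          *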
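Review bot: `@RequiresPermission` on `getResolvedBaseApkPath()` is a lint annotation and does not gate anything at runtime; the getter just returns the `resolvedBaseCodePath` field, so the permission has to be enforced wherever `SessionInfo` is populated for the caller, which is outside this hunk. The Javadoc should state what a caller without `READ_INSTALLED_SESSION_PATHS` observes, so that consumers such as the installer activity can tell a permission problem from a session with no base APK; for example add `* <p>Returns {@code null} when the caller does not hold {@code READ_INSTALLED_SESSION_PATHS} — confirm against the code that fills in SessionInfo.`, worded to match however the field is actually populated. The enclosing class continues outside the hunk.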
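--- a/[path not on page: framework AndroidManifest.xml]
+++ b/[path not on page: framework AndroidManifest.xml]
@@ -5418,6 +5418,15 @@
     <permission android:name="android.permission.INSTALL_DPC_PACKAGES"
                 android:protectionLevel="signature|role" />
 
+    <!-- Allows an application to read resolved paths to the APKs (Base and any splits)
+         of a session based install.
+         <p>Not for use by third-party applications.
+         @hide
+    -->
+    <permission android:name="android.permission.READ_INSTALLED_SESSION_PATHS"
+                android:protectionLevel="signature|installer" />
+    <uses-permission android:name="android.permission.READ_INSTALLED_SESSION_PATHS" />
+
     <!-- Allows an application to use System Data Loaders.
          <p>Not for use by third-party applications.
          @hide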
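Review bot: The new permission comment says it covers "the APKs (Base and any splits)", but the only accessor this change adds is `getResolvedBaseApkPath()`, so the description currently overstates what holding the permission gives you. Either narrow the wording to the base APK or say that split paths are not exposed yet, e.g. `<!-- Allows an application to read the resolved path of the base APK of a session-based install (split paths are not currently exposed).`. `signature|installer` restricts the grant to platform-signed apps and the installer role holder, which matches the consumer named in the commit message.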
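--- a/[path not on page: Android.bp]
+++ b/[path not on page: Android.bp]
@@ -39,8 +39,7 @@ android_app {
 
     certificate: "platform",
     privileged: true,
-    platform_apis: false,
-    sdk_version: "system_current",
+    platform_apis: true,
     rename_resources_package: false,
     static_libs: [
         "xz-java",
@@ -57,8 +56,7 @@ android_app {
 
     certificate: "platform",
     privileged: true,
-    platform_apis: false,
-    sdk_version: "system_current",
+    platform_apis: true,
     rename_resources_package: false,
     overrides: ["PackageInstaller"],
 
@@ -77,8 +75,7 @@ android_app {
 
     certificate: "platform",
     privileged: true,
-    platform_apis: false,
-    sdk_version: "system_current",
+    platform_apis: true,
     rename_resources_package: false,
     overrides: ["PackageInstaller"],
 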
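Review bot: `platform_apis: true` replaces the `sdk_version: "system_current"` pin in all three `android_app` modules without a comment saying why, and the effect is wider than the one hidden getter: the modules now compile against the full framework rather than the system API surface, so any future accidental use of another @hide API will no longer fail at build time. A one-line comment keeps that reviewable, e.g. `platform_apis: true, // needed for @hide SessionInfo#getResolvedBaseApkPath()`. The same change appears in the hunks starting at old lines 57 and 77 of the file.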
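--- a/[path not on page: PackageInstaller app AndroidManifest.xml]
+++ b/[path not on page: PackageInstaller app AndroidManifest.xml]
@@ -9,6 +9,7 @@
     <uses-permission android:name="android.permission.INSTALL_PACKAGES" />
     <uses-permission android:name="android.permission.DELETE_PACKAGES" />
     <uses-permission android:name="android.permission.READ_INSTALL_SESSIONS" />
+    <uses-permission android:name="android.permission.READ_INSTALLED_SESSION_PATHS" />
     <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
     <uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS" />
     <uses-permission android:name="android.permission.USE_RESERVED_DISK" />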
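--- a/[path not on page: PackageInstallerActivity.java]
+++ b/[path not on page: PackageInstallerActivity.java]
@@ -375,16 +375,15 @@ public class PackageInstallerActivity extends AlertActivity {
             final int sessionId = intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID,
                     -1 /* defaultValue */);
             final SessionInfo info = mInstaller.getSessionInfo(sessionId);
-            final String resolvedBaseCodePath = intent.getStringExtra(
-                    PackageInstaller.EXTRA_RESOLVED_BASE_PATH);
-            if (info == null || !info.isSealed() || resolvedBaseCodePath == null) {
+            String resolvedPath = info.getResolvedBaseApkPath();
+            if (info == null || !info.isSealed() || resolvedPath == null) {
                 Log.w(TAG, "Session " + mSessionId + " in funky state; ignoring");
                 finish();
                 return;
             }
 
             mSessionId = sessionId;
-            packageSource = Uri.fromFile(new File(resolvedBaseCodePath));
+            packageSource = Uri.fromFile(new File(resolvedPath));
             mOriginatingURI = null;
             mReferrerURI = null;
             mPendingUserActionReason = info.getPendingUserActionReason();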
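Review bot: `info.getResolvedBaseApkPath()` on the new line is invoked before the `info == null` test on the line after it, so a session that `getSessionInfo()` does not know now throws a NullPointerException instead of taking the `finish()` path the condition exists for. Move the call behind the null check, e.g. `final String resolvedPath = info == null ? null : info.getResolvedBaseApkPath();`, or split the condition so `info` is validated first. Restoring `final` on the local also keeps it in line with the neighbouring declarations. The enclosing method starts and ends outside the hunk.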