Limit stage install to system and whitelisted packges only (1/2) (792c7962) · Commits · e / os / android_frameworks_base

core/java/com/android/server/SystemConfig.java

+19 −0

Original line number	Diff line number	Diff line
		@@ -229,6 +229,7 @@ public class SystemConfig {
		private ArrayMap<String, Set<String>> mPackageToUserTypeBlacklist = new ArrayMap<>();

		private final ArraySet<String> mRollbackWhitelistedPackages = new ArraySet<>();
		private final ArraySet<String> mWhitelistedStagedInstallers = new ArraySet<>();

		/**
		* Map of system pre-defined, uniquely named actors; keys are namespace,
		@@ -394,6 +395,10 @@ public class SystemConfig {
		return mRollbackWhitelistedPackages;
		}

		public Set<String> getWhitelistedStagedInstallers() {
		return mWhitelistedStagedInstallers;
		}

		public ArraySet<String> getAppDataIsolationWhitelistedApps() {
		return mAppDataIsolationWhitelistedApps;
		}
		@@ -1137,6 +1142,20 @@ public class SystemConfig {
		}
		XmlUtils.skipCurrentTag(parser);
		} break;
		case "whitelisted-staged-installer": {
		if (allowAppConfigs) {
		String pkgname = parser.getAttributeValue(null, "package");
		if (pkgname == null) {
		Slog.w(TAG, "<" + name + "> without package in " + permFile
		+ " at " + parser.getPositionDescription());
		} else {
		mWhitelistedStagedInstallers.add(pkgname);
		}
		} else {
		logNotAllowedInPartition(name, permFile, parser);
		}
		XmlUtils.skipCurrentTag(parser);
		} break;
		default: {
		Slog.w(TAG, "Tag " + name + " is unknown in "
		+ permFile + " at " + parser.getPositionDescription());

services/tests/servicestests/src/com/android/server/systemconfig/SystemConfigTest.java

+45 −2

Original line number	Diff line number	Diff line
		@@ -16,6 +16,8 @@

		package com.android.server.systemconfig;

		import static com.google.common.truth.Truth.assertThat;

		import static org.junit.Assert.assertEquals;

		import android.platform.test.annotations.Presubmit;
		@@ -180,8 +182,48 @@ public class SystemConfigTest {
		assertEquals(packageTwoExpected, packageTwo);
		}

		/**
		* Tests that readPermissions works correctly with {@link SystemConfig#ALLOW_APP_CONFIGS}
		* permission flag for the tag: whitelisted-staged-installer.
		*/
		@Test
		public void readPermissions_allowAppConfigs_parsesStagedInstallerWhitelist()
		throws IOException {
		final String contents =
		"<config>\n"
		+ " <whitelisted-staged-installer package=\"com.android.package1\" />\n"
		+ "</config>";
		final File folder = createTempSubfolder("folder");
		createTempFile(folder, "staged-installer-whitelist.xml", contents);

		mSysConfig.readPermissions(folder, /* Grant all permission flags */ ~0);

		assertThat(mSysConfig.getWhitelistedStagedInstallers())
		.containsExactly("com.android.package1");
		}

		/**
		* Tests that readPermissions works correctly without {@link SystemConfig#ALLOW_APP_CONFIGS}
		* permission flag for the tag: whitelisted-staged-installer.
		*/
		@Test
		public void readPermissions_notAllowAppConfigs_wontParseStagedInstallerWhitelist()
		throws IOException {
		final String contents =
		"<config>\n"
		+ " <whitelisted-staged-installer package=\"com.android.package1\" />\n"
		+ "</config>";
		final File folder = createTempSubfolder("folder");
		createTempFile(folder, "staged-installer-whitelist.xml", contents);

		mSysConfig.readPermissions(folder, /* Grant all but ALLOW_APP_CONFIGS flag */ ~0x08);

		assertThat(mSysConfig.getWhitelistedStagedInstallers()).isEmpty();
		}

		/**
		* Creates folderName/fileName in the mTemporaryFolder and fills it with the contents.
		*
		* @param folderName subdirectory of mTemporaryFolder to put the file, creating if needed
		* @return the folder
		*/
		@@ -194,6 +236,7 @@ public class SystemConfigTest {

		/**
		* Creates folderName/fileName in the mTemporaryFolder and fills it with the contents.
		*
		* @param folder pre-existing subdirectory of mTemporaryFolder to put the file
		* @param fileName name of the file (e.g. filename.xml) to create
		* @param contents contents to write to the file