Only autoVerify at install for new hosts (8640d0c7) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/pm/PackageManagerService.java

+84 −35

Original line number	Original line	Diff line number	Diff line
	@@ -1142,13 +1142,6 @@ public class PackageManagerService extends IPackageManager.Stub
	int updatedStatus = INTENT_FILTER_DOMAIN_VERIFICATION_STATUS_UNDEFINED;		int updatedStatus = INTENT_FILTER_DOMAIN_VERIFICATION_STATUS_UNDEFINED;
	boolean needUpdate = false;		boolean needUpdate = false;

	if (DEBUG_DOMAIN_VERIFICATION) {
	Slog.d(TAG,
	"Updating IntentFilterVerificationInfo for package " + packageName
	+ " verificationId:" + verificationId
	+ " verified=" + verified);
	}

	// In a success case, we promote from undefined or ASK to ALWAYS. This		// In a success case, we promote from undefined or ASK to ALWAYS. This
	// supports a flow where the app fails validation but then ships an updated		// supports a flow where the app fails validation but then ships an updated
	// APK that passes, and therefore deserves to be in ALWAYS.		// APK that passes, and therefore deserves to be in ALWAYS.
	@@ -18121,72 +18114,126 @@ public class PackageManagerService extends IPackageManager.Stub

	int count = 0;		int count = 0;
	final String packageName = pkg.packageName;		final String packageName = pkg.packageName;
			boolean handlesWebUris = false;
			ArraySet<String> domains = new ArraySet<>();
			final boolean previouslyVerified;
			boolean hostSetExpanded = false;
			boolean needToRunVerify = false;
	synchronized (mPackages) {		synchronized (mPackages) {
	// If this is a new install and we see that we've already run verification for this		// If this is a new install and we see that we've already run verification for this
	// package, we have nothing to do: it means the state was restored from backup.		// package, we have nothing to do: it means the state was restored from backup.
	if (!replacing) {
	IntentFilterVerificationInfo ivi =		IntentFilterVerificationInfo ivi =
	mSettings.getIntentFilterVerificationLPr(packageName);		mSettings.getIntentFilterVerificationLPr(packageName);
	if (ivi != null) {		previouslyVerified = (ivi != null);
			if (!replacing && previouslyVerified) {
	if (DEBUG_DOMAIN_VERIFICATION) {		if (DEBUG_DOMAIN_VERIFICATION) {
	Slog.i(TAG, "Package " + packageName + " already verified: status="		Slog.i(TAG, "Package " + packageName + " already verified: status="
	+ ivi.getStatusString());		+ ivi.getStatusString());
	}		}
	return;		return;
	}		}

			if (DEBUG_DOMAIN_VERIFICATION) {
			Slog.i(TAG, " Previous verified hosts: "
			+ (ivi == null ? "[none]" : ivi.getDomainsString()));
	}		}

	// If any filters need to be verified, then all need to be.		// If any filters need to be verified, then all need to be. In addition, we need to
	boolean needToVerify = false;		// know whether an updating app has any web navigation intent filters, to re-
			// examine handling policy even if not re-verifying.
			final boolean needsVerification = needsNetworkVerificationLPr(packageName);
	for (PackageParser.Activity a : pkg.activities) {		for (PackageParser.Activity a : pkg.activities) {
	for (ActivityIntentInfo filter : a.intents) {		for (ActivityIntentInfo filter : a.intents) {
	if (filter.needsVerification() && needsNetworkVerificationLPr(filter)) {		if (filter.handlesWebUris(true)) {
			handlesWebUris = true;
			}
			if (needsVerification && filter.needsVerification()) {
	if (DEBUG_DOMAIN_VERIFICATION) {		if (DEBUG_DOMAIN_VERIFICATION) {
	Slog.d(TAG,		Slog.d(TAG, "autoVerify requested, processing all filters");
	"Intent filter needs verification, so processing all filters");
	}		}
	needToVerify = true;		needToRunVerify = true;
			// It's safe to break out here because filter.needsVerification()
			// can only be true if filter.handlesWebUris(true) returned true, so
			// we've already noted that.
	break;		break;
	}		}
	}		}
	}		}

	if (needToVerify) {		// Compare the new set of recognized hosts if the app is either requesting
			// autoVerify or has previously used autoVerify but no longer does.
			if (needToRunVerify \|\| previouslyVerified) {
	final int verificationId = mIntentFilterVerificationToken++;		final int verificationId = mIntentFilterVerificationToken++;
	for (PackageParser.Activity a : pkg.activities) {		for (PackageParser.Activity a : pkg.activities) {
	for (ActivityIntentInfo filter : a.intents) {		for (ActivityIntentInfo filter : a.intents) {
	// Run verification against hosts mentioned in any web-nav intent filter,		// Run verification against hosts mentioned in any web-nav intent filter,
	// even if the filter matches non-web schemes as well		// even if the filter matches non-web schemes as well
	if (filter.handlesWebUris(false) && needsNetworkVerificationLPr(filter)) {		if (filter.handlesWebUris(false /onlyWebSchemes/)) {
	if (DEBUG_DOMAIN_VERIFICATION) Slog.d(TAG,		if (DEBUG_DOMAIN_VERIFICATION) Slog.d(TAG,
	"Verification needed for IntentFilter:" + filter.toString());		"Verification needed for IntentFilter:" + filter.toString());
	mIntentFilterVerifier.addOneIntentFilterVerification(		mIntentFilterVerifier.addOneIntentFilterVerification(
	verifierUid, userId, verificationId, filter, packageName);		verifierUid, userId, verificationId, filter, packageName);
			domains.addAll(filter.getHostsList());
	count++;		count++;
	}		}
	}		}
	}		}
	}		}

			if (DEBUG_DOMAIN_VERIFICATION) {
			Slog.i(TAG, " Update published hosts: " + domains.toString());
			}

			// If we've previously verified this same host set (or a subset), we can trust that
			// a current ALWAYS policy is still applicable. If this is the case, we're done.
			// (If we aren't in ALWAYS, we want to reverify to allow for apps that had failing
			// hosts in their intent filters, then pushed a new apk that removed them and now
			// passes.)
			//
			// Cases:
			// + still autoVerify (needToRunVerify):
			// - preserve current state if all of: unexpanded, in always
			// - otherwise rerun as usual (fall through)
			// + no longer autoVerify (alreadyVerified && !needToRunVerify)
			// - wipe verification history always
			// - preserve current state if all of: unexpanded, in always
			hostSetExpanded = !previouslyVerified
			\|\| (ivi != null && !ivi.getDomains().containsAll(domains));
			final int currentPolicy =
			mSettings.getIntentFilterVerificationStatusLPr(packageName, userId);
			final boolean keepCurState = !hostSetExpanded
			&& currentPolicy == INTENT_FILTER_DOMAIN_VERIFICATION_STATUS_ALWAYS;

			if (needToRunVerify && keepCurState) {
			if (DEBUG_DOMAIN_VERIFICATION) {
			Slog.i(TAG, "Host set not expanding + ALWAYS -> no need to reverify");
			}
			ivi.setDomains(domains);
			scheduleWriteSettingsLocked();
			return;
			} else if (previouslyVerified && !needToRunVerify) {
			// Prior autoVerify state but not requesting it now. Clear autoVerify history,
			// and preserve the always policy iff the host set is not expanding.
			clearIntentFilterVerificationsLPw(packageName, userId, !keepCurState);
			return;
			}
	}		}

	if (count > 0) {		if (needToRunVerify && count > 0) {
			// app requested autoVerify and has at least one matching intent filter
	if (DEBUG_DOMAIN_VERIFICATION) Slog.d(TAG, "Starting " + count		if (DEBUG_DOMAIN_VERIFICATION) Slog.d(TAG, "Starting " + count
	+ " IntentFilter verification" + (count > 1 ? "s" : "")		+ " IntentFilter verification" + (count > 1 ? "s" : "")
	+ " for userId:" + userId);		+ " for userId:" + userId);
	mIntentFilterVerifier.startVerifications(userId);		mIntentFilterVerifier.startVerifications(userId);
	} else {		} else {
	if (DEBUG_DOMAIN_VERIFICATION) {		if (DEBUG_DOMAIN_VERIFICATION) {
	Slog.d(TAG, "No filters or not all autoVerify for " + packageName);		Slog.d(TAG, "No web filters or no new host policy for " + packageName);
	}		}
	}		}
	}		}

	@GuardedBy("mPackages")		@GuardedBy("mPackages")
	private boolean needsNetworkVerificationLPr(ActivityIntentInfo filter) {		private boolean needsNetworkVerificationLPr(String packageName) {
	final ComponentName cn = filter.activity.getComponentName();
	final String packageName = cn.getPackageName();

	IntentFilterVerificationInfo ivi = mSettings.getIntentFilterVerificationLPr(		IntentFilterVerificationInfo ivi = mSettings.getIntentFilterVerificationLPr(
	packageName);		packageName);
	if (ivi == null) {		if (ivi == null) {
	@@ -18932,7 +18979,7 @@ public class PackageManagerService extends IPackageManager.Stub
	if ((flags & PackageManager.DELETE_KEEP_DATA) == 0) {		if ((flags & PackageManager.DELETE_KEEP_DATA) == 0) {
	final SparseBooleanArray changedUsers = new SparseBooleanArray();		final SparseBooleanArray changedUsers = new SparseBooleanArray();
	synchronized (mPackages) {		synchronized (mPackages) {
	clearIntentFilterVerificationsLPw(deletedPs.name, UserHandle.USER_ALL);		clearIntentFilterVerificationsLPw(deletedPs.name, UserHandle.USER_ALL, true);
	clearDefaultBrowserIfNeeded(packageName);		clearDefaultBrowserIfNeeded(packageName);
	mSettings.mKeySetManagerService.removeAppKeySetDataLPw(packageName);		mSettings.mKeySetManagerService.removeAppKeySetDataLPw(packageName);
	removedAppId = mSettings.removePackageLPw(packageName);		removedAppId = mSettings.removePackageLPw(packageName);
	@@ -20437,13 +20484,14 @@ public class PackageManagerService extends IPackageManager.Stub
	final int packageCount = mPackages.size();		final int packageCount = mPackages.size();
	for (int i = 0; i < packageCount; i++) {		for (int i = 0; i < packageCount; i++) {
	PackageParser.Package pkg = mPackages.valueAt(i);		PackageParser.Package pkg = mPackages.valueAt(i);
	clearIntentFilterVerificationsLPw(pkg.packageName, userId);		clearIntentFilterVerificationsLPw(pkg.packageName, userId, true);
	}		}
	}		}

	/** This method takes a specific user id as well as UserHandle.USER_ALL. */		/** This method takes a specific user id as well as UserHandle.USER_ALL. */
	@GuardedBy("mPackages")		@GuardedBy("mPackages")
	void clearIntentFilterVerificationsLPw(String packageName, int userId) {		void clearIntentFilterVerificationsLPw(String packageName, int userId,
			boolean alsoResetStatus) {
	if (userId == UserHandle.USER_ALL) {		if (userId == UserHandle.USER_ALL) {
	if (mSettings.removeIntentFilterVerificationLPw(packageName,		if (mSettings.removeIntentFilterVerificationLPw(packageName,
	sUserManager.getUserIds())) {		sUserManager.getUserIds())) {
	@@ -20452,7 +20500,8 @@ public class PackageManagerService extends IPackageManager.Stub
	}		}
	}		}
	} else {		} else {
	if (mSettings.removeIntentFilterVerificationLPw(packageName, userId)) {		if (mSettings.removeIntentFilterVerificationLPw(packageName, userId,
			alsoResetStatus)) {
	scheduleWritePackageRestrictionsLocked(userId);		scheduleWritePackageRestrictionsLocked(userId);
	}		}
	}		}

services/core/java/com/android/server/pm/Settings.java

+7 −3

Original line number	Original line	Diff line number	Diff line
	@@ -1243,7 +1243,8 @@ public final class Settings {
	return result;		return result;
	}		}

	boolean removeIntentFilterVerificationLPw(String packageName, int userId) {		boolean removeIntentFilterVerificationLPw(String packageName, int userId,
			boolean alsoResetStatus) {
	PackageSetting ps = mPackages.get(packageName);		PackageSetting ps = mPackages.get(packageName);
	if (ps == null) {		if (ps == null) {
	if (DEBUG_DOMAIN_VERIFICATION) {		if (DEBUG_DOMAIN_VERIFICATION) {
	@@ -1251,14 +1252,17 @@ public final class Settings {
	}		}
	return false;		return false;
	}		}
			if (alsoResetStatus) {
	ps.clearDomainVerificationStatusForUser(userId);		ps.clearDomainVerificationStatusForUser(userId);
			}
			ps.setIntentFilterVerificationInfo(null);
	return true;		return true;
	}		}

	boolean removeIntentFilterVerificationLPw(String packageName, int[] userIds) {		boolean removeIntentFilterVerificationLPw(String packageName, int[] userIds) {
	boolean result = false;		boolean result = false;
	for (int userId : userIds) {		for (int userId : userIds) {
	result \|= removeIntentFilterVerificationLPw(packageName, userId);		result \|= removeIntentFilterVerificationLPw(packageName, userId, true);
	}		}
	return result;		return result;
	}		}