Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9d89543d authored by Mathew Inwood's avatar Mathew Inwood
Browse files

Exempt platform-cert signed apps from hidden API checks. 

This means that APKs signed with the platform cert are allowed to use
hidden APIs, even if they are not on the package whitelist, and if they are
not in the system image. It will also allow a number of packages to be
removed from the package whitelist.

Also remove all platform cert signed apps from the package whitelist, as
there is no longer any need for them to be in there.

Bug: 64382372
Test: device boots
Change-Id: Id805419918de51f946c1f592581bab36ae79de83
parent de3569ef

core/java/android/content/pm/ApplicationInfo.java

+22 −4
Original line number Diff line number Diff line
@@ -590,26 +590,33 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
    public static final int PRIVATE_FLAG_VIRTUAL_PRELOAD = 1 << 16;



    /**

     * Value for {@linl #privateFlags}: whether this app is pre-installed on the

     * Value for {@link #privateFlags}: whether this app is pre-installed on the

     * OEM partition of the system image.

     * @hide

     */

    public static final int PRIVATE_FLAG_OEM = 1 << 17;



    /**

     * Value for {@linl #privateFlags}: whether this app is pre-installed on the

     * Value for {@link #privateFlags}: whether this app is pre-installed on the

     * vendor partition of the system image.

     * @hide

     */

    public static final int PRIVATE_FLAG_VENDOR = 1 << 18;



    /**

     * Value for {@linl #privateFlags}: whether this app is pre-installed on the

     * Value for {@link #privateFlags}: whether this app is pre-installed on the

     * product partition of the system image.

     * @hide

     */

    public static final int PRIVATE_FLAG_PRODUCT = 1 << 19;



    /**

     * Value for {@link #privateFlags}: whether this app is signed with the

     * platform key.

     * @hide

     */

    public static final int PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY = 1 << 20;



    /** @hide */

    @IntDef(flag = true, prefix = { "PRIVATE_FLAG_" }, value = {

            PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE,
@@ -629,6 +636,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
            PRIVATE_FLAG_PRIVILEGED,

            PRIVATE_FLAG_PRODUCT,

            PRIVATE_FLAG_REQUIRED_FOR_SYSTEM_USER,

            PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY,

            PRIVATE_FLAG_STATIC_SHARED_LIBRARY,

            PRIVATE_FLAG_VENDOR,

            PRIVATE_FLAG_VIRTUAL_PRELOAD,
@@ -1658,6 +1666,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
        return SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName);

    }



    private boolean isAllowedToUseHiddenApis() {

        return isSignedWithPlatformKey()

            || (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp()));

    }



    /**

     * @hide

     */
@@ -1665,7 +1678,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
        if (mHiddenApiPolicy != HIDDEN_API_ENFORCEMENT_DEFAULT) {

            return mHiddenApiPolicy;

        }

        if (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp())) {

        if (isAllowedToUseHiddenApis()) {

            return HIDDEN_API_ENFORCEMENT_NONE;

        }

        return HIDDEN_API_ENFORCEMENT_BLACK;
@@ -1757,6 +1770,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
        return (privateFlags & ApplicationInfo.PRIVATE_FLAG_PARTIALLY_DIRECT_BOOT_AWARE) != 0;

    }



    /** @hide */

    public boolean isSignedWithPlatformKey() {

        return (privateFlags & ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY) != 0;

    }



    /** @hide */

    @TestApi

    public boolean isPrivilegedApp() {

data/etc/hiddenapi-package-whitelist.xml

+2 −63
Original line number Diff line number Diff line
@@ -17,66 +17,28 @@ 


<!--

This XML file declares which system apps should be exempted from the hidden API blacklisting, i.e.

which apps should be allowed to access the entire private API.

which apps should be allowed to access the entire private API. Only apps NOT signed with the

platform cert need to be included, as apps signed with the platform cert are exempted by default.

-->



<config>

  <hidden-api-whitelisted-app package="android.car.cluster.loggingrenderer" />

  <hidden-api-whitelisted-app package="android.car.input.service" />

  <hidden-api-whitelisted-app package="android.car.usb.handler" />

  <hidden-api-whitelisted-app package="android.ext.services" />

  <hidden-api-whitelisted-app package="com.android.apps.tag" />

  <hidden-api-whitelisted-app package="com.android.backupconfirm" />

  <hidden-api-whitelisted-app package="com.android.basicsmsreceiver" />

  <hidden-api-whitelisted-app package="com.android.bluetooth" />

  <hidden-api-whitelisted-app package="com.android.bluetoothdebug" />

  <hidden-api-whitelisted-app package="com.android.bluetoothmidiservice" />

  <hidden-api-whitelisted-app package="com.android.bookmarkprovider" />

  <hidden-api-whitelisted-app package="com.android.calllogbackup" />

  <hidden-api-whitelisted-app package="com.android.camera" />

  <hidden-api-whitelisted-app package="com.android.captiveportallogin" />

  <hidden-api-whitelisted-app package="com.android.car" />

  <hidden-api-whitelisted-app package="com.android.car.dialer" />

  <hidden-api-whitelisted-app package="com.android.car.hvac" />

  <hidden-api-whitelisted-app package="com.android.car.mapsplaceholder" />

  <hidden-api-whitelisted-app package="com.android.car.media" />

  <hidden-api-whitelisted-app package="com.android.car.media.localmediaplayer" />

  <hidden-api-whitelisted-app package="com.android.car.messenger" />

  <hidden-api-whitelisted-app package="com.android.car.overview" />

  <hidden-api-whitelisted-app package="com.android.car.radio" />

  <hidden-api-whitelisted-app package="com.android.car.settings" />

  <hidden-api-whitelisted-app package="com.android.car.stream" />

  <hidden-api-whitelisted-app package="com.android.car.systemupdater" />

  <hidden-api-whitelisted-app package="com.android.car.trust" />

  <hidden-api-whitelisted-app package="com.android.carrierconfig" />

  <hidden-api-whitelisted-app package="com.android.carrierdefaultapp" />

  <hidden-api-whitelisted-app package="com.android.cellbroadcastreceiver" />

  <hidden-api-whitelisted-app package="com.android.certinstaller" />

  <hidden-api-whitelisted-app package="com.android.companiondevicemanager" />

  <hidden-api-whitelisted-app package="com.android.customlocale2" />

  <hidden-api-whitelisted-app package="com.android.defcontainer" />

  <hidden-api-whitelisted-app package="com.android.development" />

  <hidden-api-whitelisted-app package="com.android.documentsui" />

  <hidden-api-whitelisted-app package="com.android.dreams.basic" />

  <hidden-api-whitelisted-app package="com.android.egg" />

  <hidden-api-whitelisted-app package="com.android.emergency" />

  <hidden-api-whitelisted-app package="com.android.externalstorage" />

  <hidden-api-whitelisted-app package="com.android.fakeoemfeatures" />

  <hidden-api-whitelisted-app package="com.android.gallery" />

  <hidden-api-whitelisted-app package="com.android.hotspot2" />

  <hidden-api-whitelisted-app package="com.android.keychain" />

  <hidden-api-whitelisted-app package="com.android.launcher3" />

  <hidden-api-whitelisted-app package="com.android.location.fused" />

  <hidden-api-whitelisted-app package="com.android.managedprovisioning" />

  <hidden-api-whitelisted-app package="com.android.mms.service" />

  <hidden-api-whitelisted-app package="com.android.mtp" />

  <hidden-api-whitelisted-app package="com.android.musicfx" />

  <hidden-api-whitelisted-app package="com.android.nfc" />

  <hidden-api-whitelisted-app package="com.android.osu" />

  <hidden-api-whitelisted-app package="com.android.packageinstaller" />

  <hidden-api-whitelisted-app package="com.android.pacprocessor" />

  <hidden-api-whitelisted-app package="com.android.phone" />

  <hidden-api-whitelisted-app package="com.android.pmc" />

  <hidden-api-whitelisted-app package="com.android.printservice.recommendation" />

  <hidden-api-whitelisted-app package="com.android.printspooler" />

  <hidden-api-whitelisted-app package="com.android.providers.blockednumber" />
@@ -85,36 +47,13 @@ which apps should be allowed to access the entire private API. 
  <hidden-api-whitelisted-app package="com.android.providers.downloads" />

  <hidden-api-whitelisted-app package="com.android.providers.downloads.ui" />

  <hidden-api-whitelisted-app package="com.android.providers.media" />

  <hidden-api-whitelisted-app package="com.android.providers.settings" />

  <hidden-api-whitelisted-app package="com.android.providers.telephony" />

  <hidden-api-whitelisted-app package="com.android.providers.tv" />

  <hidden-api-whitelisted-app package="com.android.providers.userdictionary" />

  <hidden-api-whitelisted-app package="com.android.provision" />

  <hidden-api-whitelisted-app package="com.android.proxyhandler" />

  <hidden-api-whitelisted-app package="com.android.sdksetup" />

  <hidden-api-whitelisted-app package="com.android.se" />

  <hidden-api-whitelisted-app package="com.android.server.telecom" />

  <hidden-api-whitelisted-app package="com.android.service.ims" />

  <hidden-api-whitelisted-app package="com.android.service.ims.presence" />

  <hidden-api-whitelisted-app package="com.android.settings" />

  <hidden-api-whitelisted-app package="com.android.sharedstoragebackup" />

  <hidden-api-whitelisted-app package="com.android.shell" />

  <hidden-api-whitelisted-app package="com.android.smspush" />

  <hidden-api-whitelisted-app package="com.android.spare_parts" />

  <hidden-api-whitelisted-app package="com.android.statementservice" />

  <hidden-api-whitelisted-app package="com.android.stk" />

  <hidden-api-whitelisted-app package="com.android.storagemanager" />

  <hidden-api-whitelisted-app package="com.android.support.car.lenspicker" />

  <hidden-api-whitelisted-app package="com.android.systemui" />

  <hidden-api-whitelisted-app package="com.android.systemui.plugins" />

  <hidden-api-whitelisted-app package="com.android.terminal" />

  <hidden-api-whitelisted-app package="com.android.timezone.updater" />

  <hidden-api-whitelisted-app package="com.android.traceur" />

  <hidden-api-whitelisted-app package="com.android.tv.settings" />

  <hidden-api-whitelisted-app package="com.android.vpndialogs" />

  <hidden-api-whitelisted-app package="com.android.wallpaper.livepicker" />

  <hidden-api-whitelisted-app package="com.android.wallpaperbackup" />

  <hidden-api-whitelisted-app package="com.android.wallpapercropper" />

  <hidden-api-whitelisted-app package="com.googlecode.android_scripting" />

  <hidden-api-whitelisted-app package="jp.co.omronsoft.openwnn" />

</config>

services/core/java/com/android/server/pm/PackageManagerService.java

+12 −3
Original line number Diff line number Diff line
@@ -8700,7 +8700,7 @@ public class PackageManagerService extends IPackageManager.Stub 
                            disabledPkgSetting /* pkgSetting */, null /* disabledPkgSetting */,

                            null /* originalPkgSetting */, null, parseFlags, scanFlags,

                            (pkg == mPlatformPackage), user);

                    applyPolicy(pkg, parseFlags, scanFlags);

                    applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);

                    scanPackageOnlyLI(request, mFactoryTest, -1L);

                }

            }
@@ -10019,7 +10019,7 @@ public class PackageManagerService extends IPackageManager.Stub 














        scanFlags = adjustScanFlags(scanFlags, pkgSetting, disabledPkgSetting, user, pkg);















        synchronized (mPackages) {













            applyPolicy(pkg, parseFlags, scanFlags);













            applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);















            assertPackageIsValid(pkg, parseFlags, scanFlags);





























            SharedUserSetting sharedUserSetting = null;










@@ -10699,7 +10699,7 @@ public class PackageManagerService extends IPackageManager.Stub













     * ideally be static, but, it requires locks to read system state.















     */















    private static void applyPolicy(PackageParser.Package pkg, final @ParseFlags int parseFlags,













            final @ScanFlags int scanFlags) {













            final @ScanFlags int scanFlags, PackageParser.Package platformPkg) {















        if ((scanFlags & SCAN_AS_SYSTEM) != 0) {















            pkg.applicationInfo.flags |= ApplicationInfo.FLAG_SYSTEM;















            if (pkg.applicationInfo.isDirectBootAware()) {










@@ -10785,6 +10785,15 @@ public class PackageManagerService extends IPackageManager.Stub













            pkg.applicationInfo.privateFlags |= ApplicationInfo.PRIVATE_FLAG_PRODUCT;















        }



























        // Check if the package is signed with the same key as the platform package.













        if (PLATFORM_PACKAGE_NAME.equals(pkg.packageName) ||













                (platformPkg != null && compareSignatures(













                        platformPkg.mSigningDetails.signatures,













                        pkg.mSigningDetails.signatures) == PackageManager.SIGNATURE_MATCH)) {













            pkg.applicationInfo.privateFlags |=













                ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY;













        }



























        if (!isSystemApp(pkg)) {















            // Only system apps can use these features.















            pkg.mOriginalPackages = null;