Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a14c9e5f authored by Jay Thomas Sullivan's avatar Jay Thomas Sullivan
Browse files

[ECM] Add ECM allowlist to SystemConfig 

This introduces a new configurable XML file
(/etc/sysconfig/enhanced-confirmation.xml) for ECM (Enhanced
Confirmation Mode). This file enables OEMs to declare a list of
"trusted packages" and/or "trusted installer" packages.  A "trusted
package" will be exempt from ECM restrictions. A "trusted installer",
and all packages that it installs, will be exempt from ECM restrictions.

The file may contain zero or more XML elements of the form:

    <enhanced-confirmation-trusted-package
         package="com.example.app"
         sha256-cert-digest="E9:7A:BC:2C:D1:..."/>

...and/or...

    <enhanced-confirmation-trusted-installer
         package="com.example.app"
         sha256-cert-digest="E9:7A:BC:2C:D1:..."/>

(Where the 'package' attribute is a package name, and
'sha256-cert-digest' is a hex-encoded SHA-256 digest of a signing
certificate. Both fields are required for each XML element.)

This file is parsed by the SystemConfig class, where the collection of
all XML elements are deserialized into (SignedPackage) objects which
are cached within SystemConfig.

These objects are accessible by calling either the following SystemAPI
methods:

    SystemConfigManager::getEnhancedConfirmationTrustedPackages
    SystemConfigManager::getEnhancedConfirmationTrustedInstallers

...which in turn call the (respective) binder methods:

    SystemConfigService::getEnhancedConfirmationTrustedPackages
    SystemConfigService::getEnhancedConfirmationTrustedInstallers

...which read the data directly from SystemConfig.

The only intended caller of this API is ECM
(EnhancedConfirmationManager/EnhancedConfirmationService), which runs in
SystemServer.

The reason this needs to be SystemApi(MODULE_LIBRARIES) is that the ECM
source code lives within the packages/modules/Permission mainline
module.

Bug: 310654834
Test: atest FrameworksServicesTests:com.android.server.systemconfig.SystemConfigTest
Change-Id: I50e524e5782cea4e66232acef493edbe62aa1f61
parent ff26a560

core/api/module-lib-current.txt

+7 −0
Original line number Diff line number Diff line
@@ -127,6 +127,11 @@ package android.content.pm { 
    field public static final int MATCH_STATIC_SHARED_AND_SDK_LIBRARIES = 67108864; // 0x4000000

  }



  @FlaggedApi("android.permission.flags.enhanced_confirmation_mode_apis_enabled") public class SignedPackage {

    method @NonNull public byte[] getCertificateDigest();

    method @NonNull public String getPkgName();

  }



}



package android.hardware.usb {
@@ -422,6 +427,8 @@ package android.os { 


  public class SystemConfigManager {

    method @NonNull public java.util.List<android.content.ComponentName> getEnabledComponentOverrides(@NonNull String);

    method @FlaggedApi("android.permission.flags.enhanced_confirmation_mode_apis_enabled") @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_ENHANCED_CONFIRMATION_STATES) public java.util.Set<android.content.pm.SignedPackage> getEnhancedConfirmationTrustedInstallers();

    method @FlaggedApi("android.permission.flags.enhanced_confirmation_mode_apis_enabled") @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_ENHANCED_CONFIRMATION_STATES) public java.util.Set<android.content.pm.SignedPackage> getEnhancedConfirmationTrustedPackages();

  }



  public final class Trace {

core/java/android/content/pm/SignedPackage.java

0 → 100644
+75 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2024 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



package android.content.pm;



import android.annotation.FlaggedApi;

import android.annotation.NonNull;

import android.annotation.SystemApi;



import java.util.Arrays;

import java.util.Objects;



/**

 * A data class representing a package and (SHA-256 hash of) a signing certificate.

 *

 * @hide

 */

@SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)

@FlaggedApi(android.permission.flags.Flags.FLAG_ENHANCED_CONFIRMATION_MODE_APIS_ENABLED)

public class SignedPackage {

    @NonNull

    private final SignedPackageParcel mData;



    /** @hide */

    public SignedPackage(@NonNull String pkgName, @NonNull byte[] certificateDigest) {

        SignedPackageParcel data = new SignedPackageParcel();

        data.pkgName = pkgName;

        data.certificateDigest = certificateDigest;

        mData = data;

    }



    /** @hide */

    public SignedPackage(@NonNull SignedPackageParcel data) {

        mData = data;

    }



    /** @hide */

    public final @NonNull SignedPackageParcel getData() {

        return mData;

    }



    public @NonNull String getPkgName() {

        return mData.pkgName;

    }



    public @NonNull byte[] getCertificateDigest() {

        return mData.certificateDigest;

    }



    @Override

    public boolean equals(Object o) {

        if (this == o) return true;

        if (!(o instanceof SignedPackage that)) return false;

        return mData.pkgName.equals(that.mData.pkgName) && Arrays.equals(mData.certificateDigest,

                that.mData.certificateDigest);

    }



    @Override

    public int hashCode() {

        return Objects.hash(mData.pkgName, Arrays.hashCode(mData.certificateDigest));

    }

}

core/java/android/content/pm/SignedPackageParcel.aidl

0 → 100644
+25 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2024 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



package android.content.pm;



import android.content.ComponentName;



/** @hide */

parcelable SignedPackageParcel {

    String pkgName;

    byte[] certificateDigest;

}

core/java/android/os/ISystemConfig.aidl

+12 −0
Original line number Diff line number Diff line
@@ -17,6 +17,8 @@ 
package android.os;



import android.content.ComponentName;

import android.os.Bundle;

import android.content.pm.SignedPackageParcel;



/**

  * Binder interface to query SystemConfig in the system server.
@@ -57,4 +59,14 @@ interface ISystemConfig { 
     * @see SystemConfigManager#getPreventUserDisablePackages

     */

    List<String> getPreventUserDisablePackages();



    /**

     * @see SystemConfigManager#getEnhancedConfirmationTrustedPackages

     */

    List<SignedPackageParcel> getEnhancedConfirmationTrustedPackages();



    /**

     * @see SystemConfigManager#getEnhancedConfirmationTrustedInstallers

     */

    List<SignedPackageParcel> getEnhancedConfirmationTrustedInstallers();

}

core/java/android/os/SystemConfigManager.java

+69 −0
Original line number Diff line number Diff line
@@ -16,12 +16,15 @@ 
package android.os;



import android.Manifest;

import android.annotation.FlaggedApi;

import android.annotation.NonNull;

import android.annotation.RequiresPermission;

import android.annotation.SystemApi;

import android.annotation.SystemService;

import android.content.ComponentName;

import android.content.Context;

import android.content.pm.SignedPackage;

import android.content.pm.SignedPackageParcel;

import android.util.ArraySet;

import android.util.Log;
@@ -29,6 +32,7 @@ import java.util.Collections; 
import java.util.List;

import java.util.Map;

import java.util.Set;

import java.util.stream.Collectors;





/**
@@ -175,4 +179,69 @@ public class SystemConfigManager { 
            throw e.rethrowFromSystemServer();

        }

    }





    /**

     * Returns a set of signed packages, represented as (packageName, certificateDigest) pairs, that

     * should be considered "trusted packages" by ECM (Enhanced Confirmation Mode).

     *

     * <p>"Trusted packages" are exempt from ECM (i.e., they will never be considered "restricted").

     *

     * <p>A package will be considered "trusted package" if and only if it *matches* least one of

     * the (*packageName*, *certificateDigest*) pairs in this set, where *matches* means satisfying

     * both of the following:

     *

     * <ol>

     *   <li>The package's name equals *packageName*

     *   <li>The package is, or was ever, signed by *certificateDigest*, according to the package's

     *       {@link android.content.pm.SigningDetails}

     * </ol>

     *

     * @hide

     */

    @SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)

    @FlaggedApi(android.permission.flags.Flags.FLAG_ENHANCED_CONFIRMATION_MODE_APIS_ENABLED)

    @RequiresPermission(Manifest.permission.MANAGE_ENHANCED_CONFIRMATION_STATES)

    @NonNull

    public Set<SignedPackage> getEnhancedConfirmationTrustedPackages() {

        try {

            List<SignedPackageParcel> parcels = mInterface.getEnhancedConfirmationTrustedPackages();

            return parcels.stream().map(SignedPackage::new).collect(Collectors.toSet());

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        }

    }



    /**

     * Returns a set of signed packages, represented as (packageName, certificateDigest) pairs, that

     * should be considered "trusted installers" by ECM (Enhanced Confirmation Mode).

     *

     * <p>"Trusted installers", and all apps installed by a trusted installer, are exempt from ECM

     * (i.e., they will never be considered "restricted").

     *

     * <p>A package will be considered a "trusted installer" if and only if it *matches* least one

     * of the (*packageName*, *certificateDigest*) pairs in this set, where *matches* means

     * satisfying both of the following:

     *

     * <ol>

     *   <li>The package's name equals *packageName*

     *   <li>The package is, or was ever, signed by *certificateDigest*, according to the package's

     *       {@link android.content.pm.SigningDetails}

     * </ol>

     *

     * @hide

     */

    @SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)

    @FlaggedApi(android.permission.flags.Flags.FLAG_ENHANCED_CONFIRMATION_MODE_APIS_ENABLED)

    @RequiresPermission(Manifest.permission.MANAGE_ENHANCED_CONFIRMATION_STATES)

    @NonNull

    public Set<SignedPackage> getEnhancedConfirmationTrustedInstallers() {

        try {

            List<SignedPackageParcel> parcels =

                    mInterface.getEnhancedConfirmationTrustedInstallers();

            return parcels.stream().map(SignedPackage::new).collect(Collectors.toSet());

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        }

    }

}