Merge "[8/N] per-user global verification policy" into main

    void reportUnarchivalStatus(int unarchiveId, int status, long requiredStorageBytes, in PendingIntent userActionIntent, in UserHandle userHandle);

    void reportUnarchivalStatus(int unarchiveId, int status, long requiredStorageBytes, in PendingIntent userActionIntent, in UserHandle userHandle);

    @EnforcePermission("VERIFICATION_AGENT")

    @EnforcePermission("VERIFICATION_AGENT")

    int getVerificationPolicy();

    int getVerificationPolicy(int userId);

    @EnforcePermission("VERIFICATION_AGENT")

    @EnforcePermission("VERIFICATION_AGENT")

    boolean setVerificationPolicy(int policy);

    boolean setVerificationPolicy(int policy, int userId);

}

}

    @RequiresPermission(android.Manifest.permission.VERIFICATION_AGENT)

    @RequiresPermission(android.Manifest.permission.VERIFICATION_AGENT)

    public final @VerificationPolicy int getVerificationPolicy() {

    public final @VerificationPolicy int getVerificationPolicy() {

        try {

        try {

            return mInstaller.getVerificationPolicy();

            return mInstaller.getVerificationPolicy(mUserId);

        } catch (RemoteException e) {

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

            throw e.rethrowFromSystemServer();

        }

        }

    @RequiresPermission(android.Manifest.permission.VERIFICATION_AGENT)

    @RequiresPermission(android.Manifest.permission.VERIFICATION_AGENT)

    public final boolean setVerificationPolicy(@VerificationPolicy int policy) {

    public final boolean setVerificationPolicy(@VerificationPolicy int policy) {

        try {

        try {

            return mInstaller.setVerificationPolicy(policy);

            return mInstaller.setVerificationPolicy(policy, mUserId);

        } catch (RemoteException e) {

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

            throw e.rethrowFromSystemServer();

        }

        }

    private final String mSessionErrorMessage;

    private final String mSessionErrorMessage;

    private final String mPreVerifiedDomains;

    private final String mPreVerifiedDomains;

    private final String mPackageName;

    private final String mPackageName;

    private final int mInitialVerificationPolicy;

    private final int mCurrentVerificationPolicy;

    PackageInstallerHistoricalSession(int sessionId, int userId, int originalInstallerUid,

    PackageInstallerHistoricalSession(int sessionId, int userId, int originalInstallerUid,

            String originalInstallerPackageName, InstallSource installSource, int installerUid,

            String originalInstallerPackageName, InstallSource installSource, int installerUid,

            int[] childSessionIds, boolean sessionApplied, boolean sessionFailed,

            int[] childSessionIds, boolean sessionApplied, boolean sessionFailed,

            boolean sessionReady, int sessionErrorCode, String sessionErrorMessage,

            boolean sessionReady, int sessionErrorCode, String sessionErrorMessage,

            PreapprovalDetails preapprovalDetails, DomainSet preVerifiedDomains,

            PreapprovalDetails preapprovalDetails, DomainSet preVerifiedDomains,

            String packageNameFromApk) {

            String packageNameFromApk, int initialVerificationPolicy,

            int currentVerificationPolicy) {

        this.sessionId = sessionId;

        this.sessionId = sessionId;

        this.userId = userId;

        this.userId = userId;

        this.mOriginalInstallerUid = originalInstallerUid;

        this.mOriginalInstallerUid = originalInstallerUid;

        this.mPackageName = preapprovalDetails != null ? preapprovalDetails.getPackageName()

        this.mPackageName = preapprovalDetails != null ? preapprovalDetails.getPackageName()

                : packageNameFromApk != null ? packageNameFromApk : params.appPackageName;

                : packageNameFromApk != null ? packageNameFromApk : params.appPackageName;

        this.mInitialVerificationPolicy = initialVerificationPolicy;

        this.mCurrentVerificationPolicy = currentVerificationPolicy;

    }

    }

    void dump(IndentingPrintWriter pw) {

    void dump(IndentingPrintWriter pw) {

        pw.printPair("mPreapprovalDetails", mPreapprovalDetails);

        pw.printPair("mPreapprovalDetails", mPreapprovalDetails);

        pw.printPair("mPreVerifiedDomains", mPreVerifiedDomains);

        pw.printPair("mPreVerifiedDomains", mPreVerifiedDomains);

        pw.printPair("mAppPackageName", mPackageName);

        pw.printPair("mAppPackageName", mPackageName);

        pw.printPair("mInitialVerificationPolicy", mInitialVerificationPolicy);

        pw.printPair("mCurrentVerificationPolicy", mCurrentVerificationPolicy);

        pw.println();

        pw.println();

        pw.decreaseIndent();

        pw.decreaseIndent();

import static android.content.pm.PackageManager.INSTALL_UNARCHIVE_DRAFT;

import static android.content.pm.PackageManager.INSTALL_UNARCHIVE_DRAFT;

import static android.os.Process.INVALID_UID;

import static android.os.Process.INVALID_UID;

import static android.os.Process.SYSTEM_UID;

import static android.os.Process.SYSTEM_UID;

import static android.os.UserHandle.USER_SYSTEM;

import static com.android.server.pm.PackageArchiver.isArchivingEnabled;

import static com.android.server.pm.PackageArchiver.isArchivingEnabled;

import static com.android.server.pm.PackageInstallerSession.isValidVerificationPolicy;

import static com.android.server.pm.PackageInstallerSession.isValidVerificationPolicy;

import java.util.TreeMap;

import java.util.TreeMap;

import java.util.TreeSet;

import java.util.TreeSet;

import java.util.concurrent.CompletableFuture;

import java.util.concurrent.CompletableFuture;

import java.util.concurrent.atomic.AtomicInteger;

import java.util.function.IntPredicate;

import java.util.function.IntPredicate;

import java.util.function.Supplier;

import java.util.function.Supplier;

    };

    };

    /**

    /**

     * Default verification policy for incoming installation sessions.

     * Default verification policy for incoming installation sessions, mapped from userId to policy.

     * TODO(b/360129657): update the default policy.

     */

     */

    private final AtomicInteger mVerificationPolicy = new AtomicInteger(

    @GuardedBy("mVerificationPolicyPerUser")

            VERIFICATION_POLICY_BLOCK_FAIL_WARN);

    private final SparseIntArray mVerificationPolicyPerUser = new SparseIntArray(1);

    // TODO(b/360129657): update the default policy.

    private static final int DEFAULT_VERIFICATION_POLICY = VERIFICATION_POLICY_BLOCK_FAIL_WARN;

    private static final class Lifecycle extends SystemService {

    private static final class Lifecycle extends SystemService {

        private final PackageInstallerService mPackageInstallerService;

        private final PackageInstallerService mPackageInstallerService;

                context, mInstallThread.getLooper(), new AppStateHelper(context));

                context, mInstallThread.getLooper(), new AppStateHelper(context));

        mPackageArchiver = new PackageArchiver(mContext, mPm);

        mPackageArchiver = new PackageArchiver(mContext, mPm);

        mVerifierController = new VerifierController(mContext, mInstallHandler);

        mVerifierController = new VerifierController(mContext, mInstallHandler);

        synchronized (mVerificationPolicyPerUser) {

            mVerificationPolicyPerUser.put(USER_SYSTEM, DEFAULT_VERIFICATION_POLICY);

        }

        LocalServices.getService(SystemServiceManager.class).startService(

        LocalServices.getService(SystemServiceManager.class).startService(

                new Lifecycle(context, this));

                new Lifecycle(context, this));

        InstallSource installSource = InstallSource.create(installerPackageName,

        InstallSource installSource = InstallSource.create(installerPackageName,

                originatingPackageName, requestedInstallerPackageName, requestedInstallerPackageUid,

                originatingPackageName, requestedInstallerPackageName, requestedInstallerPackageUid,

                requestedInstallerPackageName, installerAttributionTag, params.packageSource);

                requestedInstallerPackageName, installerAttributionTag, params.packageSource);

        final int verificationPolicy;

        synchronized (mVerificationPolicyPerUser) {

            verificationPolicy = mVerificationPolicyPerUser.get(

                    userId, DEFAULT_VERIFICATION_POLICY);

        }

        session = new PackageInstallerSession(mInternalCallback, mContext, mPm, this,

        session = new PackageInstallerSession(mInternalCallback, mContext, mPm, this,

                mSilentUpdatePolicy, mInstallThread.getLooper(), mStagingManager, sessionId,

                mSilentUpdatePolicy, mInstallThread.getLooper(), mStagingManager, sessionId,

                userId, callingUid, installSource, params, createdMillis, 0L, stageDir, stageCid,

                userId, callingUid, installSource, params, createdMillis, 0L, stageDir, stageCid,

                null, null, false, false, false, false, null, SessionInfo.INVALID_ID,

                null, null, false, false, false, false, null, SessionInfo.INVALID_ID,

                false, false, false, PackageManager.INSTALL_UNKNOWN, "", null,

                false, false, false, PackageManager.INSTALL_UNKNOWN, "", null,

                mVerifierController, mVerificationPolicy.get());

                mVerifierController, verificationPolicy, verificationPolicy);

        synchronized (mSessions) {

        synchronized (mSessions) {

            mSessions.put(sessionId, session);

            mSessions.put(sessionId, session);

    @Override

    @Override

    @EnforcePermission(android.Manifest.permission.VERIFICATION_AGENT)

    @EnforcePermission(android.Manifest.permission.VERIFICATION_AGENT)

    public @PackageInstaller.VerificationPolicy int getVerificationPolicy() {

    public @PackageInstaller.VerificationPolicy int getVerificationPolicy(int userId) {

        getVerificationPolicy_enforcePermission();

        getVerificationPolicy_enforcePermission();

        return mVerificationPolicy.get();

        synchronized (mVerificationPolicyPerUser) {

            if (mVerificationPolicyPerUser.indexOfKey(userId) < 0) {

                throw new IllegalStateException(

                        "Verification policy for user " + userId + " does not exist."

                                + " Does the user exist?");

            }

            return mVerificationPolicyPerUser.get(userId);

        }

    }

    }

    @Override

    @Override

    @EnforcePermission(android.Manifest.permission.VERIFICATION_AGENT)

    @EnforcePermission(android.Manifest.permission.VERIFICATION_AGENT)

    public boolean setVerificationPolicy(@PackageInstaller.VerificationPolicy int policy) {

    public boolean setVerificationPolicy(@PackageInstaller.VerificationPolicy int policy,

            int userId) {

        setVerificationPolicy_enforcePermission();

        setVerificationPolicy_enforcePermission();

        final int callingUid = getCallingUid();

        final int callingUid = getCallingUid();

        // Only the verifier currently bound by the system can change the policy, except for Shell

        // Only the verifier currently bound by the system can change the policy, except for Shell

        if (!isValidVerificationPolicy(policy)) {

        if (!isValidVerificationPolicy(policy)) {

            return false;

            return false;

        }

        }

        if (policy != mVerificationPolicy.get()) {

        synchronized (mVerificationPolicyPerUser) {

            mVerificationPolicy.set(policy);

            if (mVerificationPolicyPerUser.indexOfKey(userId) < 0) {

                throw new IllegalStateException(

                        "Verification policy for user " + userId + " does not exist."

                                + " Does the user exist?");

            }

            if (policy != mVerificationPolicyPerUser.get(userId)) {

                mVerificationPolicyPerUser.put(userId, policy);

            }

        }

        }

        return true;

        return true;

    }

    }

    void onUserAdded(int userId) {

        synchronized (mVerificationPolicyPerUser) {

            mVerificationPolicyPerUser.put(userId, DEFAULT_VERIFICATION_POLICY);

        }

    }

    void onUserRemoved(int userId) {

        synchronized (mVerificationPolicyPerUser) {

            mVerificationPolicyPerUser.delete(userId);

        }

    }

    private static int getSessionCount(SparseArray<PackageInstallerSession> sessions,

    private static int getSessionCount(SparseArray<PackageInstallerSession> sessions,

            int installerUid) {

            int installerUid) {

        int count = 0;

        int count = 0;

        }

        }

        mSilentUpdatePolicy.dump(pw);

        mSilentUpdatePolicy.dump(pw);

        mGentleUpdateHelper.dump(pw);

        mGentleUpdateHelper.dump(pw);

        synchronized (mVerificationPolicyPerUser) {

            pw.printPair("VerificationPolicyPerUser", mVerificationPolicyPerUser.toString());

        }

    }

    }

    @VisibleForTesting(visibility = VisibleForTesting.Visibility.PACKAGE)

    @VisibleForTesting(visibility = VisibleForTesting.Visibility.PACKAGE)

    private static final String ATTR_APPLICATION_ENABLED_SETTING_PERSISTENT =

    private static final String ATTR_APPLICATION_ENABLED_SETTING_PERSISTENT =

            "applicationEnabledSettingPersistent";

            "applicationEnabledSettingPersistent";

    private static final String ATTR_DOMAIN = "domain";

    private static final String ATTR_DOMAIN = "domain";

    private static final String ATTR_VERIFICATION_POLICY = "verificationPolicy";

    private static final String ATTR_INITIAL_VERIFICATION_POLICY = "initialVerificationPolicy";

    private static final String ATTR_CURRENT_VERIFICATION_POLICY = "currentVerificationPolicy";

    private static final String PROPERTY_NAME_INHERIT_NATIVE = "pi.inherit_native_on_dont_kill";

    private static final String PROPERTY_NAME_INHERIT_NATIVE = "pi.inherit_native_on_dont_kill";

    private static final int[] EMPTY_CHILD_SESSION_ARRAY = EmptyArray.INT;

    private static final int[] EMPTY_CHILD_SESSION_ARRAY = EmptyArray.INT;

    private final PackageSessionProvider mSessionProvider;

    private final PackageSessionProvider mSessionProvider;

    private final SilentUpdatePolicy mSilentUpdatePolicy;

    private final SilentUpdatePolicy mSilentUpdatePolicy;

    /**

    /**

     * The verification policy applied to this session, which might be different from the default

     * The initial verification policy assigned to this session when it was first created.

     * verification policy used by the system.

     */

     */

    private final AtomicInteger mVerificationPolicy;

    private final int mInitialVerificationPolicy;

    /**

     * The active verification policy, which might be different from the initial verification policy

     * assigned to this session or the default policy currently used by the system.

     */

    private final AtomicInteger mCurrentVerificationPolicy;

    /**

    /**

     * Note all calls must be done outside {@link #mLock} to prevent lock inversion.

     * Note all calls must be done outside {@link #mLock} to prevent lock inversion.

     */

     */

            boolean isFailed, boolean isApplied, int sessionErrorCode,

            boolean isFailed, boolean isApplied, int sessionErrorCode,

            String sessionErrorMessage, DomainSet preVerifiedDomains,

            String sessionErrorMessage, DomainSet preVerifiedDomains,

            @NonNull VerifierController verifierController,

            @NonNull VerifierController verifierController,

            @PackageInstaller.VerificationPolicy int verificationPolicy) {

            @PackageInstaller.VerificationPolicy int initialVerificationPolicy,

            @PackageInstaller.VerificationPolicy int currentVerificationPolicy) {

        mCallback = callback;

        mCallback = callback;

        mContext = context;

        mContext = context;

        mPm = pm;

        mPm = pm;

        mHandler = new Handler(looper, mHandlerCallback);

        mHandler = new Handler(looper, mHandlerCallback);

        mStagingManager = stagingManager;

        mStagingManager = stagingManager;

        mVerifierController = verifierController;

        mVerifierController = verifierController;

        mVerificationPolicy = new AtomicInteger(verificationPolicy);

        mInitialVerificationPolicy = initialVerificationPolicy;

        mCurrentVerificationPolicy = new AtomicInteger(currentVerificationPolicy);

        this.sessionId = sessionId;

        this.sessionId = sessionId;

        this.userId = userId;

        this.userId = userId;

                    mStageDirInUse, mDestroyed, mFds.size(), mBridges.size(), mFinalStatus,

                    mStageDirInUse, mDestroyed, mFds.size(), mBridges.size(), mFinalStatus,

                    mFinalMessage, params, mParentSessionId, getChildSessionIdsLocked(),

                    mFinalMessage, params, mParentSessionId, getChildSessionIdsLocked(),

                    mSessionApplied, mSessionFailed, mSessionReady, mSessionErrorCode,

                    mSessionApplied, mSessionFailed, mSessionReady, mSessionErrorCode,

                    mSessionErrorMessage, mPreapprovalDetails, mPreVerifiedDomains, mPackageName);

                    mSessionErrorMessage, mPreapprovalDetails, mPreVerifiedDomains, mPackageName,

                    mInitialVerificationPolicy, mCurrentVerificationPolicy.get());

        }

        }

    }

    }

            final VerifierCallback verifierCallback = new VerifierCallback();

            final VerifierCallback verifierCallback = new VerifierCallback();

            if (!mVerifierController.startVerificationSession(mPm::snapshotComputer, userId,

            if (!mVerifierController.startVerificationSession(mPm::snapshotComputer, userId,

                    sessionId, getPackageName(), Uri.fromFile(stageDir), signingInfo,

                    sessionId, getPackageName(), Uri.fromFile(stageDir), signingInfo,

                    declaredLibraries, mVerificationPolicy.get(), /* extensionParams= */ null,

                    declaredLibraries, mCurrentVerificationPolicy.get(),

                    verifierCallback, /* retry= */ false)) {

                    /* extensionParams= */ null, verifierCallback, /* retry= */ false)) {

                // A verifier is installed but cannot be connected.

                // A verifier is installed but cannot be connected.

                verifierCallback.onConnectionFailed();

                verifierCallback.onConnectionFailed();

            }

            }

         * verification policy for this session.

         * verification policy for this session.

         */

         */

        public @PackageInstaller.VerificationPolicy int getVerificationPolicy() {

        public @PackageInstaller.VerificationPolicy int getVerificationPolicy() {

            return mVerificationPolicy.get();

            return mCurrentVerificationPolicy.get();

        }

        }

        /**

        /**

         * Called by the VerifierController when the verifier requests to change the verification

         * Called by the VerifierController when the verifier requests to change the verification

            if (!isValidVerificationPolicy(policy)) {

            if (!isValidVerificationPolicy(policy)) {

                return false;

                return false;

            }

            }

            mVerificationPolicy.set(policy);

            mCurrentVerificationPolicy.set(policy);

            return true;

            return true;

        }

        }

        /**

        /**

            // TODO: handle extension response

            // TODO: handle extension response

            mHandler.post(() -> {

            mHandler.post(() -> {

                if (statusReceived.isVerified()

                if (statusReceived.isVerified()

                        || mVerificationPolicy.get() == VERIFICATION_POLICY_NONE) {

                        || mCurrentVerificationPolicy.get() == VERIFICATION_POLICY_NONE) {

                    // Continue with the rest of the verification and installation.

                    // Continue with the rest of the verification and installation.

                    resumeVerify();

                    resumeVerify();

                    return;

                    return;

        }

        }

        private void handleNonPackageBlockedFailure(Runnable onFailWarning, Runnable onFailClosed) {

        private void handleNonPackageBlockedFailure(Runnable onFailWarning, Runnable onFailClosed) {

            final Runnable r = switch (mVerificationPolicy.get()) {

            final Runnable r = switch (mCurrentVerificationPolicy.get()) {

                case VERIFICATION_POLICY_NONE, VERIFICATION_POLICY_BLOCK_FAIL_OPEN ->

                case VERIFICATION_POLICY_NONE, VERIFICATION_POLICY_BLOCK_FAIL_OPEN ->

                        PackageInstallerSession.this::resumeVerify;

                        PackageInstallerSession.this::resumeVerify;

                case VERIFICATION_POLICY_BLOCK_FAIL_WARN -> onFailWarning;

                case VERIFICATION_POLICY_BLOCK_FAIL_WARN -> onFailWarning;

                case VERIFICATION_POLICY_BLOCK_FAIL_CLOSED -> onFailClosed;

                case VERIFICATION_POLICY_BLOCK_FAIL_CLOSED -> onFailClosed;

                default -> {

                default -> {

                    Log.wtf(TAG, "Unknown verification policy: " + mVerificationPolicy.get());

                    Log.wtf(TAG, "Unknown verification policy: "

                            + mCurrentVerificationPolicy.get());

                    yield onFailClosed;

                    yield onFailClosed;

                }

                }

            };

            };

        }

        }

    }

    }

    /**

     * @return the initial policy for the verification request assigned to the session when created.

     */

    @VisibleForTesting

    public @PackageInstaller.VerificationPolicy int getInitialVerificationPolicy() {

        assertCallerIsOwnerOrRoot();

        return mInitialVerificationPolicy;

    }

    /**

    /**

     * @return the current policy for the verification request associated with this session.

     * @return the current policy for the verification request associated with this session.

     */

     */

    @VisibleForTesting

    @VisibleForTesting

    public @PackageInstaller.VerificationPolicy int getVerificationPolicy() {

    public @PackageInstaller.VerificationPolicy int getCurrentVerificationPolicy() {

        assertCallerIsOwnerOrRoot();

        assertCallerIsOwnerOrRoot();

        return mVerificationPolicy.get();

        return mCurrentVerificationPolicy.get();

    }

    }

    void setSessionReady() {

    void setSessionReady() {

        if (mPreVerifiedDomains != null) {

        if (mPreVerifiedDomains != null) {

            pw.printPair("mPreVerifiedDomains", mPreVerifiedDomains);

            pw.printPair("mPreVerifiedDomains", mPreVerifiedDomains);

        }

        }

        pw.printPair("mInitialVerificationPolicy", mInitialVerificationPolicy);

        pw.printPair("mCurrentVerificationPolicy", mCurrentVerificationPolicy.get());

        pw.println();

        pw.println();

        pw.decreaseIndent();

        pw.decreaseIndent();

            out.attributeInt(null, ATTR_INSTALL_REASON, params.installReason);

            out.attributeInt(null, ATTR_INSTALL_REASON, params.installReason);

            writeBooleanAttribute(out, ATTR_APPLICATION_ENABLED_SETTING_PERSISTENT,

            writeBooleanAttribute(out, ATTR_APPLICATION_ENABLED_SETTING_PERSISTENT,

                    params.applicationEnabledSettingPersistent);

                    params.applicationEnabledSettingPersistent);

            out.attributeInt(null, ATTR_VERIFICATION_POLICY, mVerificationPolicy.get());

            out.attributeInt(null, ATTR_INITIAL_VERIFICATION_POLICY, mInitialVerificationPolicy);

            out.attributeInt(null, ATTR_CURRENT_VERIFICATION_POLICY,

                    mCurrentVerificationPolicy.get());

            final boolean isDataLoader = params.dataLoaderParams != null;

            final boolean isDataLoader = params.dataLoaderParams != null;

            writeBooleanAttribute(out, ATTR_IS_DATALOADER, isDataLoader);

            writeBooleanAttribute(out, ATTR_IS_DATALOADER, isDataLoader);

        final boolean sealed = in.getAttributeBoolean(null, ATTR_SEALED, false);

        final boolean sealed = in.getAttributeBoolean(null, ATTR_SEALED, false);

        final int parentSessionId = in.getAttributeInt(null, ATTR_PARENT_SESSION_ID,

        final int parentSessionId = in.getAttributeInt(null, ATTR_PARENT_SESSION_ID,

                SessionInfo.INVALID_ID);

                SessionInfo.INVALID_ID);

        final int verificationPolicy = in.getAttributeInt(null, ATTR_VERIFICATION_POLICY,

        final int initialVerificationPolicy = in.getAttributeInt(null,

                VERIFICATION_POLICY_NONE);

                ATTR_INITIAL_VERIFICATION_POLICY, VERIFICATION_POLICY_NONE);

        final int currentVerificationPolicy = in.getAttributeInt(null,

                ATTR_CURRENT_VERIFICATION_POLICY, VERIFICATION_POLICY_NONE);

        final SessionParams params = new SessionParams(

        final SessionParams params = new SessionParams(

                SessionParams.MODE_INVALID);

                SessionParams.MODE_INVALID);

                stageCid, fileArray, checksumsMap, prepared, committed, destroyed, sealed,

                stageCid, fileArray, checksumsMap, prepared, committed, destroyed, sealed,

                childSessionIdsArray, parentSessionId, isReady, isFailed, isApplied,

                childSessionIdsArray, parentSessionId, isReady, isFailed, isApplied,

                sessionErrorCode, sessionErrorMessage, preVerifiedDomains, verifierController,

                sessionErrorCode, sessionErrorMessage, preVerifiedDomains, verifierController,

                verificationPolicy);

                initialVerificationPolicy, currentVerificationPolicy);

    }

    }

}

}