Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ace5fd11 authored by Nick Kovacs's avatar Nick Kovacs
Browse files

Enable low target sdk install block by default 

Update the feature flags to enable the install
block by default. This will ensure that non-GMS
devices without feature flagging have this
enforcement as well.

Bug: 237321649
Test: atest PackageManagerTests
Change-Id: I4f6815906455175cfedf126df4ac694ba6f4684c
parent 3eb0a875

services/core/java/com/android/server/pm/InstallPackageHelper.java

+4 −4
Original line number Original line Diff line number Diff line
@@ -1134,22 +1134,22 @@ final class InstallPackageHelper { 
        // behavior.

        // behavior.

        if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

        if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                "MinInstallableTargetSdk__install_block_enabled",

                "MinInstallableTargetSdk__install_block_enabled",

                false)) {

                true)) {

            int minInstallableTargetSdk =

            int minInstallableTargetSdk =

                    DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                    DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                            "MinInstallableTargetSdk__min_installable_target_sdk",

                            "MinInstallableTargetSdk__min_installable_target_sdk",

                            0);

                            PackageManagerService.MIN_INSTALLABLE_TARGET_SDK);





            // Determine if enforcement is in strict mode

            // Determine if enforcement is in strict mode

            boolean strictMode = false;

            boolean strictMode = false;





            if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

            if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                    "MinInstallableTargetSdk__install_block_strict_mode_enabled",

                    "MinInstallableTargetSdk__install_block_strict_mode_enabled",

                    false)) {

                    true)) {

                if (parsedPackage.getTargetSdkVersion()

                if (parsedPackage.getTargetSdkVersion()

                        < DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                        < DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                        "MinInstallableTargetSdk__strict_mode_target_sdk",

                        "MinInstallableTargetSdk__strict_mode_target_sdk",

                        0)) {

                        PackageManagerService.MIN_INSTALLABLE_TARGET_SDK)) {

                    strictMode = true;

                    strictMode = true;

                }

                }

            }

            }

services/core/java/com/android/server/pm/PackageManagerService.java

+8 −0
Original line number Original line Diff line number Diff line
@@ -557,6 +557,14 @@ public class PackageManagerService implements PackageSender, TestUtilityService 
    // How many required verifiers can be on the system.

    // How many required verifiers can be on the system.

    private static final int REQUIRED_VERIFIERS_MAX_COUNT = 2;

    private static final int REQUIRED_VERIFIERS_MAX_COUNT = 2;





    /**

     * Specifies the minimum target SDK version an apk must specify in order to be installed

     * on the system. This improves security and privacy by blocking low

     * target sdk apps as malware can target older sdk versions to avoid

     * the enforcement of new API behavior.

     */

    public static final int MIN_INSTALLABLE_TARGET_SDK = Build.VERSION_CODES.M;



    // Compilation reasons.

    // Compilation reasons.

    // TODO(b/260124949): Clean this up with the legacy dexopt code.

    // TODO(b/260124949): Clean this up with the legacy dexopt code.

    public static final int REASON_FIRST_BOOT = 0;

    public static final int REASON_FIRST_BOOT = 0;