Loading services/core/java/com/android/server/pm/PackageManagerService.java +37 −32 Original line number Diff line number Diff line Loading @@ -348,6 +348,7 @@ import com.android.server.ServiceThread; import com.android.server.SystemConfig; import com.android.server.SystemServerInitThreadPool; import com.android.server.Watchdog; import com.android.server.compat.CompatChange; import com.android.server.compat.PlatformCompat; import com.android.server.net.NetworkPolicyManagerInternal; import com.android.server.pm.Installer.InstallerException; Loading Loading @@ -2612,8 +2613,7 @@ public class PackageManagerService extends IPackageManager.Stub PackageManagerService m = new PackageManagerService(injector, onlyCore, factoryTest); t.traceEnd(); // "create package manager" injector.getCompatibility().registerListener(SELinuxMMAC.SELINUX_LATEST_CHANGES, packageName -> { final CompatChange.ChangeListener selinuxChangeListener = packageName -> { synchronized (m.mInstallLock) { final AndroidPackage pkg; final PackageSetting ps; Loading Loading @@ -2644,7 +2644,12 @@ public class PackageManagerService extends IPackageManager.Stub m.prepareAppDataAfterInstallLIF(pkg); } } }); }; injector.getCompatibility().registerListener(SELinuxMMAC.SELINUX_LATEST_CHANGES, selinuxChangeListener); injector.getCompatibility().registerListener(SELinuxMMAC.SELINUX_R_CHANGES, selinuxChangeListener); m.installWhitelistedSystemPackages(); ServiceManager.addService("package", m); services/core/java/com/android/server/pm/SELinuxMMAC.java +21 −6 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ package com.android.server.pm; import android.compat.annotation.ChangeId; import android.compat.annotation.EnabledAfter; import android.content.pm.ApplicationInfo; import android.content.pm.PackageParser.SigningDetails; import android.content.pm.Signature; import android.os.Environment; Loading Loading 
@@ -77,9 +78,21 @@ public final class SELinuxMMAC { private static final String TARGETSDKVERSION_STR = ":targetSdkVersion="; /** * This change gates apps access to untrusted_app_R-targetSDk SELinux domain. Allows opt-in * Allows opt-in to the latest targetSdkVersion enforced changes without changing target SDK. * Turning this change off for an app targeting the latest SDK is a no-op. * * <p>Has no effect for apps using shared user id. * * TODO(b/143539591): Update description with relevant SELINUX changes this opts in to. */ @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.R) @ChangeId static final long SELINUX_LATEST_CHANGES = 143539591L; /** * This change gates apps access to untrusted_app_R-targetSDK SELinux domain. Allows opt-in * to R targetSdkVersion enforced changes without changing target SDK. Turning this change * off for an app targeting R is a no-op. * off for an app targeting S is a no-op. * * <p>Has no effect for apps using shared user id. * Loading @@ -87,7 +100,7 @@ public final class SELinuxMMAC { */ @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.Q) @ChangeId static final long SELINUX_LATEST_CHANGES = 143539591L; static final long SELINUX_R_CHANGES = 168782947L; // Only initialize sMacPermissions once. static { Loading Loading 
@@ -349,9 +362,11 @@ public final class SELinuxMMAC { if ((sharedUserSetting != null) && (sharedUserSetting.packages.size() != 0)) { return sharedUserSetting.seInfoTargetSdkVersion; } if (compatibility.isChangeEnabledInternal(SELINUX_LATEST_CHANGES, pkg.toAppInfoWithoutState())) { return android.os.Build.VERSION_CODES.R; final ApplicationInfo appInfo = pkg.toAppInfoWithoutState(); if (compatibility.isChangeEnabledInternal(SELINUX_LATEST_CHANGES, appInfo)) { return android.os.Build.VERSION_CODES.S; } else if (compatibility.isChangeEnabledInternal(SELINUX_R_CHANGES, appInfo)) { return Math.max(android.os.Build.VERSION_CODES.R, pkg.getTargetSdkVersion()); } return pkg.getTargetSdkVersion(); Loading services/tests/servicestests/src/com/android/server/pm/SELinuxMMACTest.java +36 −5 Original line number Diff line number Diff line Loading @@ -44,7 +44,8 @@ import org.mockito.junit.MockitoJUnitRunner; public class SELinuxMMACTest { private static final String PACKAGE_NAME = "my.package"; private static final int OPT_IN_VERSION = Build.VERSION_CODES.R; private static final int LATEST_OPT_IN_VERSION = Build.VERSION_CODES.S; private static final int R_OPT_IN_VERSION = Build.VERSION_CODES.R; @Mock PlatformCompat mMockCompatibility; Loading @@ -56,7 +57,17 @@ public class SELinuxMMACTest { argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(true); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + OPT_IN_VERSION)); is("default:targetSdkVersion=" + LATEST_OPT_IN_VERSION)); } @Test public void getSeInfoOptInToR() { AndroidPackage pkg = makePackage(Build.VERSION_CODES.P); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_R_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(true); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + R_OPT_IN_VERSION)); } @Test Loading 
@@ -70,13 +81,33 @@ public class SELinuxMMACTest { } @Test public void getSeInfoNoOptInButAlreadyR() { AndroidPackage pkg = makePackage(OPT_IN_VERSION); public void getSeInfoNoOptInButAlreadyLatest() { AndroidPackage pkg = makePackage(LATEST_OPT_IN_VERSION); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_LATEST_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(false); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + OPT_IN_VERSION)); is("default:targetSdkVersion=" + LATEST_OPT_IN_VERSION)); } @Test public void getSeInfoNoOptInButAlreadyR() { AndroidPackage pkg = makePackage(R_OPT_IN_VERSION); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_R_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(false); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + R_OPT_IN_VERSION)); } @Test public void getSeInfoOptInRButLater() { AndroidPackage pkg = makePackage(R_OPT_IN_VERSION + 1); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_R_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(true); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + (R_OPT_IN_VERSION + 1))); } private AndroidPackage makePackage(int targetSdkVersion) { Loading Loading
services/core/java/com/android/server/pm/PackageManagerService.java +37 −32 Original line number Diff line number Diff line Loading @@ -348,6 +348,7 @@ import com.android.server.ServiceThread; import com.android.server.SystemConfig; import com.android.server.SystemServerInitThreadPool; import com.android.server.Watchdog; import com.android.server.compat.CompatChange; import com.android.server.compat.PlatformCompat; import com.android.server.net.NetworkPolicyManagerInternal; import com.android.server.pm.Installer.InstallerException; Loading Loading @@ -2612,8 +2613,7 @@ public class PackageManagerService extends IPackageManager.Stub PackageManagerService m = new PackageManagerService(injector, onlyCore, factoryTest); t.traceEnd(); // "create package manager" injector.getCompatibility().registerListener(SELinuxMMAC.SELINUX_LATEST_CHANGES, packageName -> { final CompatChange.ChangeListener selinuxChangeListener = packageName -> { synchronized (m.mInstallLock) { final AndroidPackage pkg; final PackageSetting ps; Loading Loading @@ -2644,7 +2644,12 @@ public class PackageManagerService extends IPackageManager.Stub m.prepareAppDataAfterInstallLIF(pkg); } } }); }; injector.getCompatibility().registerListener(SELinuxMMAC.SELINUX_LATEST_CHANGES, selinuxChangeListener); injector.getCompatibility().registerListener(SELinuxMMAC.SELINUX_R_CHANGES, selinuxChangeListener); m.installWhitelistedSystemPackages(); ServiceManager.addService("package", m);
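Review bot: The extracted `selinuxChangeListener` has no comment explaining why one listener serves both `SELINUX_LATEST_CHANGES` and `SELINUX_R_CHANGES`. It takes `m.mInstallLock` and ends in `m.prepareAppDataAfterInstallLIF(pkg)`, so a reader should know it is not a cheap callback. I would add above the declaration: `// Shared by both SELinux change ids: toggling either can change the package's seInfo, so app data is prepared again under mInstallLock.` Part of the listener body is collapsed on this page, so the wording should be checked against the hidden lines.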
services/core/java/com/android/server/pm/SELinuxMMAC.java +21 −6 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ package com.android.server.pm; import android.compat.annotation.ChangeId; import android.compat.annotation.EnabledAfter; import android.content.pm.ApplicationInfo; import android.content.pm.PackageParser.SigningDetails; import android.content.pm.Signature; import android.os.Environment; Loading Loading @@ -77,9 +78,21 @@ public final class SELinuxMMAC { private static final String TARGETSDKVERSION_STR = ":targetSdkVersion="; /** * This change gates apps access to untrusted_app_R-targetSDk SELinux domain. Allows opt-in * Allows opt-in to the latest targetSdkVersion enforced changes without changing target SDK. * Turning this change off for an app targeting the latest SDK is a no-op. * * <p>Has no effect for apps using shared user id. * * TODO(b/143539591): Update description with relevant SELINUX changes this opts in to. */ @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.R) @ChangeId static final long SELINUX_LATEST_CHANGES = 143539591L; /** * This change gates apps access to untrusted_app_R-targetSDK SELinux domain. Allows opt-in * to R targetSdkVersion enforced changes without changing target SDK. Turning this change * off for an app targeting R is a no-op. * off for an app targeting S is a no-op. * * <p>Has no effect for apps using shared user id. * Loading @@ -87,7 +100,7 @@ public final class SELinuxMMAC { */ @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.Q) @ChangeId static final long SELINUX_LATEST_CHANGES = 143539591L; static final long SELINUX_R_CHANGES = 168782947L; // Only initialize sMacPermissions once. static { Loading Loading 
@@ -349,9 +362,11 @@ public final class SELinuxMMAC { if ((sharedUserSetting != null) && (sharedUserSetting.packages.size() != 0)) { return sharedUserSetting.seInfoTargetSdkVersion; } if (compatibility.isChangeEnabledInternal(SELINUX_LATEST_CHANGES, pkg.toAppInfoWithoutState())) { return android.os.Build.VERSION_CODES.R; final ApplicationInfo appInfo = pkg.toAppInfoWithoutState(); if (compatibility.isChangeEnabledInternal(SELINUX_LATEST_CHANGES, appInfo)) { return android.os.Build.VERSION_CODES.S; } else if (compatibility.isChangeEnabledInternal(SELINUX_R_CHANGES, appInfo)) { return Math.max(android.os.Build.VERSION_CODES.R, pkg.getTargetSdkVersion()); } return pkg.getTargetSdkVersion(); Loading
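Review bot: The `SELINUX_LATEST_CHANGES` branch returns `android.os.Build.VERSION_CODES.S` unconditionally, while the `SELINUX_R_CHANGES` branch directly below it clamps with `Math.max(...)`. The returned value ends up in the seinfo `targetSdkVersion` string, which the Javadoc in this file ties to the SELinux domain an app gets. A package targeting anything above S would therefore be reported as S whenever the change is enabled, which looks like a silent downgrade of its policy level. Consider `return Math.max(android.os.Build.VERSION_CODES.S, pkg.getTargetSdkVersion());` so the opt-in can only raise the value. The enclosing method starts and ends outside the hunk, so this is judged from the visible lines only.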
services/tests/servicestests/src/com/android/server/pm/SELinuxMMACTest.java +36 −5 Original line number Diff line number Diff line Loading @@ -44,7 +44,8 @@ import org.mockito.junit.MockitoJUnitRunner; public class SELinuxMMACTest { private static final String PACKAGE_NAME = "my.package"; private static final int OPT_IN_VERSION = Build.VERSION_CODES.R; private static final int LATEST_OPT_IN_VERSION = Build.VERSION_CODES.S; private static final int R_OPT_IN_VERSION = Build.VERSION_CODES.R; @Mock PlatformCompat mMockCompatibility; Loading @@ -56,7 +57,17 @@ public class SELinuxMMACTest { argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(true); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + OPT_IN_VERSION)); is("default:targetSdkVersion=" + LATEST_OPT_IN_VERSION)); } @Test public void getSeInfoOptInToR() { AndroidPackage pkg = makePackage(Build.VERSION_CODES.P); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_R_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(true); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + R_OPT_IN_VERSION)); } @Test Loading 
@@ -70,13 +81,33 @@ public class SELinuxMMACTest { } @Test public void getSeInfoNoOptInButAlreadyR() { AndroidPackage pkg = makePackage(OPT_IN_VERSION); public void getSeInfoNoOptInButAlreadyLatest() { AndroidPackage pkg = makePackage(LATEST_OPT_IN_VERSION); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_LATEST_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(false); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + OPT_IN_VERSION)); is("default:targetSdkVersion=" + LATEST_OPT_IN_VERSION)); } @Test public void getSeInfoNoOptInButAlreadyR() { AndroidPackage pkg = makePackage(R_OPT_IN_VERSION); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_R_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(false); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + R_OPT_IN_VERSION)); } @Test public void getSeInfoOptInRButLater() { AndroidPackage pkg = makePackage(R_OPT_IN_VERSION + 1); when(mMockCompatibility.isChangeEnabledInternal(eq(SELinuxMMAC.SELINUX_R_CHANGES), argThat(argument -> argument.packageName.equals(pkg.getPackageName())))) .thenReturn(true); assertThat(SELinuxMMAC.getSeInfo(pkg, null, mMockCompatibility), is("default:targetSdkVersion=" + (R_OPT_IN_VERSION + 1))); } private AndroidPackage makePackage(int targetSdkVersion) { Loading
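Review bot: The new tests exercise each change id on its own but never pin the precedence when both `SELINUX_LATEST_CHANGES` and `SELINUX_R_CHANGES` are enabled for the same package. There is also no "latest" counterpart to `getSeInfoOptInRButLater`, i.e. `makePackage(LATEST_OPT_IN_VERSION + 1)` with the latest change enabled. That second case is the one that would show whether the latest opt-in can lower the reported `targetSdkVersion`. I would add a test for each, asserting `"default:targetSdkVersion=" + LATEST_OPT_IN_VERSION` for the first and the expected non-lowered value for the second. If the Mockito runner rejects unused stubs, the both-enabled test should stub only the latest change, since the R check is not reached in that path.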