Loading services/core/java/com/android/server/om/IdmapManager.java +21 −31 Original line number Original line Diff line number Diff line Loading @@ -82,7 +82,7 @@ class IdmapManager { final String overlayPath = overlayPackage.applicationInfo.getBaseCodePath(); final String overlayPath = overlayPackage.applicationInfo.getBaseCodePath(); try { try { if (FEATURE_FLAG_IDMAP2) { if (FEATURE_FLAG_IDMAP2) { int policies = determineFulfilledPolicies(targetPackage, overlayPackage, userId); int policies = calculateFulfilledPolicies(targetPackage, overlayPackage, userId); boolean enforce = enforceOverlayable(overlayPackage); boolean enforce = enforceOverlayable(overlayPackage); if (mIdmap2Service.verifyIdmap(overlayPath, policies, enforce, userId)) { if (mIdmap2Service.verifyIdmap(overlayPath, policies, enforce, userId)) { return true; return true; Loading Loading 
@@ -184,28 +184,25 @@ class IdmapManager { return true; return true; } } if (ai.isVendor() && !VENDOR_IS_Q_OR_LATER) { if (ai.isVendor()) { // If the overlay is on a pre-Q vendor partition, do not enforce overlayable // If the overlay is on a pre-Q vendor partition, do not enforce overlayable // restrictions on this overlay because the pre-Q platform has no understanding of // restrictions on this overlay because the pre-Q platform has no understanding of // overlayable. // overlayable. return false; return VENDOR_IS_Q_OR_LATER; } } // Do not enforce overlayable restrictions on pre-Q overlays signed with the // Do not enforce overlayable restrictions on pre-Q overlays that are signed with the // platform signature. // platform signature or that are preinstalled. return !ai.isSignedWithPlatformKey(); return !(ai.isSystemApp() || ai.isSignedWithPlatformKey()); } } /** /** * Retrieves a bitmask for idmap2 that represents the policies the specified overlay fulfills. * Retrieves a bitmask for idmap2 that represents the policies the overlay fulfills. * @throws SecurityException if the overlay is not allowed to overlay any resource */ */ private int determineFulfilledPolicies(@NonNull final PackageInfo targetPackage, private int calculateFulfilledPolicies(@NonNull final PackageInfo targetPackage, @NonNull final PackageInfo overlayPackage, int userId) throws SecurityException { @NonNull final PackageInfo overlayPackage, int userId) { final ApplicationInfo ai = overlayPackage.applicationInfo; final ApplicationInfo ai = overlayPackage.applicationInfo; final boolean overlayIsQOrLater = ai.targetSdkVersion >= VERSION_CODES.Q; int fulfilledPolicies = IIdmap2.POLICY_PUBLIC; int fulfilledPolicies = 0; // Overlay matches target signature // Overlay matches target signature if (mPackageManager.signaturesMatching(targetPackage.packageName, if (mPackageManager.signaturesMatching(targetPackage.packageName, Loading 
@@ -215,32 +212,25 @@ class IdmapManager { // Vendor partition (/vendor) // Vendor partition (/vendor) if (ai.isVendor()) { if (ai.isVendor()) { if (overlayIsQOrLater) { return fulfilledPolicies | IIdmap2.POLICY_VENDOR_PARTITION; fulfilledPolicies |= IIdmap2.POLICY_VENDOR_PARTITION; } else if (VENDOR_IS_Q_OR_LATER) { throw new SecurityException("Overlay must target Q sdk or higher"); } } } // Product partition (/product) // Product partition (/product) if (ai.isProduct()) { if (ai.isProduct()) { if (overlayIsQOrLater) { return fulfilledPolicies | IIdmap2.POLICY_PRODUCT_PARTITION; fulfilledPolicies |= IIdmap2.POLICY_PRODUCT_PARTITION; } else { throw new SecurityException("Overlay must target Q sdk or higher"); } } // Check partitions for which there exists no policy so overlays on these partitions will // not fulfill the system policy. if (ai.isOem() || ai.isProductServices()) { return fulfilledPolicies; } } // System partition (/system) // Check this last since every partition except for data is scanned as system in the PMS. if (ai.isSystemApp()) { if (ai.isSystemApp()) { if (overlayIsQOrLater) { return fulfilledPolicies | IIdmap2.POLICY_SYSTEM_PARTITION; fulfilledPolicies |= IIdmap2.POLICY_SYSTEM_PARTITION; } else { throw new SecurityException("Overlay must target Q sdk or higher"); } } } // All overlays can overlay resources with the public policy return fulfilledPolicies; return fulfilledPolicies | IIdmap2.POLICY_PUBLIC; } } } } Loading
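Review bot: In `enforceOverlayable`, the new `ai.isSystemApp()` term exempts more than the comment's "preinstalled" suggests: the comment added in `calculateFulfilledPolicies` says every partition except data is scanned as system, so a pre-Q overlay on /product, /oem or /product_services now skips overlayable enforcement, and the same commit drops the `SecurityException` that used to reject pre-Q overlays on /product and /system. If that is the intended trust boundary, state it at the return, for example `// isSystemApp() is true for every non-data partition, so all preinstalled pre-Q overlays are exempt.` The result also appears to depend on the `ai.isVendor()` branch staying first, since a vendor overlay is presumably scanned as system too and would otherwise be exempted even when `VENDOR_IS_Q_OR_LATER` is true; a comment such as `// Keep above the isSystemApp() check: vendor overlays are scanned as system as well.` would protect that ordering, and the existing vendor comment still describes only the pre-Q case. Both methods start or continue outside the visible hunks, so this rests on the shown lines only.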
services/core/java/com/android/server/om/IdmapManager.java +21 −31 Original line number Original line Diff line number Diff line Loading @@ -82,7 +82,7 @@ class IdmapManager { final String overlayPath = overlayPackage.applicationInfo.getBaseCodePath(); final String overlayPath = overlayPackage.applicationInfo.getBaseCodePath(); try { try { if (FEATURE_FLAG_IDMAP2) { if (FEATURE_FLAG_IDMAP2) { int policies = determineFulfilledPolicies(targetPackage, overlayPackage, userId); int policies = calculateFulfilledPolicies(targetPackage, overlayPackage, userId); boolean enforce = enforceOverlayable(overlayPackage); boolean enforce = enforceOverlayable(overlayPackage); if (mIdmap2Service.verifyIdmap(overlayPath, policies, enforce, userId)) { if (mIdmap2Service.verifyIdmap(overlayPath, policies, enforce, userId)) { return true; return true; Loading Loading 
@@ -184,28 +184,25 @@ class IdmapManager { return true; return true; } } if (ai.isVendor() && !VENDOR_IS_Q_OR_LATER) { if (ai.isVendor()) { // If the overlay is on a pre-Q vendor partition, do not enforce overlayable // If the overlay is on a pre-Q vendor partition, do not enforce overlayable // restrictions on this overlay because the pre-Q platform has no understanding of // restrictions on this overlay because the pre-Q platform has no understanding of // overlayable. // overlayable. return false; return VENDOR_IS_Q_OR_LATER; } } // Do not enforce overlayable restrictions on pre-Q overlays signed with the // Do not enforce overlayable restrictions on pre-Q overlays that are signed with the // platform signature. // platform signature or that are preinstalled. return !ai.isSignedWithPlatformKey(); return !(ai.isSystemApp() || ai.isSignedWithPlatformKey()); } } /** /** * Retrieves a bitmask for idmap2 that represents the policies the specified overlay fulfills. * Retrieves a bitmask for idmap2 that represents the policies the overlay fulfills. * @throws SecurityException if the overlay is not allowed to overlay any resource */ */ private int determineFulfilledPolicies(@NonNull final PackageInfo targetPackage, private int calculateFulfilledPolicies(@NonNull final PackageInfo targetPackage, @NonNull final PackageInfo overlayPackage, int userId) throws SecurityException { @NonNull final PackageInfo overlayPackage, int userId) { final ApplicationInfo ai = overlayPackage.applicationInfo; final ApplicationInfo ai = overlayPackage.applicationInfo; final boolean overlayIsQOrLater = ai.targetSdkVersion >= VERSION_CODES.Q; int fulfilledPolicies = IIdmap2.POLICY_PUBLIC; int fulfilledPolicies = 0; // Overlay matches target signature // Overlay matches target signature if (mPackageManager.signaturesMatching(targetPackage.packageName, if (mPackageManager.signaturesMatching(targetPackage.packageName, Loading 
@@ -215,32 +212,25 @@ class IdmapManager { // Vendor partition (/vendor) // Vendor partition (/vendor) if (ai.isVendor()) { if (ai.isVendor()) { if (overlayIsQOrLater) { return fulfilledPolicies | IIdmap2.POLICY_VENDOR_PARTITION; fulfilledPolicies |= IIdmap2.POLICY_VENDOR_PARTITION; } else if (VENDOR_IS_Q_OR_LATER) { throw new SecurityException("Overlay must target Q sdk or higher"); } } } // Product partition (/product) // Product partition (/product) if (ai.isProduct()) { if (ai.isProduct()) { if (overlayIsQOrLater) { return fulfilledPolicies | IIdmap2.POLICY_PRODUCT_PARTITION; fulfilledPolicies |= IIdmap2.POLICY_PRODUCT_PARTITION; } else { throw new SecurityException("Overlay must target Q sdk or higher"); } } // Check partitions for which there exists no policy so overlays on these partitions will // not fulfill the system policy. if (ai.isOem() || ai.isProductServices()) { return fulfilledPolicies; } } // System partition (/system) // Check this last since every partition except for data is scanned as system in the PMS. if (ai.isSystemApp()) { if (ai.isSystemApp()) { if (overlayIsQOrLater) { return fulfilledPolicies | IIdmap2.POLICY_SYSTEM_PARTITION; fulfilledPolicies |= IIdmap2.POLICY_SYSTEM_PARTITION; } else { throw new SecurityException("Overlay must target Q sdk or higher"); } } } // All overlays can overlay resources with the public policy return fulfilledPolicies; return fulfilledPolicies | IIdmap2.POLICY_PUBLIC; } } } }