Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b9cd9a72 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Limit stage install to system and whitelisted packges only (2/2)" into... 

Merge "Limit stage install to system and whitelisted packges only (2/2)" into rvc-dev am: cde07e5d

Change-Id: I7cb39d4e4afec837819f4c6b8b68784133308997
parents b0f3adae cde07e5d

core/java/android/content/pm/IPackageInstaller.aidl

+2 −0
Original line number Diff line number Diff line
@@ -55,4 +55,6 @@ interface IPackageInstaller { 
            in IntentSender statusReceiver, int userId, in List<String> whiteListedPermissions);



    void setPermissionsResult(int sessionId, boolean accepted);



    void bypassNextStagedInstallerCheck(boolean value);

}

services/core/java/com/android/server/pm/PackageInstallerService.java

+21 −2
Original line number Diff line number Diff line
@@ -82,6 +82,7 @@ import com.android.internal.util.ImageUtils; 
import com.android.internal.util.IndentingPrintWriter;

import com.android.server.IoThread;

import com.android.server.LocalServices;

import com.android.server.SystemConfig;

import com.android.server.pm.parsing.PackageParser2;

import com.android.server.pm.permission.PermissionManagerServiceInternal;
@@ -151,6 +152,7 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements 
    private final Callbacks mCallbacks;



    private volatile boolean mOkToSendBroadcasts = false;

    private volatile boolean mBypassNextStagedInstallerCheck = false;



    /**

     * File storing persisted {@link #mSessions} metadata.
@@ -541,7 +543,7 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements 
            }

        }



        if (Build.IS_DEBUGGABLE || isDowngradeAllowedForCaller(callingUid)) {

        if (Build.IS_DEBUGGABLE || isCalledBySystemOrShell(callingUid)) {

            params.installFlags |= PackageManager.INSTALL_ALLOW_DOWNGRADE;

        } else {

            params.installFlags &= ~PackageManager.INSTALL_ALLOW_DOWNGRADE;
@@ -571,6 +573,14 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements 
            }

        }



        if (mBypassNextStagedInstallerCheck) {

            mBypassNextStagedInstallerCheck = false;

        } else if (params.isStaged

                && !isCalledBySystemOrShell(callingUid)

                && !isWhitelistedStagedInstaller(requestedInstallerPackageName)) {

            throw new SecurityException("Installer not allowed to commit staged install");

        }



        if (!params.isMultiPackage) {

            // Only system components can circumvent runtime permissions when installing.

            if ((params.installFlags & PackageManager.INSTALL_GRANT_RUNTIME_PERMISSIONS) != 0
@@ -683,11 +693,15 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements 
        return sessionId;

    }



    private boolean isDowngradeAllowedForCaller(int callingUid) {

    private boolean isCalledBySystemOrShell(int callingUid) {

        return callingUid == Process.SYSTEM_UID || callingUid == Process.ROOT_UID

                || callingUid == Process.SHELL_UID;

    }



    private boolean isWhitelistedStagedInstaller(String installerName) {

        return SystemConfig.getInstance().getWhitelistedStagedInstallers().contains(installerName);

    }



    @Override

    public void updateSessionAppIcon(int sessionId, Bitmap appIcon) {

        synchronized (mSessions) {
@@ -963,6 +977,11 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements 
        }

    }



    @Override

    public void bypassNextStagedInstallerCheck(boolean value) {

        mBypassNextStagedInstallerCheck = value;

    }



    private static int getSessionCount(SparseArray<PackageInstallerSession> sessions,

            int installerUid) {

        int count = 0;

services/core/java/com/android/server/pm/PackageManagerShellCommand.java

+16 −0
Original line number Diff line number Diff line
@@ -297,6 +297,8 @@ class PackageManagerShellCommand extends ShellCommand { 
                    return runGetModuleInfo();

                case "log-visibility":

                    return runLogVisibility();

                case "bypass-staged-installer-check":

                    return runBypassStagedInstallerCheck();

                default: {

                    String nextArg = getNextArg();

                    if (nextArg == null) {
@@ -392,6 +394,20 @@ class PackageManagerShellCommand extends ShellCommand { 
        return 1;

    }



    private int runBypassStagedInstallerCheck() {

        final PrintWriter pw = getOutPrintWriter();

        try {

            mInterface.getPackageInstaller()

                    .bypassNextStagedInstallerCheck(Boolean.parseBoolean(getNextArg()));

            return 0;

        } catch (RemoteException e) {

            pw.println("Failure ["

                    + e.getClass().getName() + " - "

                    + e.getMessage() + "]");

            return -1;

        }

    }



    private int uninstallSystemUpdates() {

        final PrintWriter pw = getOutPrintWriter();

        List<String> failedUninstalls = new LinkedList<>();