Merge "Enable low target sdk install block" into udc-dev am: c0875d89

import static com.android.server.pm.PackageManagerService.DEBUG_UPGRADE;

import static com.android.server.pm.PackageManagerService.DEBUG_VERIFY;

import static com.android.server.pm.PackageManagerService.EMPTY_INT_ARRAY;

import static com.android.server.pm.PackageManagerService.MIN_INSTALLABLE_TARGET_SDK;

import static com.android.server.pm.PackageManagerService.PLATFORM_PACKAGE_NAME;

import static com.android.server.pm.PackageManagerService.POST_INSTALL;

import static com.android.server.pm.PackageManagerService.PRECOMPILE_LAYOUTS;

import android.os.incremental.IncrementalStorage;

import android.os.storage.StorageManager;

import android.os.storage.VolumeInfo;

import android.provider.DeviceConfig;

import android.stats.storage.StorageEnums;

import android.system.ErrnoException;

import android.system.Os;

            Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);

        }

        // If the minimum installable SDK version enforcement is enabled, block the install

        // of apps using a lower target SDK version than required. This helps improve security

        // and privacy as malware can target older SDK versions to avoid enforcement of new API

        // behavior.

        if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                "MinInstallableTargetSdk__install_block_enabled",

                false)) {

            int minInstallableTargetSdk =

                    DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                            "MinInstallableTargetSdk__min_installable_target_sdk",

                            0);

            // Determine if enforcement is in strict mode

            boolean strictMode = false;

            if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                    "MinInstallableTargetSdk__install_block_strict_mode_enabled",

                    false)) {

                if (parsedPackage.getTargetSdkVersion()

                        < DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,

                        "MinInstallableTargetSdk__strict_mode_target_sdk",

                        0)) {

                    strictMode = true;

                }

            }

            // Skip enforcement when the bypass flag is set

        // Block the install of apps using a lower target SDK version than required.

        // This helps improve security and privacy as malware can target older SDK versions

        // to avoid enforcement of new API behavior.

        boolean bypassLowTargetSdkBlock =

                ((installFlags & PackageManager.INSTALL_BYPASS_LOW_TARGET_SDK_BLOCK) != 0);

            // Skip enforcement for tests that were installed from adb

            if (!strictMode && !bypassLowTargetSdkBlock

                    && ((installFlags & PackageManager.INSTALL_FROM_ADB) != 0)) {

                bypassLowTargetSdkBlock = true;

            }

            // Skip enforcement if the installer package name is not set

            // (e.g. "pm install" from shell)

            if (!strictMode && !bypassLowTargetSdkBlock) {

                if (request.getInstallerPackageName() == null) {

                    bypassLowTargetSdkBlock = true;

                } else {

                    // Also skip if the install is occurring from an app that was installed from adb

                    if (mContext

                            .getPackageManager()

                            .getInstallerPackageName(request.getInstallerPackageName()) == null) {

                        bypassLowTargetSdkBlock = true;

                    }

                }

            }

        // Skip enforcement when the testOnly flag is set

        if (!bypassLowTargetSdkBlock && parsedPackage.isTestOnly()) {

            bypassLowTargetSdkBlock = true;

        // Enforce the low target sdk install block except when

        // the --bypass-low-target-sdk-block is set for the install

        if (!bypassLowTargetSdkBlock

                    && parsedPackage.getTargetSdkVersion() < minInstallableTargetSdk) {

                && parsedPackage.getTargetSdkVersion() < MIN_INSTALLABLE_TARGET_SDK) {

            Slog.w(TAG, "App " + parsedPackage.getPackageName()

                    + " targets deprecated sdk version");

            throw new PrepareFailure(INSTALL_FAILED_DEPRECATED_SDK_VERSION,

                    "App package must target at least SDK version "

                                + minInstallableTargetSdk + ", but found "

                            + MIN_INSTALLABLE_TARGET_SDK + ", but found "

                            + parsedPackage.getTargetSdkVersion());

        }

        }

        // Instant apps have several additional install-time checks.

        if (instantApp) {

    // How many required verifiers can be on the system.

    private static final int REQUIRED_VERIFIERS_MAX_COUNT = 2;

    /**

     * Specifies the minimum target SDK version an apk must specify in order to be installed

     * on the system. This improves security and privacy by blocking low

     * target sdk apps as malware can target older sdk versions to avoid

     * the enforcement of new API behavior.

     */

    public static final int MIN_INSTALLABLE_TARGET_SDK = Build.VERSION_CODES.M;

    // Compilation reasons.

    // TODO(b/260124949): Clean this up with the legacy dexopt code.

    public static final int REASON_FIRST_BOOT = 0;