
Commit c89245f5 authored by Mathew Inwood's avatar Mathew Inwood Committed by android-build-merger

Merge "Exempt platform-cert signed apps from hidden API checks." into pi-dev am: 0e650c1c

am: 85a2c917

Change-Id: I54a5fc64c5c1f1bfba3f4e90a6af811ddecd2689
parents e453b47f 85a2c917
+19 −1
@@ -610,6 +610,13 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
     */
    public static final int PRIVATE_FLAG_PRODUCT = 1 << 19;

    /**
     * Value for {@link #privateFlags}: whether this app is signed with the
     * platform key.
     * @hide
     */
    public static final int PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY = 1 << 20;

    /** @hide */
    @IntDef(flag = true, prefix = { "PRIVATE_FLAG_" }, value = {
            PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE,
@@ -629,6 +636,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
            PRIVATE_FLAG_PRIVILEGED,
            PRIVATE_FLAG_PRODUCT,
            PRIVATE_FLAG_REQUIRED_FOR_SYSTEM_USER,
            PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY,
            PRIVATE_FLAG_STATIC_SHARED_LIBRARY,
            PRIVATE_FLAG_VENDOR,
            PRIVATE_FLAG_VIRTUAL_PRELOAD,
@@ -1658,6 +1666,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
        return SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName);
    }

    private boolean isAllowedToUseHiddenApis() {
        return isSignedWithPlatformKey()
            || (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp()));
    }

    /**
     * @hide
     */
@@ -1665,7 +1678,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
        if (mHiddenApiPolicy != HIDDEN_API_ENFORCEMENT_DEFAULT) {
            return mHiddenApiPolicy;
        }
        if (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp())) {
        if (isAllowedToUseHiddenApis()) {
            return HIDDEN_API_ENFORCEMENT_NONE;
        }
        return HIDDEN_API_ENFORCEMENT_BLACK;
@@ -1757,6 +1770,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable {
        return (privateFlags & ApplicationInfo.PRIVATE_FLAG_PARTIALLY_DIRECT_BOOT_AWARE) != 0;
    }

    /** @hide */
    public boolean isSignedWithPlatformKey() {
        return (privateFlags & ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY) != 0;
    }

    /** @hide */
    @TestApi
    public boolean isPrivilegedApp() {
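Review bot: `isAllowedToUseHiddenApis()` has no comment saying that its platform-key branch, unlike the whitelist branch, does not require `isSystemApp()` or `isUpdatedSystemApp()`, so any package carrying `PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY` gets `HIDDEN_API_ENFORCEMENT_NONE` wherever it is installed. If that is intended, a Javadoc line would record it, for example `/** Platform-signed apps are exempt regardless of install location; whitelisted packages only when they are (updated) system apps. */`. The decision is only as trustworthy as `privateFlags`, which `isSignedWithPlatformKey()` reads with a plain bit test; that method should note that the bit is expected to be set by the package manager during scanning (the setter is in another file of this commit). On builds signed with a widely shared development key the exemption presumably extends to anything signed with that key, which is worth a sentence in the flag's Javadoc.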
+2 −63
@@ -17,66 +17,28 @@

<!--
This XML file declares which system apps should be exempted from the hidden API blacklisting, i.e.
which apps should be allowed to access the entire private API.
which apps should be allowed to access the entire private API. Only apps NOT signed with the
platform cert need to be included, as apps signed with the platform cert are exempted by default.
-->

<config>
  <hidden-api-whitelisted-app package="android.car.cluster.loggingrenderer" />
  <hidden-api-whitelisted-app package="android.car.input.service" />
  <hidden-api-whitelisted-app package="android.car.usb.handler" />
  <hidden-api-whitelisted-app package="android.ext.services" />
  <hidden-api-whitelisted-app package="com.android.apps.tag" />
  <hidden-api-whitelisted-app package="com.android.backupconfirm" />
  <hidden-api-whitelisted-app package="com.android.basicsmsreceiver" />
  <hidden-api-whitelisted-app package="com.android.bluetooth" />
  <hidden-api-whitelisted-app package="com.android.bluetoothdebug" />
  <hidden-api-whitelisted-app package="com.android.bluetoothmidiservice" />
  <hidden-api-whitelisted-app package="com.android.bookmarkprovider" />
  <hidden-api-whitelisted-app package="com.android.calllogbackup" />
  <hidden-api-whitelisted-app package="com.android.camera" />
  <hidden-api-whitelisted-app package="com.android.captiveportallogin" />
  <hidden-api-whitelisted-app package="com.android.car" />
  <hidden-api-whitelisted-app package="com.android.car.dialer" />
  <hidden-api-whitelisted-app package="com.android.car.hvac" />
  <hidden-api-whitelisted-app package="com.android.car.mapsplaceholder" />
  <hidden-api-whitelisted-app package="com.android.car.media" />
  <hidden-api-whitelisted-app package="com.android.car.media.localmediaplayer" />
  <hidden-api-whitelisted-app package="com.android.car.messenger" />
  <hidden-api-whitelisted-app package="com.android.car.overview" />
  <hidden-api-whitelisted-app package="com.android.car.radio" />
  <hidden-api-whitelisted-app package="com.android.car.settings" />
  <hidden-api-whitelisted-app package="com.android.car.stream" />
  <hidden-api-whitelisted-app package="com.android.car.systemupdater" />
  <hidden-api-whitelisted-app package="com.android.car.trust" />
  <hidden-api-whitelisted-app package="com.android.carrierconfig" />
  <hidden-api-whitelisted-app package="com.android.carrierdefaultapp" />
  <hidden-api-whitelisted-app package="com.android.cellbroadcastreceiver" />
  <hidden-api-whitelisted-app package="com.android.certinstaller" />
  <hidden-api-whitelisted-app package="com.android.companiondevicemanager" />
  <hidden-api-whitelisted-app package="com.android.customlocale2" />
  <hidden-api-whitelisted-app package="com.android.defcontainer" />
  <hidden-api-whitelisted-app package="com.android.development" />
  <hidden-api-whitelisted-app package="com.android.documentsui" />
  <hidden-api-whitelisted-app package="com.android.dreams.basic" />
  <hidden-api-whitelisted-app package="com.android.egg" />
  <hidden-api-whitelisted-app package="com.android.emergency" />
  <hidden-api-whitelisted-app package="com.android.externalstorage" />
  <hidden-api-whitelisted-app package="com.android.fakeoemfeatures" />
  <hidden-api-whitelisted-app package="com.android.gallery" />
  <hidden-api-whitelisted-app package="com.android.hotspot2" />
  <hidden-api-whitelisted-app package="com.android.keychain" />
  <hidden-api-whitelisted-app package="com.android.launcher3" />
  <hidden-api-whitelisted-app package="com.android.location.fused" />
  <hidden-api-whitelisted-app package="com.android.managedprovisioning" />
  <hidden-api-whitelisted-app package="com.android.mms.service" />
  <hidden-api-whitelisted-app package="com.android.mtp" />
  <hidden-api-whitelisted-app package="com.android.musicfx" />
  <hidden-api-whitelisted-app package="com.android.nfc" />
  <hidden-api-whitelisted-app package="com.android.osu" />
  <hidden-api-whitelisted-app package="com.android.packageinstaller" />
  <hidden-api-whitelisted-app package="com.android.pacprocessor" />
  <hidden-api-whitelisted-app package="com.android.phone" />
  <hidden-api-whitelisted-app package="com.android.pmc" />
  <hidden-api-whitelisted-app package="com.android.printservice.recommendation" />
  <hidden-api-whitelisted-app package="com.android.printspooler" />
  <hidden-api-whitelisted-app package="com.android.providers.blockednumber" />
@@ -85,36 +47,13 @@ which apps should be allowed to access the entire private API.
  <hidden-api-whitelisted-app package="com.android.providers.downloads" />
  <hidden-api-whitelisted-app package="com.android.providers.downloads.ui" />
  <hidden-api-whitelisted-app package="com.android.providers.media" />
  <hidden-api-whitelisted-app package="com.android.providers.settings" />
  <hidden-api-whitelisted-app package="com.android.providers.telephony" />
  <hidden-api-whitelisted-app package="com.android.providers.tv" />
  <hidden-api-whitelisted-app package="com.android.providers.userdictionary" />
  <hidden-api-whitelisted-app package="com.android.provision" />
  <hidden-api-whitelisted-app package="com.android.proxyhandler" />
  <hidden-api-whitelisted-app package="com.android.sdksetup" />
  <hidden-api-whitelisted-app package="com.android.se" />
  <hidden-api-whitelisted-app package="com.android.server.telecom" />
  <hidden-api-whitelisted-app package="com.android.service.ims" />
  <hidden-api-whitelisted-app package="com.android.service.ims.presence" />
  <hidden-api-whitelisted-app package="com.android.settings" />
  <hidden-api-whitelisted-app package="com.android.sharedstoragebackup" />
  <hidden-api-whitelisted-app package="com.android.shell" />
  <hidden-api-whitelisted-app package="com.android.smspush" />
  <hidden-api-whitelisted-app package="com.android.spare_parts" />
  <hidden-api-whitelisted-app package="com.android.statementservice" />
  <hidden-api-whitelisted-app package="com.android.stk" />
  <hidden-api-whitelisted-app package="com.android.storagemanager" />
  <hidden-api-whitelisted-app package="com.android.support.car.lenspicker" />
  <hidden-api-whitelisted-app package="com.android.systemui" />
  <hidden-api-whitelisted-app package="com.android.systemui.plugins" />
  <hidden-api-whitelisted-app package="com.android.terminal" />
  <hidden-api-whitelisted-app package="com.android.timezone.updater" />
  <hidden-api-whitelisted-app package="com.android.traceur" />
  <hidden-api-whitelisted-app package="com.android.tv.settings" />
  <hidden-api-whitelisted-app package="com.android.vpndialogs" />
  <hidden-api-whitelisted-app package="com.android.wallpaper.livepicker" />
  <hidden-api-whitelisted-app package="com.android.wallpaperbackup" />
  <hidden-api-whitelisted-app package="com.android.wallpapercropper" />
  <hidden-api-whitelisted-app package="com.googlecode.android_scripting" />
  <hidden-api-whitelisted-app package="jp.co.omronsoft.openwnn" />
</config>
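Review bot: The updated header comment says platform-signed apps are exempt by default but leaves out the second condition for listed packages: per `isAllowedToUseHiddenApis()` in this commit, a whitelist entry only takes effect when the package is a system app or an updated system app. I would add a sentence such as `Entries apply only to system apps and updated system apps.` Nothing visible here checks that each dropped package is platform-signed on every product that ships this file, so a package signed with a different key would presumably fall back to blacklist enforcement without warning. Which entries were dropped cannot be told from this rendering.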
+12 −3
@@ -8704,7 +8704,7 @@ public class PackageManagerService extends IPackageManager.Stub
                            disabledPkgSetting /* pkgSetting */, null /* disabledPkgSetting */,
                            null /* originalPkgSetting */, null, parseFlags, scanFlags,
                            (pkg == mPlatformPackage), user);
                    applyPolicy(pkg, parseFlags, scanFlags);
                    applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);
                    scanPackageOnlyLI(request, mFactoryTest, -1L);
                }
            }
@@ -10034,7 +10034,7 @@ public class PackageManagerService extends IPackageManager.Stub
        scanFlags = adjustScanFlags(scanFlags, pkgSetting, disabledPkgSetting, user, pkg);
        synchronized (mPackages) {
            applyPolicy(pkg, parseFlags, scanFlags);
            applyPolicy(pkg, parseFlags, scanFlags, mPlatformPackage);
            assertPackageIsValid(pkg, parseFlags, scanFlags);
            SharedUserSetting sharedUserSetting = null;
@@ -10714,7 +10714,7 @@ public class PackageManagerService extends IPackageManager.Stub
     * ideally be static, but, it requires locks to read system state.
     */
    private static void applyPolicy(PackageParser.Package pkg, final @ParseFlags int parseFlags,
            final @ScanFlags int scanFlags) {
            final @ScanFlags int scanFlags, PackageParser.Package platformPkg) {
        if ((scanFlags & SCAN_AS_SYSTEM) != 0) {
            pkg.applicationInfo.flags |= ApplicationInfo.FLAG_SYSTEM;
            if (pkg.applicationInfo.isDirectBootAware()) {
@@ -10800,6 +10800,15 @@ public class PackageManagerService extends IPackageManager.Stub
            pkg.applicationInfo.privateFlags |= ApplicationInfo.PRIVATE_FLAG_PRODUCT;
        }
        // Check if the package is signed with the same key as the platform package.
        if (PLATFORM_PACKAGE_NAME.equals(pkg.packageName) ||
                (platformPkg != null && compareSignatures(
                        platformPkg.mSigningDetails.signatures,
                        pkg.mSigningDetails.signatures) == PackageManager.SIGNATURE_MATCH)) {
            pkg.applicationInfo.privateFlags |=
                ApplicationInfo.PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY;
        }
        if (!isSystemApp(pkg)) {
            // Only system apps can use these features.
            pkg.mOriginalPackages = null;
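Review bot: The `PLATFORM_PACKAGE_NAME.equals(pkg.packageName)` branch in the last hunk sets `PRIVATE_FLAG_SIGNED_WITH_PLATFORM_KEY` on a name match alone, with no signature comparison and no tie to `SCAN_AS_SYSTEM`, and `applyPolicy()` runs before `assertPackageIsValid()` at the call site in the second hunk. If the branch exists only for the platform package's own scan, when `platformPkg` is presumably still null, it could be narrowed to `(platformPkg == null && PLATFORM_PACKAGE_NAME.equals(pkg.packageName)) ||` and explained with `// Bootstrap: the platform package is scanned before mPlatformPackage is set.` The `platformPkg != null` guard also means a package scanned before the platform package is known never gets the flag even when its signatures match, so the result depends on scan order; that deserves a comment or a log line. `applyPolicy()` starts and ends outside these hunks.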