summaryrefslogtreecommitdiffstats
path: root/services
diff options
context:
space:
mode:
authorSvetoslav <svetoslavganov@google.com>2015-07-06 18:31:23 -0700
committerSvetoslav <svetoslavganov@google.com>2015-07-07 14:02:51 -0700
commit3e7d977ff7c743713f0ad6336a039d7760ba47d1 (patch)
tree78c832f2bf7fde55fd89dcfcebf19db74e7e6ac1 /services
parent79d9219c9f9734025837a01a6f8e490d1e0ab57e (diff)
downloadframeworks_base-3e7d977ff7c743713f0ad6336a039d7760ba47d1.zip
frameworks_base-3e7d977ff7c743713f0ad6336a039d7760ba47d1.tar.gz
frameworks_base-3e7d977ff7c743713f0ad6336a039d7760ba47d1.tar.bz2
Grant installer and verifier install permissions robustly
bug:22248271 Change-Id: I3a47ae9a112ba7d88b421fcb5f9651d1168ba7a5
Diffstat (limited to 'services')
-rw-r--r--services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java124
-rw-r--r--services/core/java/com/android/server/pm/PackageManagerService.java49
2 files changed, 64 insertions, 109 deletions
diff --git a/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
index 453f123..b10894f 100644
--- a/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
+++ b/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java
@@ -54,7 +54,6 @@ final class DefaultPermissionGrantPolicy {
private static final String TAG = "DefaultPermGrantPolicy"; // must be <= 23 chars
private static final boolean DEBUG = false;
- private static final String PACKAGE_MIME_TYPE = "application/vnd.android.package-archive";
private static final String AUDIO_MIME_TYPE = "audio/mpeg";
private static final Set<String> PHONE_PERMISSIONS = new ArraySet<>();
@@ -127,19 +126,6 @@ final class DefaultPermissionGrantPolicy {
SETTINGS_PERMISSIONS.add(Manifest.permission.WRITE_SETTINGS);
}
- private static final Set<String> INSTALLER_PERMISSIONS = new ArraySet<>();
- static {
- INSTALLER_PERMISSIONS.add(Manifest.permission.GRANT_REVOKE_PERMISSIONS);
- INSTALLER_PERMISSIONS.add(Manifest.permission.INTERACT_ACROSS_USERS_FULL);
- INSTALLER_PERMISSIONS.add(Manifest.permission.CLEAR_APP_USER_DATA);
- INSTALLER_PERMISSIONS.add(Manifest.permission.KILL_UID);
- }
-
- private static final Set<String> VERIFIER_PERMISSIONS = new ArraySet<>();
- static {
- INSTALLER_PERMISSIONS.add(Manifest.permission.GRANT_REVOKE_PERMISSIONS);
- }
-
private final PackageManagerService mService;
private PackagesProvider mImePackagesProvider;
@@ -250,30 +236,20 @@ final class DefaultPermissionGrantPolicy {
syncAdapterPackagesProvider.getPackages(CalendarContract.AUTHORITY, userId) : null;
synchronized (mService.mPackages) {
- // Installers
- Intent installerIntent = new Intent(Intent.ACTION_INSTALL_PACKAGE);
- installerIntent.addCategory(Intent.CATEGORY_DEFAULT);
- installerIntent.setDataAndType(Uri.fromFile(new File("foo.apk")),
- PACKAGE_MIME_TYPE);
- List<PackageParser.Package> installerPackages =
- getPrivilegedHandlerActivityPackagesLPr(installerIntent, userId);
- final int installerCount = installerPackages.size();
- for (int i = 0; i < installerCount; i++) {
- PackageParser.Package installPackage = installerPackages.get(i);
- grantInstallPermissionsLPw(installPackage, INSTALLER_PERMISSIONS, userId);
- grantRuntimePermissionsLPw(installPackage, STORAGE_PERMISSIONS, true, userId);
- }
-
- // Verifiers
- Intent verifierIntent = new Intent(Intent.ACTION_PACKAGE_NEEDS_VERIFICATION);
- verifierIntent.setType(PACKAGE_MIME_TYPE);
- List<PackageParser.Package> verifierPackages =
- getPrivilegedHandlerReceiverPackagesLPr(verifierIntent, userId);
- final int verifierCount = verifierPackages.size();
- for (int i = 0; i < verifierCount; i++) {
- PackageParser.Package verifierPackage = verifierPackages.get(i);
- grantInstallPermissionsLPw(verifierPackage, VERIFIER_PERMISSIONS, userId);
- grantRuntimePermissionsLPw(verifierPackage, STORAGE_PERMISSIONS, userId);
+ // Installer
+ PackageParser.Package installerPackage = getSystemPackageLPr(
+ mService.mRequiredInstallerPackage);
+ if (installerPackage != null
+ && doesPackageSupportRuntimePermissions(installerPackage)) {
+ grantRuntimePermissionsLPw(installerPackage, STORAGE_PERMISSIONS, true, userId);
+ }
+
+ // Verifier
+ PackageParser.Package verifierPackage = getSystemPackageLPr(
+ mService.mRequiredVerifierPackage);
+ if (verifierPackage != null
+ && doesPackageSupportRuntimePermissions(verifierPackage)) {
+ grantRuntimePermissionsLPw(verifierPackage, STORAGE_PERMISSIONS, true, userId);
}
// SetupWizard
@@ -636,39 +612,10 @@ final class DefaultPermissionGrantPolicy {
}
}
- private List<PackageParser.Package> getPrivilegedHandlerReceiverPackagesLPr(
- Intent intent, int userId) {
- List<ResolveInfo> handlers = mService.queryIntentReceivers(
- intent, intent.resolveTypeIfNeeded(mService.mContext.getContentResolver()),
- 0, userId);
- return getPrivilegedPackages(handlers);
- }
-
- private List<PackageParser.Package> getPrivilegedHandlerActivityPackagesLPr(
- Intent intent, int userId) {
- List<ResolveInfo> handlers = mService.queryIntentActivities(
- intent, intent.resolveTypeIfNeeded(mService.mContext.getContentResolver()),
- 0, userId);
- return getPrivilegedPackages(handlers);
- }
-
- private List<PackageParser.Package> getPrivilegedPackages(List<ResolveInfo> resolveInfos) {
- List<PackageParser.Package> handlerPackages = new ArrayList<>();
- final int handlerCount = resolveInfos.size();
- for (int i = 0; i < handlerCount; i++) {
- ResolveInfo handler = resolveInfos.get(i);
- PackageParser.Package handlerPackage = getPrivilegedPackageLPr(
- handler.activityInfo.packageName);
- if (handlerPackage != null) {
- handlerPackages.add(handlerPackage);
- }
- }
- return handlerPackages;
- }
-
private PackageParser.Package getDefaultSystemHandlerActivityPackageLPr(
Intent intent, int userId) {
- List<ResolveInfo> handlers = mService.queryIntentActivities(intent, null, 0, userId);
+ List<ResolveInfo> handlers = mService.queryIntentActivities(intent,
+ intent.resolveType(mService.mContext.getContentResolver()), 0, userId);
final int handlerCount = handlers.size();
for (int i = 0; i < handlerCount; i++) {
ResolveInfo handler = handlers.get(i);
@@ -728,18 +675,9 @@ final class DefaultPermissionGrantPolicy {
return null;
}
- private PackageParser.Package getPrivilegedPackageLPr(String packageName) {
- PackageParser.Package pkg = mService.mPackages.get(packageName);
- if (pkg != null && pkg.applicationInfo.isPrivilegedApp()) {
- return !isSysComponentOrPersistentPrivApp(pkg) ? pkg : null;
- }
- return null;
- }
-
private void grantRuntimePermissionsLPw(PackageParser.Package pkg, Set<String> permissions,
int userId) {
grantRuntimePermissionsLPw(pkg, permissions, false, userId);
-
}
private void grantRuntimePermissionsLPw(PackageParser.Package pkg, Set<String> permissions,
@@ -781,36 +719,6 @@ final class DefaultPermissionGrantPolicy {
}
}
- private void grantInstallPermissionsLPw(PackageParser.Package pkg, Set<String> permissions,
- int userId) {
- List<String> requestedPermissions = pkg.requestedPermissions;
-
- if (pkg.isUpdatedSystemApp()) {
- PackageSetting sysPs = mService.mSettings.getDisabledSystemPkgLPr(pkg.packageName);
- if (sysPs != null) {
- requestedPermissions = sysPs.pkg.requestedPermissions;
- }
- }
-
- final int permissionCount = requestedPermissions.size();
- for (int i = 0; i < permissionCount; i++) {
- String permission = requestedPermissions.get(i);
- if (permissions.contains(permission)) {
- final int flags = mService.getPermissionFlags(permission, pkg.packageName, userId);
-
- // If any flags are set to the permission, then it is either set in
- // its current state by the system or device/profile owner or the user.
- // In all these cases we do not want to clobber the current state.
- if (flags == 0) {
- mService.grantInstallPermissionLPw(permission, pkg);
- if (DEBUG) {
- Log.i(TAG, "Granted install " + permission + " to " + pkg.packageName);
- }
- }
- }
- }
- }
-
private static boolean isSysComponentOrPersistentPrivApp(PackageParser.Package pkg) {
return UserHandle.getAppId(pkg.applicationInfo.uid) < FIRST_APPLICATION_UID
|| ((pkg.applicationInfo.privateFlags
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 0240dbb..5e0d3d8 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -928,7 +928,8 @@ public class PackageManagerService extends IPackageManager.Stub {
private static final String TAG_DEFAULT_APPS = "da";
private static final String TAG_INTENT_FILTER_VERIFICATION = "iv";
- private final String mRequiredVerifierPackage;
+ final String mRequiredVerifierPackage;
+ final String mRequiredInstallerPackage;
private final PackageUsage mPackageUsage = new PackageUsage();
@@ -2262,6 +2263,7 @@ public class PackageManagerService extends IPackageManager.Stub {
SystemClock.uptimeMillis());
mRequiredVerifierPackage = getRequiredVerifierLPr();
+ mRequiredInstallerPackage = getRequiredInstallerLPr();
mInstallerService = new PackageInstallerService(context, this);
@@ -2328,6 +2330,39 @@ public class PackageManagerService extends IPackageManager.Stub {
return requiredVerifier;
}
+ private String getRequiredInstallerLPr() {
+ Intent installerIntent = new Intent(Intent.ACTION_INSTALL_PACKAGE);
+ installerIntent.addCategory(Intent.CATEGORY_DEFAULT);
+ installerIntent.setDataAndType(Uri.fromFile(new File("foo.apk")), PACKAGE_MIME_TYPE);
+
+ final List<ResolveInfo> installers = queryIntentActivities(installerIntent,
+ PACKAGE_MIME_TYPE, 0, 0);
+
+ String requiredInstaller = null;
+
+ final int N = installers.size();
+ for (int i = 0; i < N; i++) {
+ final ResolveInfo info = installers.get(i);
+ final String packageName = info.activityInfo.packageName;
+
+ if (!info.activityInfo.applicationInfo.isSystemApp()) {
+ continue;
+ }
+
+ if (requiredInstaller != null) {
+ throw new RuntimeException("There must be one required installer");
+ }
+
+ requiredInstaller = packageName;
+ }
+
+ if (requiredInstaller == null) {
+ throw new RuntimeException("There must be one required installer");
+ }
+
+ return requiredInstaller;
+ }
+
private ComponentName getIntentFilterVerifierComponentNameLPr() {
final Intent verification = new Intent(Intent.ACTION_INTENT_FILTER_NEEDS_VERIFICATION);
final List<ResolveInfo> receivers = queryIntentReceivers(verification, PACKAGE_MIME_TYPE,
@@ -8428,6 +8463,18 @@ public class PackageManagerService extends IPackageManager.Stub {
// we still want to blindly grant it to old apps.
allowed = true;
}
+ if (!allowed && (bp.protectionLevel & PermissionInfo.PROTECTION_FLAG_INSTALLER) != 0
+ && pkg.packageName.equals(mRequiredInstallerPackage)) {
+ // If this permission is to be granted to the system installer and
+ // this app is an installer, then it gets the permission.
+ allowed = true;
+ }
+ if (!allowed && (bp.protectionLevel & PermissionInfo.PROTECTION_FLAG_VERIFIER) != 0
+ && pkg.packageName.equals(mRequiredVerifierPackage)) {
+ // If this permission is to be granted to the system verifier and
+ // this app is a verifier, then it gets the permission.
+ allowed = true;
+ }
if (!allowed && (bp.protectionLevel
& PermissionInfo.PROTECTION_FLAG_DEVELOPMENT) != 0) {
// For development permissions, a development permission