| author | 2018-01-23 01:16:18 -0800 | |
|---|---|---|
| committer | 2018-01-23 09:45:54 -0800 | |
| commit | 2ede04735081bd8c0e399a280484fb9e6089f33f (patch) | |
| tree | fb3dc5e70c9338e433e001fb3c4744ce2206ba5f | |
| parent | d66cfdfc9a13be412a5a832149071ea3154e4a6f (diff) | |
pm: Scan as privileged apps that share a privileged user
Bug: 72235911
Test: build/flash Taimen, verify userdictionary provider
is scanned as priv-app.
Test: gts-tradefed run everything
Change-Id: I6b99135e1264a7ad7be818feb9a52c299349e96d
| -rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 31 |
1 files changed, 28 insertions, 3 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index faf6114237cd..8a250bfef836 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -9765,8 +9765,9 @@ Slog.e("TODD",
 * <li>{@link #SCAN_AS_VIRTUAL_PRELOAD}</li>
 * </ul>
 */
- private static @ScanFlags int adjustScanFlags(@ScanFlags int scanFlags,
- PackageSetting pkgSetting, PackageSetting disabledPkgSetting, UserHandle user) {
+ private @ScanFlags int adjustScanFlags(@ScanFlags int scanFlags,
+ PackageSetting pkgSetting, PackageSetting disabledPkgSetting, UserHandle user,
+ PackageParser.Package pkg) {
 if (disabledPkgSetting != null) {
 // updated system application, must at least have SCAN_AS_SYSTEM
 scanFlags |= SCAN_AS_SYSTEM;
@@ -9792,6 +9793,30 @@ Slog.e("TODD",
 scanFlags |= SCAN_AS_VIRTUAL_PRELOAD;
 }
 }
+
+ // Scan as privileged apps that share a user with a priv-app.
+ if (((scanFlags & SCAN_AS_PRIVILEGED) == 0) && !pkg.isPrivileged()
+ && (pkg.mSharedUserId != null)) {
+ SharedUserSetting sharedUserSetting = null;
+ try {
+ sharedUserSetting = mSettings.getSharedUserLPw(pkg.mSharedUserId, 0, 0, false);
+ } catch (PackageManagerException ignore) {}
+ if (sharedUserSetting != null && sharedUserSetting.isPrivileged()) {
+ // Exempt SharedUsers signed with the platform key.
+ // TODO(b/72378145) Fix this exemption. Force signature apps
+ // to whitelist their privileged permissions just like other
+ // priv-apps.
+ synchronized (mPackages) {
+ PackageSetting platformPkgSetting = mSettings.mPackages.get("android");
+ if (!pkg.packageName.equals("android")
+ && (compareSignatures(platformPkgSetting.signatures.mSignatures,
+ pkg.mSigningDetails.signatures) != PackageManager.SIGNATURE_MATCH)) {
+ scanFlags |= SCAN_AS_PRIVILEGED;
+ }
+ }
+ }
+ }
+
 return scanFlags;
 }
 
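Review bot: The added `mSettings.getSharedUserLPw(pkg.mSharedUserId, 0, 0, false)` call runs before the new `synchronized (mPackages)` block, and the call site in the last hunk also sits above its own `synchronized (mPackages)`, so unless a caller outside these hunks already holds the lock, a method whose `LPw` suffix marks it as needing the packages lock is reached without it; opening `synchronized (mPackages) {` before the `try` would cover the lookup and the signature comparison together. The empty `catch (PackageManagerException ignore) {}` means a failed lookup silently skips a decision that controls whether the package is scanned as privileged, so it deserves at least a log line such as `Slog.w(TAG, "Shared user lookup failed for " + pkg.packageName, e);`. `platformPkgSetting` is dereferenced without a null check, so the condition would read more safely as `if (platformPkgSetting != null && !pkg.packageName.equals("android")`, with a comment stating which way the flag should default when the platform package setting is missing. The middle of adjustScanFlags lies between the two hunks and is not visible here.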
@@ -9815,7 +9840,7 @@ Slog.e("TODD",
 + " was transferred to another, but its .apk remains");
 }
 
- scanFlags = adjustScanFlags(scanFlags, pkgSetting, disabledPkgSetting, user);
+ scanFlags = adjustScanFlags(scanFlags, pkgSetting, disabledPkgSetting, user, pkg);
 synchronized (mPackages) {
 applyPolicy(pkg, parseFlags, scanFlags);
 assertPackageIsValid(pkg, parseFlags, scanFlags); |