Merge "DO NOT MERGE: Verify INSTALL_PACKAGES permissions when adding installer package" into pi-dev

author: Winson Chiu <chiuwinson@google.com> 2020-06-03 18:34:30 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2020-06-03 18:34:30 +0000
commit: 2faaf6f47f34f6202776eed09183b71b6940b6f8 (patch)
tree: 7e50910d5c0c5eee657e3b79839dfcd7aded7dbe
parent: 63369efdc77e23be04c7b41524cfdefcb8a1ffc8 (diff)
parent: 8220483a2ed83dbaf838803d45bc58cadede4208 (diff)
1 files changed, 27 insertions, 13 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 8d43959fb2c2..46f2de4404a8 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -14926,19 +14926,33 @@ public class PackageManagerService extends IPackageManager.Stub
 
             // Verify: if target already has an installer package, it must
             // be signed with the same cert as the caller.
-            if (targetPackageSetting.installerPackageName != null) {
-                PackageSetting setting = mSettings.mPackages.get(
-                        targetPackageSetting.installerPackageName);
-                // If the currently set package isn't valid, then it's always
-                // okay to change it.
-                if (setting != null) {
-                    if (compareSignatures(callerSignature,
-                            setting.signatures.mSigningDetails.signatures)
-                            != PackageManager.SIGNATURE_MATCH) {
-                        throw new SecurityException(
-                                "Caller does not have same cert as old installer package "
-                                + targetPackageSetting.installerPackageName);
-                    }
+            String targetInstallerPackageName =
+                    targetPackageSetting.installerPackageName;
+            PackageSetting targetInstallerPkgSetting = targetInstallerPackageName == null ? null :
+                    mSettings.mPackages.get(targetInstallerPackageName);
+
+            if (targetInstallerPkgSetting != null) {
+                if (compareSignatures(callerSignature,
+                        targetInstallerPkgSetting.signatures.mSigningDetails.signatures)
+                        != PackageManager.SIGNATURE_MATCH) {
+                    throw new SecurityException(
+                            "Caller does not have same cert as old installer package "
+                                    + targetInstallerPackageName);
+                }
+            } else if (mContext.checkCallingOrSelfPermission(Manifest.permission.INSTALL_PACKAGES)
+                    != PackageManager.PERMISSION_GRANTED) {
+                // This is probably an attempt to exploit vulnerability b/150857253 of taking
+                // privileged installer permissions when the installer has been uninstalled or
+                // was never set.
+                EventLog.writeEvent(0x534e4554, "150857253", callingUid, "");
+
+                // Backport, use raw SDK value
+                if (getUidTargetSdkVersionLockedLPr(callingUid) > 29) {
+                    throw new SecurityException("Neither user " + callingUid
+                            + " nor current process has " + Manifest.permission.INSTALL_PACKAGES);
+                } else {
+                    // If not targeting >29, fail silently for backwards compatibility
+                    return;
                 }
             }
author	Winson Chiu <chiuwinson@google.com>	2020-06-03 18:34:30 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2020-06-03 18:34:30 +0000
commit	2faaf6f47f34f6202776eed09183b71b6940b6f8 (patch)
tree	7e50910d5c0c5eee657e3b79839dfcd7aded7dbe
parent	63369efdc77e23be04c7b41524cfdefcb8a1ffc8 (diff)
parent	8220483a2ed83dbaf838803d45bc58cadede4208 (diff)