Merge "Enable low target sdk install block by default" into udc-dev

author: Nick Kovacs <nrkovacs@google.com> 2023-03-14 18:09:39 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2023-03-14 18:09:39 +0000
commit: ac5fd08d68a6ec49865589dc1e30789b7d03c388 (patch)
tree: e4175a4302af59f909d20ea9d910ce31ad64911a
parent: 3e2a533ad1a9ae0ea54ba6ef88d8c88bb4059b90 (diff)
parent: ace5fd11203af0c83fb62cd8e8e2b58b8f950b68 (diff)
2 files changed, 12 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index 7fe6c7d5aa93..569999e48dea 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -1134,22 +1134,22 @@ final class InstallPackageHelper {
         // behavior.
         if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
                 "MinInstallableTargetSdk__install_block_enabled",
-                false)) {
+                true)) {
             int minInstallableTargetSdk =
                     DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
                             "MinInstallableTargetSdk__min_installable_target_sdk",
-                            0);
+                            PackageManagerService.MIN_INSTALLABLE_TARGET_SDK);
 
             // Determine if enforcement is in strict mode
             boolean strictMode = false;
 
             if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
                     "MinInstallableTargetSdk__install_block_strict_mode_enabled",
-                    false)) {
+                    true)) {
                 if (parsedPackage.getTargetSdkVersion()
                         < DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
                         "MinInstallableTargetSdk__strict_mode_target_sdk",
-                        0)) {
+                        PackageManagerService.MIN_INSTALLABLE_TARGET_SDK)) {
                     strictMode = true;
                 }
             }
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index d3ee52c48448..c5d7d075efd1 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -557,6 +557,14 @@ public class PackageManagerService implements PackageSender, TestUtilityService
     // How many required verifiers can be on the system.
     private static final int REQUIRED_VERIFIERS_MAX_COUNT = 2;
 
+    /**
+     * Specifies the minimum target SDK version an apk must specify in order to be installed
+     * on the system. This improves security and privacy by blocking low
+     * target sdk apps as malware can target older sdk versions to avoid
+     * the enforcement of new API behavior.
+     */
+    public static final int MIN_INSTALLABLE_TARGET_SDK = Build.VERSION_CODES.M;
+
     // Compilation reasons.
     // TODO(b/260124949): Clean this up with the legacy dexopt code.
     public static final int REASON_FIRST_BOOT = 0;
author	Nick Kovacs <nrkovacs@google.com>	2023-03-14 18:09:39 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2023-03-14 18:09:39 +0000
commit	ac5fd08d68a6ec49865589dc1e30789b7d03c388 (patch)
tree	e4175a4302af59f909d20ea9d910ce31ad64911a
parent	3e2a533ad1a9ae0ea54ba6ef88d8c88bb4059b90 (diff)
parent	ace5fd11203af0c83fb62cd8e8e2b58b8f950b68 (diff)