author Nick Kovacs <nrkovacs@google.com> 2023-03-03 20:37:46 +0000
committer Nick Kovacs <nrkovacs@google.com> 2023-03-13 18:43:56 +0000
commitace5fd11203af0c83fb62cd8e8e2b58b8f950b68 (patch)
treeecd1d2e05209076b2b3083c7e50d1519ca3594bb
parent3eb0a87531cbdbbe38b041e3cabf0109055b7884 (diff)
Enable low target sdk install block by default
Update the feature flags to enable the install block by default. This will ensure that non-GMS devices without feature flagging have this enforcement as well. Bug: 237321649 Test: atest PackageManagerTests Change-Id: I4f6815906455175cfedf126df4ac694ba6f4684c
-rw-r--r--services/core/java/com/android/server/pm/InstallPackageHelper.java8
-rw-r--r--services/core/java/com/android/server/pm/PackageManagerService.java8
2 files changed, 12 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index 7fe6c7d5aa93..569999e48dea 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -1134,22 +1134,22 @@ final class InstallPackageHelper {
// behavior.
if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
"MinInstallableTargetSdk__install_block_enabled",
- false)) {
+ true)) {
int minInstallableTargetSdk =
DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
"MinInstallableTargetSdk__min_installable_target_sdk",
- 0);
+ PackageManagerService.MIN_INSTALLABLE_TARGET_SDK);
// Determine if enforcement is in strict mode
boolean strictMode = false;
if (DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
"MinInstallableTargetSdk__install_block_strict_mode_enabled",
- false)) {
+ true)) {
if (parsedPackage.getTargetSdkVersion()
< DeviceConfig.getInt(DeviceConfig.NAMESPACE_PACKAGE_MANAGER_SERVICE,
"MinInstallableTargetSdk__strict_mode_target_sdk",
- 0)) {
+ PackageManagerService.MIN_INSTALLABLE_TARGET_SDK)) {
strictMode = true;
}
}
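Review bot: With no flag pushed, `MinInstallableTargetSdk__min_installable_target_sdk` and `MinInstallableTargetSdk__strict_mode_target_sdk` now both fall back to `PackageManagerService.MIN_INSTALLABLE_TARGET_SDK`, so `strictMode` becomes true for every package whose target SDK is below the install minimum, and nothing in the code says this is intended. How `strictMode` is consumed lies outside the hunk; if it suppresses a more lenient path further down, that path is never taken under the defaults. I would add a comment above the first `DeviceConfig.getBoolean` call, such as `// Compiled-in defaults enforce the block in strict mode at MIN_INSTALLABLE_TARGET_SDK; DeviceConfig values only override them.` The diffstat lists only the two service files, so a test that exercises the unset-flag path would be worth adding with this change.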
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index d3ee52c48448..c5d7d075efd1 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -557,6 +557,14 @@ public class PackageManagerService implements PackageSender, TestUtilityService
// How many required verifiers can be on the system.
private static final int REQUIRED_VERIFIERS_MAX_COUNT = 2;
+ /**
+ * Specifies the minimum target SDK version an apk must specify in order to be installed
+ * on the system. This improves security and privacy by blocking low
+ * target sdk apps as malware can target older sdk versions to avoid
+ * the enforcement of new API behavior.
+ */
+ public static final int MIN_INSTALLABLE_TARGET_SDK = Build.VERSION_CODES.M;
+
// Compilation reasons.
// TODO(b/260124949): Clean this up with the legacy dexopt code.
public static final int REASON_FIRST_BOOT = 0;
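Review bot: The Javadoc on `MIN_INSTALLABLE_TARGET_SDK` reads as a fixed floor, but in InstallPackageHelper the constant is only the fallback for two `DeviceConfig.getInt` reads, so a configured flag value can set a different minimum or switch the block off. I would say so in the doc, for example by adding `Used as the default when the MinInstallableTargetSdk DeviceConfig values are unset; a configured value takes precedence.` The only use visible in this commit is in the same package, so `public` may be wider than needed. Package-private would do unless callers outside this commit rely on it.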