Whitelist package verifiers for bg operation

When spinning up the package verifier at install time, whitelist it for
quiet background operation in a way that is robust to system load &
broadcast queue latency spikes.

Intent-filter (autoVerify) invocation was already being whitelisted in
this way.  This CL adds the latency-insensitive whitelisting to the
PACKAGE_NEEDS_VERIFICATION and PACKAGE_NEEDS_INTEGRITY_VERIFICATION
invocations as well.

Also fix an underlying bug exposed in the course of testing this change:
temp whitelist manipulation during early boot wasn't guarding against
the system's partially-online situation in that phase, so would NPE the
system_server process.  Fixed.

Bug: 156670156
Test: install apps, observe whitelist logging at broadcast dispatch
Test: atest CtsStagedInstallHostTestCases:com.android.tests.stagedinstall.host.StagedInstallTest#testInstallStagedApexAndApk
Change-Id: I1947bbfeac25fa04346be4d3970da032c3e2b022

3 files changed, 25 insertions, 6 deletions

diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index e77b361c8c06..74a34a20893d 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -18278,11 +18278,15 @@ public class ActivityManagerService extends IActivityManager.Stub
             }
         }
 
-        // Now safely dispatch changes to device idle controller.
-        for (int i = 0; i < N; i++) {
-            PendingTempWhitelist ptw = list[i];
-            mLocalDeviceIdleController.addPowerSaveTempWhitelistAppDirect(ptw.targetUid,
-                    ptw.duration, true, ptw.tag);
+        // Now safely dispatch changes to device idle controller.  Skip this if we're early
+        // in boot and the controller hasn't yet been brought online:  we do not apply
+        // device idle policy anyway at this phase.
+        if (mLocalDeviceIdleController != null) {
+            for (int i = 0; i < N; i++) {
+                PendingTempWhitelist ptw = list[i];
+                mLocalDeviceIdleController.addPowerSaveTempWhitelistAppDirect(ptw.targetUid,
+                        ptw.duration, true, ptw.tag);
+            }
         }
 
         // And now we can safely remove them from the map.
diff --git a/services/core/java/com/android/server/am/BroadcastQueue.java b/services/core/java/com/android/server/am/BroadcastQueue.java
index 1cc41b22838e..5124c4a4797e 100644
--- a/services/core/java/com/android/server/am/BroadcastQueue.java
+++ b/services/core/java/com/android/server/am/BroadcastQueue.java
@@ -904,6 +904,10 @@ public final class BroadcastQueue {
         } else if (r.intent.getData() != null) {
             b.append(r.intent.getData());
         }
+        if (DEBUG_BROADCAST) {
+            Slog.v(TAG, "Broadcast temp whitelist uid=" + uid + " duration=" + duration
+                    + " : " + b.toString());
+        }
         mService.tempWhitelistUidLocked(uid, duration, b.toString());
     }
 
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 088c5daf30a4..670b88e4a0c9 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -15173,8 +15173,13 @@ public class PackageManagerService extends IPackageManager.Stub
             idleController.addPowerSaveTempWhitelistAppDirect(Process.myUid(),
                      idleDuration,
                     false, "integrity component");
+            final BroadcastOptions options = BroadcastOptions.makeBasic();
+            options.setTemporaryAppWhitelistDuration(idleDuration);
+
             mContext.sendOrderedBroadcastAsUser(integrityVerification, UserHandle.SYSTEM,
                     /* receiverPermission= */ null,
+                    /* appOp= */ AppOpsManager.OP_NONE,
+                    /* options= */ options.toBundle(),
                     new BroadcastReceiver() {
                         @Override
                         public void onReceive(Context context, Intent intent) {
@@ -15274,6 +15279,8 @@ public class PackageManagerService extends IPackageManager.Stub
                 DeviceIdleInternal idleController =
                         mInjector.getLocalDeviceIdleController();
                 final long idleDuration = getVerificationTimeout();
+                final BroadcastOptions options = BroadcastOptions.makeBasic();
+                options.setTemporaryAppWhitelistDuration(idleDuration);
 
                 /*
                  * If any sufficient verifiers were listed in the package
@@ -15293,7 +15300,9 @@ public class PackageManagerService extends IPackageManager.Stub
 
                             final Intent sufficientIntent = new Intent(verification);
                             sufficientIntent.setComponent(verifierComponent);
-                            mContext.sendBroadcastAsUser(sufficientIntent, verifierUser);
+                            mContext.sendBroadcastAsUser(sufficientIntent, verifierUser,
+                                    /* receiverPermission= */ null,
+                                    options.toBundle());
                         }
                     }
                 }
@@ -15312,6 +15321,8 @@ public class PackageManagerService extends IPackageManager.Stub
                             verifierUser.getIdentifier(), false, "package verifier");
                     mContext.sendOrderedBroadcastAsUser(verification, verifierUser,
                             android.Manifest.permission.PACKAGE_VERIFICATION_AGENT,
+                            /* appOp= */ AppOpsManager.OP_NONE,
+                            /* options= */ options.toBundle(),
                             new BroadcastReceiver() {
                                 @Override
                                 public void onReceive(Context context, Intent intent) {