pm: Verify shared-user priv-app install location

Apps that share a UID with a privileged app are privleged and should live in /system/priv-app. Otherwise, fail assertPackageIsValid(). On Taimen, this results in two additional apps failing: com.android.providers.userdictionary com.android.providers.downloads.ui Test: Boot Taimen, verify apps are scanned correctly. Bug: 71593002 Change-Id: I29b4dc8a2fea18248fe1f6aeee87ae3798028c60
author: Jeff Vander Stoep <jeffv@google.com> 2018-01-11 16:09:58 -0800
committer: Jeff Vander Stoep <jeffv@google.com> 2018-01-17 07:24:30 -0800
commit: d1cf49904ba79c70446f27b51e3d736bb1324009 (patch)
tree: 9b13930a2b8145597d4c8bf6d396f34ebf94117f
parent: 7b71dfe2f61e3d6234c6c8ffd2036ca79383e9e8 (diff)
2 files changed, 25 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 1e2f2b2df863..54b68b1aa280 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -10652,6 +10652,26 @@ public class PackageManagerService extends IPackageManager.Stub
                     }
                 }
             }
+
+            // Verify that packages sharing a user with a privileged app are marked as privileged.
+            if (!pkg.isPrivileged() && (pkg.mSharedUserId != null)) {
+                SharedUserSetting sharedUserSetting = null;
+                try {
+                    sharedUserSetting = mSettings.getSharedUserLPw(pkg.mSharedUserId, 0, 0, false);
+                } catch (PackageManagerException ignore) {}
+                if (sharedUserSetting != null && sharedUserSetting.isPrivileged()) {
+                    // Exempt SharedUsers signed with the platform key.
+                    PackageSetting platformPkgSetting = mSettings.mPackages.get("android");
+                    if ((platformPkgSetting.signatures.mSignatures != null) &&
+                            (compareSignatures(platformPkgSetting.signatures.mSignatures,
+                                pkg.mSigningDetails.signatures) != PackageManager.SIGNATURE_MATCH)) {
+                        throw new PackageManagerException("Apps that share a user with a " +
+                                "privileged app must themselves be marked as privileged. " +
+                                pkg.packageName + " shares privileged user " +
+                                pkg.mSharedUserId + ".");
+                    }
+                }
+            }
         }
     }
 
diff --git a/services/core/java/com/android/server/pm/SharedUserSetting.java b/services/core/java/com/android/server/pm/SharedUserSetting.java
index 877da144730f..244613180d00 100644
--- a/services/core/java/com/android/server/pm/SharedUserSetting.java
+++ b/services/core/java/com/android/server/pm/SharedUserSetting.java
@@ -17,6 +17,7 @@
 package com.android.server.pm;
 
 import android.annotation.Nullable;
+import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageParser;
 import android.service.pm.PackageServiceDumpProto;
 import android.util.ArraySet;
@@ -102,4 +103,8 @@ public final class SharedUserSetting extends SettingBase {
         }
         return pkgList;
     }
+
+    public boolean isPrivileged() {
+        return (this.pkgPrivateFlags & ApplicationInfo.PRIVATE_FLAG_PRIVILEGED) != 0;
+    }
 }
author	Jeff Vander Stoep <jeffv@google.com>	2018-01-11 16:09:58 -0800
committer	Jeff Vander Stoep <jeffv@google.com>	2018-01-17 07:24:30 -0800
commit	d1cf49904ba79c70446f27b51e3d736bb1324009 (patch)
tree	9b13930a2b8145597d4c8bf6d396f34ebf94117f
parent	7b71dfe2f61e3d6234c6c8ffd2036ca79383e9e8 (diff)