| Field | Value |
|---|---|
| author | 2022-04-15 16:57:29 -0700 |
| committer | 2022-04-15 17:11:12 -0700 |
| commit | 148fa19a60c7be30a57968a3c9c263f2659ad2f0 (patch) |
| tree | 197b18beaa6709ed096cc5ca187d34f26ded73ec /libs/androidfw/StringPool.cpp |
| parent | b497365a27328a77ae0eb85218e23ab49cab5410 (diff) |
Allow revoked capabilities to be restored in sharedUserId lineage
When APK key rotation was initially introduced in P, an update to the
capabilities of a previous signer in the sharedUserId lineage only
took effect when the signing key of the package being updated was
changed. Android R addressed this by always merging the lineage of
a package being installed / updated in the sharedUserId with the
existing sharedUserId lineage; however, this approach always used
the most restrictive capabilities in the lineage, so once a
capability was revoked from a previous signer, it could not be
restored. This commit allows a capability to be restored by
initially applying the capabilities of the package being installed
with those in the sharedUserId; if a change in the signers or
capabilities is detected, then the most restrictive capabilities
from all packages in the sharedUserId are used to update the shared
lineage. This allows a package to restore a previously revoked
capability if no other packages have revoked the capability; however,
if a package in the sharedUserId has revoked a capability and a newly
installed package restores this capability, the restrictive rule will
ensure the capability is still revoked.
Bug: 227823594
Test: atest PkgInstallSignatureVerificationTest
Test: atest SigningDetailsTest
Change-Id: Id53a2cd235c7a557822b9a1bfc2f431801d415e4
Diffstat (limited to 'libs/androidfw/StringPool.cpp')
0 files changed, 0 insertions, 0 deletions