| -rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 17 | ||||
| -rw-r--r-- | services/core/java/com/android/server/pm/SELinuxMMAC.java | 8 |
2 files changed, 6 insertions, 19 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 6402b5d2e4b2..fdb157e7e929 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -9988,7 +9988,8 @@ Slog.e("TODD",
 // priv-apps.
 synchronized (mPackages) {
 PackageSetting platformPkgSetting = mSettings.mPackages.get("android");
- if ((compareSignatures(platformPkgSetting.signatures.mSigningDetails.signatures,
+ if (!pkg.packageName.equals("android")
+ && (compareSignatures(platformPkgSetting.signatures.mSigningDetails.signatures,
 pkg.mSigningDetails.signatures) != PackageManager.SIGNATURE_MATCH)) {
 scanFlags |= SCAN_AS_PRIVILEGED;
 }
@@ -10439,19 +10440,7 @@ Slog.e("TODD",
 pkg.applicationInfo.flags |= ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
 }
- // SELinux sandboxes become more restrictive as targetSdkVersion increases.
- // To ensure that apps with sharedUserId are placed in the same selinux domain
- // without breaking any assumptions about access, put them into the least
- // restrictive targetSdkVersion=25 domain.
- // TODO(b/72290969): Base this on the actual targetSdkVersion(s) of the apps within the
- // sharedUserSetting, instead of defaulting to the least restrictive domain.
- final int targetSdk = (sharedUserSetting != null) ? 25
- : pkg.applicationInfo.targetSdkVersion;
- // TODO(b/71593002): isPrivileged for sharedUser and appInfo should never be out of sync.
- // They currently can be if the sharedUser apps are signed with the platform key.
- final boolean isPrivileged = (sharedUserSetting != null) ? sharedUserSetting.isPrivileged()
- : pkg.applicationInfo.isPrivilegedApp();
- SELinuxMMAC.assignSeInfoValue(pkg, isPrivileged, targetSdk);
+ SELinuxMMAC.assignSeInfoValue(pkg);
 pkg.mExtras = pkgSetting;
 pkg.applicationInfo.processName = fixProcessName(
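Review bot: `platformPkgSetting` is still dereferenced without a null check in the condition of the first hunk; the added `!pkg.packageName.equals("android")` test only short-circuits for the platform package itself. If any other package can reach this block before `mSettings.mPackages` holds an entry for "android" (not visible here, it would depend on scan order), the first argument to `compareSignatures(...)` throws a NullPointerException inside `synchronized (mPackages)`. Testing the lookup result directly, `if (platformPkgSetting != null && !pkg.packageName.equals("android")`, removes that dependency and leaves SCAN_AS_PRIVILEGED unset when the platform signature cannot be compared, which fails toward less privilege. The enclosing method starts and ends outside the hunk.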
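Review bot: After the second hunk the seinfo label for a sharedUserId package is computed from that package alone, and the call site no longer says so. The removed lines forced `targetSdk` to 25 and took `isPrivileged` from `sharedUserSetting`, so every package in a shared UID got the same label; with `SELinuxMMAC.assignSeInfoValue(pkg)` (and the matching second hunk in SELinuxMMAC.java, which reads `pkg.applicationInfo.isPrivilegedApp()` and `pkg.applicationInfo.targetSdkVersion`), two packages sharing a UID but differing in targetSdkVersion or privileged flag will presumably receive different seinfo strings. If that is intended, a comment should record it and keep the bug reference, for example `// seinfo is derived per package; packages in one sharedUserId may get different labels (b/72290969).` The enclosing method starts and ends outside the hunk.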
diff --git a/services/core/java/com/android/server/pm/SELinuxMMAC.java b/services/core/java/com/android/server/pm/SELinuxMMAC.java
index 805734bcd9de..2552643a6a22 100644
--- a/services/core/java/com/android/server/pm/SELinuxMMAC.java
+++ b/services/core/java/com/android/server/pm/SELinuxMMAC.java
@@ -287,8 +287,7 @@ public final class SELinuxMMAC {
 *
 * @param pkg object representing the package to be labeled.
 */
- public static void assignSeInfoValue(PackageParser.Package pkg, boolean isPrivileged,
- int targetSdkVersion) {
+ public static void assignSeInfoValue(PackageParser.Package pkg) {
 synchronized (sPolicies) {
 if (!sPolicyRead) {
 if (DEBUG_POLICY) {
@@ -308,11 +307,10 @@ public final class SELinuxMMAC {
 if (pkg.applicationInfo.targetSandboxVersion == 2)
 pkg.applicationInfo.seInfo += SANDBOX_V2_STR;
- if (isPrivileged) {
+ if (pkg.applicationInfo.isPrivilegedApp())
 pkg.applicationInfo.seInfo += PRIVILEGED_APP_STR;
- }
- pkg.applicationInfo.seInfo += TARGETSDKVERSION_STR + targetSdkVersion;
+ pkg.applicationInfo.seInfo += TARGETSDKVERSION_STR + pkg.applicationInfo.targetSdkVersion;
 if (DEBUG_POLICY_INSTALL) {
 Slog.i(TAG, "package (" + pkg.packageName + ") labeled with " + |
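Review bot: The Javadoc above `assignSeInfoValue` (it starts outside the first hunk) still documents only `pkg`, although the method now takes the privileged flag and the target SDK from `pkg.applicationInfo` instead of from its arguments. Callers need to know that those fields must be final before the call, so I would add a sentence such as `The privileged flag and targetSdkVersion are read from pkg.applicationInfo, which must be fully populated before this call.` The method body continues outside the hunk.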
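Review bot: The new `if (pkg.applicationInfo.isPrivilegedApp())` in the second hunk drops the braces that the removed `if (isPrivileged) {` had, so the seinfo append on the next line is guarded only by layout. It matches the brace-less sandbox check just above it, but a later edit that adds a second statement under the condition would run unconditionally and change the label every package receives. I would keep the braces: `if (pkg.applicationInfo.isPrivilegedApp()) {`, `pkg.applicationInfo.seInfo += PRIVILEGED_APP_STR;`, `}`. The enclosing method starts and ends outside the hunk.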