| -rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 40 |
1 files changed, 27 insertions, 13 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 8d43959fb2c2..46f2de4404a8 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -14926,19 +14926,33 @@ public class PackageManagerService extends IPackageManager.Stub
 // Verify: if target already has an installer package, it must
 // be signed with the same cert as the caller.
- if (targetPackageSetting.installerPackageName != null) {
- PackageSetting setting = mSettings.mPackages.get(
- targetPackageSetting.installerPackageName);
- // If the currently set package isn't valid, then it's always
- // okay to change it.
- if (setting != null) {
- if (compareSignatures(callerSignature,
- setting.signatures.mSigningDetails.signatures)
- != PackageManager.SIGNATURE_MATCH) {
- throw new SecurityException(
- "Caller does not have same cert as old installer package "
- + targetPackageSetting.installerPackageName);
- }
+ String targetInstallerPackageName =
+ targetPackageSetting.installerPackageName;
+ PackageSetting targetInstallerPkgSetting = targetInstallerPackageName == null ? null :
+ mSettings.mPackages.get(targetInstallerPackageName);
+
+ if (targetInstallerPkgSetting != null) {
+ if (compareSignatures(callerSignature,
+ targetInstallerPkgSetting.signatures.mSigningDetails.signatures)
+ != PackageManager.SIGNATURE_MATCH) {
+ throw new SecurityException(
+ "Caller does not have same cert as old installer package "
+ + targetInstallerPackageName);
+ }
+ } else if (mContext.checkCallingOrSelfPermission(Manifest.permission.INSTALL_PACKAGES)
+ != PackageManager.PERMISSION_GRANTED) {
+ // This is probably an attempt to exploit vulnerability b/150857253 of taking
+ // privileged installer permissions when the installer has been uninstalled or
+ // was never set.
+ EventLog.writeEvent(0x534e4554, "150857253", callingUid, "");
+
+ // Backport, use raw SDK value
+ if (getUidTargetSdkVersionLockedLPr(callingUid) > 29) {
+ throw new SecurityException("Neither user " + callingUid
+ + " nor current process has " + Manifest.permission.INSTALL_PACKAGES);
+ } else {
+ // If not targeting >29, fail silently for backwards compatibility
+ return;
 }
 } |
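Review bot: The new `else if` branch checks the permission with `checkCallingOrSelfPermission`, which is also satisfied by the server process's own grants when the thread is not in a Binder transaction or the calling identity was cleared earlier. The signature comparison and the log entry, by contrast, are tied to `callingUid`. The method begins and ends outside this hunk, so I cannot see how `callingUid` is derived; if the identity is not guaranteed intact here, check against that uid explicitly, e.g. `mContext.checkPermission(Manifest.permission.INSTALL_PACKAGES, Binder.getCallingPid(), callingUid)`. Separately, `EventLog.writeEvent` runs before the target-SDK test, so legacy callers that take the silent `return` are recorded as probable exploit attempts too. A short comment such as `// Logged for every unprivileged caller, including legacy apps that are silently ignored below` would tell whoever triages these events that this is intended.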