From 4501c11cb0a24cf2e76b227b339e77a45efe2a39 Mon Sep 17 00:00:00 2001
From: Nikita Ioffe <ioffe@google.com>
Date: Fri, 22 Feb 2019 11:51:09 +0000
Subject: Require INSTALL_PACKAGES permission for setInstallAsApex

Bug: 123314638
Fixes: 123314638
Test: apex_e2e_tests
Change-Id: I2a78a5e7496554c0c3eecbfd28f2d793b4ba2196
---
 api/current.txt                                                      | 1 -
 api/system-current.txt                                               | 1 +
 core/java/android/content/pm/PackageInstaller.java                   | 4 ++++
 .../core/java/com/android/server/pm/PackageInstallerService.java     | 5 +++--
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/api/current.txt b/api/current.txt
index c8f5662e11be..ddb43c7fc6b6 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -11475,7 +11475,6 @@ package android.content.pm {
     method public void setAppIcon(@Nullable android.graphics.Bitmap);
     method public void setAppLabel(@Nullable CharSequence);
     method public void setAppPackageName(@Nullable String);
-    method public void setInstallAsApex();
     method public void setInstallLocation(int);
     method public void setInstallReason(int);
     method public void setMultiPackage();
diff --git a/api/system-current.txt b/api/system-current.txt
index bcc10c106194..e9e8b5463632 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -1558,6 +1558,7 @@ package android.content.pm {
     method public void setDontKillApp(boolean);
     method public void setEnableRollback();
     method @RequiresPermission(android.Manifest.permission.INSTALL_GRANT_RUNTIME_PERMISSIONS) public void setGrantedRuntimePermissions(String[]);
+    method @RequiresPermission(android.Manifest.permission.INSTALL_PACKAGES) public void setInstallAsApex();
     method public void setInstallAsInstantApp(boolean);
     method public void setInstallAsVirtualPreload();
     method @RequiresPermission(android.Manifest.permission.INSTALL_PACKAGES) public void setStaged();
diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java
index 80954731bffb..badd48f9ea53 100644
--- a/core/java/android/content/pm/PackageInstaller.java
+++ b/core/java/android/content/pm/PackageInstaller.java
@@ -1545,7 +1545,11 @@ public class PackageInstaller {
 
         /**
          * Set this session to be installing an APEX package.
+         *
+         * {@hide}
          */
+        @SystemApi
+        @RequiresPermission(Manifest.permission.INSTALL_PACKAGES)
         public void setInstallAsApex() {
             installFlags |= PackageManager.INSTALL_APEX;
         }
diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
index f06da49f5b94..bd74174b2e88 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
@@ -483,11 +483,12 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements
             }
         }
 
-        if (params.isStaged) {
+        boolean isApex = (params.installFlags & PackageManager.INSTALL_APEX) != 0;
+        if (params.isStaged || isApex) {
             mContext.enforceCallingOrSelfPermission(Manifest.permission.INSTALL_PACKAGES, TAG);
         }
 
-        if ((params.installFlags & PackageManager.INSTALL_APEX) != 0) {
+        if (isApex) {
             if (!mApexManager.isApexSupported()) {
                 throw new IllegalArgumentException(
                     "This device doesn't support the installation of APEX files");
-- 
cgit v1.2.3-59-g8ed1b