author Jay Thomas Sullivan <jaysullivan@google.com> 2024-02-28 13:00:14 -0800
committer Jay Sullivan <jaysullivan@google.com> 2024-02-29 05:21:01 +0000
commit2c24b335ed07b93e6e71bbd2e6390cdcfbe7fe5e (patch)
tree05f9d9a58dd3f4279e13b3686b0ee1aa0f68ebf0
parentc468dc884e74777a65b0bc02dd336059fd7a0557 (diff)
[ECM] Do not restrict packages based on installer
Previously, we had a business rule that if a package is installed by a non-allowlisted installer, we would not trust the package. However, we're changing this requirement. Now, a package's trustworthiness won't depend on which app installed it. LOW_COVERAGE_REASON=327533775 Bug: 327469699 Test: atest CtsPermissionUiTestCases:android.permissionui.cts.EnhancedConfirmationManagerTest Change-Id: Ie9c1b48f19c719b931724a044d06da27f95a004a
-rw-r--r--service/java/com/android/ecm/EnhancedConfirmationService.java7
1 files changed, 7 insertions, 0 deletions
diff --git a/service/java/com/android/ecm/EnhancedConfirmationService.java b/service/java/com/android/ecm/EnhancedConfirmationService.java
index 4ac83e1e3..c5700f3ed 100644
--- a/service/java/com/android/ecm/EnhancedConfirmationService.java
+++ b/service/java/com/android/ecm/EnhancedConfirmationService.java
@@ -279,6 +279,9 @@ public class EnhancedConfirmationService extends SystemService {
return true;
}
+ // If applicable, trust packages installed via non-allowlisted installers
+ if (trustPackagesInstalledViaNonAllowlistedInstallers()) return false;
+
// ECM doesn't consider a transitive chain of trust for install sources.
// If this package hasn't been explicitly handled by this point
// then it is exempt from ECM if the immediate parent is a trusted installer
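Review bot: The added `if (trustPackagesInstalledViaNonAllowlistedInstallers()) return false;` always returns, because the helper added in the second hunk is hard-coded to `true`, so the trusted-installer check described by the context comment directly below it can no longer be reached. The comment's "If applicable" reads as if a condition were being evaluated; until b/327469700 is resolved it would be more accurate as `// Installer is currently never a reason to restrict: the helper is hard-coded to true, so the installer check that follows is unreachable`. Judging by the added comment, `false` here appears to mean the package is treated as trusted, which makes this a fail-open path for every package that reaches this line, and that is worth stating where the next reader will look. The enclosing method starts and ends outside the hunk, so the checks that run before this line are not visible here.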
@@ -308,6 +311,10 @@ public class EnhancedConfirmationService extends SystemService {
return false;
}
+ private boolean trustPackagesInstalledViaNonAllowlistedInstallers() {
+ return true; // TODO(b/327469700): Make this configurable
+ }
+
private boolean isPackagePreinstalled(@NonNull String packageName, @UserIdInt int userId) {
ApplicationInfo applicationInfo;
try {
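Review bot: `trustPackagesInstalledViaNonAllowlistedInstallers()` has no Javadoc, and its polarity is easy to misread: returning `true` makes the caller in the first hunk return `false`. A short Javadoc would help, for example `/** Returns true when the installing app is ignored for ECM trust decisions; while true, the installer allowlist check in the caller is skipped. */`. The TODO could also record which default is intended once this becomes configurable, since that default decides whether packages from non-allowlisted installers are restricted. The trailing context belongs to `isPackagePreinstalled`, whose body continues past the hunk.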