Bring install-time code inline with AOSP.

Recent submissions to AOSP rework some of the internal logic of SELinuxMMAC and the PMS. Bring our maintained version inline with those changes while still allowing policy to dictate all seinfo values regardless of location. Change-Id: I11ff4c4089217e6a9d95ca2841c5bc29bfd763ad Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
author: Robert Craig <rpcraig@tycho.ncsc.mil> 2013-03-26 07:42:55 -0400
committer: Ricardo Cerqueira <cyanogenmod@cerqueira.org> 2013-07-18 21:02:24 +0100
commit: 1f7f1532cd89cac8888498d00959cbb3926cbcd0 (patch)
tree: 3c9da1f3653ca836d5d37e2de6fe2c4d2975639f
parent: 7e092967f946dd541429f422c0087e50504d2f37 (diff)
download: frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.zip
frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.tar.gz
frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.tar.bz2
2 files changed, 38 insertions, 25 deletions
diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java
index f0408d6..0c09a7e 100644
--- a/services/java/com/android/server/pm/PackageManagerService.java
+++ b/services/java/com/android/server/pm/PackageManagerService.java
@@ -3881,8 +3881,10 @@ public class PackageManagerService extends IPackageManager.Stub {
             
             if (mSettings.isDisabledSystemPackageLPr(pkg.packageName)) {
                 pkg.applicationInfo.flags |= ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
-            } else if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) &&
-                       SELinuxMMAC.getEnforcingMode()) {
+            }
+
+            if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) &&
+                SELinuxMMAC.getEnforcingMode()) {
                 Slog.w(TAG, "Installing application package " + pkg.packageName
                        + " failed due to policy.");
                 mLastScanError = PackageManager.INSTALL_FAILED_POLICY_REJECTED_PERMISSION;
diff --git a/services/java/com/android/server/pm/SELinuxMMAC.java b/services/java/com/android/server/pm/SELinuxMMAC.java
index fbddba7..b2f218b 100644
--- a/services/java/com/android/server/pm/SELinuxMMAC.java
+++ b/services/java/com/android/server/pm/SELinuxMMAC.java
@@ -461,38 +461,49 @@ public final class SELinuxMMAC {
      */
     public static boolean passInstallPolicyChecks(PackageParser.Package pkg) {
 
-        // We just want one of the signatures to match.
-        for (Signature s : pkg.mSignatures) {
-            if (s == null) {
-                continue;
+        /*
+         * Non system installed apps should be treated the same. This
+         * means that any post-loaded apk will be assigned the default
+         * tag, if one exists in the policy, else null, without respect
+         * to the signing key.
+         */
+        /*
+        if (((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) ||
+            ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0)) {
+        */
+
+            // We just want one of the signatures to match.
+            for (Signature s : pkg.mSignatures) {
+                if (s == null)
+                    continue;
+
+                // Check for a non default signature policy.
+                if (SIG_POLICY.containsKey(s)) {
+                    InstallPolicy policy = SIG_POLICY.get(s);
+                    if (policy.passedPolicyChecks(pkg)) {
+                        String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName);
+                        if (DEBUG_POLICY_INSTALL)
+                            Slog.i(TAG, "package (" + pkg.packageName + ") installed with " +
+                                   " seinfo=" + (seinfo == null ? "null" : seinfo));
+                        return true;
+                    }
+                }
             }
 
-            // Check for a non default signature policy.
-            if (SIG_POLICY.containsKey(s)) {
-                InstallPolicy policy = SIG_POLICY.get(s);
+            // Check for a global per-package policy.
+            if (PKG_POLICY.containsKey(pkg.packageName)) {
+                boolean passed = false;
+                InstallPolicy policy = PKG_POLICY.get(pkg.packageName);
                 if (policy.passedPolicyChecks(pkg)) {
                     String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName);
                     if (DEBUG_POLICY_INSTALL)
                         Slog.i(TAG, "package (" + pkg.packageName + ") installed with " +
                                " seinfo=" + (seinfo == null ? "null" : seinfo));
-                    return true;
+                    passed = true;
                 }
+                return passed;
             }
-        }
-
-        // Check for a global per-package policy.
-        if (PKG_POLICY.containsKey(pkg.packageName)) {
-            boolean passed = false;
-            InstallPolicy policy = PKG_POLICY.get(pkg.packageName);
-            if (policy.passedPolicyChecks(pkg)) {
-                String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName);
-                if (DEBUG_POLICY_INSTALL)
-                    Slog.i(TAG, "package (" + pkg.packageName + ") installed with " +
-                           " seinfo=" + (seinfo == null ? "null" : seinfo));
-                passed = true;
-            }
-            return passed;
-        }
+        //}
 
         // Check for a default policy.
         if (SIG_POLICY.containsKey(null)) {
author	Robert Craig <rpcraig@tycho.ncsc.mil>	2013-03-26 07:42:55 -0400
committer	Ricardo Cerqueira <cyanogenmod@cerqueira.org>	2013-07-18 21:02:24 +0100
commit	1f7f1532cd89cac8888498d00959cbb3926cbcd0 (patch)
tree	3c9da1f3653ca836d5d37e2de6fe2c4d2975639f
parent	7e092967f946dd541429f422c0087e50504d2f37 (diff)
download	frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.zip frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.tar.gz frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.tar.bz2