summaryrefslogtreecommitdiffstats
path: root/services
diff options
context:
space:
mode:
authorRobert Craig <rpcraig@tycho.ncsc.mil>2013-03-26 07:42:55 -0400
committerRicardo Cerqueira <cyanogenmod@cerqueira.org>2013-07-18 21:02:24 +0100
commit1f7f1532cd89cac8888498d00959cbb3926cbcd0 (patch)
tree3c9da1f3653ca836d5d37e2de6fe2c4d2975639f /services
parent7e092967f946dd541429f422c0087e50504d2f37 (diff)
downloadframeworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.zip
frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.tar.gz
frameworks_base-1f7f1532cd89cac8888498d00959cbb3926cbcd0.tar.bz2
Bring install-time code inline with AOSP.
Recent submissions to AOSP rework some of the internal logic of SELinuxMMAC and the PMS. Bring our maintained version inline with those changes while still allowing policy to dictate all seinfo values regardless of location. Change-Id: I11ff4c4089217e6a9d95ca2841c5bc29bfd763ad Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Diffstat (limited to 'services')
-rw-r--r--services/java/com/android/server/pm/PackageManagerService.java6
-rw-r--r--services/java/com/android/server/pm/SELinuxMMAC.java57
2 files changed, 38 insertions, 25 deletions
diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java
index f0408d6..0c09a7e 100644
--- a/services/java/com/android/server/pm/PackageManagerService.java
+++ b/services/java/com/android/server/pm/PackageManagerService.java
@@ -3881,8 +3881,10 @@ public class PackageManagerService extends IPackageManager.Stub {
if (mSettings.isDisabledSystemPackageLPr(pkg.packageName)) {
pkg.applicationInfo.flags |= ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
- } else if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) &&
- SELinuxMMAC.getEnforcingMode()) {
+ }
+
+ if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) &&
+ SELinuxMMAC.getEnforcingMode()) {
Slog.w(TAG, "Installing application package " + pkg.packageName
+ " failed due to policy.");
mLastScanError = PackageManager.INSTALL_FAILED_POLICY_REJECTED_PERMISSION;
diff --git a/services/java/com/android/server/pm/SELinuxMMAC.java b/services/java/com/android/server/pm/SELinuxMMAC.java
index fbddba7..b2f218b 100644
--- a/services/java/com/android/server/pm/SELinuxMMAC.java
+++ b/services/java/com/android/server/pm/SELinuxMMAC.java
@@ -461,38 +461,49 @@ public final class SELinuxMMAC {
*/
public static boolean passInstallPolicyChecks(PackageParser.Package pkg) {
- // We just want one of the signatures to match.
- for (Signature s : pkg.mSignatures) {
- if (s == null) {
- continue;
+ /*
+ * Non system installed apps should be treated the same. This
+ * means that any post-loaded apk will be assigned the default
+ * tag, if one exists in the policy, else null, without respect
+ * to the signing key.
+ */
+ /*
+ if (((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) ||
+ ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0)) {
+ */
+
+ // We just want one of the signatures to match.
+ for (Signature s : pkg.mSignatures) {
+ if (s == null)
+ continue;
+
+ // Check for a non default signature policy.
+ if (SIG_POLICY.containsKey(s)) {
+ InstallPolicy policy = SIG_POLICY.get(s);
+ if (policy.passedPolicyChecks(pkg)) {
+ String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName);
+ if (DEBUG_POLICY_INSTALL)
+ Slog.i(TAG, "package (" + pkg.packageName + ") installed with " +
+ " seinfo=" + (seinfo == null ? "null" : seinfo));
+ return true;
+ }
+ }
}
- // Check for a non default signature policy.
- if (SIG_POLICY.containsKey(s)) {
- InstallPolicy policy = SIG_POLICY.get(s);
+ // Check for a global per-package policy.
+ if (PKG_POLICY.containsKey(pkg.packageName)) {
+ boolean passed = false;
+ InstallPolicy policy = PKG_POLICY.get(pkg.packageName);
if (policy.passedPolicyChecks(pkg)) {
String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName);
if (DEBUG_POLICY_INSTALL)
Slog.i(TAG, "package (" + pkg.packageName + ") installed with " +
" seinfo=" + (seinfo == null ? "null" : seinfo));
- return true;
+ passed = true;
}
+ return passed;
}
- }
-
- // Check for a global per-package policy.
- if (PKG_POLICY.containsKey(pkg.packageName)) {
- boolean passed = false;
- InstallPolicy policy = PKG_POLICY.get(pkg.packageName);
- if (policy.passedPolicyChecks(pkg)) {
- String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName);
- if (DEBUG_POLICY_INSTALL)
- Slog.i(TAG, "package (" + pkg.packageName + ") installed with " +
- " seinfo=" + (seinfo == null ? "null" : seinfo));
- passed = true;
- }
- return passed;
- }
+ //}
// Check for a default policy.
if (SIG_POLICY.containsKey(null)) {