author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-03-26 07:42:55 -0400 |
---|---|---|
committer | Ricardo Cerqueira <cyanogenmod@cerqueira.org> | 2013-07-18 21:02:24 +0100 |
commit | 1f7f1532cd89cac8888498d00959cbb3926cbcd0 (patch) | |
tree | 3c9da1f3653ca836d5d37e2de6fe2c4d2975639f /services | |
parent | 7e092967f946dd541429f422c0087e50504d2f37 (diff) | |
Bring install-time code inline with AOSP.
Recent submissions to AOSP rework some of the
internal logic of SELinuxMMAC and the PMS.
Bring our maintained version in line with
those changes while still allowing policy
to dictate all seinfo values regardless
of location.
Change-Id: I11ff4c4089217e6a9d95ca2841c5bc29bfd763ad
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Diffstat (limited to 'services')
-rw-r--r-- | services/java/com/android/server/pm/PackageManagerService.java | 6 | ||||
-rw-r--r-- | services/java/com/android/server/pm/SELinuxMMAC.java | 57 |
2 files changed, 38 insertions, 25 deletions
diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java index f0408d6..0c09a7e 100644 --- a/services/java/com/android/server/pm/PackageManagerService.java +++ b/services/java/com/android/server/pm/PackageManagerService.java @@ -3881,8 +3881,10 @@ public class PackageManagerService extends IPackageManager.Stub { if (mSettings.isDisabledSystemPackageLPr(pkg.packageName)) { pkg.applicationInfo.flags |= ApplicationInfo.FLAG_UPDATED_SYSTEM_APP; - } else if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) && - SELinuxMMAC.getEnforcingMode()) { + } + + if (mFoundPolicyFile && !SELinuxMMAC.passInstallPolicyChecks(pkg) && + SELinuxMMAC.getEnforcingMode()) { Slog.w(TAG, "Installing application package " + pkg.packageName + " failed due to policy."); mLastScanError = PackageManager.INSTALL_FAILED_POLICY_REJECTED_PERMISSION; diff --git a/services/java/com/android/server/pm/SELinuxMMAC.java b/services/java/com/android/server/pm/SELinuxMMAC.java index fbddba7..b2f218b 100644 --- a/services/java/com/android/server/pm/SELinuxMMAC.java +++ b/services/java/com/android/server/pm/SELinuxMMAC.java 
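Review bot: The new standalone `if` only works if `SELinuxMMAC.passInstallPolicyChecks(pkg)` is evaluated before `SELinuxMMAC.getEnforcingMode()`, because that call also assigns `pkg.applicationInfo.seinfo` (visible in the SELinuxMMAC.java hunk), and nothing in the condition says so. Reordering the operands would skip the call in permissive mode and leave seinfo unassigned, so I would add a comment such as `// passInstallPolicyChecks() also sets pkg.applicationInfo.seinfo; keep it ahead of the enforcing-mode test.` The `Slog.w` sits inside the enforcing branch, so a failed check in permissive mode leaves no trace; a warning for the non-enforcing case would let denials be audited before enforcement is switched on. The enclosing method starts and ends outside the hunk.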
@@ -461,38 +461,49 @@ public final class SELinuxMMAC { */ public static boolean passInstallPolicyChecks(PackageParser.Package pkg) { - // We just want one of the signatures to match. - for (Signature s : pkg.mSignatures) { - if (s == null) { - continue; + /* + * Non system installed apps should be treated the same. This + * means that any post-loaded apk will be assigned the default + * tag, if one exists in the policy, else null, without respect + * to the signing key. + */ + /* + if (((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) || + ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0)) { + */ + + // We just want one of the signatures to match. + for (Signature s : pkg.mSignatures) { + if (s == null) + continue; + + // Check for a non default signature policy. + if (SIG_POLICY.containsKey(s)) { + InstallPolicy policy = SIG_POLICY.get(s); + if (policy.passedPolicyChecks(pkg)) { + String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName); + if (DEBUG_POLICY_INSTALL) + Slog.i(TAG, "package (" + pkg.packageName + ") installed with " + + " seinfo=" + (seinfo == null ? "null" : seinfo)); + return true; + } + } } - // Check for a non default signature policy. - if (SIG_POLICY.containsKey(s)) { - InstallPolicy policy = SIG_POLICY.get(s); + // Check for a global per-package policy. + if (PKG_POLICY.containsKey(pkg.packageName)) { + boolean passed = false; + InstallPolicy policy = PKG_POLICY.get(pkg.packageName); if (policy.passedPolicyChecks(pkg)) { String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName); if (DEBUG_POLICY_INSTALL) Slog.i(TAG, "package (" + pkg.packageName + ") installed with " + " seinfo=" + (seinfo == null ? "null" : seinfo)); - return true; + passed = true; } + return passed; } - } - - // Check for a global per-package policy. 
- if (PKG_POLICY.containsKey(pkg.packageName)) { - boolean passed = false; - InstallPolicy policy = PKG_POLICY.get(pkg.packageName); - if (policy.passedPolicyChecks(pkg)) { - String seinfo = pkg.applicationInfo.seinfo = policy.getSEinfo(pkg.packageName); - if (DEBUG_POLICY_INSTALL) - Slog.i(TAG, "package (" + pkg.packageName + ") installed with " + - " seinfo=" + (seinfo == null ? "null" : seinfo)); - passed = true; - } - return passed; - } + //} // Check for a default policy. if (SIG_POLICY.containsKey(null)) { |
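Review bot: The block comment added at the top of `passInstallPolicyChecks` describes the guard that is then commented out (`if (((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) || ...`), so it states the opposite of what the new code does: signature and per-package stanzas are consulted for every package, not only system ones. I would delete the disabled `if` and its trailing `//}` and replace the comment with something like `// Unlike AOSP, signature and per-package stanzas apply to all packages, so policy assigns seinfo regardless of install location.` With the guard gone, the `PKG_POLICY` lookup is keyed on `pkg.packageName` alone for post-installed APKs as well. Whether `passedPolicyChecks` ties such a stanza to a signer is not visible here and is worth confirming, since the package name is chosen by the APK's author. The function body continues past the end of the hunk.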