PackageManager: Restrict system packages to protected storage

Don't allow packages signed with the platform key to be installed into user (or app) controlled storage Change-Id: I7390b3bdf5289411f7a335c69635bed9f74bbfb3 PackageManager: Limit the platform-key protection to test-keys builds This block (change I7390b3bdf5289411f7a335c69635bed9f74bbfb3) is intended to protect the system from abuse of well-known keys. That's not the case if the system is signed with dev or release keys. Change-Id: Ifb66f775dd28c577447634ae177442732a18b592
billybore · Oct 22, 2015 · 6f490e2 · 6f490e2
1 parent 75276c2
commit 6f490e2
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -6617,6 +6617,20 @@ private PackageParser.Package scanPackageDirtyLI(PackageParser.Package pkg, int
             }
         }
 
+        if (Build.TAGS.equals("test-keys") &&
+                !pkg.applicationInfo.sourceDir.startsWith(Environment.getRootDirectory().getPath()) &&
+                !pkg.applicationInfo.sourceDir.startsWith("/vendor")) {
+            Object obj = mSettings.getUserIdLPr(1000);
+            Signature[] s1 = null;
+            if (obj instanceof SharedUserSetting) {
+                s1 = ((SharedUserSetting)obj).signatures.mSignatures;
+            }
+            if ((compareSignatures(pkg.mSignatures, s1) == PackageManager.SIGNATURE_MATCH)) {
+                throw new PackageManagerException(INSTALL_FAILED_INVALID_INSTALL_LOCATION,
+                        "Cannot install platform packages to user storage!");
+            }
+        }
+
         // Initialize package source and resource directories
         File destCodeFile = new File(pkg.applicationInfo.getCodePath());
         File destResourceFile = new File(pkg.applicationInfo.getResourcePath());