Merge "Persist implicit overlay configurator actor policy" into rvc-dev

Author: RyanMitch16

cmds/idmap2/libidmap2/ResourceMapping.cpp

@@ -61,7 +61,8 @@ Result<Unit> CheckOverlayable(const LoadedPackage& target_package,
                               const ResourceId& target_resource) {
   static constexpr const PolicyBitmask sDefaultPolicies =
       PolicyFlags::ODM_PARTITION | PolicyFlags::OEM_PARTITION | PolicyFlags::SYSTEM_PARTITION |
-      PolicyFlags::VENDOR_PARTITION | PolicyFlags::PRODUCT_PARTITION | PolicyFlags::SIGNATURE;
+      PolicyFlags::VENDOR_PARTITION | PolicyFlags::PRODUCT_PARTITION | PolicyFlags::SIGNATURE |
+      PolicyFlags::ACTOR_SIGNATURE;
 
   // If the resource does not have an overlayable definition, allow the resource to be overlaid if
   // the overlay is preinstalled or signed with the same signature as the target.

cmds/idmap2/tests/ResourceMappingTests.cpp

@@ -287,66 +287,26 @@ TEST(ResourceMappingTests, ResourcesFromApkAssetsNoDefinedOverlayableAndNoTarget
                               R::overlay::string::str4, false /* rewrite */));
 }
 
-// Overlays that are neither pre-installed nor signed with the same signature as the target cannot
-// overlay packages that have not defined overlayable resources.
-TEST(ResourceMappingTests, ResourcesFromApkAssetsDefaultPoliciesPublicFail) {
-  auto resources = TestGetResourceMapping("/target/target-no-overlayable.apk",
-                                          "/overlay/overlay-no-name.apk", PolicyFlags::PUBLIC,
-                                          /* enforce_overlayable */ true);
-
-  ASSERT_TRUE(resources) << resources.GetErrorMessage();
-  ASSERT_EQ(resources->GetTargetToOverlayMap().size(), 0U);
-}
 
-// Overlays that are pre-installed or are signed with the same signature as the target can overlay
-// packages that have not defined overlayable resources.
+// Overlays that are pre-installed or are signed with the same signature as the target/actor can
+// overlay packages that have not defined overlayable resources.
 TEST(ResourceMappingTests, ResourcesFromApkAssetsDefaultPolicies) {
-  auto CheckEntries = [&](const PolicyBitmask& fulfilled_policies) -> void {
+  constexpr PolicyBitmask kDefaultPolicies =
+      PolicyFlags::SIGNATURE | PolicyFlags::ACTOR_SIGNATURE | PolicyFlags::PRODUCT_PARTITION |
+      PolicyFlags::SYSTEM_PARTITION | PolicyFlags::VENDOR_PARTITION | PolicyFlags::ODM_PARTITION |
+      PolicyFlags::OEM_PARTITION;
+
+  for (PolicyBitmask policy = 1U << (sizeof(PolicyBitmask) * 8 - 1); policy > 0;
+       policy = policy >> 1U) {
     auto resources = TestGetResourceMapping("/target/target-no-overlayable.apk",
                                             "/system-overlay-invalid/system-overlay-invalid.apk",
-                                            fulfilled_policies,
-                                            /* enforce_overlayable */ true);
-
+                                            policy, /* enforce_overlayable */ true);
     ASSERT_TRUE(resources) << resources.GetErrorMessage();
-    auto& res = *resources;
-    ASSERT_EQ(resources->GetTargetToOverlayMap().size(), 10U);
-    ASSERT_RESULT(MappingExists(res, R::target::string::not_overlayable, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::not_overlayable,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::other, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::other, false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::policy_actor, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::policy_actor,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::policy_odm, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::policy_odm,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::policy_oem, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::policy_oem,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::policy_product, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::policy_product,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::policy_public, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::policy_public,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::policy_signature, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::policy_signature,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(res, R::target::string::policy_system, Res_value::TYPE_REFERENCE,
-                                R::system_overlay_invalid::string::policy_system,
-                                false /* rewrite */));
-    ASSERT_RESULT(MappingExists(
-        res, R::target::string::policy_system_vendor, Res_value::TYPE_REFERENCE,
-        R::system_overlay_invalid::string::policy_system_vendor, false /* rewrite */));
-  };
-
-  CheckEntries(PolicyFlags::SIGNATURE);
-  CheckEntries(PolicyFlags::PRODUCT_PARTITION);
-  CheckEntries(PolicyFlags::SYSTEM_PARTITION);
-  CheckEntries(PolicyFlags::VENDOR_PARTITION);
-  CheckEntries(PolicyFlags::ODM_PARTITION);
-  CheckEntries(PolicyFlags::OEM_PARTITION);
+
+    const size_t expected_overlaid = (policy & kDefaultPolicies) != 0 ? 10U : 0U;
+    ASSERT_EQ(expected_overlaid, resources->GetTargetToOverlayMap().size())
+        << "Incorrect number of resources overlaid through policy " << policy;
+  }
 }
 
 }  // namespace android::idmap2

services/core/java/com/android/server/om/IdmapManager.java

@@ -29,18 +29,15 @@
 import android.os.SystemProperties;
 import android.util.Slog;
 
-import com.android.internal.util.ArrayUtils;
-
 import java.io.IOException;
 
 /**
  * Handle the creation and deletion of idmap files.
  *
- * The actual work is performed by the idmap binary, launched through idmap2d.
- *
- * Note: this class is subclassed in the OMS unit tests, and hence not marked as final.
+ * The actual work is performed by idmap2d.
+ * @see IdmapDaemon
  */
-class IdmapManager {
+final class IdmapManager {
     private static final boolean VENDOR_IS_Q_OR_LATER;
     static {
         final String value = SystemProperties.get("ro.vndk.version", "29");
@@ -57,36 +54,33 @@ class IdmapManager {
 
     private final IdmapDaemon mIdmapDaemon;
     private final OverlayableInfoCallback mOverlayableCallback;
-    private final String mOverlayableConfigurator;
-    private final String[] mOverlayableConfiguratorTargets;
 
     IdmapManager(final IdmapDaemon idmapDaemon, final OverlayableInfoCallback verifyCallback) {
         mOverlayableCallback = verifyCallback;
         mIdmapDaemon = idmapDaemon;
-        mOverlayableConfigurator = verifyCallback.getOverlayableConfigurator();
-        mOverlayableConfiguratorTargets = verifyCallback.getOverlayableConfiguratorTargets() ;
     }
 
     /**
      * Creates the idmap for the target/overlay combination and returns whether the idmap file was
      * modified.
      */
     boolean createIdmap(@NonNull final PackageInfo targetPackage,
-            @NonNull final PackageInfo overlayPackage, int userId) {
+            @NonNull final PackageInfo overlayPackage, int additionalPolicies, int userId) {
         if (DEBUG) {
             Slog.d(TAG, "create idmap for " + targetPackage.packageName + " and "
                     + overlayPackage.packageName);
         }
         final String targetPath = targetPackage.applicationInfo.getBaseCodePath();
         final String overlayPath = overlayPackage.applicationInfo.getBaseCodePath();
         try {
-            int policies = calculateFulfilledPolicies(targetPackage, overlayPackage, userId);
             boolean enforce = enforceOverlayable(overlayPackage);
+            int policies = calculateFulfilledPolicies(targetPackage, overlayPackage, userId)
+                    | additionalPolicies;
             if (mIdmapDaemon.verifyIdmap(targetPath, overlayPath, policies, enforce, userId)) {
                 return false;
             }
-            return mIdmapDaemon.createIdmap(targetPath, overlayPath, policies,
-                    enforce, userId) != null;
+            return mIdmapDaemon.createIdmap(targetPath, overlayPath, policies, enforce, userId)
+                    != null;
         } catch (Exception e) {
             Slog.w(TAG, "failed to generate idmap for " + targetPath + " and "
                     + overlayPath + ": " + e.getMessage());
@@ -190,14 +184,6 @@ private boolean matchesActorSignature(@NonNull PackageInfo targetPackage,
         String targetOverlayableName = overlayPackage.targetOverlayableName;
         if (targetOverlayableName != null) {
             try {
-                if (!mOverlayableConfigurator.isEmpty()
-                        && ArrayUtils.contains(mOverlayableConfiguratorTargets,
-                                targetPackage.packageName)
-                        && mOverlayableCallback.signaturesMatching(mOverlayableConfigurator,
-                                overlayPackage.packageName, userId)) {
-                    return true;
-                }
-
                 OverlayableInfo overlayableInfo = mOverlayableCallback.getOverlayableForTarget(
                         targetPackage.packageName, targetOverlayableName, userId);
                 if (overlayableInfo != null && overlayableInfo.actor != null) {

services/core/java/com/android/server/om/OverlayManagerService.java

@@ -252,7 +252,8 @@ public OverlayManagerService(@NonNull final Context context) {
             mSettings = new OverlayManagerSettings();
             mImpl = new OverlayManagerServiceImpl(mPackageManager, im, mSettings,
                     OverlayConfig.getSystemInstance(), getDefaultOverlayPackages(),
-                    new OverlayChangeListener());
+                    new OverlayChangeListener(), getOverlayableConfigurator(),
+                    getOverlayableConfiguratorTargets());
             mActorEnforcer = new OverlayActorEnforcer(mPackageManager);
 
             final IntentFilter packageFilter = new IntentFilter();
@@ -335,6 +336,28 @@ private static String[] getDefaultOverlayPackages() {
         return defaultPackages.toArray(new String[defaultPackages.size()]);
     }
 
+
+    /**
+     * Retrieves the package name that is recognized as an actor for the packages specified by
+     * {@link #getOverlayableConfiguratorTargets()}.
+     */
+    @Nullable
+    private String getOverlayableConfigurator() {
+        return TextUtils.nullIfEmpty(Resources.getSystem()
+                .getString(R.string.config_overlayableConfigurator));
+    }
+
+    /**
+     * Retrieves the target packages that recognize the {@link #getOverlayableConfigurator} as an
+     * actor for itself. Overlays targeting one of the specified targets that are signed with the
+     * same signature as the overlayable configurator will be granted the "actor" policy.
+     */
+    @Nullable
+    private String[] getOverlayableConfiguratorTargets() {
+        return Resources.getSystem().getStringArray(
+                R.array.config_overlayableConfiguratorTargets);
+    }
+
     private final class PackageReceiver extends BroadcastReceiver {
         @Override
         public void onReceive(@NonNull final Context context, @NonNull final Intent intent) {
@@ -1120,17 +1143,6 @@ public boolean signaturesMatching(@NonNull final String packageName1,
             return false;
         }
 
-        @Override
-        public String getOverlayableConfigurator() {
-            return Resources.getSystem().getString(R.string.config_overlayableConfigurator);
-        }
-
-        @Override
-        public String[] getOverlayableConfiguratorTargets() {
-            return Resources.getSystem().getStringArray(
-                    R.array.config_overlayableConfiguratorTargets);
-        }
-
         @Override
         public List<PackageInfo> getOverlayPackages(final int userId) {
             final List<PackageInfo> overlays = mPackageManagerInternal.getOverlayPackages(userId);

services/core/java/com/android/server/om/OverlayManagerServiceImpl.java

@@ -31,6 +31,7 @@
 import android.content.om.OverlayInfo;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageInfo;
+import android.os.OverlayablePolicy;
 import android.text.TextUtils;
 import android.util.ArrayMap;
 import android.util.ArraySet;
@@ -73,6 +74,9 @@ final class OverlayManagerServiceImpl {
     private final String[] mDefaultOverlays;
     private final OverlayChangeListener mListener;
 
+    private final String mOverlayableConfigurator;
+    private final String[] mOverlayableConfiguratorTargets;
+
     /**
      * Helper method to merge the overlay manager's (as read from overlays.xml)
      * and package manager's (as parsed from AndroidManifest.xml files) views
@@ -115,13 +119,17 @@ private boolean mustReinitializeOverlay(@NonNull final PackageInfo theTruth,
             @NonNull final OverlayManagerSettings settings,
             @NonNull final OverlayConfig overlayConfig,
             @NonNull final String[] defaultOverlays,
-            @NonNull final OverlayChangeListener listener) {
+            @NonNull final OverlayChangeListener listener,
+            @Nullable final String overlayableConfigurator,
+            @Nullable final String[] overlayableConfiguratorTargets) {
         mPackageManager = packageManager;
         mIdmapManager = idmapManager;
         mSettings = settings;
         mOverlayConfig = overlayConfig;
         mDefaultOverlays = defaultOverlays;
         mListener = listener;
+        mOverlayableConfigurator = overlayableConfigurator;
+        mOverlayableConfiguratorTargets = overlayableConfiguratorTargets;
     }
 
     /**
@@ -706,7 +714,25 @@ private boolean updateState(@NonNull final String targetPackageName,
         if (targetPackage != null && overlayPackage != null
                 && !("android".equals(targetPackageName)
                     && !isPackageConfiguredMutable(overlayPackageName))) {
-            modified |= mIdmapManager.createIdmap(targetPackage, overlayPackage, userId);
+
+            int additionalPolicies = 0;
+            if (TextUtils.nullIfEmpty(mOverlayableConfigurator) != null
+                    && ArrayUtils.contains(mOverlayableConfiguratorTargets, targetPackageName)
+                    && isPackageConfiguredMutable(overlayPackageName)
+                    && mPackageManager.signaturesMatching(mOverlayableConfigurator,
+                            overlayPackageName, userId)) {
+                // The overlay targets a package that has the overlayable configurator configured as
+                // its actor. The overlay and this actor are signed with the same signature, so
+                // the overlay fulfills the actor policy.
+                modified |= mSettings.setHasConfiguratorActorPolicy(overlayPackageName, userId,
+                        true);
+                additionalPolicies |= OverlayablePolicy.ACTOR_SIGNATURE;
+            } else if (mSettings.hasConfiguratorActorPolicy(overlayPackageName, userId)) {
+                additionalPolicies |= OverlayablePolicy.ACTOR_SIGNATURE;
+            }
+
+            modified |= mIdmapManager.createIdmap(targetPackage, overlayPackage, additionalPolicies,
+                    userId);
         }
 
         if (overlayPackage != null) {