Deprecate targetSandboxVersion=2
Most of the targetSandboxVersion=2 protections have moved to target O
MR1 or P, or were reverted, so move the remaining checks to isInstantApp
and remove the requirement for Instant Apps to target
targetSandboxVersion=2
Change-Id: I448a7565e26d4eafece1bdc657192117d790ff3a
Fixes: 111314398
Test: atest cts/hostsidetests/appsecurity/src/android/appsecurity/cts/EphemeralTest.java
diff --git a/api/current.txt b/api/current.txt
index 7f4fae5..49a82df 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -1323,7 +1323,7 @@
field public static final int targetName = 16843853; // 0x101044d
field public static final int targetPackage = 16842785; // 0x1010021
field public static final int targetProcesses = 16844097; // 0x1010541
- field public static final int targetSandboxVersion = 16844108; // 0x101054c
+ field public static final deprecated int targetSandboxVersion = 16844108; // 0x101054c
field public static final int targetSdkVersion = 16843376; // 0x1010270
field public static final int taskAffinity = 16842770; // 0x1010012
field public static final int taskCloseEnterAnimation = 16842942; // 0x10100be
diff --git a/core/java/android/security/net/config/ManifestConfigSource.java b/core/java/android/security/net/config/ManifestConfigSource.java
index 79115a5..b885e72 100644
--- a/core/java/android/security/net/config/ManifestConfigSource.java
+++ b/core/java/android/security/net/config/ManifestConfigSource.java
@@ -75,7 +75,7 @@
// should use the network security config.
boolean usesCleartextTraffic =
(mApplicationInfo.flags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0
- && mApplicationInfo.targetSandboxVersion < 2;
+ && !mApplicationInfo.isInstantApp();
source = new DefaultConfigSource(usesCleartextTraffic, mApplicationInfo);
}
mConfigSource = source;
diff --git a/core/java/android/security/net/config/NetworkSecurityConfig.java b/core/java/android/security/net/config/NetworkSecurityConfig.java
index 52f48ef..57068fa 100644
--- a/core/java/android/security/net/config/NetworkSecurityConfig.java
+++ b/core/java/android/security/net/config/NetworkSecurityConfig.java
@@ -185,7 +185,7 @@
.addCertificatesEntryRef(
new CertificatesEntryRef(SystemCertificateSource.getInstance(), false));
final boolean cleartextTrafficPermitted = info.targetSdkVersion < Build.VERSION_CODES.P
- && info.targetSandboxVersion < 2;
+ && !info.isInstantApp();
builder.setCleartextTrafficPermitted(cleartextTrafficPermitted);
// Applications targeting N and above must opt in into trusting the user added certificate
// store.
diff --git a/core/res/res/values/attrs_manifest.xml b/core/res/res/values/attrs_manifest.xml
index 4c96c1b..74663c9 100644
--- a/core/res/res/values/attrs_manifest.xml
+++ b/core/res/res/values/attrs_manifest.xml
@@ -1358,7 +1358,10 @@
<!-- Specifies the target sandbox this app wants to use. Higher sandbox versions
will have increasing levels of security.
- <p>The default value of this attribute is <code>1</code>. -->
+ <p>The default value of this attribute is <code>1</code>.
+ <p>
+ @deprecated The security properties have been moved to
+ {@link android.os.Build.VERSION Build.VERSION} 27 and 28. -->
<attr name="targetSandboxVersion" format="integer" />
<!-- The user-visible SDK version (ex. 26) of the framework against which the application was
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 48d554c..b209984 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -6019,10 +6019,9 @@
}
// We deprecated Build.SERIAL and it is not accessible to
- // apps that target the v2 security sandbox and to apps that
- // target APIs higher than O MR1. Since access to the serial
+ // Instant Apps and target APIs higher than O MR1. Since access to the serial
// is now behind a permission we push down the value.
- final String buildSerial = (appInfo.targetSandboxVersion < 2
+ final String buildSerial = (!appInfo.isInstantApp()
&& appInfo.targetSdkVersion < Build.VERSION_CODES.P)
? sTheRealBuildSerial : Build.UNKNOWN;
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 3d6b3fb..bfa45e1 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -17293,13 +17293,6 @@
"Instant app package must target at least O");
return;
}
- if (pkg.applicationInfo.targetSandboxVersion != 2) {
- Slog.w(TAG, "Instant app package " + pkg.packageName
- + " does not target targetSandboxVersion 2");
- res.setError(INSTALL_FAILED_INSTANT_APP_INVALID,
- "Instant app package must use targetSandboxVersion 2");
- return;
- }
if (pkg.mSharedUserId != null) {
Slog.w(TAG, "Instant app package " + pkg.packageName
+ " may not declare sharedUserId.");