pm: Apps with shared UID must also share selinux domain
There are two existing cases where apps that share a sharedUserId
potentially end up in separate SELinux domains.
1. An app installed in /system/priv-app runs in the priv_app domain.
An app installed on the /data partition which shares a
sharedUserId with that priv_app would run in the untrusted_app
domain (e.g. GTS b/72235911). This issue has existed since
Android N.
2. The untrusted_app domain may now deprecate permissions based on
targetSdkVersion, so apps with sharedUserId may have different
permissions based on which targetSdkVersion they use. This issue
has existed since Android O, but is particularly problematic for
feature "Deprecate world accessible app data" which puts every app
targeting P+ into its own selinux domain.
This change fixes #1 and adds a temporary workaround to prevent #2.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Bug: 72290969
Change-Id: I211de05ad6f10b69e3e082cfe977f2dd43d90549
2 files changed