Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / f56ade365aa22e55655f0149cf47181cb3da6e8d
commitf56ade365aa22e55655f0149cf47181cb3da6e8d[log] [tgz]
authorWinson <chiuwinson@google.com>Wed Dec 04 11:32:41 2019 -0800
committerWinson <chiuwinson@google.com>Wed Feb 26 15:59:44 2020 -0800
treeb20f400f7b598641a8731d3c9624c25ec4491d4b
parent62ac8b56a9f7cf75f3f0677ec37d8acb8def475c [diff]
Actor signature overlayable policy

There are cases where an app can ship overlays for itself,
but the "signature" policy as described would open up
a vulnerability by allowing the system actor to create
and sign any arbitrary overlay that will apply to the target.

To prevent this, redefine "signature" as target package only,
and introduce "actor" for checking against the actor signature.
Any app that wishes to use both can include both policies.

Bug: 130563563

Test: m aapt2_tests idmapt2_tests and run from host test output
Test: atest libandroidfw_tests

Change-Id: I1c583a5b37f4abbeb18fc6a35c502377d8977a41
30 files changed
tree: b20f400f7b598641a8731d3c9624c25ec4491d4b
  1. apct-tests/
  2. apex/
  3. api/
  4. cmds/
  5. config/
  6. core/
  7. data/
  8. docs/
  9. drm/
  10. graphics/
  11. identity/
  12. keystore/
  13. libs/
  14. location/
  15. lowpan/
  16. media/
  17. mime/
  18. mms/
  19. native/
  20. nfc-extras/
  21. obex/
  22. opengl/
  23. packages/
  24. proto/
  25. rs/
  26. samples/
  27. sax/
  28. services/
  29. startop/
  30. telecomm/
  31. telephony/
  32. test-base/
  33. test-legacy/
  34. test-mock/
  35. test-runner/
  36. tests/
  37. tools/
  38. wifi/
  39. .clang-format
  40. .gitignore
  41. .mailmap
  42. Android.bp
  43. Android.mk
  44. ApiDocs.bp
  45. CleanSpec.mk
  46. framework-jarjar-rules.txt
  47. MODULE_LICENSE_APACHE2
  48. NOTICE
  49. pathmap.mk
  50. PREUPLOAD.cfg
  51. StubLibraries.bp
  52. TEST_MAPPING