diff options
author | Winson <chiuwinson@google.com> | 2019-12-04 11:32:41 -0800 |
---|---|---|
committer | Winson <chiuwinson@google.com> | 2020-02-26 15:59:44 -0800 |
commit | f56ade365aa22e55655f0149cf47181cb3da6e8d (patch) | |
tree | b20f400f7b598641a8731d3c9624c25ec4491d4b /libs | |
parent | 62ac8b56a9f7cf75f3f0677ec37d8acb8def475c (diff) | |
download | base-f56ade365aa22e55655f0149cf47181cb3da6e8d.tar.gz |
Actor signature overlayable policy
There are cases where an app can ship overlays for itself,
but the "signature" policy as described would open up
a vulnerability by allowing the system actor to create
and sign any arbitrary overlay that will apply to the target.
To prevent this, redefine "signature" as target package only,
and introduce "actor" for checking against the actor signature.
Any app that wishes to use both can include both policies.
Bug: 130563563
Test: m aapt2_tests idmapt2_tests and run from host test output
Test: atest libandroidfw_tests
Change-Id: I1c583a5b37f4abbeb18fc6a35c502377d8977a41
Diffstat (limited to 'libs')
-rw-r--r-- | libs/androidfw/include/androidfw/ResourceTypes.h | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/libs/androidfw/include/androidfw/ResourceTypes.h b/libs/androidfw/include/androidfw/ResourceTypes.h index d15a3a27cbb1..2bfc7fc38d1c 100644 --- a/libs/androidfw/include/androidfw/ResourceTypes.h +++ b/libs/androidfw/include/androidfw/ResourceTypes.h @@ -1682,7 +1682,6 @@ struct ResTable_overlayable_policy_header * Flags for a bitmask for all possible overlayable policy options. * * Any changes to this set should also update aidl/android/os/OverlayablePolicy.aidl - * and proto/OverlayablePolicy.proto. */ enum PolicyFlags : uint32_t { // Base @@ -1703,8 +1702,8 @@ struct ResTable_overlayable_policy_header // partition before an upgrade to overlay these resources. PRODUCT_PARTITION = 0x00000008, - // The overlay must be signed with the same signature as the actor of the target resource, - // which can be separate or the same as the target package with the resource. + // The overlay must be signed with the same signature as the package containing the target + // resource SIGNATURE = 0x00000010, // The overlay must reside of the odm partition or must have existed on the odm @@ -1714,6 +1713,10 @@ struct ResTable_overlayable_policy_header // The overlay must reside of the oem partition or must have existed on the oem // partition before an upgrade to overlay these resources. OEM_PARTITION = 0x00000040, + + // The overlay must be signed with the same signature as the actor declared for the target + // resource + ACTOR_SIGNATURE = 0x00000080, }; using PolicyBitmask = uint32_t; |