reland: pm: Apps with shared UID must also share selinux domain
There are two existing cases where apps that share a sharedUserId potentially end up in separate SELinux domains.

1. An app installed in /system/priv-app runs in the priv_app domain. An app installed on the /data partition which shares a sharedUserId with that priv_app would run in the untrusted_app domain (e.g. GTS b/72235911). This issue has existed since Android N.

2. The untrusted_app domain may now deprecate permissions based on targetSdkVersion, so apps with sharedUserId may have different permissions based on which targetSdkVersion they use. This issue has existed since Android O, but is particularly problematic for the feature "Deprecate world accessible app data", which puts every app targeting P+ into its own selinux domain.

This change fixes #1 and adds a temporary workaround to prevent #2.

Updated version considers both SharedUserSetting.isPrivileged() and pkg.isPrivileged() for the case where the app has a shared User.

Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: confirm via packages.list that apps end up in the same selinux domain before and after this patch.
Bug: 72290969
Change-Id: I974bea88004622b70633fdeb54a1372fd04c6eff
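One way to carry out the packages.list check named in the Test lines above, as an added example that is not part of this change: it groups packages.list rows by UID and reports any UID whose members carry more than one seinfo label, which is what would put shared-UID apps into different SELinux domains. The column layout (seinfo as the fifth field) and the sample rows are assumptions, constructed for this example.

```python
"""Flag shared-UID apps whose packages.list seinfo labels differ.

Assumed layout of /data/system/packages.list (one app per line):
<package> <uid> <debuggable> <data-dir> <seinfo> <gids> [...]
"""
from collections import defaultdict

# Constructed sample: uid 10042 is shared by a priv-app and a /data app,
# and the two rows carry different seinfo labels (the bug this change fixes).
SAMPLE = """\
com.example.privapp 10042 0 /data/user/0/com.example.privapp platform:privapp:targetSdkVersion=28 3003
com.example.plugin 10042 0 /data/user/0/com.example.plugin default:targetSdkVersion=28 3003
com.example.alone 10043 1 /data/user/0/com.example.alone default:targetSdkVersion=25 none
"""


def parse_packages_list(text):
    """Return (package, uid, seinfo) tuples; lines with too few fields are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        rows.append((fields[0], int(fields[1]), fields[4]))
    return rows


def find_domain_mismatches(rows):
    """Group rows by UID and keep only UIDs whose members carry more than one
    seinfo label. Returns {uid: {seinfo: [packages]}}; empty when consistent."""
    by_uid = defaultdict(lambda: defaultdict(list))
    for pkg, uid, seinfo in rows:
        by_uid[uid][seinfo].append(pkg)
    return {uid: dict(labels) for uid, labels in by_uid.items() if len(labels) > 1}


if __name__ == "__main__":
    # Run before and after the patch against a real packages.list; an empty
    # result means every shared UID is labelled consistently.
    for uid, labels in find_domain_mismatches(parse_packages_list(SAMPLE)).items():
        print(f"uid {uid} is split across seinfo labels: {labels}")
```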