Allow revoked capabilities to be restored in sharedUserId lineage
When APK key rotation was initially introduced in P, an update to the
capabilities of a previous signer in the sharedUserId lineage only
took effect when the signing key of the package being updated was
changed. Android R addressed this by always merging the lineage of
a package being installed / updated in the sharedUserId with the
existing sharedUserId lineage; however, this approach always used
the most restrictive capabilities in the lineage, so once a
capability was revoked from a previous signer, it could not be
restored. This commit allows a capability to be restored by
initially applying the capabilities of the package being installed
with those in the sharedUserId; if a change in the signers or
capabilities is detected, then the most restrictive capabilities
from all packages in the sharedUserId are used to update the shared
lineage. This allows a package to restore a previously revoked
capability if no other packages have revoked the capability; however,
if a package in the sharedUserId has revoked a capability and a newly
installed package restores this capability, the restrictive rule will
ensure the capability is still revoked.
Bug: 227823594
Test: atest PkgInstallSignatureVerificationTest
Test: atest SigningDetailsTest
Change-Id: Id53a2cd235c7a557822b9a1bfc2f431801d415e4
3 files changed
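As an added illustration, not code from the AOSP change itself, the following Python model reproduces the two-step merge rule the message describes: first apply the installing package's capabilities to the shared lineage, and only if that changes the signers or capabilities, recompute each signer's capabilities as the AND across every package in the sharedUserId. Signers are modelled as string labels, the capability flag names and values are assumptions loosely based on SigningDetails' CertCapabilities, and `merge_shared_lineage` is a hypothetical helper rather than a PackageManager API.

```python
from __future__ import annotations

# Capability bit flags. The names mirror the CertCapabilities idea; the
# values here are assumptions for the model, only the bitmask semantics matter.
INSTALLED_DATA = 1 << 0
SHARED_USER_ID = 1 << 1
PERMISSION = 1 << 2
ROLLBACK = 1 << 3
AUTH = 1 << 4
ALL_CAPS = INSTALLED_DATA | SHARED_USER_ID | PERMISSION | ROLLBACK | AUTH

# A lineage maps each signer (modelled as a label) to the capabilities granted
# to that signer; dict insertion order stands in for rotation order.
Lineage = dict[str, int]


def apply_package_caps(shared: Lineage, pkg: Lineage) -> Lineage:
    """Step 1: take the installing package's capabilities for every signer in
    its lineage; signers known only to the shared lineage keep theirs."""
    merged = dict(shared)
    merged.update(pkg)
    return merged


def most_restrictive(packages: list[Lineage]) -> Lineage:
    """Step 2: per signer, AND the capabilities from every package in the
    sharedUserId whose lineage contains that signer (the pre-R rule)."""
    result: Lineage = {}
    for lineage in packages:
        for signer, caps in lineage.items():
            result[signer] = (result[signer] & caps) if signer in result else caps
    return result


def merge_shared_lineage(shared: Lineage, others: list[Lineage], new_pkg: Lineage) -> Lineage:
    """Model of the merge described in the commit message.

    `others` holds the lineages of the packages that remain installed in the
    sharedUserId; a package being updated is represented only by `new_pkg`,
    so its old (possibly revoking) capabilities no longer count.
    """
    candidate = apply_package_caps(shared, new_pkg)
    if candidate == shared:
        return shared  # no change in signers or capabilities: nothing to do
    return most_restrictive(others + [new_pkg])


# Constructed scenarios (signer "A" rotated to "B").
def scenario_restore() -> Lineage:
    """pkg1 had revoked PERMISSION from A and is the only package in the UID;
    its update grants PERMISSION again, so the capability is restored."""
    shared = {"A": ALL_CAPS & ~PERMISSION, "B": ALL_CAPS}
    updated_pkg1 = {"A": ALL_CAPS, "B": ALL_CAPS}
    return merge_shared_lineage(shared, [], updated_pkg1)


def scenario_restore_blocked() -> Lineage:
    """pkg2 in the same UID still revokes PERMISSION from A; pkg1's attempt to
    restore it is overridden by the most-restrictive rule."""
    shared = {"A": ALL_CAPS & ~PERMISSION, "B": ALL_CAPS}
    pkg2 = {"A": ALL_CAPS & ~PERMISSION, "B": ALL_CAPS}
    updated_pkg1 = {"A": ALL_CAPS, "B": ALL_CAPS}
    return merge_shared_lineage(shared, [pkg2], updated_pkg1)


def scenario_no_change() -> Lineage:
    """Installing a package whose capabilities already match the shared
    lineage leaves it untouched."""
    shared = {"A": ALL_CAPS & ~ROLLBACK, "B": ALL_CAPS}
    new_pkg = {"A": ALL_CAPS & ~ROLLBACK}
    return merge_shared_lineage(shared, [{"A": ALL_CAPS & ~ROLLBACK, "B": ALL_CAPS}], new_pkg)


if __name__ == "__main__":
    for name, fn in (("restore", scenario_restore),
                     ("restore_blocked", scenario_restore_blocked),
                     ("no_change", scenario_no_change)):
        print(f"{name}: {fn()}")
```

The important design point is in `merge_shared_lineage`: the first step is what makes a restore possible at all, while falling back to the AND across all remaining packages is what keeps another package's revocation in force.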