commit f56ade365aa22e55655f0149cf47181cb3da6e8d
author Winson <chiuwinson@google.com> Wed Dec 04 11:32:41 2019 -0800
committer Winson <chiuwinson@google.com> Wed Feb 26 15:59:44 2020 -0800
tree b20f400f7b598641a8731d3c9624c25ec4491d4b
parent 62ac8b56a9f7cf75f3f0677ec37d8acb8def475c

Actor signature overlayable policy

There are cases where an app can ship overlays for itself,
but the "signature" policy as described would open up
a vulnerability by allowing the system actor to create
and sign any arbitrary overlay that will apply to the target.

To prevent this, redefine "signature" as target package only,
and introduce "actor" for checking against the actor signature.
Any app that wishes to use both can include both policies.

Bug: 130563563

Test: m aapt2_tests idmapt2_tests and run from host test output
Test: atest libandroidfw_tests

Change-Id: I1c583a5b37f4abbeb18fc6a35c502377d8977a41

cmds/idmap2/tests/R.h

diff --git a/cmds/idmap2/tests/R.h b/cmds/idmap2/tests/R.h
index b2a5891..aed263a 100644
--- a/cmds/idmap2/tests/R.h
+++ b/cmds/idmap2/tests/R.h
@@ -40,16 +40,17 @@
   namespace string {
     constexpr ResourceId not_overlayable = 0x7f020003;
     constexpr ResourceId other = 0x7f020004;
-    constexpr ResourceId policy_odm = 0x7f020005;
-    constexpr ResourceId policy_oem = 0x7f020006;
-    constexpr ResourceId policy_product = 0x7f020007;
-    constexpr ResourceId policy_public = 0x7f020008;
-    constexpr ResourceId policy_signature = 0x7f020009;
-    constexpr ResourceId policy_system = 0x7f02000a;
-    constexpr ResourceId policy_system_vendor = 0x7f02000b;
-    constexpr ResourceId str1 = 0x7f02000c;
-    constexpr ResourceId str3 = 0x7f02000e;
-    constexpr ResourceId str4 = 0x7f02000f;
+    constexpr ResourceId policy_actor = 0x7f020005;
+    constexpr ResourceId policy_odm = 0x7f020006;
+    constexpr ResourceId policy_oem = 0x7f020007;
+    constexpr ResourceId policy_product = 0x7f020008;
+    constexpr ResourceId policy_public = 0x7f020009;
+    constexpr ResourceId policy_signature = 0x7f02000a;
+    constexpr ResourceId policy_system = 0x7f02000b;
+    constexpr ResourceId policy_system_vendor = 0x7f02000c;
+    constexpr ResourceId str1 = 0x7f02000d;
+    constexpr ResourceId str3 = 0x7f02000f;
+    constexpr ResourceId str4 = 0x7f020010;
 
     namespace literal {
       inline const std::string str1 = hexify(R::target::string::str1);
@@ -70,6 +71,17 @@
   }
 }
 
+namespace R::overlay_shared {
+  namespace integer {
+    constexpr ResourceId int1 = 0x00010000;
+  }
+  namespace string {
+    constexpr ResourceId str1 = 0x00020000;
+    constexpr ResourceId str3 = 0x00020001;
+    constexpr ResourceId str4 = 0x00020002;
+  }
+}
+
 namespace R::system_overlay::string {
   constexpr ResourceId policy_public = 0x7f010000;
   constexpr ResourceId policy_system = 0x7f010001;
@@ -79,13 +91,14 @@
 namespace R::system_overlay_invalid::string {
   constexpr ResourceId not_overlayable = 0x7f010000;
   constexpr ResourceId other = 0x7f010001;
-  constexpr ResourceId policy_odm = 0x7f010002;
-  constexpr ResourceId policy_oem = 0x7f010003;
-  constexpr ResourceId policy_product = 0x7f010004;
-  constexpr ResourceId policy_public = 0x7f010005;
-  constexpr ResourceId policy_signature = 0x7f010006;
-  constexpr ResourceId policy_system = 0x7f010007;
-  constexpr ResourceId policy_system_vendor = 0x7f010008;
+  constexpr ResourceId policy_actor = 0x7f010002;
+  constexpr ResourceId policy_odm = 0x7f010003;
+  constexpr ResourceId policy_oem = 0x7f010004;
+  constexpr ResourceId policy_product = 0x7f010005;
+  constexpr ResourceId policy_public = 0x7f010006;
+  constexpr ResourceId policy_signature = 0x7f010007;
+  constexpr ResourceId policy_system = 0x7f010008;
+  constexpr ResourceId policy_system_vendor = 0x7f010009;
 };
 // clang-format on