软件平台:Android 11
硬件平台:展锐
具体需求:android系统起来后,会有apk后台静默安装一些apk,为了防止三方apk恶意篡改安装,添加了如下处理逻辑,包括包名匹配校验和系统签名校验:
--- a/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -17501,6 +17501,16 @@ public class PackageManagerService extends PackageManagerServiceExAbs
"Instant app package must be signed with APK Signature Scheme v2 or greater");
}
+ //block 3rd app with no platform signature
+ boolean platformPackage = mPlatformPackage != null
+ && compareSignatures(mPlatformPackage.getSigningDetails().signatures,
+ parsedPackage.getSigningDetails().signatures) == PackageManager.SIGNATURE_MATCH;
+ if (android.os.Build.IS_USER && (pkgName == null
+ || !pkgName.startsWith("com.tal.xpp")
+ || !platformPackage)) {
+ throw new PrepareFailure(-1000, "install package not allowed!");
+ }
+
boolean systemApp = false;
boolean replace = false;
synchronized (mLock) {
专门防止三方软件,盗取包名后台安装替换。