From 262cf4f5ed67cd8343ccb912bc8d265ea331af3e Mon Sep 17 00:00:00 2001
From: Andy CrossGate Yan <GeForce8800Ultra@gmail.com>
Date: Sun, 7 Jul 2024 21:55:42 +0800
Subject: [PATCH 6/6] Allow APKs of a certain signature to install/work like
 platform-signed

Intended usecase - one authoritative set of signed IMS APKs for any GSI, regardless of their signature

Change-Id: Ia1a13edec8eb8ecf0ea25fffaee4aeff9c75a5e1
---
 .../android/server/pm/PackageManagerServiceUtils.java | 11 +++++++++++
 .../core/java/com/android/server/pm/SELinuxMMAC.java  |  5 +++++
 .../java/com/android/server/pm/ScanPackageUtils.java  |  5 ++++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
index d7e0fca87059..675be60ea412 100644
--- a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
+++ b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java
@@ -221,6 +221,8 @@ public class PackageManagerServiceUtils {
      */
     private static final boolean FORCE_PACKAGE_PARSED_CACHE_ENABLED = false;
 
+    private static final Signature PHH_SIGNATURE = new Signature("308205fb308203e3a00302010202144cd9cede3ae98180d0c500b979c371be9189d42d300d06092a864886f70d01010b050030818b310b3009060355040613024652310f300d06035504080c064672616e6365310e300c06035504070c05506172697331143012060355040a0c0b547265626c6544726f696431143012060355040b0c0b547265626c6544726f69643114301206035504030c0b547265626c6544726f69643119301706092a864886f70d010901160a706868407068682e6d653020170d3234303731333136313435375a180f32303531313132393136313435375a30818b310b3009060355040613024652310f300d06035504080c064672616e6365310e300c06035504070c05506172697331143012060355040a0c0b547265626c6544726f696431143012060355040b0c0b547265626c6544726f69643114301206035504030c0b547265626c6544726f69643119301706092a864886f70d010901160a706868407068682e6d6530820222300d06092a864886f70d01010105000382020f003082020a0282020100ea313fa144409b3f52c489fb1401f98c0e2c1f66933c67e4f4b3ec1757b33b72d996de4f60fb6316aaab04b1c973e27833f8dca1bd109cb74525c48fda9a2d0f3fe2ff943e69042290f41f36c996b3c3c327a9cc6398ec3b4da7bd4a281005d10b6d022f4d871c113051b685d9e2059b68ffb00c174c2516cfa3c64d3d1e51f7f100fde5bf4a7af00f2c8bbb258f066fa1c4a077ee32ba1a3f56edec8f1e05b609aadb6dbe63487275812b8447881ada997d1ddf278008246565e97f1665943b6cbc6f4fe2f2982894d3b2dfec0eb5bc2f91e6d6d7497aef732b90c82531d7065bbacf234a73d53111cb8f2d117c67c9e873c326117410b9ea7a18d12811db8e2d0b183c37b53b5a4d066b7b5e2a6741748c7082f7fb0d7d8b21ad0c93ded88c71844f54fd25255f9a6eb7a7910475a1a2264110f5e0f267df671ea42d76a3381a632dde6c7f63f5e15d8d573b7f926e3106ead126d1ef0c0b22d909a6bfd6f3c444803d782a9aec3e4695016b055e180ccc1b7c24b532c226839d1ad1a5d7fe51f6e9e43460b8d706ca3d484b5994fb68fe212dbc2662935d0effb52ff018a9c760086b5ad5b7cd6549543677742cbf2f6bf409b2f70abb0ec6e042d30768eac5b61e1038f8b9c8dd4e801357cc7bfa2bfaebcbe59dc27331b5f388642d829a20893be0384bedab4287b881ef7a9a27765ba6910036a70128d8606f194acf070203010001a3533051301d0603551d0e04160414124752cf65d60fd9a632855450ae4124ebe78e3c301f0603551d23041830168014124752cf65d60fd9a632855450ae4124ebe78e3c300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010045d310fab3cf34fda5c59a651853fe47ba759195db454b18727692fd54613fef6401ed31aff26a2579362fd6c0ae563b3c32472bafb919eb3e0a1173b0a3a9b0c475bf10db328d157eead62af2615b2b5bfa84cf51a3af38222ba737e5e47c5cdad3d2c8505796fa8b205e5fe39f2ff2516c961972c279c9197e913c2e6cc5951fe69bd8cbc09a9ee1664ce7a784b17ce721b8b61fa7a79c7919bed3de48b386eec4b5a1dd0bc4cde32ada097c2cb0fe13fc772d38740235866b0b304e79071a292ba77a8fb5532545df2452a11d53e7365851a515a9640c691d6d2570fee2d9b97cb1d52213411b3a29a16a5eb789000e2e2e2a4a33d38fc93d32c2511c57e6c420c29b5d1346904d9346537290bbefd7566c2ff3245db663ab5e21e721cbac1adada3e84defbc9758dbd1340cbd9b2a8e98542057eb517938462a5401825e31d640d57f881305d8474a9372db8459293fc9a2ccace877517bbedb759eb6eea45b5fcd5ea149d531ddf6a1ccf5f7dbe4d139a308af94049f717c09ff022a5ba0a2fbd35c4ce18671dfce2eccf292ac48b073d8e85a158ceac6f9253a1e6607b743fc2f557f55a1366716eda5653e9cb272e611c77e7949310ca3f294f1689efdfde087512a53bdf460029b9f0adb8fb7fada5e1443bdfdc8c8c29914b7856aa995c8cbf1866ac7d6c65e2d4c7c6738d7a8cb56d7ba9230ba9bc056d02e48f41");
+
     /**
      * Returns the registered PackageManagerLocal instance, or else throws an unchecked error.
      */
@@ -306,6 +308,11 @@ public class PackageManagerServiceUtils {
         return maxModifiedTime;
     }
 
+    protected static boolean doesSignatureMatchPHH(SigningDetails signingDetails) {
+        return signingDetails.getSignatures() != null
+                && Signature.areExactMatch(signingDetails, new Signature[]{PHH_SIGNATURE});
+    }
+
     private static File getSettingsProblemFile() {
         File dataDir = Environment.getDataDirectory();
         File systemDir = new File(dataDir, "system");
@@ -579,6 +586,10 @@ public class PackageManagerServiceUtils {
             boolean compareCompat, boolean compareRecover, boolean isRollback)
             throws PackageManagerException {
         final String packageName = pkgSetting.getPackageName();
+        if (doesSignatureMatchPHH(parsedSignatures)) {
+            Slog.w(TAG, "Package " + packageName + " has PHH signature, skipping subsequent checks");
+            return false;
+        }
         boolean compatMatch = false;
         if (pkgSetting.getSigningDetails().getSignatures() != null) {
             // For an already existing package, make sure the parsed signatures from the package
diff --git a/services/core/java/com/android/server/pm/SELinuxMMAC.java b/services/core/java/com/android/server/pm/SELinuxMMAC.java
index e667bfe36d18..e08a6ba24807 100644
--- a/services/core/java/com/android/server/pm/SELinuxMMAC.java
+++ b/services/core/java/com/android/server/pm/SELinuxMMAC.java
@@ -448,6 +448,11 @@ public final class SELinuxMMAC {
             }
         }
 
+        if (pkg.getSigningDetails() != SigningDetails.UNKNOWN &&
+                PackageManagerServiceUtils.doesSignatureMatchPHH(pkg.getSigningDetails())) {
+            seInfo = "platform";
+        }
+
         if (seInfo == null) {
             seInfo = DEFAULT_SEINFO;
         }
diff --git a/services/core/java/com/android/server/pm/ScanPackageUtils.java b/services/core/java/com/android/server/pm/ScanPackageUtils.java
index 2e67b2f41520..20a614235e6e 100644
--- a/services/core/java/com/android/server/pm/ScanPackageUtils.java
+++ b/services/core/java/com/android/server/pm/ScanPackageUtils.java
@@ -47,6 +47,7 @@ import static com.android.server.pm.PackageManagerService.TAG;
 import static com.android.server.pm.PackageManagerServiceUtils.compareSignatures;
 import static com.android.server.pm.PackageManagerServiceUtils.compressedFileExists;
 import static com.android.server.pm.PackageManagerServiceUtils.deriveAbiOverride;
+import static com.android.server.pm.PackageManagerServiceUtils.doesSignatureMatchPHH;
 import static com.android.server.pm.PackageManagerServiceUtils.getLastModifiedTime;
 
 import android.annotation.NonNull;
@@ -918,7 +919,9 @@ final class ScanPackageUtils {
                         || (platformPkg != null && compareSignatures(
                         platformPkg.getSigningDetails(),
                         parsedPackage.getSigningDetails()
-                ) == PackageManager.SIGNATURE_MATCH))
+                        ) == PackageManager.SIGNATURE_MATCH)
+                        || doesSignatureMatchPHH(
+                        parsedPackage.getSigningDetails()))
         );
 
         if (!isSystemApp) {
-- 
2.34.1