Actor signature overlayable policy

There are cases where an app can ship overlays for itself,
but the "signature" policy as described would open up
a vulnerability by allowing the system actor to create
and sign any arbitrary overlay that will apply to the target.

To prevent this, redefine "signature" as target package only,
and introduce "actor" for checking against the actor signature.
Any app that wishes to use both can include both policies.

Bug: 130563563

Test: m aapt2_tests idmapt2_tests and run from host test output
Test: atest libandroidfw_tests

Change-Id: I1c583a5b37f4abbeb18fc6a35c502377d8977a41

1 files changed, 4 insertions, 0 deletions

diff --git a/core/java/android/content/om/OverlayInfo.java b/core/java/android/content/om/OverlayInfo.java
index 55a6cab2f2d5..62815ddcfc19 100644
--- a/core/java/android/content/om/OverlayInfo.java
+++ b/core/java/android/content/om/OverlayInfo.java
@@ -138,6 +138,7 @@ public final class OverlayInfo implements Parcelable {
      *
      * @hide
      */
+    @NonNull
     public final String packageName;
 
     /**
@@ -145,6 +146,7 @@ public final class OverlayInfo implements Parcelable {
      *
      * @hide
      */
+    @NonNull
     public final String targetPackageName;
 
     /**
@@ -165,6 +167,7 @@ public final class OverlayInfo implements Parcelable {
      * Full path to the base APK for this overlay package
      * @hide
      */
+    @NonNull
     public final String baseCodePath;
 
     /**
@@ -292,6 +295,7 @@ public final class OverlayInfo implements Parcelable {
         return targetOverlayableName;
     }
 
+    @SuppressWarnings("ConstantConditions")
     private void ensureValidState() {
         if (packageName == null) {
             throw new IllegalArgumentException("packageName must not be null");