Use shared app gid for forward-locked processes

Use a shared app gid for each app across different users which allows
forward-locked applications to share the same APK file.

Change-Id: Ifecf51ee7865547117746f83e9733083d3dd5111

Author: kruton

core/java/android/os/Process.java

@@ -151,11 +151,25 @@ public class Process {
      */
     public static final int LAST_ISOLATED_UID = 99999;
 
+    /**
+     * First gid for applications to share resources. Used when forward-locking
+     * is enabled but all UserHandles need to be able to read the resources.
+     * @hide
+     */
+    public static final int FIRST_SHARED_APPLICATION_GID = 50000;
+
+    /**
+     * Last gid for applications to share resources. Used when forward-locking
+     * is enabled but all UserHandles need to be able to read the resources.
+     * @hide
+     */
+    public static final int LAST_SHARED_APPLICATION_GID = 59999;
+
     /**
      * Defines a secondary group id for access to the bluetooth hardware.
      */
     public static final int BLUETOOTH_GID = 2000;
-    
+
     /**
      * Standard priority of application threads.
      * Use with {@link #setThreadPriority(int)} and

core/java/android/os/UserHandle.java

@@ -138,6 +138,15 @@ public static final int getAppId(int uid) {
         return uid % PER_USER_RANGE;
     }
 
+    /**
+     * Returns the shared app gid for a given uid or appId.
+     * @hide
+     */
+    public static final int getSharedAppGid(int id) {
+        return Process.FIRST_SHARED_APPLICATION_GID + (id % PER_USER_RANGE)
+                - Process.FIRST_APPLICATION_UID;
+    }
+
     /**
      * Returns the user id of the current process
      * @return user id of the current process

services/java/com/android/server/am/ActivityManagerService.java

@@ -2008,9 +2008,10 @@ private final void startProcessLocked(ProcessRecord app,
             int[] gids = null;
             int mountExternal = Zygote.MOUNT_EXTERNAL_NONE;
             if (!app.isolated) {
+                int[] permGids = null;
                 try {
                     final PackageManager pm = mContext.getPackageManager();
-                    gids = pm.getPackageGids(app.info.packageName);
+                    permGids = pm.getPackageGids(app.info.packageName);
 
                     if (Environment.isExternalStorageEmulated()) {
                         if (pm.checkPermission(
@@ -2024,6 +2025,18 @@ private final void startProcessLocked(ProcessRecord app,
                 } catch (PackageManager.NameNotFoundException e) {
                     Slog.w(TAG, "Unable to retrieve gids", e);
                 }
+
+                /*
+                 * Add shared application GID so applications can share some
+                 * resources like shared libraries
+                 */
+                if (permGids == null) {
+                    gids = new int[1];
+                } else {
+                    gids = new int[permGids.length + 1];
+                    System.arraycopy(permGids, 0, gids, 1, permGids.length);
+                }
+                gids[0] = UserHandle.getSharedAppGid(UserHandle.getAppId(uid));
             }
             if (mFactoryTest != SystemServer.FACTORY_TEST_OFF) {
                 if (mFactoryTest == SystemServer.FACTORY_TEST_LOW_LEVEL

services/java/com/android/server/pm/PackageManagerService.java

@@ -7285,7 +7285,7 @@ int doPostInstall(int status, int uid) {
                 final int groupOwner;
                 final String protectedFile;
                 if (isFwdLocked()) {
-                    groupOwner = uid;
+                    groupOwner = UserHandle.getSharedAppGid(uid);
                     protectedFile = RES_FILE_NAME;
                 } else {
                     groupOwner = -1;
@@ -7367,7 +7367,8 @@ int doPreCopy() {
         int doPostCopy(int uid) {
             if (isFwdLocked()) {
                 if (uid < Process.FIRST_APPLICATION_UID
-                        || !PackageHelper.fixSdPermissions(cid, uid, RES_FILE_NAME)) {
+                        || !PackageHelper.fixSdPermissions(cid, UserHandle.getSharedAppGid(uid),
+                                RES_FILE_NAME)) {
                     Slog.e(TAG, "Failed to finalize " + cid);
                     PackageHelper.destroySdDir(cid);
                     return PackageManager.INSTALL_FAILED_CONTAINER_ERROR;