don't allow to install APEXes on user builds

APEX installation support slightly increases the attack surface.

Author: muhomorr

services/core/java/com/android/server/pm/PackageInstallerService.java

@@ -831,6 +831,9 @@ int createSessionInternal(SessionParams params, String installerPackageName,
                     == PackageManager.PERMISSION_DENIED) {
                 throw new SecurityException("Not allowed to perform APEX updates");
             }
+            if (Build.IS_USER) {
+                throw new SecurityException("Not allowed to perform APEX updates on user builds");
+            }
         } else if (params.isStaged) {
             mContext.enforceCallingOrSelfPermission(Manifest.permission.INSTALL_PACKAGES, TAG);
         }

services/core/java/com/android/server/pm/PackageInstallerSession.java

@@ -3456,6 +3456,11 @@ boolean containsApkSession() {
     @GuardedBy("mLock")
     private void validateApexInstallLocked()
             throws PackageManagerException {
+        if (Build.IS_USER) {
+            throw new PackageManagerException(PackageManager.INSTALL_FAILED_SESSION_INVALID,
+                    "APEX installation is not allowed on user builds");
+        }
+
         final List<File> addedFiles = getAddedApksLocked();
         if (addedFiles.isEmpty()) {
             throw new PackageManagerException(INSTALL_FAILED_INVALID_APK,