Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0281cea6 authored by Evan Severson's avatar Evan Severson
Browse files

Short circuit system and root uids in appop checks 

When switching to using the permission state for the appop value we'll
have the problem that system and root don't have permission state in the
unified permission system so the result will be a rejection. We can
simply avoid making the check for UIDs that are always supposed to
permit.

Test: Boot
Bug: 266164193
Fixes: 333938416
Change-Id: I39d5125cc7b59970b2c7cc8bfbc71f89bdee5771
parent 7b3ff2c8

services/core/java/com/android/server/appop/AppOpsService.java

+26 −7
Original line number Diff line number Diff line
@@ -70,6 +70,7 @@ import static android.content.Intent.ACTION_PACKAGE_REMOVED; 
import static android.content.Intent.EXTRA_REPLACING;

import static android.content.pm.PermissionInfo.PROTECTION_DANGEROUS;

import static android.content.pm.PermissionInfo.PROTECTION_FLAG_APPOP;

import static android.permission.flags.Flags.runtimePermissionAppopsMappingEnabled;



import static com.android.server.appop.AppOpsService.ModeCallback.ALL_OPS;
@@ -2682,6 +2683,15 @@ public class AppOpsService extends IAppOpsService.Stub { 
        }

    }



    /**

     * When querying the mode these should always be allowed and the checking service might not

     * have information on them.

     */

    private static boolean isOpAllowedForUid(int uid) {

        return runtimePermissionAppopsMappingEnabled()

                && (uid == Process.ROOT_UID || uid == Process.SYSTEM_UID);

    }



    @Override

    public int checkOperationRaw(int code, int uid, String packageName,

            @Nullable String attributionTag) {
@@ -2757,6 +2767,9 @@ public class AppOpsService extends IAppOpsService.Stub { 
                    pvr.bypass, true)) {

                return AppOpsManager.MODE_IGNORED;

            }

            if (isOpAllowedForUid(uid)) {

                return MODE_ALLOWED;

            }

            code = AppOpsManager.opToSwitch(code);

            UidState uidState = getUidStateLocked(uid, false);

            if (uidState != null
@@ -3071,9 +3084,12 @@ public class AppOpsService extends IAppOpsService.Stub { 
                return new SyncNotedAppOp(AppOpsManager.MODE_IGNORED, code, attributionTag,

                        packageName);

            }

            if (isOpAllowedForUid(uid)) {

                // Op is always allowed for the UID, do nothing.



                // If there is a non-default per UID policy (we set UID op mode only if

                // non-default) it takes over, otherwise use the per package policy.

            if (mAppOpsCheckingService.getUidMode(

            } else if (mAppOpsCheckingService.getUidMode(

                            uidState.uid, getPersistentId(virtualDeviceId), switchCode)

                    != AppOpsManager.opToDefaultMode(switchCode)) {

                final int uidMode =
@@ -3665,9 +3681,12 @@ public class AppOpsService extends IAppOpsService.Stub { 
            isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag,

                    virtualDeviceId, pvr.bypass, false);

            final int switchCode = AppOpsManager.opToSwitch(code);

            if (isOpAllowedForUid(uid)) {

                // Op is always allowed for the UID, do nothing.



                // If there is a non-default per UID policy (we set UID op mode only if

                // non-default) it takes over, otherwise use the per package policy.

            if (mAppOpsCheckingService.getUidMode(

            } else if (mAppOpsCheckingService.getUidMode(

                    uidState.uid, getPersistentId(virtualDeviceId), switchCode)

                    != AppOpsManager.opToDefaultMode(switchCode)) {

                final int uidMode =