Loading services/permission/java/com/android/server/permission/access/permission/DevicePermissionPolicy.kt +9 −25 Original line number Original line Diff line number Diff line Loading @@ -16,9 +16,7 @@ package com.android.server.permission.access.permission package com.android.server.permission.access.permission import android.Manifest import android.permission.PermissionManager import android.permission.PermissionManager import android.permission.flags.Flags import android.util.Slog import android.util.Slog import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlSerializer import com.android.modules.utils.BinaryXmlSerializer Loading Loading @@ -61,7 +59,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } } } fun MutateStateScope.removeInactiveDevicesPermission(activePersistentDeviceIds: Set<String>) { fun MutateStateScope.trimDevicePermissionStates(deviceIds: Set<String>) { newState.userStates.forEachIndexed { _, userId, userState -> newState.userStates.forEachIndexed { _, userId, userState -> userState.appIdDevicePermissionFlags.forEachReversedIndexed { _, appId, _ -> userState.appIdDevicePermissionFlags.forEachReversedIndexed { _, appId, _ -> val appIdDevicePermissionFlags = val appIdDevicePermissionFlags = Loading 
@@ -69,14 +67,11 @@ class DevicePermissionPolicy : SchemePolicy() { val devicePermissionFlags = val devicePermissionFlags = appIdDevicePermissionFlags.mutate(appId) ?: return@forEachReversedIndexed appIdDevicePermissionFlags.mutate(appId) ?: return@forEachReversedIndexed val removePersistentDeviceIds = mutableSetOf<String>() devicePermissionFlags.forEachReversedIndexed { _, deviceId, _ -> devicePermissionFlags.forEachIndexed { _, deviceId, _ -> if (deviceId !in deviceIds) { if (!activePersistentDeviceIds.contains(deviceId)) { devicePermissionFlags -= deviceId removePersistentDeviceIds.add(deviceId) } } } } removePersistentDeviceIds.forEach { deviceId -> devicePermissionFlags -= deviceId } } } } } } } Loading Loading @@ -122,6 +117,10 @@ class DevicePermissionPolicy : SchemePolicy() { resetRuntimePermissions(packageName, userId) resetRuntimePermissions(packageName, userId) } } /** * Reset permission states for all permissions requested by the given package, if no other * package (sharing the App ID) request these permissions. */ fun MutateStateScope.resetRuntimePermissions(packageName: String, userId: Int) { fun MutateStateScope.resetRuntimePermissions(packageName: String, userId: Int) { // It's okay to skip resetting permissions for packages that are removed, // It's okay to skip resetting permissions for packages that are removed, // because their states will be trimmed in onPackageRemoved()/onAppIdRemoved() // because their states will be trimmed in onPackageRemoved()/onAppIdRemoved() Loading @@ -144,6 +143,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } } } // Trims permission state for permissions not requested by the App ID anymore. private fun MutateStateScope.trimPermissionStates(appId: Int) { private fun MutateStateScope.trimPermissionStates(appId: Int) { val requestedPermissions = MutableIndexedSet<String>() val requestedPermissions = MutableIndexedSet<String>() forEachPackageInAppId(appId) { forEachPackageInAppId(appId) { Loading Loading 
@@ -245,10 +245,6 @@ class DevicePermissionPolicy : SchemePolicy() { flagMask: Int, flagMask: Int, flagValues: Int flagValues: Int ): Boolean { ): Boolean { if (!isDeviceAwarePermission(permissionName)) { Slog.w(LOG_TAG, "$permissionName is not a device aware permission.") return false } val oldFlags = val oldFlags = newState.userStates[userId]!! newState.userStates[userId]!! .appIdDevicePermissionFlags[appId] .appIdDevicePermissionFlags[appId] Loading Loading @@ -295,20 +291,8 @@ class DevicePermissionPolicy : SchemePolicy() { synchronized(listenersLock) { listeners = listeners + listener } synchronized(listenersLock) { listeners = listeners + listener } } } private fun isDeviceAwarePermission(permissionName: String): Boolean = DEVICE_AWARE_PERMISSIONS.contains(permissionName) companion object { companion object { private val LOG_TAG = DevicePermissionPolicy::class.java.simpleName private val LOG_TAG = DevicePermissionPolicy::class.java.simpleName /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } } /** Listener for permission flags changes. */ /** Listener for permission flags changes. */ Loading services/permission/java/com/android/server/permission/access/permission/PermissionService.kt +14 −6 Original line number Original line Diff line number Diff line Loading 
@@ -1555,7 +1555,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { getPermissionFlags(appId, userId, permissionName) } with(policy) { getPermissionFlags(appId, userId, permissionName) } } else { } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( Slog.i( LOG_TAG, LOG_TAG, "$permissionName is not device aware permission, " + "$permissionName is not device aware permission, " + Loading Loading @@ -1591,7 +1591,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } } else { } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( Slog.i( LOG_TAG, LOG_TAG, "$permissionName is not device aware permission, " + "$permissionName is not device aware permission, " + Loading Loading 
@@ -2314,20 +2314,19 @@ class PermissionService(private val service: AccessCheckingService) : override fun onSystemReady() { override fun onSystemReady() { service.onSystemReady() service.onSystemReady() virtualDeviceManagerInternal = virtualDeviceManagerInternal = LocalServices.getService(VirtualDeviceManagerInternal::class.java) LocalServices.getService(VirtualDeviceManagerInternal::class.java) virtualDeviceManagerInternal?.allPersistentDeviceIds?.let { persistentDeviceIds -> virtualDeviceManagerInternal?.allPersistentDeviceIds?.let { persistentDeviceIds -> service.mutateState { service.mutateState { with(devicePolicy) { removeInactiveDevicesPermission(persistentDeviceIds) } with(devicePolicy) { trimDevicePermissionStates(persistentDeviceIds) } } } } } // trim permission states for the external devices, when they are removed. virtualDeviceManagerInternal?.registerPersistentDeviceIdRemovedListener { persistentDeviceId virtualDeviceManagerInternal?.registerPersistentDeviceIdRemovedListener { persistentDeviceId -> -> service.mutateState { with(devicePolicy) { onDeviceIdRemoved(persistentDeviceId) } } service.mutateState { with(devicePolicy) { onDeviceIdRemoved(persistentDeviceId) } } } } permissionControllerManager = permissionControllerManager = PermissionControllerManager(context, PermissionThread.getHandler()) PermissionControllerManager(context, PermissionThread.getHandler()) } } Loading Loading 
@@ -2862,5 +2861,14 @@ class PermissionService(private val service: AccessCheckingService) : PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE or PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE or PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM or PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM or PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } } } } services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionDefinitionsTest.kt +1 −1 Original line number Original line Diff line number Diff line Loading @@ -38,7 +38,7 @@ import org.junit.runners.Parameterized * AppIdPermissionPolicyPermissionStatesTest because these concepts don't apply to onUserAdded(). * AppIdPermissionPolicyPermissionStatesTest because these concepts don't apply to onUserAdded(). */ */ @RunWith(Parameterized::class) @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionDefinitionsTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionDefinitionsTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Parameterized.Parameter(0) lateinit var action: Action @Test @Test Loading services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionResetTest.kt +1 −1 Original line number Original line Diff line number Diff line Loading 
@@ -29,7 +29,7 @@ import org.junit.runners.Parameterized * and resetRuntimePermissions() in AppIdPermissionPolicy * and resetRuntimePermissions() in AppIdPermissionPolicy */ */ @RunWith(Parameterized::class) @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionResetTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionResetTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Parameterized.Parameter(0) lateinit var action: Action @Test @Test Loading services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionStatesTest.kt +1 −1 Original line number Original line Diff line number Diff line Loading @@ -39,7 +39,7 @@ import org.junit.runners.Parameterized * states for onUserAdded(), onStorageVolumeAdded() and onPackageAdded() in AppIdPermissionPolicy * states for onUserAdded(), onStorageVolumeAdded() and onPackageAdded() in AppIdPermissionPolicy */ */ @RunWith(Parameterized::class) @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionStatesTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionStatesTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Parameterized.Parameter(0) lateinit var action: Action @Before @Before Loading Loading
services/permission/java/com/android/server/permission/access/permission/DevicePermissionPolicy.kt +9 −25 Original line number Original line Diff line number Diff line Loading @@ -16,9 +16,7 @@ package com.android.server.permission.access.permission package com.android.server.permission.access.permission import android.Manifest import android.permission.PermissionManager import android.permission.PermissionManager import android.permission.flags.Flags import android.util.Slog import android.util.Slog import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlSerializer import com.android.modules.utils.BinaryXmlSerializer Loading Loading @@ -61,7 +59,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } } } fun MutateStateScope.removeInactiveDevicesPermission(activePersistentDeviceIds: Set<String>) { fun MutateStateScope.trimDevicePermissionStates(deviceIds: Set<String>) { newState.userStates.forEachIndexed { _, userId, userState -> newState.userStates.forEachIndexed { _, userId, userState -> userState.appIdDevicePermissionFlags.forEachReversedIndexed { _, appId, _ -> userState.appIdDevicePermissionFlags.forEachReversedIndexed { _, appId, _ -> val appIdDevicePermissionFlags = val appIdDevicePermissionFlags = Loading 
@@ -69,14 +67,11 @@ class DevicePermissionPolicy : SchemePolicy() { val devicePermissionFlags = val devicePermissionFlags = appIdDevicePermissionFlags.mutate(appId) ?: return@forEachReversedIndexed appIdDevicePermissionFlags.mutate(appId) ?: return@forEachReversedIndexed val removePersistentDeviceIds = mutableSetOf<String>() devicePermissionFlags.forEachReversedIndexed { _, deviceId, _ -> devicePermissionFlags.forEachIndexed { _, deviceId, _ -> if (deviceId !in deviceIds) { if (!activePersistentDeviceIds.contains(deviceId)) { devicePermissionFlags -= deviceId removePersistentDeviceIds.add(deviceId) } } } } removePersistentDeviceIds.forEach { deviceId -> devicePermissionFlags -= deviceId } } } } } } } Loading Loading @@ -122,6 +117,10 @@ class DevicePermissionPolicy : SchemePolicy() { resetRuntimePermissions(packageName, userId) resetRuntimePermissions(packageName, userId) } } /** * Reset permission states for all permissions requested by the given package, if no other * package (sharing the App ID) request these permissions. */ fun MutateStateScope.resetRuntimePermissions(packageName: String, userId: Int) { fun MutateStateScope.resetRuntimePermissions(packageName: String, userId: Int) { // It's okay to skip resetting permissions for packages that are removed, // It's okay to skip resetting permissions for packages that are removed, // because their states will be trimmed in onPackageRemoved()/onAppIdRemoved() // because their states will be trimmed in onPackageRemoved()/onAppIdRemoved() Loading @@ -144,6 +143,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } } } // Trims permission state for permissions not requested by the App ID anymore. private fun MutateStateScope.trimPermissionStates(appId: Int) { private fun MutateStateScope.trimPermissionStates(appId: Int) { val requestedPermissions = MutableIndexedSet<String>() val requestedPermissions = MutableIndexedSet<String>() forEachPackageInAppId(appId) { forEachPackageInAppId(appId) { Loading Loading 
@@ -245,10 +245,6 @@ class DevicePermissionPolicy : SchemePolicy() { flagMask: Int, flagMask: Int, flagValues: Int flagValues: Int ): Boolean { ): Boolean { if (!isDeviceAwarePermission(permissionName)) { Slog.w(LOG_TAG, "$permissionName is not a device aware permission.") return false } val oldFlags = val oldFlags = newState.userStates[userId]!! newState.userStates[userId]!! .appIdDevicePermissionFlags[appId] .appIdDevicePermissionFlags[appId] Loading Loading @@ -295,20 +291,8 @@ class DevicePermissionPolicy : SchemePolicy() { synchronized(listenersLock) { listeners = listeners + listener } synchronized(listenersLock) { listeners = listeners + listener } } } private fun isDeviceAwarePermission(permissionName: String): Boolean = DEVICE_AWARE_PERMISSIONS.contains(permissionName) companion object { companion object { private val LOG_TAG = DevicePermissionPolicy::class.java.simpleName private val LOG_TAG = DevicePermissionPolicy::class.java.simpleName /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } } /** Listener for permission flags changes. */ /** Listener for permission flags changes. */ Loading
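Review bot: The `@@ -245` hunk drops the `isDeviceAwarePermission(permissionName)` guard from the flag-update function, so this policy now writes device-scoped flags for whatever permission name it is handed. The only allow-list checks still visible in this commit are the two `permissionName !in DEVICE_AWARE_PERMISSIONS` tests in PermissionService.kt, and any other caller of the policy, present or future, would bypass them. Either keep a cheap check here, or document the contract on the function with a KDoc line such as `Callers must verify that permissionName is device aware before calling; this method does not validate it.` The function's signature begins outside the hunk, so whether other call sites exist cannot be confirmed from this page.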
services/permission/java/com/android/server/permission/access/permission/PermissionService.kt +14 −6 Original line number Original line Diff line number Diff line Loading @@ -1555,7 +1555,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { getPermissionFlags(appId, userId, permissionName) } with(policy) { getPermissionFlags(appId, userId, permissionName) } } else { } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( Slog.i( LOG_TAG, LOG_TAG, "$permissionName is not device aware permission, " + "$permissionName is not device aware permission, " + Loading Loading @@ -1591,7 +1591,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } } else { } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( Slog.i( LOG_TAG, LOG_TAG, "$permissionName is not device aware permission, " + "$permissionName is not device aware permission, " + Loading Loading 
@@ -2314,20 +2314,19 @@ class PermissionService(private val service: AccessCheckingService) : override fun onSystemReady() { override fun onSystemReady() { service.onSystemReady() service.onSystemReady() virtualDeviceManagerInternal = virtualDeviceManagerInternal = LocalServices.getService(VirtualDeviceManagerInternal::class.java) LocalServices.getService(VirtualDeviceManagerInternal::class.java) virtualDeviceManagerInternal?.allPersistentDeviceIds?.let { persistentDeviceIds -> virtualDeviceManagerInternal?.allPersistentDeviceIds?.let { persistentDeviceIds -> service.mutateState { service.mutateState { with(devicePolicy) { removeInactiveDevicesPermission(persistentDeviceIds) } with(devicePolicy) { trimDevicePermissionStates(persistentDeviceIds) } } } } } // trim permission states for the external devices, when they are removed. virtualDeviceManagerInternal?.registerPersistentDeviceIdRemovedListener { persistentDeviceId virtualDeviceManagerInternal?.registerPersistentDeviceIdRemovedListener { persistentDeviceId -> -> service.mutateState { with(devicePolicy) { onDeviceIdRemoved(persistentDeviceId) } } service.mutateState { with(devicePolicy) { onDeviceIdRemoved(persistentDeviceId) } } } } permissionControllerManager = permissionControllerManager = PermissionControllerManager(context, PermissionThread.getHandler()) PermissionControllerManager(context, PermissionThread.getHandler()) } } Loading Loading 
@@ -2862,5 +2861,14 @@ class PermissionService(private val service: AccessCheckingService) : PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE or PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE or PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM or PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM or PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } } } }
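Review bot: In `onSystemReady()` the snapshot from `allPersistentDeviceIds` is passed to `trimDevicePermissionStates(persistentDeviceIds)` before `registerPersistentDeviceIdRemovedListener` is called, so a device removed between those two steps would apparently keep its permission state until the next boot. Registering the listener first and taking the snapshot afterwards would close that window. The trim also removes every device ID that is not in the set, so a comment should state what happens if the set comes back empty, e.g. `// An empty set trims all device permission state; allPersistentDeviceIds must be fully loaded here.` Whether either case can occur at this point in boot is not visible from the hunk.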
services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionDefinitionsTest.kt +1 −1 Original line number Original line Diff line number Diff line Loading @@ -38,7 +38,7 @@ import org.junit.runners.Parameterized * AppIdPermissionPolicyPermissionStatesTest because these concepts don't apply to onUserAdded(). * AppIdPermissionPolicyPermissionStatesTest because these concepts don't apply to onUserAdded(). */ */ @RunWith(Parameterized::class) @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionDefinitionsTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionDefinitionsTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Parameterized.Parameter(0) lateinit var action: Action @Test @Test Loading
services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionResetTest.kt +1 −1 Original line number Original line Diff line number Diff line Loading @@ -29,7 +29,7 @@ import org.junit.runners.Parameterized * and resetRuntimePermissions() in AppIdPermissionPolicy * and resetRuntimePermissions() in AppIdPermissionPolicy */ */ @RunWith(Parameterized::class) @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionResetTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionResetTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Parameterized.Parameter(0) lateinit var action: Action @Test @Test Loading
services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionStatesTest.kt +1 −1 Original line number Original line Diff line number Diff line Loading @@ -39,7 +39,7 @@ import org.junit.runners.Parameterized * states for onUserAdded(), onStorageVolumeAdded() and onPackageAdded() in AppIdPermissionPolicy * states for onUserAdded(), onStorageVolumeAdded() and onPackageAdded() in AppIdPermissionPolicy */ */ @RunWith(Parameterized::class) @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionStatesTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionStatesTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Parameterized.Parameter(0) lateinit var action: Action @Before @Before Loading