Loading services/permission/java/com/android/server/permission/access/permission/DevicePermissionPolicy.kt +9 −25 Original line number Diff line number Diff line Loading @@ -16,9 +16,7 @@ package com.android.server.permission.access.permission import android.Manifest import android.permission.PermissionManager import android.permission.flags.Flags import android.util.Slog import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlSerializer Loading Loading @@ -61,7 +59,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } fun MutateStateScope.removeInactiveDevicesPermission(activePersistentDeviceIds: Set<String>) { fun MutateStateScope.trimDevicePermissionStates(deviceIds: Set<String>) { newState.userStates.forEachIndexed { _, userId, userState -> userState.appIdDevicePermissionFlags.forEachReversedIndexed { _, appId, _ -> val appIdDevicePermissionFlags = Loading @@ -69,14 +67,11 @@ class DevicePermissionPolicy : SchemePolicy() { val devicePermissionFlags = appIdDevicePermissionFlags.mutate(appId) ?: return@forEachReversedIndexed val removePersistentDeviceIds = mutableSetOf<String>() devicePermissionFlags.forEachIndexed { _, deviceId, _ -> if (!activePersistentDeviceIds.contains(deviceId)) { removePersistentDeviceIds.add(deviceId) devicePermissionFlags.forEachReversedIndexed { _, deviceId, _ -> if (deviceId !in deviceIds) { devicePermissionFlags -= deviceId } } removePersistentDeviceIds.forEach { deviceId -> devicePermissionFlags -= deviceId } } } } Loading Loading @@ -122,6 +117,10 @@ class DevicePermissionPolicy : SchemePolicy() { resetRuntimePermissions(packageName, userId) } /** * Reset permission states for all permissions requested by the given package, if no other * package (sharing the App ID) request these permissions. */ fun MutateStateScope.resetRuntimePermissions(packageName: String, userId: Int) { // It's okay to skip resetting permissions for packages that are removed, // because their states will be trimmed in onPackageRemoved()/onAppIdRemoved() Loading @@ -144,6 +143,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } // Trims permission state for permissions not requested by the App ID anymore. private fun MutateStateScope.trimPermissionStates(appId: Int) { val requestedPermissions = MutableIndexedSet<String>() forEachPackageInAppId(appId) { Loading Loading @@ -245,10 +245,6 @@ class DevicePermissionPolicy : SchemePolicy() { flagMask: Int, flagValues: Int ): Boolean { if (!isDeviceAwarePermission(permissionName)) { Slog.w(LOG_TAG, "$permissionName is not a device aware permission.") return false } val oldFlags = newState.userStates[userId]!! .appIdDevicePermissionFlags[appId] Loading Loading @@ -295,20 +291,8 @@ class DevicePermissionPolicy : SchemePolicy() { synchronized(listenersLock) { listeners = listeners + listener } } private fun isDeviceAwarePermission(permissionName: String): Boolean = DEVICE_AWARE_PERMISSIONS.contains(permissionName) companion object { private val LOG_TAG = DevicePermissionPolicy::class.java.simpleName /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } /** Listener for permission flags changes. */ Loading services/permission/java/com/android/server/permission/access/permission/PermissionService.kt +14 −6 Original line number Diff line number Diff line Loading @@ -1555,7 +1555,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { getPermissionFlags(appId, userId, permissionName) } } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( LOG_TAG, "$permissionName is not device aware permission, " + Loading Loading @@ -1591,7 +1591,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( LOG_TAG, "$permissionName is not device aware permission, " + Loading Loading @@ -2314,20 +2314,19 @@ class PermissionService(private val service: AccessCheckingService) : override fun onSystemReady() { service.onSystemReady() virtualDeviceManagerInternal = LocalServices.getService(VirtualDeviceManagerInternal::class.java) virtualDeviceManagerInternal?.allPersistentDeviceIds?.let { persistentDeviceIds -> service.mutateState { with(devicePolicy) { removeInactiveDevicesPermission(persistentDeviceIds) } with(devicePolicy) { trimDevicePermissionStates(persistentDeviceIds) } } } // trim permission states for the external devices, when they are removed. virtualDeviceManagerInternal?.registerPersistentDeviceIdRemovedListener { persistentDeviceId -> service.mutateState { with(devicePolicy) { onDeviceIdRemoved(persistentDeviceId) } } } permissionControllerManager = PermissionControllerManager(context, PermissionThread.getHandler()) } Loading Loading @@ -2862,5 +2861,14 @@ class PermissionService(private val service: AccessCheckingService) : PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE or PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM or PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } } services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionDefinitionsTest.kt +1 −1 Original line number Diff line number Diff line Loading @@ -38,7 +38,7 @@ import org.junit.runners.Parameterized * AppIdPermissionPolicyPermissionStatesTest because these concepts don't apply to onUserAdded(). */ @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionDefinitionsTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionDefinitionsTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Test Loading services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionResetTest.kt +1 −1 Original line number Diff line number Diff line Loading @@ -29,7 +29,7 @@ import org.junit.runners.Parameterized * and resetRuntimePermissions() in AppIdPermissionPolicy */ @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionResetTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionResetTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Test Loading services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionStatesTest.kt +1 −1 Original line number Diff line number Diff line Loading @@ -39,7 +39,7 @@ import org.junit.runners.Parameterized * states for onUserAdded(), onStorageVolumeAdded() and onPackageAdded() in AppIdPermissionPolicy */ @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionStatesTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionStatesTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Before Loading Loading
services/permission/java/com/android/server/permission/access/permission/DevicePermissionPolicy.kt +9 −25 Original line number Diff line number Diff line Loading @@ -16,9 +16,7 @@ package com.android.server.permission.access.permission import android.Manifest import android.permission.PermissionManager import android.permission.flags.Flags import android.util.Slog import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlSerializer Loading Loading @@ -61,7 +59,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } fun MutateStateScope.removeInactiveDevicesPermission(activePersistentDeviceIds: Set<String>) { fun MutateStateScope.trimDevicePermissionStates(deviceIds: Set<String>) { newState.userStates.forEachIndexed { _, userId, userState -> userState.appIdDevicePermissionFlags.forEachReversedIndexed { _, appId, _ -> val appIdDevicePermissionFlags = Loading @@ -69,14 +67,11 @@ class DevicePermissionPolicy : SchemePolicy() { val devicePermissionFlags = appIdDevicePermissionFlags.mutate(appId) ?: return@forEachReversedIndexed val removePersistentDeviceIds = mutableSetOf<String>() devicePermissionFlags.forEachIndexed { _, deviceId, _ -> if (!activePersistentDeviceIds.contains(deviceId)) { removePersistentDeviceIds.add(deviceId) devicePermissionFlags.forEachReversedIndexed { _, deviceId, _ -> if (deviceId !in deviceIds) { devicePermissionFlags -= deviceId } } removePersistentDeviceIds.forEach { deviceId -> devicePermissionFlags -= deviceId } } } } Loading Loading @@ -122,6 +117,10 @@ class DevicePermissionPolicy : SchemePolicy() { resetRuntimePermissions(packageName, userId) } /** * Reset permission states for all permissions requested by the given package, if no other * package (sharing the App ID) request these permissions. */ fun MutateStateScope.resetRuntimePermissions(packageName: String, userId: Int) { // It's okay to skip resetting permissions for packages that are removed, // because their states will be trimmed in onPackageRemoved()/onAppIdRemoved() Loading @@ -144,6 +143,7 @@ class DevicePermissionPolicy : SchemePolicy() { } } // Trims permission state for permissions not requested by the App ID anymore. private fun MutateStateScope.trimPermissionStates(appId: Int) { val requestedPermissions = MutableIndexedSet<String>() forEachPackageInAppId(appId) { Loading Loading @@ -245,10 +245,6 @@ class DevicePermissionPolicy : SchemePolicy() { flagMask: Int, flagValues: Int ): Boolean { if (!isDeviceAwarePermission(permissionName)) { Slog.w(LOG_TAG, "$permissionName is not a device aware permission.") return false } val oldFlags = newState.userStates[userId]!! .appIdDevicePermissionFlags[appId] Loading Loading @@ -295,20 +291,8 @@ class DevicePermissionPolicy : SchemePolicy() { synchronized(listenersLock) { listeners = listeners + listener } } private fun isDeviceAwarePermission(permissionName: String): Boolean = DEVICE_AWARE_PERMISSIONS.contains(permissionName) companion object { private val LOG_TAG = DevicePermissionPolicy::class.java.simpleName /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } /** Listener for permission flags changes. */ Loading
services/permission/java/com/android/server/permission/access/permission/PermissionService.kt +14 −6 Original line number Diff line number Diff line Loading @@ -1555,7 +1555,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { getPermissionFlags(appId, userId, permissionName) } } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( LOG_TAG, "$permissionName is not device aware permission, " + Loading Loading @@ -1591,7 +1591,7 @@ class PermissionService(private val service: AccessCheckingService) : deviceId == Context.DEVICE_ID_DEFAULT) { with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } } else { if (permissionName !in DevicePermissionPolicy.DEVICE_AWARE_PERMISSIONS) { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { Slog.i( LOG_TAG, "$permissionName is not device aware permission, " + Loading Loading @@ -2314,20 +2314,19 @@ class PermissionService(private val service: AccessCheckingService) : override fun onSystemReady() { service.onSystemReady() virtualDeviceManagerInternal = LocalServices.getService(VirtualDeviceManagerInternal::class.java) virtualDeviceManagerInternal?.allPersistentDeviceIds?.let { persistentDeviceIds -> service.mutateState { with(devicePolicy) { removeInactiveDevicesPermission(persistentDeviceIds) } with(devicePolicy) { trimDevicePermissionStates(persistentDeviceIds) } } } // trim permission states for the external devices, when they are removed. virtualDeviceManagerInternal?.registerPersistentDeviceIdRemovedListener { persistentDeviceId -> service.mutateState { with(devicePolicy) { onDeviceIdRemoved(persistentDeviceId) } } } permissionControllerManager = PermissionControllerManager(context, PermissionThread.getHandler()) } Loading Loading @@ -2862,5 +2861,14 @@ class PermissionService(private val service: AccessCheckingService) : PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE or PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM or PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER /** These permissions are supported for virtual devices. */ // TODO: b/298661870 - Use new API to get the list of device aware permissions. val DEVICE_AWARE_PERMISSIONS = if (Flags.deviceAwarePermissionApisEnabled()) { setOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO) } else { emptySet<String>() } } }
services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionDefinitionsTest.kt +1 −1 Original line number Diff line number Diff line Loading @@ -38,7 +38,7 @@ import org.junit.runners.Parameterized * AppIdPermissionPolicyPermissionStatesTest because these concepts don't apply to onUserAdded(). */ @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionDefinitionsTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionDefinitionsTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Test Loading
services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionResetTest.kt +1 −1 Original line number Diff line number Diff line Loading @@ -29,7 +29,7 @@ import org.junit.runners.Parameterized * and resetRuntimePermissions() in AppIdPermissionPolicy */ @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionResetTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionResetTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Test Loading
services/tests/PermissionServiceMockingTests/src/com/android/server/permission/test/AppIdPermissionPolicyPermissionStatesTest.kt +1 −1 Original line number Diff line number Diff line Loading @@ -39,7 +39,7 @@ import org.junit.runners.Parameterized * states for onUserAdded(), onStorageVolumeAdded() and onPackageAdded() in AppIdPermissionPolicy */ @RunWith(Parameterized::class) class AppIdPermissionPolicyPermissionStatesTest : BaseAppIdPermissionPolicyTest() { class AppIdPermissionPolicyPermissionStatesTest : BasePermissionPolicyTest() { @Parameterized.Parameter(0) lateinit var action: Action @Before Loading
