Loading core/java/android/app/AppOpsManager.java +1 −3 Original line number Diff line number Diff line Loading @@ -2981,9 +2981,7 @@ public class AppOpsManager { new AppOpInfo.Builder(OP_ESTABLISH_VPN_MANAGER, OPSTR_ESTABLISH_VPN_MANAGER, "ESTABLISH_VPN_MANAGER").setDefaultMode(AppOpsManager.MODE_ALLOWED).build(), new AppOpInfo.Builder(OP_ACCESS_RESTRICTED_SETTINGS, OPSTR_ACCESS_RESTRICTED_SETTINGS, "ACCESS_RESTRICTED_SETTINGS").setDefaultMode( android.permission.flags.Flags.enhancedConfirmationModeApisEnabled() ? MODE_DEFAULT : MODE_ALLOWED) "ACCESS_RESTRICTED_SETTINGS").setDefaultMode(AppOpsManager.MODE_ALLOWED) .setDisableReset(true).setRestrictRead(true).build(), new AppOpInfo.Builder(OP_RECEIVE_AMBIENT_TRIGGER_AUDIO, OPSTR_RECEIVE_AMBIENT_TRIGGER_AUDIO, "RECEIVE_SOUNDTRIGGER_AUDIO").setDefaultMode(AppOpsManager.MODE_ALLOWED) Loading services/core/java/com/android/server/pm/InstallPackageHelper.java +20 −5 Original line number Diff line number Diff line Loading @@ -2504,13 +2504,13 @@ final class InstallPackageHelper { Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER); } private void enableRestrictedSettings(String pkgName, int appId, int userId) { private void setAccessRestrictedSettingsMode(String pkgName, int appId, int userId, int mode) { final AppOpsManager appOpsManager = mPm.mContext.getSystemService(AppOpsManager.class); final int uid = UserHandle.getUid(userId, appId); appOpsManager.setMode(AppOpsManager.OP_ACCESS_RESTRICTED_SETTINGS, uid, pkgName, AppOpsManager.MODE_ERRORED); mode); } /** Loading Loading @@ -2888,8 +2888,21 @@ final class InstallPackageHelper { mPm.notifyPackageChanged(packageName, request.getAppId()); } if (!android.permission.flags.Flags.enhancedConfirmationModeApisEnabled() || !android.security.Flags.extendEcmToAllSettings()) { // Set the OP_ACCESS_RESTRICTED_SETTINGS op, which is used by ECM (see {@link // EnhancedConfirmationManager}) as a persistent state denoting whether an app is // currently guarded by ECM, not guarded by ECM, or (in Android V+) that this should // be decided later. if (android.permission.flags.Flags.enhancedConfirmationModeApisEnabled() && android.security.Flags.extendEcmToAllSettings()) { final int appId = request.getAppId(); mPm.mHandler.post(() -> { for (int userId : firstUserIds) { // MODE_DEFAULT means that the app's guardedness will be decided lazily setAccessRestrictedSettingsMode(packageName, appId, userId, AppOpsManager.MODE_DEFAULT); } }); } else { // Apply restricted settings on potentially dangerous packages. Needs to happen // after appOpsManager is notified of the new package if (request.getPackageSource() == PackageInstaller.PACKAGE_SOURCE_LOCAL_FILE Loading @@ -2898,7 +2911,9 @@ final class InstallPackageHelper { final int appId = request.getAppId(); mPm.mHandler.post(() -> { for (int userId : firstUserIds) { enableRestrictedSettings(packageName, appId, userId); // MODE_ERRORED means that the app is explicitly guarded setAccessRestrictedSettingsMode(packageName, appId, userId, AppOpsManager.MODE_ERRORED); } }); } Loading Loading
core/java/android/app/AppOpsManager.java +1 −3 Original line number Diff line number Diff line Loading @@ -2981,9 +2981,7 @@ public class AppOpsManager { new AppOpInfo.Builder(OP_ESTABLISH_VPN_MANAGER, OPSTR_ESTABLISH_VPN_MANAGER, "ESTABLISH_VPN_MANAGER").setDefaultMode(AppOpsManager.MODE_ALLOWED).build(), new AppOpInfo.Builder(OP_ACCESS_RESTRICTED_SETTINGS, OPSTR_ACCESS_RESTRICTED_SETTINGS, "ACCESS_RESTRICTED_SETTINGS").setDefaultMode( android.permission.flags.Flags.enhancedConfirmationModeApisEnabled() ? MODE_DEFAULT : MODE_ALLOWED) "ACCESS_RESTRICTED_SETTINGS").setDefaultMode(AppOpsManager.MODE_ALLOWED) .setDisableReset(true).setRestrictRead(true).build(), new AppOpInfo.Builder(OP_RECEIVE_AMBIENT_TRIGGER_AUDIO, OPSTR_RECEIVE_AMBIENT_TRIGGER_AUDIO, "RECEIVE_SOUNDTRIGGER_AUDIO").setDefaultMode(AppOpsManager.MODE_ALLOWED) Loading
services/core/java/com/android/server/pm/InstallPackageHelper.java +20 −5 Original line number Diff line number Diff line Loading @@ -2504,13 +2504,13 @@ final class InstallPackageHelper { Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER); } private void enableRestrictedSettings(String pkgName, int appId, int userId) { private void setAccessRestrictedSettingsMode(String pkgName, int appId, int userId, int mode) { final AppOpsManager appOpsManager = mPm.mContext.getSystemService(AppOpsManager.class); final int uid = UserHandle.getUid(userId, appId); appOpsManager.setMode(AppOpsManager.OP_ACCESS_RESTRICTED_SETTINGS, uid, pkgName, AppOpsManager.MODE_ERRORED); mode); } /** Loading Loading @@ -2888,8 +2888,21 @@ final class InstallPackageHelper { mPm.notifyPackageChanged(packageName, request.getAppId()); } if (!android.permission.flags.Flags.enhancedConfirmationModeApisEnabled() || !android.security.Flags.extendEcmToAllSettings()) { // Set the OP_ACCESS_RESTRICTED_SETTINGS op, which is used by ECM (see {@link // EnhancedConfirmationManager}) as a persistent state denoting whether an app is // currently guarded by ECM, not guarded by ECM, or (in Android V+) that this should // be decided later. if (android.permission.flags.Flags.enhancedConfirmationModeApisEnabled() && android.security.Flags.extendEcmToAllSettings()) { final int appId = request.getAppId(); mPm.mHandler.post(() -> { for (int userId : firstUserIds) { // MODE_DEFAULT means that the app's guardedness will be decided lazily setAccessRestrictedSettingsMode(packageName, appId, userId, AppOpsManager.MODE_DEFAULT); } }); } else { // Apply restricted settings on potentially dangerous packages. Needs to happen // after appOpsManager is notified of the new package if (request.getPackageSource() == PackageInstaller.PACKAGE_SOURCE_LOCAL_FILE Loading @@ -2898,7 +2911,9 @@ final class InstallPackageHelper { final int appId = request.getAppId(); mPm.mHandler.post(() -> { for (int userId : firstUserIds) { enableRestrictedSettings(packageName, appId, userId); // MODE_ERRORED means that the app is explicitly guarded setAccessRestrictedSettingsMode(packageName, appId, userId, AppOpsManager.MODE_ERRORED); } }); } Loading
