Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 25f1b6a1 authored by Evan Severson's avatar Evan Severson
Browse files

Make CheckOp return allowed if any attr tag for a package is excluded 

checkOp doesn't support checking against an attribution tag, this causes
some checkOps to fail when a noteOp is successful meaning that a
preflight routine might fail before delivering data and doing the more
precise check. This only affects when a user restriction is applied and
there are excepted package+tag.

Test: Checkop with test app
Bug: 232502990
Bug: 231496105
Merged-In: Idcf5ac9a5401ad8089f5873da1f978fdf9258b5a
Change-Id: Idcf5ac9a5401ad8089f5873da1f978fdf9258b5a
(cherry picked from commit 61c2d029)
parent 1dddfe1f

services/core/java/com/android/server/appop/AppOpsService.java

+13 −7
Original line number Original line Diff line number Diff line
@@ -3242,7 +3242,7 @@ public class AppOpsService extends IAppOpsService.Stub { 
            return AppOpsManager.MODE_IGNORED;

            return AppOpsManager.MODE_IGNORED;

        }

        }

        synchronized (this) {

        synchronized (this) {

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, true)) {

                return AppOpsManager.MODE_IGNORED;

                return AppOpsManager.MODE_IGNORED;

            }

            }

            code = AppOpsManager.opToSwitch(code);

            code = AppOpsManager.opToSwitch(code);
@@ -3459,7 +3459,7 @@ public class AppOpsService extends IAppOpsService.Stub { 




            final int switchCode = AppOpsManager.opToSwitch(code);

            final int switchCode = AppOpsManager.opToSwitch(code);

            final UidState uidState = ops.uidState;

            final UidState uidState = ops.uidState;

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, false)) {

                attributedOp.rejected(uidState.state, flags);

                attributedOp.rejected(uidState.state, flags);

                scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,

                scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,

                        AppOpsManager.MODE_IGNORED);

                        AppOpsManager.MODE_IGNORED);
@@ -3973,7 +3973,8 @@ public class AppOpsService extends IAppOpsService.Stub { 
            final Op op = getOpLocked(ops, code, uid, true);

            final Op op = getOpLocked(ops, code, uid, true);

            final AttributedOp attributedOp = op.getOrCreateAttribution(op, attributionTag);

            final AttributedOp attributedOp = op.getOrCreateAttribution(op, attributionTag);

            final UidState uidState = ops.uidState;

            final UidState uidState = ops.uidState;

            isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass);

            isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass,

                    false);

            final int switchCode = AppOpsManager.opToSwitch(code);

            final int switchCode = AppOpsManager.opToSwitch(code);

            // If there is a non-default per UID policy (we set UID op mode only if

            // If there is a non-default per UID policy (we set UID op mode only if

            // non-default) it takes over, otherwise use the per package policy.

            // non-default) it takes over, otherwise use the per package policy.
@@ -4764,7 +4765,7 @@ public class AppOpsService extends IAppOpsService.Stub { 
    }

    }





    private boolean isOpRestrictedLocked(int uid, int code, String packageName,

    private boolean isOpRestrictedLocked(int uid, int code, String packageName,

            String attributionTag, @Nullable RestrictionBypass appBypass) {

            String attributionTag, @Nullable RestrictionBypass appBypass, boolean isCheckOp) {

        int restrictionSetCount = mOpGlobalRestrictions.size();

        int restrictionSetCount = mOpGlobalRestrictions.size();





        for (int i = 0; i < restrictionSetCount; i++) {

        for (int i = 0; i < restrictionSetCount; i++) {
@@ -4781,7 +4782,8 @@ public class AppOpsService extends IAppOpsService.Stub { 
            // For each client, check that the given op is not restricted, or that the given

            // For each client, check that the given op is not restricted, or that the given

            // package is exempt from the restriction.

            // package is exempt from the restriction.

            ClientUserRestrictionState restrictionState = mOpUserRestrictions.valueAt(i);

            ClientUserRestrictionState restrictionState = mOpUserRestrictions.valueAt(i);

            if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle)) {

            if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle,

                    isCheckOp)) {

                RestrictionBypass opBypass = opAllowSystemBypassRestriction(code);

                RestrictionBypass opBypass = opAllowSystemBypassRestriction(code);

                if (opBypass != null) {

                if (opBypass != null) {

                    // If we are the system, bypass user restrictions for certain codes

                    // If we are the system, bypass user restrictions for certain codes
@@ -7141,7 +7143,7 @@ public class AppOpsService extends IAppOpsService.Stub { 
        }

        }





        public boolean hasRestriction(int restriction, String packageName, String attributionTag,

        public boolean hasRestriction(int restriction, String packageName, String attributionTag,

                int userId) {

                int userId, boolean isCheckOp) {

            if (perUserRestrictions == null) {

            if (perUserRestrictions == null) {

                return false;

                return false;

            }

            }
@@ -7160,6 +7162,9 @@ public class AppOpsService extends IAppOpsService.Stub { 
                return true;

                return true;

            }

            }





            if (isCheckOp) {

                return !perUserExclusions.includes(packageName);

            }

            return !perUserExclusions.contains(packageName, attributionTag);

            return !perUserExclusions.contains(packageName, attributionTag);

        }

        }
@@ -7326,7 +7331,8 @@ public class AppOpsService extends IAppOpsService.Stub { 
                int numRestrictions = mOpUserRestrictions.size();

                int numRestrictions = mOpUserRestrictions.size();

                for (int i = 0; i < numRestrictions; i++) {

                for (int i = 0; i < numRestrictions; i++) {

                    if (mOpUserRestrictions.valueAt(i)

                    if (mOpUserRestrictions.valueAt(i)

                            .hasRestriction(code, pkg, attributionTag, user.getIdentifier())) {

                            .hasRestriction(code, pkg, attributionTag, user.getIdentifier(),

                                    false)) {

                        number++;

                        number++;

                    }

                    }

                }

                }