
Commit 29a9ab42 authored by Michael Groover

Allow AMS fgs notification rate limit with ALLOWLIST permission

Android 16 limits the shell user to only modify the DeviceConfig
flags that have been allowlisted; to support this, the
WRITE_DEVICE_CONFIG permission will be removed from the shell user.
Some CTS tests adopt the shell permission identity to invoke the AMS
service method enableFgsNotificationRateLimit which is currently
guarded with the WRITE_DEVICE_CONFIG permission. To support these
tests, this commit updates this method to also allow the action if
the caller has the WRITE_ALLOWLISTED_DEVICE_CONFIG permission.

Bug: 364083026
Flag: android.security.protect_device_config_flags
Test: atest ServiceTest
Change-Id: I7ac4d3d92a73bc60546bbfcb9c9d5469004f76ce
parent 255746a3
+2 −1
@@ -864,7 +864,8 @@ interface IActivityManager {

    /**
     * Suppress or reenable the rate limit on foreground service notification deferral.
     * This is for use within CTS and is protected by android.permission.WRITE_DEVICE_CONFIG.
     * This is for use within CTS and is protected by android.permission.WRITE_DEVICE_CONFIG
     * and WRITE_ALLOWLISTED_DEVICE_CONFIG.
     *
     * @param enable false to suppress rate-limit policy; true to reenable it.
     */
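Review bot: The updated Javadoc sentence "protected by android.permission.WRITE_DEVICE_CONFIG and WRITE_ALLOWLISTED_DEVICE_CONFIG" reads as if the caller must hold both permissions, while the service-side check in this commit uses enforceCallingHasAtLeastOnePermission, so either one is sufficient. Suggest wording it as "WRITE_DEVICE_CONFIG or WRITE_ALLOWLISTED_DEVICE_CONFIG" and giving the second permission the same android.permission. prefix as the first, so the interface documentation matches what is enforced. Since the commit message says the wider check exists to support CTS tests running under the shell identity, it would also help to state that reason here.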
+7 −2
@@ -19066,8 +19066,13 @@ public class ActivityManagerService extends IActivityManager.Stub
     */
    @Override
    public boolean enableFgsNotificationRateLimit(boolean enable) {
        if (android.security.Flags.protectDeviceConfigFlags()) {
            enforceCallingHasAtLeastOnePermission("enableFgsNotificationRateLimit",
                    permission.WRITE_DEVICE_CONFIG, permission.WRITE_ALLOWLISTED_DEVICE_CONFIG);
        } else {
            enforceCallingPermission(permission.WRITE_DEVICE_CONFIG,
                    "enableFgsNotificationRateLimit");
        }
        synchronized (this) {
            return mServices.enableFgsNotificationRateLimitLocked(enable);
        }
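Review bot: In the protectDeviceConfigFlags() branch, WRITE_ALLOWLISTED_DEVICE_CONFIG is accepted as a gate for an AMS toggle rather than for a DeviceConfig write, and the call goes straight to mServices.enableFgsNotificationRateLimitLocked(enable) with no allowlist lookup, so every holder of that permission can suppress the foreground service notification rate limit once the flag is on. The code carries no comment explaining why that widening is acceptable; please add one above the if stating that this path exists for CTS tests that adopt the shell permission identity, as the commit message describes. It is also worth noting in that comment that the else branch is the pre-flag behaviour and should be dropped when android.security.protect_device_config_flags is cleaned up, so the two checks do not drift apart. The Test: line lists only atest ServiceTest; a case that calls the method holding only WRITE_ALLOWLISTED_DEVICE_CONFIG with the flag enabled, and one holding neither permission, would cover the new branch directly.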