
Commit 2a537a6e authored by Philip P. Moltmann's avatar Philip P. Moltmann

Guard changing policy_fixed flag behind permission

- Allow an app to change policy_fixed permissions
- Disallow apps >= Q to change the policy_fixed flag

Bug: 124128308
Test: Changed permissions that were policy_fixed
Change-Id: Ia94bae1b993bd8a18c93f866df2114c740fa17bd
parent 9a8bcf5f
+1 −0
@@ -15,6 +15,7 @@ package android {
    field public static final String ACCESS_SHORTCUTS = "android.permission.ACCESS_SHORTCUTS";
    field public static final String ACCESS_SHORTCUTS = "android.permission.ACCESS_SHORTCUTS";
    field public static final String ACCESS_SURFACE_FLINGER = "android.permission.ACCESS_SURFACE_FLINGER";
    field public static final String ACCESS_SURFACE_FLINGER = "android.permission.ACCESS_SURFACE_FLINGER";
    field public static final String ACTIVITY_EMBEDDING = "android.permission.ACTIVITY_EMBEDDING";
    field public static final String ACTIVITY_EMBEDDING = "android.permission.ACTIVITY_EMBEDDING";
    field public static final String ADJUST_RUNTIME_PERMISSIONS_POLICY = "android.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY";
    field public static final String ALLOCATE_AGGRESSIVE = "android.permission.ALLOCATE_AGGRESSIVE";
    field public static final String ALLOCATE_AGGRESSIVE = "android.permission.ALLOCATE_AGGRESSIVE";
    field public static final String ALLOW_ANY_CODEC_FOR_PLAYBACK = "android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK";
    field public static final String ALLOW_ANY_CODEC_FOR_PLAYBACK = "android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK";
    field public static final String AMBIENT_WALLPAPER = "android.permission.AMBIENT_WALLPAPER";
    field public static final String AMBIENT_WALLPAPER = "android.permission.AMBIENT_WALLPAPER";
+3 −1
@@ -696,7 +696,9 @@ public class ApplicationPackageManager extends PackageManager {
            int flagMask, int flagValues, UserHandle user) {
            int flagMask, int flagValues, UserHandle user) {
        try {
        try {
            mPM.updatePermissionFlags(permissionName, packageName, flagMask,
            mPM.updatePermissionFlags(permissionName, packageName, flagMask,
                    flagValues, user.getIdentifier());
                    flagValues,
                    mContext.getApplicationInfo().targetSdkVersion >= Build.VERSION_CODES.Q,
                    user.getIdentifier());
        } catch (RemoteException e) {
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
            throw e.rethrowFromSystemServer();
        }
        }
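Review bot: The new boolean passed to `mPM.updatePermissionFlags(...)` is an unnamed inline expression, and nothing at the call site says that it is only the calling process's own statement about its target SDK, which the service must verify itself. Suggest hoisting it into a named local, `final boolean checkAdjustPolicyFlagPermission = mContext.getApplicationInfo().targetSdkVersion >= Build.VERSION_CODES.Q;`, with a comment such as `// Advisory only: the service re-checks the calling uid's target SDK.` The matching parameter added to IPackageManager.updatePermissionFlags is undocumented as well. The method's signature begins outside this hunk.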
+1 −1
@@ -111,7 +111,7 @@ interface IPackageManager {
    int getPermissionFlags(String permissionName, String packageName, int userId);
    int getPermissionFlags(String permissionName, String packageName, int userId);


    void updatePermissionFlags(String permissionName, String packageName, int flagMask,
    void updatePermissionFlags(String permissionName, String packageName, int flagMask,
            int flagValues, int userId);
            int flagValues, boolean checkAdjustPolicyFlagPermission, int userId);


    void updatePermissionFlagsForAllApps(int flagMask, int flagValues, int userId);
    void updatePermissionFlagsForAllApps(int flagMask, int flagValues, int userId);


+5 −0
@@ -3419,6 +3419,11 @@
    <permission android:name="android.permission.GET_RUNTIME_PERMISSIONS"
    <permission android:name="android.permission.GET_RUNTIME_PERMISSIONS"
                android:protectionLevel="signature" />
                android:protectionLevel="signature" />


    <!-- @SystemApi Allows an application to change policy_fixed permissions.
    @hide -->
    <permission android:name="android.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY"
                android:protectionLevel="signature|installer" />

    <!-- @hide Allows an application to observe permission changes. -->
    <!-- @hide Allows an application to observe permission changes. -->
    <permission android:name="android.permission.OBSERVE_GRANT_REVOKE_PERMISSIONS"
    <permission android:name="android.permission.OBSERVE_GRANT_REVOKE_PERMISSIONS"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged" />
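Review bot: The comment on the new ADJUST_RUNTIME_PERMISSIONS_POLICY permission is too thin for what the permission unlocks. Elsewhere in this commit, holders get `overridePolicy` set to true in grantRuntimePermission and revokeRuntimePermission as well as in updatePermissionFlags, yet the comment mentions only "change policy_fixed permissions" and does not explain why `installer` is part of the protection level. Suggest something like `<!-- @SystemApi Allows an application to set or clear the policy-fixed flag on runtime permissions and to grant or revoke permissions that are policy fixed. @hide -->`, plus a sentence naming the callers expected to hold it.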
+90 −6
@@ -4212,6 +4212,55 @@ public class PackageManagerService extends IPackageManager.Stub
        return -1;
        return -1;
    }
    }
    /**
     * Check if any package sharing/holding a uid has a low enough target SDK.
     *
     * @param uid The uid of the packages
     * @param higherTargetSDK The target SDK that might be higher than the searched package
     *
     * @return {@code true} if there is a package sharing/holding the uid with
     * {@code package.targetSDK < higherTargetSDK}
     */
    private boolean hasTargetSdkInUidLowerThan(int uid, int higherTargetSDK) {
        int userId = UserHandle.getUserId(uid);
        synchronized (mPackages) {
            Object obj = mSettings.getSettingLPr(UserHandle.getAppId(uid));
            if (obj == null) {
                return false;
            }
            if (obj instanceof PackageSetting) {
                final PackageSetting ps = (PackageSetting) obj;
                if (!ps.getInstalled(userId)) {
                    return false;
                }
                return ps.pkg.applicationInfo.targetSdkVersion < higherTargetSDK;
            } else if (obj instanceof SharedUserSetting) {
                final SharedUserSetting sus = (SharedUserSetting) obj;
                final int numPkgs = sus.packages.size();
                for (int i = 0; i < numPkgs; i++) {
                    final PackageSetting ps = sus.packages.valueAt(i);
                    if (!ps.getInstalled(userId)) {
                        continue;
                    }
                    if (ps.pkg.applicationInfo.targetSdkVersion < higherTargetSDK) {
                        return true;
                    }
                }
                return false;
            } else {
                return false;
            }
        }
    }
    @Override
    @Override
    public int[] getPackageGids(String packageName, int flags, int userId) {
    public int[] getPackageGids(String packageName, int flags, int userId) {
        if (!sUserManager.exists(userId)) return null;
        if (!sUserManager.exists(userId)) return null;
@@ -5280,13 +5329,21 @@ public class PackageManagerService extends IPackageManager.Stub
    @Override
    @Override
    public void grantRuntimePermission(String packageName, String permName, final int userId) {
    public void grantRuntimePermission(String packageName, String permName, final int userId) {
        mPermissionManager.grantRuntimePermission(permName, packageName, false /*overridePolicy*/,
        boolean overridePolicy = (checkUidPermission(
                Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY, Binder.getCallingUid())
                == PackageManager.PERMISSION_GRANTED);
        mPermissionManager.grantRuntimePermission(permName, packageName, overridePolicy,
                getCallingUid(), userId, mPermissionCallback);
                getCallingUid(), userId, mPermissionCallback);
    }
    }
    @Override
    @Override
    public void revokeRuntimePermission(String packageName, String permName, int userId) {
    public void revokeRuntimePermission(String packageName, String permName, int userId) {
        mPermissionManager.revokeRuntimePermission(permName, packageName, false /*overridePolicy*/,
        boolean overridePolicy = (checkUidPermission(
                Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY, Binder.getCallingUid())
                == PackageManager.PERMISSION_GRANTED);
        mPermissionManager.revokeRuntimePermission(permName, packageName, overridePolicy,
                getCallingUid(), userId, mPermissionCallback);
                getCallingUid(), userId, mPermissionCallback);
    }
    }
@@ -5329,10 +5386,37 @@ public class PackageManagerService extends IPackageManager.Stub
    @Override
    @Override
    public void updatePermissionFlags(String permName, String packageName, int flagMask,
    public void updatePermissionFlags(String permName, String packageName, int flagMask,
            int flagValues, int userId) {
            int flagValues, boolean checkAdjustPolicyFlagPermission, int userId) {
        int callingUid = getCallingUid();
        boolean overridePolicy = false;
        if (callingUid != Process.SYSTEM_UID && callingUid != Process.ROOT_UID) {
            long callingIdentity = Binder.clearCallingIdentity();
            try {
                if ((flagMask & FLAG_PERMISSION_POLICY_FIXED) != 0) {
                    if (checkAdjustPolicyFlagPermission) {
                        mContext.enforceCallingOrSelfPermission(
                                Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY,
                                "Need " + Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY
                                        + " to change policy flags");
                    } else if (!hasTargetSdkInUidLowerThan(callingUid, Build.VERSION_CODES.Q)) {
                        throw new IllegalArgumentException(
                                Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY + " needs "
                                        + " to be checked for packages targeting "
                                        + Build.VERSION_CODES.Q + " or later when changing policy "
                                        + "flags");
                    }
                    overridePolicy = true;
                }
            } finally {
                Binder.restoreCallingIdentity(callingIdentity);
            }
        }
        mPermissionManager.updatePermissionFlags(
        mPermissionManager.updatePermissionFlags(
                permName, packageName, flagMask, flagValues, getCallingUid(), userId,
                permName, packageName, flagMask, flagValues, callingUid, userId,
                mPermissionCallback);
                overridePolicy, mPermissionCallback);
    }
    }
    /**
    /**
@@ -22995,7 +23079,7 @@ public class PackageManagerService extends IPackageManager.Stub
        public void updatePermissionFlagsTEMP(String permName, String packageName, int flagMask,
        public void updatePermissionFlagsTEMP(String permName, String packageName, int flagMask,
                int flagValues, int userId) {
                int flagValues, int userId) {
            PackageManagerService.this.updatePermissionFlags(
            PackageManagerService.this.updatePermissionFlags(
                    permName, packageName, flagMask, flagValues, userId);
                    permName, packageName, flagMask, flagValues, true, userId);
        }
        }
        @Override
        @Override
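Review bot: In the updatePermissionFlags hunk (@@ -5329), `mContext.enforceCallingOrSelfPermission(...)` runs after `Binder.clearCallingIdentity()`, so the check is evaluated against the system server's own identity rather than the Binder caller's. It would therefore pass for any caller that sets `checkAdjustPolicyFlagPermission` to true, and `overridePolicy` becomes true without the caller holding ADJUST_RUNTIME_PERMISSIONS_POLICY. Neither the enforce call nor `hasTargetSdkInUidLowerThan(callingUid, ...)` as shown needs a cleared identity, so the `long callingIdentity = Binder.clearCallingIdentity();` / `try` / `finally { Binder.restoreCallingIdentity(callingIdentity); }` wrapper should be dropped so the block runs with the caller's identity. Separately, hasTargetSdkInUidLowerThan dereferences `ps.pkg` without a null check; if a PackageSetting can exist without a parsed package, both branches need a guard.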