
Commit 3bfef018 authored by Fyodor Kupolov's avatar Fyodor Kupolov Committed by Android (Google) Code Review

Merge "Control privileged permissions for priv-apps"

parents 80d20c54 964d2ebb
+2 −0
@@ -27,6 +27,8 @@ public class RoSystemProperties {
            SystemProperties.getInt("ro.debuggable", 0) == 1;
    public static final int FACTORYTEST =
            SystemProperties.getInt("ro.factorytest", 0);
    public static final boolean CONTROL_PRIVAPP_PERMISSIONS =
            SystemProperties.getBoolean("ro.control_privapp_permissions", false);

    // ------ ro.config.* -------- //
    public static final boolean CONFIG_LOW_RAM =
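Review bot: `CONTROL_PRIVAPP_PERMISSIONS` falls back to `false` when `ro.control_privapp_permissions` is unset, so the privileged-permission allowlist added elsewhere in this commit is opt-in per device build. An absent or misspelled property leaves the check off with no log line. The constant has no comment saying this; I would add `// When true, priv-apps get signature|privileged platform permissions only if listed in a <privapp-permissions> entry. Off by default.` above it. The class body continues outside the hunk.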
+38 −0
@@ -25,6 +25,7 @@ import android.content.pm.PackageManager;
import android.os.Environment;
import android.os.Process;
import android.os.storage.StorageManager;
import android.text.TextUtils;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.Slog;
@@ -129,6 +130,9 @@ public class SystemConfig {
    final ArrayMap<String, List<String>> mDisabledUntilUsedPreinstalledCarrierAssociatedApps =
            new ArrayMap<>();


    final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>();

    public static SystemConfig getInstance() {
        synchronized (SystemConfig.class) {
            if (sInstance == null) {
@@ -194,6 +198,10 @@ public class SystemConfig {
        return mDisabledUntilUsedPreinstalledCarrierAssociatedApps;
    }

    public ArraySet<String> getPrivAppPermissions(String packageName) {
        return mPrivAppPermissions.get(packageName);
    }

    SystemConfig() {
        // Read configuration from system
        readPermissions(Environment.buildPath(
@@ -507,6 +515,8 @@ public class SystemConfig {
                        associatedPkgs.add(pkgname);
                    }
                    XmlUtils.skipCurrentTag(parser);
                } else if ("privapp-permissions".equals(name) && allowAppConfigs) {
                    readPrivAppPermissions(parser);
                } else {
                    XmlUtils.skipCurrentTag(parser);
                    continue;
@@ -584,4 +594,32 @@ public class SystemConfig {
            XmlUtils.skipCurrentTag(parser);
        }
    }

    void readPrivAppPermissions(XmlPullParser parser) throws IOException, XmlPullParserException {
        String packageName = parser.getAttributeValue(null, "package");
        if (TextUtils.isEmpty(packageName)) {
            Slog.w(TAG, "package is required for <privapp-permissions> in "
                    + parser.getPositionDescription());
            return;
        }

        ArraySet<String> permissions = mPrivAppPermissions.get(packageName);
        if (permissions == null) {
            permissions = new ArraySet<>();
        }
        int depth = parser.getDepth();
        while (XmlUtils.nextElementWithin(parser, depth)) {
            String name = parser.getName();
            if ("permission".equals(name)) {
                String permName = parser.getAttributeValue(null, "name");
                if (TextUtils.isEmpty(permName)) {
                    Slog.w(TAG, "name is required for <permission> in "
                            + parser.getPositionDescription());
                    continue;
                }
                permissions.add(permName);
            }
        }
        mPrivAppPermissions.put(packageName, permissions);
    }
}
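Review bot: The early `return` in `readPrivAppPermissions` for a missing `package` attribute leaves the parser on the `<privapp-permissions>` start tag without consuming its children. The dispatch loop is only partly visible here, but every sibling branch shown consumes its element with `XmlUtils.skipCurrentTag(parser)`. If that loop simply advances to the next start tag, the nested `<permission>` elements of the rejected entry would then be handled as top-level elements of the config file. I would make the rejection explicit by adding `XmlUtils.skipCurrentTag(parser);` before that `return;`, so a malformed allowlist entry is dropped as a whole.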
+6 −19
@@ -18,30 +18,17 @@ LOCAL_PATH := $(my-dir)

########################
include $(CLEAR_VARS)

LOCAL_MODULE := platform.xml

LOCAL_MODULE_CLASS := ETC

# This will install the file in /system/etc/permissions
#
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions

LOCAL_SRC_FILES := $(LOCAL_MODULE)

include $(BUILD_PREBUILT)

########################
#include $(CLEAR_VARS)

#LOCAL_MODULE := required_hardware.xml

#LOCAL_MODULE_CLASS := ETC

# This will install the file in /system/etc/permissions
#
#LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions

#LOCAL_SRC_FILES := $(LOCAL_MODULE)
include $(CLEAR_VARS)
LOCAL_MODULE := privapp-permissions-platform.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions
LOCAL_SRC_FILES := $(LOCAL_MODULE)
include $(BUILD_PREBUILT)
#include $(BUILD_PREBUILT)
+324 −0
<?xml version="1.0" encoding="utf-8"?>
<!--
  ~ Copyright (C) 2016 The Android Open Source Project
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~      http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License
  -->

<!--
This XML file declares which signature|privileged permissions should be granted to privileged
applications that come with the platform
-->
<permissions>
    <privapp-permissions package="com.android.backupconfirm">
        <permission name="android.permission.BACKUP"/>
        <permission name="android.permission.CRYPT_KEEPER"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.cellbroadcastreceiver">
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
        <permission name="android.permission.RECEIVE_EMERGENCY_BROADCAST"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.contacts">
        <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
        <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.defcontainer">
        <permission name="android.permission.ACCESS_CACHE_FILESYSTEM"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.dialer">
        <permission name="android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK"/>
        <permission name="android.permission.CONTROL_INCALL_EXPERIENCE"/>
        <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.STOP_APP_SWITCHES"/>
        <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/>
        <permission name="com.android.voicemail.permission.WRITE_VOICEMAIL"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.emergency">
        <permission name="android.permission.MANAGE_USERS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.externalstorage">
        <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
        <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.launcher">
        <permission name="android.permission.BIND_APPWIDGET"/>
        <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.location.fused">
        <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.managedprovisioning">
        <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
        <permission name="android.permission.CHANGE_CONFIGURATION"/>
        <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
        <permission name="android.permission.CRYPT_KEEPER"/>
        <permission name="android.permission.DELETE_PACKAGES"/>
        <permission name="android.permission.INSTALL_PACKAGES"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_DEVICE_ADMINS"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.MASTER_CLEAR"/>
        <permission name="android.permission.PERFORM_CDMA_PROVISIONING"/>
        <permission name="android.permission.SET_TIME"/>
        <permission name="android.permission.SET_TIME_ZONE"/>
        <permission name="android.permission.SHUTDOWN"/>
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.mms.service">
        <permission name="android.permission.BIND_CARRIER_MESSAGING_SERVICE"/>
        <permission name="android.permission.BIND_CARRIER_SERVICES"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.mtp">
        <permission name="android.permission.MANAGE_USB"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.musicfx">
        <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.packageinstaller">
        <permission name="android.permission.CLEAR_APP_CACHE"/>
        <permission name="android.permission.DELETE_PACKAGES"/>
        <permission name="android.permission.INSTALL_PACKAGES"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.phone">
        <permission name="android.permission.ACCESS_IMS_CALL_SERVICE"/>
        <permission name="android.permission.BIND_CARRIER_MESSAGING_SERVICE"/>
        <permission name="android.permission.BIND_CARRIER_SERVICES"/>
        <permission name="android.permission.CALL_PRIVILEGED"/>
        <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
        <permission name="android.permission.CHANGE_CONFIGURATION"/>
        <permission name="android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST"/>
        <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
        <permission name="android.permission.DUMP"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.LOCAL_MAC_ADDRESS"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.PERFORM_CDMA_PROVISIONING"/>
        <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
        <permission name="android.permission.READ_SEARCH_INDEXABLES"/>
        <permission name="android.permission.REBOOT"/>
        <permission name="android.permission.REGISTER_CALL_PROVIDER"/>
        <permission name="android.permission.REGISTER_SIM_SUBSCRIPTION"/>
        <permission name="android.permission.SEND_RESPOND_VIA_MESSAGE"/>
        <permission name="android.permission.SET_TIME"/>
        <permission name="android.permission.SET_TIME_ZONE"/>
        <permission name="android.permission.SHUTDOWN"/>
        <permission name="android.permission.STATUS_BAR"/>
        <permission name="android.permission.STOP_APP_SWITCHES"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
        <permission name="android.permission.UPDATE_DEVICE_STATS"/>
        <permission name="android.permission.UPDATE_LOCK"/>
        <permission name="android.permission.WRITE_APN_SETTINGS"/>
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
        <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/>
        <permission name="com.android.voicemail.permission.WRITE_VOICEMAIL"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.providers.calendar">
        <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.providers.contacts">
        <permission name="android.permission.BIND_DIRECTORY_SEARCH"/>
        <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.providers.downloads">
        <permission name="android.permission.ACCESS_CACHE_FILESYSTEM"/>
        <permission name="android.permission.CLEAR_APP_CACHE"/>
        <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
        <permission name="android.permission.MODIFY_NETWORK_ACCOUNTING"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
        <permission name="android.permission.UPDATE_DEVICE_STATS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.providers.media">
        <permission name="android.permission.ACCESS_MTP"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.providers.telephony">
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.provision">
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.server.telecom">
        <permission name="android.permission.BIND_CONNECTION_SERVICE"/>
        <permission name="android.permission.BIND_INCALL_SERVICE"/>
        <permission name="android.permission.CALL_PRIVILEGED"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.STOP_APP_SWITCHES"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.settings">
        <permission name="android.permission.ACCESS_CHECKIN_PROPERTIES"/>
        <permission name="android.permission.ACCESS_NOTIFICATIONS"/>
        <permission name="android.permission.BACKUP"/>
        <permission name="android.permission.BATTERY_STATS"/>
        <permission name="android.permission.BLUETOOTH_PRIVILEGED"/>
        <permission name="android.permission.CHANGE_CONFIGURATION"/>
        <permission name="android.permission.DELETE_PACKAGES"/>
        <permission name="android.permission.FORCE_STOP_PACKAGES"/>
        <permission name="android.permission.MANAGE_DEVICE_ADMINS"/>
        <permission name="android.permission.MANAGE_FINGERPRINT"/>
        <permission name="android.permission.MANAGE_USB"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.MASTER_CLEAR"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
        <permission name="android.permission.MOVE_PACKAGE"/>
        <permission name="android.permission.OVERRIDE_WIFI_CONFIG"/>
        <permission name="android.permission.PACKAGE_USAGE_STATS"/>
        <permission name="android.permission.READ_SEARCH_INDEXABLES"/>
        <permission name="android.permission.REBOOT"/>
        <permission name="android.permission.SET_TIME"/>
        <permission name="android.permission.STATUS_BAR"/>
        <permission name="android.permission.TETHER_PRIVILEGED"/>
        <permission name="android.permission.USER_ACTIVITY"/>
        <permission name="android.permission.WRITE_APN_SETTINGS"/>
        <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.sharedstoragebackup">
        <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.shell">
        <permission name="android.permission.BACKUP"/>
        <permission name="android.permission.BATTERY_STATS"/>
        <permission name="android.permission.BIND_APPWIDGET"/>
        <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
        <permission name="android.permission.CHANGE_CONFIGURATION"/>
        <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
        <permission name="android.permission.DELETE_CACHE_FILES"/>
        <permission name="android.permission.DELETE_PACKAGES"/>
        <permission name="android.permission.DUMP"/>
        <permission name="android.permission.FORCE_STOP_PACKAGES"/>
        <permission name="android.permission.GET_APP_OPS_STATS"/>
        <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
        <permission name="android.permission.INSTALL_PACKAGES"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_ACTIVITY_STACKS"/>
        <permission name="android.permission.MANAGE_DEVICE_ADMINS"/>
        <permission name="android.permission.MODIFY_APPWIDGET_BIND_PERMISSIONS"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.MOUNT_FORMAT_FILESYSTEMS"/>
        <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
        <permission name="android.permission.MOVE_PACKAGE"/>
        <permission name="android.permission.READ_FRAME_BUFFER"/>
        <permission name="android.permission.REAL_GET_TASKS"/>
        <permission name="android.permission.REGISTER_CALL_PROVIDER"/>
        <permission name="android.permission.REGISTER_CONNECTION_MANAGER"/>
        <permission name="android.permission.REGISTER_SIM_SUBSCRIPTION"/>
        <permission name="android.permission.RETRIEVE_WINDOW_CONTENT"/>
        <permission name="android.permission.SET_ALWAYS_FINISH"/>
        <permission name="android.permission.SET_ANIMATION_SCALE"/>
        <permission name="android.permission.SET_DEBUG_APP"/>
        <permission name="android.permission.SET_PROCESS_LIMIT"/>
        <permission name="android.permission.SIGNAL_PERSISTENT_PROCESSES"/>
        <permission name="android.permission.STOP_APP_SWITCHES"/>
        <permission name="android.permission.SUBSTITUTE_NOTIFICATION_APP_NAME"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
        <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.statementservice">
        <permission name="android.permission.INTENT_FILTER_VERIFICATION_AGENT"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.storagemanager">
        <permission name="android.permission.DELETE_PACKAGES"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.PACKAGE_USAGE_STATS"/>
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.systemui">
        <permission name="android.permission.BATTERY_STATS"/>
        <permission name="android.permission.BIND_APPWIDGET"/>
        <permission name="android.permission.BLUETOOTH_PRIVILEGED"/>
        <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
        <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
        <permission name="android.permission.CONTROL_VPN"/>
        <permission name="android.permission.DUMP"/>
        <permission name="android.permission.GET_APP_OPS_STATS"/>
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_ACTIVITY_STACKS"/>
        <permission name="android.permission.MANAGE_USB"/>
        <permission name="android.permission.MANAGE_USERS"/>
        <permission name="android.permission.MASTER_CLEAR"/>
        <permission name="android.permission.MEDIA_CONTENT_CONTROL"/>
        <permission name="android.permission.MODIFY_PHONE_STATE"/>
        <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
        <permission name="android.permission.OVERRIDE_WIFI_CONFIG"/>
        <permission name="android.permission.READ_DREAM_STATE"/>
        <permission name="android.permission.READ_FRAME_BUFFER"/>
        <permission name="android.permission.READ_NETWORK_USAGE_HISTORY"/>
        <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
        <permission name="android.permission.REAL_GET_TASKS"/>
        <permission name="android.permission.RECEIVE_MEDIA_RESOURCE_USAGE"/>
        <permission name="android.permission.START_TASKS_FROM_RECENTS"/>
        <permission name="android.permission.STATUS_BAR"/>
        <permission name="android.permission.STOP_APP_SWITCHES"/>
        <permission name="android.permission.SUBSTITUTE_NOTIFICATION_APP_NAME"/>
        <permission name="android.permission.TETHER_PRIVILEGED"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
        <permission name="android.permission.WRITE_DREAM_STATE"/>
        <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.vpndialogs">
        <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
        <permission name="android.permission.CONTROL_VPN"/>
    </privapp-permissions>

</permissions>
 No newline at end of file
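Review bot: The header comment above `<permissions>` does not say that this file is an allowlist, nor when it is enforced. Going by the `grantSignaturePermission` change in this commit, the list is consulted only when `ro.control_privapp_permissions` is true, and only for privileged apps other than the platform package itself. Someone auditing least privilege from this file needs that context, so I would extend the comment with: `Enforced only when ro.control_privapp_permissions is set; a priv-app is then denied any signature|privileged platform permission not listed under its package.`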
+19 −4
@@ -233,6 +233,7 @@ import com.android.internal.content.PackageHelper;
import com.android.internal.logging.MetricsLogger;
import com.android.internal.os.IParcelFileDescriptorFactory;
import com.android.internal.os.InstallerConnection.InstallerException;
import com.android.internal.os.RoSystemProperties;
import com.android.internal.os.SomeArgs;
import com.android.internal.os.Zygote;
import com.android.internal.telephony.CarrierAppUtils;
@@ -10394,14 +10395,28 @@ public class PackageManagerService extends IPackageManager.Stub {
    private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
            BasePermission bp, PermissionsState origPermissions) {
        boolean allowed;
        allowed = (compareSignatures(
        boolean privilegedPermission = (bp.protectionLevel
                & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0;
        boolean controlPrivappPermissions = RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS;
        boolean platformPermission = PLATFORM_PACKAGE_NAME.equals(bp.sourcePackage);
        boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName);
        if (controlPrivappPermissions && privilegedPermission && pkg.isPrivilegedApp()
                && !platformPackage && platformPermission) {
            ArraySet<String> wlPermissions = SystemConfig.getInstance()
                    .getPrivAppPermissions(pkg.packageName);
            boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm);
            if (!whitelisted) {
                Slog.e(TAG, "Not granting privileged permission " + perm + " for package "
                        + pkg.packageName + " - not in privapp-permissions whitelist");
                return false;
            }
        }
        boolean allowed = (compareSignatures(
                bp.packageSetting.signatures.mSignatures, pkg.mSignatures)
                        == PackageManager.SIGNATURE_MATCH)
                || (compareSignatures(mPlatformPackage.mSignatures, pkg.mSignatures)
                        == PackageManager.SIGNATURE_MATCH);
        if (!allowed && (bp.protectionLevel
                & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0) {
        if (!allowed && privilegedPermission) {
            if (isSystemApp(pkg)) {
                // For updated system applications, a system permission
                // is granted only if it had been defined by the original application.