Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3ee1def6 authored by Hai Zhang's avatar Hai Zhang
Browse files

Fix privileged permission handling for ODM apps. 

SystemConfig mentioned ODM is just another vendor partition and reads
ODM privileged permission allowlist XML files into the vendor allowlist,
so we should handle vendor apps and ODM apps in the same way.

This is the same thing as aosp/2873695 for the new subsystem.

Bug: 230028571
Test: presubmit
Change-Id: I33f21e6d08d76045d62786edb9266e3fe942a2c5
parent 6e728461

services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt

+7 −4
Original line number Diff line number Diff line
@@ -1262,7 +1262,7 @@ class AppIdPermissionPolicy : SchemePolicy() { 
        val apexModuleName = packageState.apexModuleName

        val packageName = packageState.packageName

        return when {

            packageState.isVendor ->

            packageState.isVendor || packageState.isOdm ->

                permissionAllowlist.getVendorPrivilegedAppAllowlistState(

                    packageName,

                    permissionName
@@ -1471,12 +1471,15 @@ class AppIdPermissionPolicy : SchemePolicy() { 
                    // In any case, don't grant a privileged permission to privileged vendor apps,

                    // if the permission's protectionLevel does not have the extra vendorPrivileged

                    // flag.

                    if (packageState.isVendor && !permission.isVendorPrivileged) {

                    if (

                        (packageState.isVendor || packageState.isOdm) &&

                            !permission.isVendorPrivileged

                    ) {

                        Slog.w(

                            LOG_TAG,

                            "Permission $permissionName cannot be granted to privileged" +

                                " vendor app $packageName because it isn't a vendorPrivileged" +

                                " permission"

                                " vendor (or odm) app $packageName because it isn't a" +

                                " vendorPrivileged permission"

                        )

                        return false

                    }