
Commit 44893b71 authored by Evan Severson's avatar Evan Severson Committed by Android (Google) Code Review

Merge changes from topics "b231496105",...

Merge changes from topics "b231496105", "presubmit-am-7c6d0c599e7f4dbf9be275fe29d6dacd", "presubmit-am-ab0d3cb4d9224b16a38358ce19cfc908" into sc-dev

* changes:
  Make CheckOp return allowed if any attr tag for a package is excluded
  Allow system server uid to bypass location restriction
  Disallow privileged apps to bypass location restriction
parents b1cf2a0c 25f1b6a1
+14 −9
@@ -2463,8 +2463,8 @@ public class AppOpsManager {
     * restriction} for a certain app-op.
     */
    private static RestrictionBypass[] sOpAllowSystemRestrictionBypass = new RestrictionBypass[] {
            new RestrictionBypass(true, false), //COARSE_LOCATION
            new RestrictionBypass(true, false), //FINE_LOCATION
            new RestrictionBypass(true, false, false), //COARSE_LOCATION
            new RestrictionBypass(true, false, false), //FINE_LOCATION
            null, //GPS
            null, //VIBRATE
            null, //READ_CONTACTS
@@ -2473,7 +2473,7 @@ public class AppOpsManager {
            null, //WRITE_CALL_LOG
            null, //READ_CALENDAR
            null, //WRITE_CALENDAR
            new RestrictionBypass(true, false), //WIFI_SCAN
            new RestrictionBypass(false, true, false), //WIFI_SCAN
            null, //POST_NOTIFICATION
            null, //NEIGHBORING_CELLS
            null, //CALL_PHONE
@@ -2487,10 +2487,10 @@ public class AppOpsManager {
            null, //READ_ICC_SMS
            null, //WRITE_ICC_SMS
            null, //WRITE_SETTINGS
            new RestrictionBypass(true, false), //SYSTEM_ALERT_WINDOW
            new RestrictionBypass(false, true, false), //SYSTEM_ALERT_WINDOW
            null, //ACCESS_NOTIFICATIONS
            null, //CAMERA
            new RestrictionBypass(false, true), //RECORD_AUDIO
            new RestrictionBypass(false, false, true), //RECORD_AUDIO
            null, //PLAY_AUDIO
            null, //READ_CLIPBOARD
            null, //WRITE_CLIPBOARD
@@ -2508,7 +2508,7 @@ public class AppOpsManager {
            null, //MONITOR_HIGH_POWER_LOCATION
            null, //GET_USAGE_STATS
            null, //MUTE_MICROPHONE
            new RestrictionBypass(true, false), //TOAST_WINDOW
            new RestrictionBypass(false, true, false), //TOAST_WINDOW
            null, //PROJECT_MEDIA
            null, //ACTIVATE_VPN
            null, //WALLPAPER
@@ -2540,7 +2540,7 @@ public class AppOpsManager {
            null, // ACCEPT_HANDOVER
            null, // MANAGE_IPSEC_HANDOVERS
            null, // START_FOREGROUND
            new RestrictionBypass(true, false), // BLUETOOTH_SCAN
            new RestrictionBypass(false, true, false), // BLUETOOTH_SCAN
            null, // USE_BIOMETRIC
            null, // ACTIVITY_RECOGNITION
            null, // SMS_FINANCIAL_TRANSACTIONS
@@ -3105,6 +3105,9 @@ public class AppOpsManager {
     * @hide
     */
    public static class RestrictionBypass {
        /** Does the app need to be system uid to bypass the restriction */
        public boolean isSystemUid;

        /** Does the app need to be privileged to bypass the restriction */
        public boolean isPrivileged;

@@ -3114,12 +3117,14 @@ public class AppOpsManager {
         */
        public boolean isRecordAudioRestrictionExcept;

        public RestrictionBypass(boolean isPrivileged, boolean isRecordAudioRestrictionExcept) {
        public RestrictionBypass(boolean isSystemUid, boolean isPrivileged,
                boolean isRecordAudioRestrictionExcept) {
            this.isSystemUid = isSystemUid;
            this.isPrivileged = isPrivileged;
            this.isRecordAudioRestrictionExcept = isRecordAudioRestrictionExcept;
        }

        public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(true, true);
        public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(false, true, true);
    }

    /**
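Review bot: `UNRESTRICTED` is now built as `new RestrictionBypass(false, true, true)`, so its `isSystemUid` is false, while the COARSE_LOCATION and FINE_LOCATION entries in `sOpAllowSystemRestrictionBypass` now accept only the system-uid flag; a holder of `UNRESTRICTED` therefore appears not to bypass those two restrictions, which the name does not suggest. If that is intended, state it on the constant, for example `/** Satisfies the privileged and record-audio exemptions only; not treated as system uid. */`, and declare it `public static final` so the shared instance cannot be reassigned. The three positional booleans are also easy to transpose in the table (`(true, false, false)` versus `(false, true, false)`), so a short comment naming each argument position, or named factory methods, would make a wrongly granted exemption visible in review.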
+19 −9
@@ -3242,7 +3242,7 @@ public class AppOpsService extends IAppOpsService.Stub {
            return AppOpsManager.MODE_IGNORED;
        }
        synchronized (this) {
            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {
            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, true)) {
                return AppOpsManager.MODE_IGNORED;
            }
            code = AppOpsManager.opToSwitch(code);
@@ -3459,7 +3459,7 @@ public class AppOpsService extends IAppOpsService.Stub {

            final int switchCode = AppOpsManager.opToSwitch(code);
            final UidState uidState = ops.uidState;
            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {
            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, false)) {
                attributedOp.rejected(uidState.state, flags);
                scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,
                        AppOpsManager.MODE_IGNORED);
@@ -3973,7 +3973,8 @@ public class AppOpsService extends IAppOpsService.Stub {
            final Op op = getOpLocked(ops, code, uid, true);
            final AttributedOp attributedOp = op.getOrCreateAttribution(op, attributionTag);
            final UidState uidState = ops.uidState;
            isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass);
            isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass,
                    false);
            final int switchCode = AppOpsManager.opToSwitch(code);
            // If there is a non-default per UID policy (we set UID op mode only if
            // non-default) it takes over, otherwise use the per package policy.
@@ -4502,8 +4503,9 @@ public class AppOpsService extends IAppOpsService.Stub {
     * @return The restriction matching the package
     */
    private RestrictionBypass getBypassforPackage(@NonNull AndroidPackage pkg) {
        return new RestrictionBypass(pkg.isPrivileged(), mContext.checkPermission(
                android.Manifest.permission.EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid())
        return new RestrictionBypass(pkg.getUid() == Process.SYSTEM_UID, pkg.isPrivileged(),
                mContext.checkPermission(android.Manifest.permission
                        .EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid())
                == PackageManager.PERMISSION_GRANTED);
    }

@@ -4763,7 +4765,7 @@ public class AppOpsService extends IAppOpsService.Stub {
    }

    private boolean isOpRestrictedLocked(int uid, int code, String packageName,
            String attributionTag, @Nullable RestrictionBypass appBypass) {
            String attributionTag, @Nullable RestrictionBypass appBypass, boolean isCheckOp) {
        int restrictionSetCount = mOpGlobalRestrictions.size();

        for (int i = 0; i < restrictionSetCount; i++) {
@@ -4780,11 +4782,15 @@ public class AppOpsService extends IAppOpsService.Stub {
            // For each client, check that the given op is not restricted, or that the given
            // package is exempt from the restriction.
            ClientUserRestrictionState restrictionState = mOpUserRestrictions.valueAt(i);
            if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle)) {
            if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle,
                    isCheckOp)) {
                RestrictionBypass opBypass = opAllowSystemBypassRestriction(code);
                if (opBypass != null) {
                    // If we are the system, bypass user restrictions for certain codes
                    synchronized (this) {
                        if (opBypass.isSystemUid && appBypass != null && appBypass.isSystemUid) {
                            return false;
                        }
                        if (opBypass.isPrivileged && appBypass != null && appBypass.isPrivileged) {
                            return false;
                        }
@@ -7137,7 +7143,7 @@ public class AppOpsService extends IAppOpsService.Stub {
        }

        public boolean hasRestriction(int restriction, String packageName, String attributionTag,
                int userId) {
                int userId, boolean isCheckOp) {
            if (perUserRestrictions == null) {
                return false;
            }
@@ -7156,6 +7162,9 @@ public class AppOpsService extends IAppOpsService.Stub {
                return true;
            }

            if (isCheckOp) {
                return !perUserExclusions.includes(packageName);
            }
            return !perUserExclusions.contains(packageName, attributionTag);
        }

@@ -7322,7 +7331,8 @@ public class AppOpsService extends IAppOpsService.Stub {
                int numRestrictions = mOpUserRestrictions.size();
                for (int i = 0; i < numRestrictions; i++) {
                    if (mOpUserRestrictions.valueAt(i)
                            .hasRestriction(code, pkg, attributionTag, user.getIdentifier())) {
                            .hasRestriction(code, pkg, attributionTag, user.getIdentifier(),
                                    false)) {
                        number++;
                    }
                }
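Review bot: The new `isCheckOp` branch in `hasRestriction` returns `!perUserExclusions.includes(packageName)`, which per the commit description means the check path reports the package as unrestricted when any of its attribution tags is excluded, while the other call sites shown pass `false` and still match the exact tag; neither `hasRestriction` nor `isOpRestrictedLocked` documents that difference. A caller that gates access on the check result alone could see an allowed mode for a tag that the note path then rejects, so the parameter deserves Javadoc such as `@param isCheckOp true for check-style queries, which are advisory and pass if any attribution tag of the package is excluded; enforcement relies on the exact-tag path`. The bare `true`/`false` literals at the call sites would read better with an inline `/* isCheckOp */` comment. Both method bodies continue outside the hunks shown, so how `perUserExclusions` is guarded before this branch cannot be confirmed from here.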