
Commit 4aacd8b6 authored by Jeff Sharkey's avatar Jeff Sharkey

Start defining strongly-typed storage permissions.

We now have separate permissions that correspond to the various
MediaStore tables:

-- READ/WRITE_MEDIA_AUDIO
-- READ/WRITE_MEDIA_VIDEO
-- READ/WRITE_MEDIA_IMAGES

From a product point-of-view, Images and Videos will be treated as
a single permission group of "Visual" media in Q.  We're also defining
two other special permissions:

-- ACCESS_MEDIA_LOCATION: indicating that the app can see any
geographic location related metadata associated with media, such
as being stored in the EXIF data.  We're willing to grant this under
the umbrella of the larger "Visual" runtime permission group, but we
still want apps to request it for full disclosure of their intent.

-- WRITE_OBB: can be held by app stores that need to deliver OBB
files into app-specific sandboxes to keep legacy apps working.

Test: manual
Bug: 111801780, 110228267, 111789719, 111892833
Change-Id: If28247efdd7ac185ad3c6cbceda2e6346c26d032
parent 4d472d55
+12 −3
@@ -11,6 +11,7 @@ package android {
    field public static final java.lang.String ACCESS_COARSE_LOCATION = "android.permission.ACCESS_COARSE_LOCATION";
    field public static final java.lang.String ACCESS_COARSE_LOCATION = "android.permission.ACCESS_COARSE_LOCATION";
    field public static final java.lang.String ACCESS_FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION";
    field public static final java.lang.String ACCESS_FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION";
    field public static final java.lang.String ACCESS_LOCATION_EXTRA_COMMANDS = "android.permission.ACCESS_LOCATION_EXTRA_COMMANDS";
    field public static final java.lang.String ACCESS_LOCATION_EXTRA_COMMANDS = "android.permission.ACCESS_LOCATION_EXTRA_COMMANDS";
    field public static final java.lang.String ACCESS_MEDIA_LOCATION = "android.permission.ACCESS_MEDIA_LOCATION";
    field public static final java.lang.String ACCESS_NETWORK_STATE = "android.permission.ACCESS_NETWORK_STATE";
    field public static final java.lang.String ACCESS_NETWORK_STATE = "android.permission.ACCESS_NETWORK_STATE";
    field public static final java.lang.String ACCESS_NOTIFICATION_POLICY = "android.permission.ACCESS_NOTIFICATION_POLICY";
    field public static final java.lang.String ACCESS_NOTIFICATION_POLICY = "android.permission.ACCESS_NOTIFICATION_POLICY";
    field public static final java.lang.String ACCESS_WIFI_STATE = "android.permission.ACCESS_WIFI_STATE";
    field public static final java.lang.String ACCESS_WIFI_STATE = "android.permission.ACCESS_WIFI_STATE";
@@ -101,10 +102,13 @@ package android {
    field public static final java.lang.String READ_CALENDAR = "android.permission.READ_CALENDAR";
    field public static final java.lang.String READ_CALENDAR = "android.permission.READ_CALENDAR";
    field public static final java.lang.String READ_CALL_LOG = "android.permission.READ_CALL_LOG";
    field public static final java.lang.String READ_CALL_LOG = "android.permission.READ_CALL_LOG";
    field public static final java.lang.String READ_CONTACTS = "android.permission.READ_CONTACTS";
    field public static final java.lang.String READ_CONTACTS = "android.permission.READ_CONTACTS";
    field public static final java.lang.String READ_EXTERNAL_STORAGE = "android.permission.READ_EXTERNAL_STORAGE";
    field public static final deprecated java.lang.String READ_EXTERNAL_STORAGE = "android.permission.READ_EXTERNAL_STORAGE";
    field public static final java.lang.String READ_FRAME_BUFFER = "android.permission.READ_FRAME_BUFFER";
    field public static final java.lang.String READ_FRAME_BUFFER = "android.permission.READ_FRAME_BUFFER";
    field public static final deprecated java.lang.String READ_INPUT_STATE = "android.permission.READ_INPUT_STATE";
    field public static final deprecated java.lang.String READ_INPUT_STATE = "android.permission.READ_INPUT_STATE";
    field public static final java.lang.String READ_LOGS = "android.permission.READ_LOGS";
    field public static final java.lang.String READ_LOGS = "android.permission.READ_LOGS";
    field public static final java.lang.String READ_MEDIA_AUDIO = "android.permission.READ_MEDIA_AUDIO";
    field public static final java.lang.String READ_MEDIA_IMAGES = "android.permission.READ_MEDIA_IMAGES";
    field public static final java.lang.String READ_MEDIA_VIDEO = "android.permission.READ_MEDIA_VIDEO";
    field public static final java.lang.String READ_PHONE_NUMBERS = "android.permission.READ_PHONE_NUMBERS";
    field public static final java.lang.String READ_PHONE_NUMBERS = "android.permission.READ_PHONE_NUMBERS";
    field public static final java.lang.String READ_PHONE_STATE = "android.permission.READ_PHONE_STATE";
    field public static final java.lang.String READ_PHONE_STATE = "android.permission.READ_PHONE_STATE";
    field public static final java.lang.String READ_SMS = "android.permission.READ_SMS";
    field public static final java.lang.String READ_SMS = "android.permission.READ_SMS";
@@ -151,8 +155,11 @@ package android {
    field public static final java.lang.String WRITE_CALENDAR = "android.permission.WRITE_CALENDAR";
    field public static final java.lang.String WRITE_CALENDAR = "android.permission.WRITE_CALENDAR";
    field public static final java.lang.String WRITE_CALL_LOG = "android.permission.WRITE_CALL_LOG";
    field public static final java.lang.String WRITE_CALL_LOG = "android.permission.WRITE_CALL_LOG";
    field public static final java.lang.String WRITE_CONTACTS = "android.permission.WRITE_CONTACTS";
    field public static final java.lang.String WRITE_CONTACTS = "android.permission.WRITE_CONTACTS";
    field public static final java.lang.String WRITE_EXTERNAL_STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE";
    field public static final deprecated java.lang.String WRITE_EXTERNAL_STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE";
    field public static final java.lang.String WRITE_GSERVICES = "android.permission.WRITE_GSERVICES";
    field public static final java.lang.String WRITE_GSERVICES = "android.permission.WRITE_GSERVICES";
    field public static final java.lang.String WRITE_MEDIA_AUDIO = "android.permission.WRITE_MEDIA_AUDIO";
    field public static final java.lang.String WRITE_MEDIA_IMAGES = "android.permission.WRITE_MEDIA_IMAGES";
    field public static final java.lang.String WRITE_MEDIA_VIDEO = "android.permission.WRITE_MEDIA_VIDEO";
    field public static final java.lang.String WRITE_SECURE_SETTINGS = "android.permission.WRITE_SECURE_SETTINGS";
    field public static final java.lang.String WRITE_SECURE_SETTINGS = "android.permission.WRITE_SECURE_SETTINGS";
    field public static final java.lang.String WRITE_SETTINGS = "android.permission.WRITE_SETTINGS";
    field public static final java.lang.String WRITE_SETTINGS = "android.permission.WRITE_SETTINGS";
    field public static final java.lang.String WRITE_SYNC_SETTINGS = "android.permission.WRITE_SYNC_SETTINGS";
    field public static final java.lang.String WRITE_SYNC_SETTINGS = "android.permission.WRITE_SYNC_SETTINGS";
@@ -166,11 +173,13 @@ package android {
    field public static final java.lang.String CAMERA = "android.permission-group.CAMERA";
    field public static final java.lang.String CAMERA = "android.permission-group.CAMERA";
    field public static final java.lang.String CONTACTS = "android.permission-group.CONTACTS";
    field public static final java.lang.String CONTACTS = "android.permission-group.CONTACTS";
    field public static final java.lang.String LOCATION = "android.permission-group.LOCATION";
    field public static final java.lang.String LOCATION = "android.permission-group.LOCATION";
    field public static final java.lang.String MEDIA_AURAL = "android.permission-group.MEDIA_AURAL";
    field public static final java.lang.String MEDIA_VISUAL = "android.permission-group.MEDIA_VISUAL";
    field public static final java.lang.String MICROPHONE = "android.permission-group.MICROPHONE";
    field public static final java.lang.String MICROPHONE = "android.permission-group.MICROPHONE";
    field public static final java.lang.String PHONE = "android.permission-group.PHONE";
    field public static final java.lang.String PHONE = "android.permission-group.PHONE";
    field public static final java.lang.String SENSORS = "android.permission-group.SENSORS";
    field public static final java.lang.String SENSORS = "android.permission-group.SENSORS";
    field public static final java.lang.String SMS = "android.permission-group.SMS";
    field public static final java.lang.String SMS = "android.permission-group.SMS";
    field public static final java.lang.String STORAGE = "android.permission-group.STORAGE";
    field public static final deprecated java.lang.String STORAGE = "android.permission-group.STORAGE";
  }
  }
  public final class R {
  public final class R {
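--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -201,6 +201,7 @@ package android {
     field public static final java.lang.String WRITE_EMBEDDED_SUBSCRIPTIONS = "android.permission.WRITE_EMBEDDED_SUBSCRIPTIONS";
     field public static final java.lang.String WRITE_GSERVICES = "android.permission.WRITE_GSERVICES";
     field public static final java.lang.String WRITE_MEDIA_STORAGE = "android.permission.WRITE_MEDIA_STORAGE";
+    field public static final java.lang.String WRITE_OBB = "android.permission.WRITE_OBB";
     field public static final java.lang.String WRITE_SECURE_SETTINGS = "android.permission.WRITE_SECURE_SETTINGS";
   }
 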
+43 −0
@@ -2507,6 +2507,49 @@ public class PackageParser {
        if (pkg.applicationInfo.usesCompatibilityMode()) {
        if (pkg.applicationInfo.usesCompatibilityMode()) {
            adjustPackageToBeUnresizeableAndUnpipable(pkg);
            adjustPackageToBeUnresizeableAndUnpipable(pkg);
        }
        }

        // If the storage model feature flag is disabled, we need to fiddle
        // around with permission definitions to return us to pre-Q behavior.
        // STOPSHIP(b/112545973): remove once feature enabled by default
        if (!SystemProperties.getBoolean(StorageManager.PROP_ISOLATED_STORAGE, false)) {
            if ("android".equals(pkg.packageName)) {
                final ArraySet<String> newGroups = new ArraySet<>();
                newGroups.add(android.Manifest.permission_group.MEDIA_AURAL);
                newGroups.add(android.Manifest.permission_group.MEDIA_VISUAL);

                for (int i = pkg.permissionGroups.size() - 1; i >= 0; i--) {
                    final PermissionGroup pg = pkg.permissionGroups.get(i);
                    if (newGroups.contains(pg.info.name)) {
                        pkg.permissionGroups.remove(i);
                    }
                }

                final ArraySet<String> newPermissions = new ArraySet<>();
                newPermissions.add(android.Manifest.permission.READ_MEDIA_AUDIO);
                newPermissions.add(android.Manifest.permission.WRITE_MEDIA_AUDIO);
                newPermissions.add(android.Manifest.permission.READ_MEDIA_VIDEO);
                newPermissions.add(android.Manifest.permission.WRITE_MEDIA_VIDEO);
                newPermissions.add(android.Manifest.permission.READ_MEDIA_IMAGES);
                newPermissions.add(android.Manifest.permission.WRITE_MEDIA_IMAGES);
                newPermissions.add(android.Manifest.permission.ACCESS_MEDIA_LOCATION);
                newPermissions.add(android.Manifest.permission.WRITE_OBB);

                final ArraySet<String> dangerousPermissions = new ArraySet<>();
                dangerousPermissions.add(android.Manifest.permission.READ_EXTERNAL_STORAGE);
                dangerousPermissions.add(android.Manifest.permission.WRITE_EXTERNAL_STORAGE);

                for (int i = pkg.permissions.size() - 1; i >= 0; i--) {
                    final Permission p = pkg.permissions.get(i);
                    if (newPermissions.contains(p.info.name)) {
                        pkg.permissions.remove(i);
                    } else if (dangerousPermissions.contains(p.info.name)) {
                        p.info.protectionLevel &= ~PermissionInfo.PROTECTION_MASK_BASE;
                        p.info.protectionLevel |= PermissionInfo.PROTECTION_DANGEROUS;
                    }
                }
            }
        }

        return pkg;
        return pkg;
    }
    }
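Review bot: The pre-Q fallback reads `StorageManager.PROP_ISOLATED_STORAGE` at parse time and then rewrites the platform package's permission list and the protection level of READ/WRITE_EXTERNAL_STORAGE in place; if the parsed `android` package is ever served from the parser cache, a later flip of the property would leave the cached definitions out of step with the flag, so either fold the property value into the cache key or state next to the STOPSHIP comment that a flag change requires the cache to be dropped. The property is also queried for every package parsed although only `android` is touched; swapping the two conditions, `if ("android".equals(pkg.packageName) && !SystemProperties.getBoolean(StorageManager.PROP_ISOLATED_STORAGE, false)) {`, avoids that and removes one nesting level. The enclosing method begins outside the hunk.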


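--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -124,6 +124,8 @@ public class StorageManager {
     public static final String PROP_SDCARDFS = "persist.sys.sdcardfs";
     /** {@hide} */
     public static final String PROP_VIRTUAL_DISK = "persist.sys.virtual_disk";
+    /** {@hide} */
+    public static final String PROP_ISOLATED_STORAGE = "persist.sys.isolated_storage";
 
     /** {@hide} */
     public static final String UUID_PRIVATE_INTERNAL = null;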
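Review bot: `PROP_ISOLATED_STORAGE` is the switch that decides whether the platform ships the new media permissions or the pre-Q storage model, yet its only documentation is `{@hide}`; a one-line Javadoc such as `/** Feature flag for isolated storage; when false, PackageParser strips the Q media permissions and restores READ/WRITE_EXTERNAL_STORAGE to dangerous. {@hide} */` would tell readers what flipping it changes. Without it, nothing in this file points at the fallback logic that keys on the property.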
+78 −4
@@ -764,7 +764,8 @@
    <!-- ====================================================================== -->
    <!-- ====================================================================== -->
    <eat-comment />
    <eat-comment />


    <!-- Used for runtime permissions related to the shared external storage. -->
    <!-- Used for runtime permissions related to the shared external storage.
         @deprecated replaced by new strongly-typed permission groups in Q. -->
    <permission-group android:name="android.permission-group.STORAGE"
    <permission-group android:name="android.permission-group.STORAGE"
        android:icon="@drawable/perm_group_storage"
        android:icon="@drawable/perm_group_storage"
        android:label="@string/permgrouplab_storage"
        android:label="@string/permgrouplab_storage"
@@ -792,13 +793,13 @@
     grants your app this permission. If you don't need this permission, be sure your <a
     grants your app this permission. If you don't need this permission, be sure your <a
     href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code
     href="{@docRoot}guide/topics/manifest/uses-sdk-element.html#target">{@code
     targetSdkVersion}</a> is 4 or higher.
     targetSdkVersion}</a> is 4 or higher.
     <p>Protection level: dangerous
     @deprecated replaced by new strongly-typed permission groups in Q.
     -->
     -->
    <permission android:name="android.permission.READ_EXTERNAL_STORAGE"
    <permission android:name="android.permission.READ_EXTERNAL_STORAGE"
        android:permissionGroup="android.permission-group.STORAGE"
        android:permissionGroup="android.permission-group.STORAGE"
        android:label="@string/permlab_sdcardRead"
        android:label="@string/permlab_sdcardRead"
        android:description="@string/permdesc_sdcardRead"
        android:description="@string/permdesc_sdcardRead"
        android:protectionLevel="dangerous" />
        android:protectionLevel="normal" />


    <!-- Allows an application to write to external storage.
    <!-- Allows an application to write to external storage.
         <p class="note"><strong>Note:</strong> If <em>both</em> your <a
         <p class="note"><strong>Note:</strong> If <em>both</em> your <a
@@ -813,14 +814,87 @@
         read/write files in your application-specific directories returned by
         read/write files in your application-specific directories returned by
         {@link android.content.Context#getExternalFilesDir} and
         {@link android.content.Context#getExternalFilesDir} and
         {@link android.content.Context#getExternalCacheDir}.
         {@link android.content.Context#getExternalCacheDir}.
         <p>Protection level: dangerous
         @deprecated replaced by new strongly-typed permission groups in Q.
    -->
    -->
    <permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
    <permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
        android:permissionGroup="android.permission-group.STORAGE"
        android:permissionGroup="android.permission-group.STORAGE"
        android:label="@string/permlab_sdcardWrite"
        android:label="@string/permlab_sdcardWrite"
        android:description="@string/permdesc_sdcardWrite"
        android:description="@string/permdesc_sdcardWrite"
        android:protectionLevel="normal" />

    <!-- Runtime permission controlling access to the user's shared aural media
         collection. -->
    <permission-group android:name="android.permission-group.MEDIA_AURAL"
        android:icon="@drawable/perm_group_aural"
        android:label="@string/permgrouplab_aural"
        android:description="@string/permgroupdesc_aural"
        android:request="@string/permgrouprequest_aural"
        android:priority="910" />

    <!-- Allows an application to read the user's shared audio collection. -->
    <permission android:name="android.permission.READ_MEDIA_AUDIO"
        android:permissionGroup="android.permission-group.MEDIA_AURAL"
        android:label="@string/permlab_audioRead"
        android:description="@string/permdesc_audioRead"
        android:protectionLevel="dangerous" />

    <!-- Allows an application to modify the user's shared audio collection. -->
    <permission android:name="android.permission.WRITE_MEDIA_AUDIO"
        android:permissionGroup="android.permission-group.MEDIA_AURAL"
        android:label="@string/permlab_audioWrite"
        android:description="@string/permdesc_audioWrite"
        android:protectionLevel="dangerous" />

    <!-- Runtime permission controlling access to the user's shared visual media
         collection, including images and videos. -->
    <permission-group android:name="android.permission-group.MEDIA_VISUAL"
        android:icon="@drawable/perm_group_visual"
        android:label="@string/permgrouplab_visual"
        android:description="@string/permgroupdesc_visual"
        android:request="@string/permgrouprequest_visual"
        android:priority="920" />

    <!-- Allows an application to read the user's shared images collection. -->
    <permission android:name="android.permission.READ_MEDIA_IMAGES"
        android:permissionGroup="android.permission-group.MEDIA_VISUAL"
        android:label="@string/permlab_imagesRead"
        android:description="@string/permdesc_imagesRead"
        android:protectionLevel="dangerous" />
        android:protectionLevel="dangerous" />


    <!-- Allows an application to modify the user's shared images collection. -->
    <permission android:name="android.permission.WRITE_MEDIA_IMAGES"
        android:permissionGroup="android.permission-group.MEDIA_VISUAL"
        android:label="@string/permlab_imagesWrite"
        android:description="@string/permdesc_imagesWrite"
        android:protectionLevel="dangerous" />

    <!-- Allows an application to read the user's shared video collection. -->
    <permission android:name="android.permission.READ_MEDIA_VIDEO"
        android:permissionGroup="android.permission-group.MEDIA_VISUAL"
        android:label="@string/permlab_videoRead"
        android:description="@string/permdesc_videoRead"
        android:protectionLevel="dangerous" />

    <!-- Allows an application to modify the user's shared video collection. -->
    <permission android:name="android.permission.WRITE_MEDIA_VIDEO"
        android:permissionGroup="android.permission-group.MEDIA_VISUAL"
        android:label="@string/permlab_videoWrite"
        android:description="@string/permdesc_videoWrite"
        android:protectionLevel="dangerous" />

    <!-- Allows an application to access any geographic locations persisted in the
         user's shared collection. -->
    <permission android:name="android.permission.ACCESS_MEDIA_LOCATION"
        android:permissionGroup="android.permission-group.MEDIA_VISUAL"
        android:label="@string/permlab_mediaLocation"
        android:description="@string/permdesc_mediaLocation"
        android:protectionLevel="dangerous" />

    <!-- @hide @SystemApi
         Allows an application to modify OBB files visible to other apps. -->
    <permission android:name="android.permission.WRITE_OBB"
        android:protectionLevel="signature|privileged" />

    <!-- ====================================================================== -->
    <!-- ====================================================================== -->
    <!-- Permissions for accessing the device location                          -->
    <!-- Permissions for accessing the device location                          -->
    <!-- ====================================================================== -->
    <!-- ====================================================================== -->
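Review bot: The removed `<p>Protection level: dangerous` line in the WRITE_EXTERNAL_STORAGE doc comment (and in the READ_EXTERNAL_STORAGE comment in the previous hunk) was not replaced, so the generated reference no longer states the protection level at all even though both declarations changed to `android:protectionLevel="normal"`; add `<p>Protection level: normal` before the `@deprecated` tag in both comments. The downgrade to normal means either permission is granted at install time without a prompt, which is only safe while isolated storage confines what the holder can reach; a sentence in each comment stating that reliance, and pointing at the PackageParser fallback that restores `dangerous` when `persist.sys.isolated_storage` is off, would keep a future reader from treating the normal level as harmless on its own.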