
Commit 4f69320b authored by Manjeet Rulhania's avatar Manjeet Rulhania Committed by Android (Google) Code Review

Merge "Device aware permission schema/policy changes" into main

parents 5ee4ef89 5adb2ae8
+29 −25
@@ -72,6 +72,7 @@ import android.util.SparseArray;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.util.ArrayUtils;
import com.android.internal.util.Preconditions;
import com.android.internal.util.function.QuadFunction;
import com.android.internal.util.function.TriFunction;
import com.android.server.LocalServices;
import com.android.server.pm.UserManagerInternal;
@@ -93,7 +94,6 @@ import java.util.WeakHashMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.BiFunction;

/**
 * Manages all permissions and handles permissions related tasks.
@@ -233,11 +233,11 @@ public class PermissionManagerService extends IPermissionManager.Stub {
        }

        if (checkPermissionDelegate == null) {
            return mPermissionManagerServiceImpl.checkPermission(
                    packageName, permissionName, userId);
            return mPermissionManagerServiceImpl.checkPermission(packageName, permissionName,
                    deviceId, userId);
        }
        return checkPermissionDelegate.checkPermission(packageName, permissionName, userId,
                mPermissionManagerServiceImpl::checkPermission);
        return checkPermissionDelegate.checkPermission(packageName, permissionName,
                deviceId, userId, mPermissionManagerServiceImpl::checkPermission);
    }

    @Override
@@ -254,10 +254,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
        }

        if (checkPermissionDelegate == null)  {
            return mPermissionManagerServiceImpl.checkUidPermission(uid, permissionName);
            return mPermissionManagerServiceImpl.checkUidPermission(uid, permissionName, deviceId);
        }
        return checkPermissionDelegate.checkUidPermission(uid, permissionName,
                mPermissionManagerServiceImpl::checkUidPermission);
                deviceId, mPermissionManagerServiceImpl::checkUidPermission);
    }

    @Override
@@ -511,14 +511,14 @@ public class PermissionManagerService extends IPermissionManager.Stub {
    public int getPermissionFlags(String packageName, String permissionName, int deviceId,
            int userId) {
        return mPermissionManagerServiceImpl
                .getPermissionFlags(packageName, permissionName, userId);
                .getPermissionFlags(packageName, permissionName, deviceId, userId);
    }

    @Override
    public void updatePermissionFlags(String packageName, String permissionName, int flagMask,
            int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, int userId) {
        mPermissionManagerServiceImpl.updatePermissionFlags(packageName, permissionName, flagMask,
                flagValues, checkAdjustPolicyFlagPermission, userId);
                flagValues, checkAdjustPolicyFlagPermission, deviceId, userId);
    }

    @Override
@@ -560,14 +560,15 @@ public class PermissionManagerService extends IPermissionManager.Stub {
    @Override
    public void grantRuntimePermission(String packageName, String permissionName, int deviceId,
            int userId) {
        mPermissionManagerServiceImpl.grantRuntimePermission(packageName, permissionName, userId);
        mPermissionManagerServiceImpl.grantRuntimePermission(packageName, permissionName,
                deviceId, userId);
    }

    @Override
    public void revokeRuntimePermission(String packageName, String permissionName, int deviceId,
            int userId, String reason) {
        mPermissionManagerServiceImpl.revokeRuntimePermission(packageName, permissionName,
                userId, reason);
                deviceId, userId, reason);
    }

    @Override
@@ -580,14 +581,14 @@ public class PermissionManagerService extends IPermissionManager.Stub {
    public boolean shouldShowRequestPermissionRationale(String packageName, String permissionName,
            int deviceId, int userId) {
        return mPermissionManagerServiceImpl.shouldShowRequestPermissionRationale(packageName,
                permissionName, userId);
                permissionName, deviceId, userId);
    }

    @Override
    public boolean isPermissionRevokedByPolicy(String packageName, String permissionName,
            int deviceId, int userId) {
        return mPermissionManagerServiceImpl
                .isPermissionRevokedByPolicy(packageName, permissionName, userId);
        return mPermissionManagerServiceImpl.isPermissionRevokedByPolicy(packageName,
                permissionName, deviceId, userId);
    }

    @Override
@@ -868,6 +869,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
         *
         * @param packageName the name of the package to be checked
         * @param permissionName the name of the permission to be checked
         * @param deviceId The device ID
         * @param userId the user ID
         * @param superImpl the original implementation that can be delegated to
         * @return {@link android.content.pm.PackageManager#PERMISSION_GRANTED} if the package has
@@ -876,20 +878,21 @@ public class PermissionManagerService extends IPermissionManager.Stub {
         * @see android.content.pm.PackageManager#checkPermission(String, String)
         */
        int checkPermission(@NonNull String packageName, @NonNull String permissionName,
                @UserIdInt int userId,
                @NonNull TriFunction<String, String, Integer, Integer> superImpl);
                int deviceId, @UserIdInt int userId,
                @NonNull QuadFunction<String, String, Integer, Integer, Integer> superImpl);

        /**
         * Check whether the given UID has been granted the specified permission.
         *
         * @param uid the UID to be checked
         * @param permissionName the name of the permission to be checked
         * @param deviceId The device ID
         * @param superImpl the original implementation that can be delegated to
         * @return {@link android.content.pm.PackageManager#PERMISSION_GRANTED} if the package has
         * the permission, or {@link android.content.pm.PackageManager#PERMISSION_DENIED} otherwise
         */
        int checkUidPermission(int uid, @NonNull String permissionName,
                BiFunction<Integer, String, Integer> superImpl);
        int checkUidPermission(int uid, @NonNull String permissionName, int deviceId,
                TriFunction<Integer, String, Integer, Integer> superImpl);

        /**
         * @return list of delegated permissions
@@ -918,31 +921,32 @@ public class PermissionManagerService extends IPermissionManager.Stub {

        @Override
        public int checkPermission(@NonNull String packageName, @NonNull String permissionName,
                int userId, @NonNull TriFunction<String, String, Integer, Integer> superImpl) {
                int deviceId, int userId,
                @NonNull QuadFunction<String, String, Integer, Integer, Integer> superImpl) {
            if (mDelegatedPackageName.equals(packageName)
                    && isDelegatedPermission(permissionName)) {
                final long identity = Binder.clearCallingIdentity();
                try {
                    return superImpl.apply("com.android.shell", permissionName, userId);
                    return superImpl.apply("com.android.shell", permissionName, deviceId, userId);
                } finally {
                    Binder.restoreCallingIdentity(identity);
                }
            }
            return superImpl.apply(packageName, permissionName, userId);
            return superImpl.apply(packageName, permissionName, deviceId, userId);
        }

        @Override
        public int checkUidPermission(int uid, @NonNull String permissionName,
                @NonNull BiFunction<Integer, String, Integer> superImpl) {
        public int checkUidPermission(int uid, @NonNull String permissionName, int deviceId,
                @NonNull TriFunction<Integer, String, Integer, Integer> superImpl) {
            if (uid == mDelegatedUid && isDelegatedPermission(permissionName)) {
                final long identity = Binder.clearCallingIdentity();
                try {
                    return superImpl.apply(Process.SHELL_UID, permissionName);
                    return superImpl.apply(Process.SHELL_UID, permissionName, deviceId);
                } finally {
                    Binder.restoreCallingIdentity(identity);
                }
            }
            return superImpl.apply(uid, permissionName);
            return superImpl.apply(uid, permissionName, deviceId);
        }

        @Override
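Review bot: In `CheckPermissionDelegate.checkPermission` the new `int deviceId` sits directly before `@UserIdInt int userId`, and the `QuadFunction<String, String, Integer, Integer, Integer>` callback types both as `Integer`, so a delegate that swaps the two in `superImpl.apply(...)` compiles cleanly and checks the permission for the wrong user or device. The Javadoc should pin the callback's argument order, for example `@param superImpl the original implementation, invoked as (packageName, permissionName, deviceId, userId)`, and `@param deviceId` should say which value denotes the default device (`Context.DEVICE_ID_DEFAULT` is what the implementation file uses). The same applies to `checkUidPermission` and its `TriFunction<Integer, String, Integer, Integer>`, where `uid` and `deviceId` are both `Integer`. The binder-facing methods in this file forward the caller-supplied `deviceId` unchanged; no validation is visible in these hunks, so it presumably has to happen in the implementation.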
+25 −15
@@ -681,7 +681,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
    }

    @Override
    public int getPermissionFlags(String packageName, String permName, int userId) {
    public int getPermissionFlags(String packageName, String permName, int deviceId, int userId) {
        final int callingUid = Binder.getCallingUid();
        return getPermissionFlagsInternal(packageName, permName, callingUid, userId);
    }
@@ -724,7 +724,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt

    @Override
    public void updatePermissionFlags(String packageName, String permName, int flagMask,
            int flagValues, boolean checkAdjustPolicyFlagPermission, int userId) {
            int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, int userId) {
        final int callingUid = Binder.getCallingUid();
        boolean overridePolicy = false;

@@ -908,8 +908,12 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
        }
    }

    private int checkPermission(String pkgName, String permName, int userId) {
        return checkPermission(pkgName, permName, Context.DEVICE_ID_DEFAULT, userId);
    }

    @Override
    public int checkPermission(String pkgName, String permName, int userId) {
    public int checkPermission(String pkgName, String permName, int deviceId, int userId) {
        if (!mUserManagerInt.exists(userId)) {
            return PackageManager.PERMISSION_DENIED;
        }
@@ -975,8 +979,12 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
        return true;
    }

    private int checkUidPermission(int uid, String permName) {
        return checkUidPermission(uid, permName, Context.DEVICE_ID_DEFAULT);
    }

    @Override
    public int checkUidPermission(int uid, String permName) {
    public int checkUidPermission(int uid, String permName, int deviceId) {
        final int userId = UserHandle.getUserId(uid);
        if (!mUserManagerInt.exists(userId)) {
            return PackageManager.PERMISSION_DENIED;
@@ -1295,7 +1303,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
    }

    @Override
    public void grantRuntimePermission(String packageName, String permName, final int userId) {
    public void grantRuntimePermission(String packageName, String permName, int deviceId,
            int userId) {
        final int callingUid = Binder.getCallingUid();
        final boolean overridePolicy =
                checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY)
@@ -1468,11 +1477,11 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
    }

    @Override
    public void revokeRuntimePermission(String packageName, String permName, int userId,
            String reason) {
    public void revokeRuntimePermission(String packageName, String permName, int deviceId,
            int userId, String reason) {
        final int callingUid = Binder.getCallingUid();
        final boolean overridePolicy =
                checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY)
                checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY, deviceId)
                        == PackageManager.PERMISSION_GRANTED;

        revokeRuntimePermissionInternal(packageName, permName, overridePolicy, callingUid, userId,
@@ -1859,7 +1868,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt

    @Override
    public boolean shouldShowRequestPermissionRationale(String packageName, String permName,
            @UserIdInt int userId) {
            int deviceId, @UserIdInt int userId) {
        final int callingUid = Binder.getCallingUid();
        if (UserHandle.getCallingUserId() != userId) {
            mContext.enforceCallingPermission(
@@ -1922,7 +1931,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
    }

    @Override
    public boolean isPermissionRevokedByPolicy(String packageName, String permName, int userId) {
    public boolean isPermissionRevokedByPolicy(String packageName, String permName, int deviceId,
            int userId) {
        if (UserHandle.getCallingUserId() != userId) {
            mContext.enforceCallingPermission(
                    android.Manifest.permission.INTERACT_ACROSS_USERS_FULL,
@@ -2059,8 +2069,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
                    continue;
                }
                boolean isSystemOrPolicyFixed = (getPermissionFlags(newPackage.getPackageName(),
                        permInfo.name, userId) & (FLAG_PERMISSION_SYSTEM_FIXED
                        | FLAG_PERMISSION_POLICY_FIXED)) != 0;
                        permInfo.name, Context.DEVICE_ID_DEFAULT, userId) & (
                        FLAG_PERMISSION_SYSTEM_FIXED | FLAG_PERMISSION_POLICY_FIXED)) != 0;
                if (isSystemOrPolicyFixed) {
                    continue;
                }
@@ -2226,7 +2236,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
                for (final int userId : userIds) {
                    final int permissionState = checkPermission(packageName, permName,
                            userId);
                    final int flags = getPermissionFlags(packageName, permName, userId);
                    final int flags = getPermissionFlags(packageName, permName,
                            Context.DEVICE_ID_DEFAULT, userId);
                    final int flagMask = FLAG_PERMISSION_SYSTEM_FIXED
                            | FLAG_PERMISSION_POLICY_FIXED
                            | FLAG_PERMISSION_GRANTED_BY_DEFAULT
@@ -5122,8 +5133,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt

    @NonNull
    @Override
    public Set<String> getGrantedPermissions(@NonNull String packageName,
            @UserIdInt int userId) {
    public Set<String> getGrantedPermissions(@NonNull String packageName, @UserIdInt int userId) {
        Objects.requireNonNull(packageName, "packageName");
        Preconditions.checkArgumentNonNegative(userId, "userId");
        return getGrantedPermissionsInternal(packageName, userId);
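Review bot: `grantRuntimePermission` and `revokeRuntimePermission` now derive `overridePolicy` differently: grant still calls the private two-argument `checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY)`, which pins `Context.DEVICE_ID_DEFAULT`, while revoke passes the caller-supplied `deviceId` into the same privilege check. Since this check concerns what the caller holds rather than the target of the operation, I would keep it on the default device in both, i.e. leave revoke as `checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY)`, or at least make the two agree. Separately, `getPermissionFlags` accepts `deviceId` and never uses it, and the visible parts of `updatePermissionFlags`, `shouldShowRequestPermissionRationale` and `isPermissionRevokedByPolicy` do not use it either (their bodies continue outside the hunks). A request for a non-default device therefore appears to be answered from default-device state; a comment saying so, or an explicit rejection of other ids, would keep callers from assuming per-device enforcement.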
+43 −26
@@ -25,7 +25,6 @@ import android.content.pm.PermissionGroupInfo;
import android.content.pm.PermissionInfo;
import android.content.pm.permission.SplitPermissionInfoParcelable;
import android.permission.IOnPermissionsChangeListener;
import android.permission.PermissionManager;
import android.permission.PermissionManagerInternal;

import com.android.server.pm.pkg.AndroidPackage;
@@ -137,14 +136,16 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
    void removePermission(String permName);

    /**
     * Gets the state flags associated with a permission.
     * Gets the permission state flags associated with a permission.
     *
     * @param packageName the package name for which to get the flags
     * @param permName the permission for which to get the flags
     * @param deviceId The device for which to get the flags
     * @param userId the user for which to get permission flags
     * @return the permission flags
     */
    int getPermissionFlags(String packageName, String permName, int userId);
    int getPermissionFlags(String packageName, String permName, int deviceId,
            @UserIdInt int userId);

    /**
     * Updates the flags associated with a permission by replacing the flags in the specified mask
@@ -154,10 +155,11 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
     * @param permName The permission for which to update the flags
     * @param flagMask The flags which to replace
     * @param flagValues The flags with which to replace
     * @param deviceId The device for which to update the permission flags
     * @param userId The user for which to update the permission flags
     */
    void updatePermissionFlags(String packageName, String permName, int flagMask,
            int flagValues, boolean checkAdjustPolicyFlagPermission, int userId);
    void updatePermissionFlags(String packageName, String permName, int flagMask, int flagValues,
            boolean checkAdjustPolicyFlagPermission, int deviceId, @UserIdInt int userId);

    /**
     * Update the permission flags for all packages and runtime permissions of a user in order
@@ -291,11 +293,13 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
     *
     * @param packageName the package to which to grant the permission
     * @param permName the permission name to grant
     * @param deviceId the device for which to grant the permission
     * @param userId the user for which to grant the permission
     *
     * @see #revokeRuntimePermission(String, String, android.os.UserHandle, String)
     * @see #revokeRuntimePermission(String, String, int, int, String)
     */
    void grantRuntimePermission(String packageName, String permName, int userId);
    void grantRuntimePermission(String packageName, String permName, int deviceId,
            @UserIdInt int userId);

    /**
     * Revoke a runtime permission that was previously granted by
@@ -310,13 +314,14 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
     *
     * @param packageName the package from which to revoke the permission
     * @param permName the permission name to revoke
     * @param deviceId the device for which to revoke the permission
     * @param userId the user for which to revoke the permission
     * @param reason the reason for the revoke, or {@code null} for unspecified
     *
     * @see #grantRuntimePermission(String, String, android.os.UserHandle)
     * @see #grantRuntimePermission(String, String, int, int)
     */
    void revokeRuntimePermission(String packageName, String permName, int userId,
            String reason);
    void revokeRuntimePermission(String packageName, String permName, int deviceId,
            @UserIdInt int userId, String reason);

    /**
     * Revoke the POST_NOTIFICATIONS permission, without killing the app. This method must ONLY BE
@@ -333,24 +338,29 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
     * does not clearly communicate to the user what would be the benefit from grating this
     * permission.
     *
     * @param packageName the package name
     * @param permName a permission your app wants to request
     * @param deviceId the device for which to check the permission
     * @param userId the user for which to check the permission
     * @return whether you can show permission rationale UI
     */
    boolean shouldShowRequestPermissionRationale(String packageName, String permName,
            @UserIdInt int userId);
            int deviceId, @UserIdInt int userId);

    /**
     * Checks whether a particular permissions has been revoked for a package by policy. Typically
     * Checks whether a particular permission has been revoked for a package by policy. Typically,
     * the device owner or the profile owner may apply such a policy. The user cannot grant policy
     * revoked permissions, hence the only way for an app to get such a permission is by a policy
     * change.
     *
     * @param packageName the name of the package you are checking against
     * @param permName the name of the permission you are checking for
     *
     * @param deviceId the device for which you are checking the permission
     * @param userId the device for which you are checking the permission
     * @return whether the permission is restricted by policy
     */
    boolean isPermissionRevokedByPolicy(String packageName, String permName, int userId);
    boolean isPermissionRevokedByPolicy(String packageName, String permName, int deviceId,
            @UserIdInt int userId);

    /**
     * Get set of permissions that have been split into more granular or dependent permissions.
@@ -373,14 +383,25 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
    List<SplitPermissionInfoParcelable> getSplitPermissions();

    /**
     * TODO:theianchen add doc describing this is the old checkPermissionImpl
     * Check whether a permission is granted or not to a package.
     *
     * @param pkgName package name
     * @param permName permission name
     * @param deviceId device ID
     * @param userId user ID
     * @return permission result {@link PackageManager.PermissionResult}
     */
    int checkPermission(String pkgName, String permName, int userId);
    int checkPermission(String pkgName, String permName, int deviceId, @UserIdInt int userId);

    /**
     * TODO:theianchen add doc describing this is the old checkUidPermissionImpl
     * Check whether a permission is granted or not to an UID.
     *
     * @param uid UID
     * @param permName permission name
     * @param deviceId device ID
     * @return permission result {@link PackageManager.PermissionResult}
     */
    int checkUidPermission(int uid, String permName);
    int checkUidPermission(int uid, String permName, int deviceId);

    /**
     * Get all the package names requesting app op permissions.
@@ -400,15 +421,11 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
            @UserIdInt int userId);

    /**
     * Reset the runtime permission state changes for a package.
     * Reset the runtime permission state changes for a package for all devices.
     *
     * TODO(zhanghai): Turn this into package change callback?
     *
     * @param pkg the package
     * @param userId the user ID
     */
    void resetRuntimePermissions(@NonNull AndroidPackage pkg,
            @UserIdInt int userId);
    void resetRuntimePermissions(@NonNull AndroidPackage pkg, @UserIdInt int userId);

    /**
     * Reset the runtime permission state changes for all packages in a user.
@@ -449,8 +466,8 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte
    /**
     * Get all the permissions granted to a package.
     *
     * @param packageName the name of the package
     * @param userId the user ID
     * @param packageName package name
     * @param userId user ID
     * @return the names of the granted permissions
     */
    @NonNull
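Review bot: The new Javadoc for `isPermissionRevokedByPolicy` documents the user parameter as `@param userId the device for which you are checking the permission`; it should read `@param userId the user for which you are checking the permission`. More generally, the interface adds `deviceId` to these methods without stating its contract: which value means the default device, and whether an implementation may ignore it. One sentence on each `@param deviceId`, or once in the interface Javadoc, would tell callers whether per-device state is actually honoured. `checkUidPermission` also leaves `deviceId` as a bare `int` next to `uid`, so the argument order deserves a mention there too.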
+31 −25

File changed.

Preview size limit exceeded, changes collapsed.

+33 −29

File changed.

Preview size limit exceeded, changes collapsed.
