Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 57582d29 authored by Sudheer Shanka's avatar Sudheer Shanka
Browse files

Allow callers with QUARANTINE_APPS permission to quarantine apps. 

Bug: 301109246
Test: atest tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java
Change-Id: I4e33009a2328554c093d3939fc9a183aaa75d68c
parent 96be87a7

core/api/system-current.txt

+1 −1
Original line number Diff line number Diff line
@@ -3937,7 +3937,7 @@ package android.content.pm { 
    method @RequiresPermission(android.Manifest.permission.SET_HARMFUL_APP_WARNINGS) public void setHarmfulAppWarning(@NonNull String, @Nullable CharSequence);

    method @Deprecated @Nullable @RequiresPermission(android.Manifest.permission.SUSPEND_APPS) public String[] setPackagesSuspended(@Nullable String[], boolean, @Nullable android.os.PersistableBundle, @Nullable android.os.PersistableBundle, @Nullable String);

    method @Nullable @RequiresPermission(value=android.Manifest.permission.SUSPEND_APPS, conditional=true) public String[] setPackagesSuspended(@Nullable String[], boolean, @Nullable android.os.PersistableBundle, @Nullable android.os.PersistableBundle, @Nullable android.content.pm.SuspendDialogInfo);

    method @FlaggedApi("android.content.pm.quarantined_enabled") @Nullable @RequiresPermission(value=android.Manifest.permission.SUSPEND_APPS, conditional=true) public String[] setPackagesSuspended(@Nullable String[], boolean, @Nullable android.os.PersistableBundle, @Nullable android.os.PersistableBundle, @Nullable android.content.pm.SuspendDialogInfo, int);

    method @FlaggedApi("android.content.pm.quarantined_enabled") @Nullable @RequiresPermission(anyOf={android.Manifest.permission.SUSPEND_APPS, android.Manifest.permission.QUARANTINE_APPS}, conditional=true) public String[] setPackagesSuspended(@Nullable String[], boolean, @Nullable android.os.PersistableBundle, @Nullable android.os.PersistableBundle, @Nullable android.content.pm.SuspendDialogInfo, int);

    method @RequiresPermission(value=android.Manifest.permission.CHANGE_COMPONENT_ENABLED_STATE, conditional=true) public void setSyntheticAppDetailsActivityEnabled(@NonNull String, boolean);

    method public void setSystemAppState(@NonNull String, int);

    method @RequiresPermission(android.Manifest.permission.INSTALL_PACKAGES) public abstract void setUpdateAvailable(@NonNull String, boolean);

core/java/android/content/pm/PackageManager.java

+6 −2
Original line number Diff line number Diff line
@@ -9781,7 +9781,8 @@ public abstract class PackageManager { 
     * launcher to support customization that they might need to handle the suspended state.

     *

     * <p>The caller must hold {@link Manifest.permission#SUSPEND_APPS} to use this API except for

     * device owner and profile owner.

     * device owner and profile owner or the {@link Manifest.permission#QUARANTINE_APPS} if the

     * caller is using {@link #FLAG_SUSPEND_QUARANTINED}.

     *

     * @param packageNames The names of the packages to set the suspended status.

     * @param suspended If set to {@code true}, the packages will be suspended, if set to
@@ -9809,7 +9810,10 @@ public abstract class PackageManager { 
     */

    @SystemApi

    @FlaggedApi(android.content.pm.Flags.FLAG_QUARANTINED_ENABLED)

    @RequiresPermission(value=Manifest.permission.SUSPEND_APPS, conditional=true)

    @RequiresPermission(anyOf = {

            Manifest.permission.SUSPEND_APPS,

            Manifest.permission.QUARANTINE_APPS

    }, conditional = true)

    @SuppressLint("NullableCollection")

    @Nullable

    public String[] setPackagesSuspended(@Nullable String[] packageNames, boolean suspended,

core/res/AndroidManifest.xml

+1 −1
Original line number Diff line number Diff line
@@ -2365,7 +2365,7 @@ 
         them from running without explicit user action.

    -->

    <permission android:name="android.permission.QUARANTINE_APPS"

        android:protectionLevel="internal|verifier" />

        android:protectionLevel="signature|verifier" />



    <!-- Allows applications to discover and pair bluetooth devices.

         <p>Protection level: normal

packages/Shell/AndroidManifest.xml

+1 −0
Original line number Diff line number Diff line
@@ -325,6 +325,7 @@ 
    <uses-permission android:name="android.permission.CONTROL_KEYGUARD" />

    <uses-permission android:name="android.permission.CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS" />

    <uses-permission android:name="android.permission.SUSPEND_APPS" />

    <uses-permission android:name="android.permission.QUARANTINE_APPS" />

    <uses-permission android:name="android.permission.OBSERVE_APP_USAGE" />

    <uses-permission android:name="android.permission.READ_CLIPBOARD_IN_BACKGROUND" />

    <!-- Permission needed to wipe the device for Test Harness Mode -->

services/core/java/com/android/server/pm/PackageManagerService.java

+19 −6
Original line number Diff line number Diff line
@@ -3105,7 +3105,8 @@ public class PackageManagerService implements PackageSender, TestUtilityService 
    }



    private void enforceCanSetPackagesSuspendedAsUser(@NonNull Computer snapshot,

            String callingPackage, int callingUid, int userId, String callingMethod) {

            boolean quarantined, String callingPackage, int callingUid, int userId,

            String callingMethod) {

        if (callingUid == Process.ROOT_UID

                // Need to compare app-id to allow system dialogs access on secondary users

                || UserHandle.getAppId(callingUid) == Process.SYSTEM_UID) {
@@ -3120,8 +3121,20 @@ public class PackageManagerService implements PackageSender, TestUtilityService 
            }

        }



        if (quarantined) {

            final boolean hasQuarantineAppsPerm = mContext.checkCallingOrSelfPermission(

                    android.Manifest.permission.QUARANTINE_APPS) == PERMISSION_GRANTED;

            // TODO: b/305256093 - In order to facilitate testing, temporarily allowing apps

            // with SUSPEND_APPS permission to quarantine apps. Remove this once the testing

            // is done and this is no longer needed.

            if (!hasQuarantineAppsPerm) {

                mContext.enforceCallingOrSelfPermission(android.Manifest.permission.SUSPEND_APPS,

                        callingMethod);

            }

        } else {

            mContext.enforceCallingOrSelfPermission(android.Manifest.permission.SUSPEND_APPS,

                    callingMethod);

        }



        final int packageUid = snapshot.getPackageUid(callingPackage, 0, userId);

        final boolean allowedPackageUid = packageUid == callingUid;
@@ -6136,9 +6149,6 @@ public class PackageManagerService implements PackageSender, TestUtilityService 
                PersistableBundle appExtras, PersistableBundle launcherExtras,

                SuspendDialogInfo dialogInfo, int flags, String callingPackage, int userId) {

            final int callingUid = Binder.getCallingUid();

            final Computer snapshot = snapshotComputer();

            enforceCanSetPackagesSuspendedAsUser(snapshot, callingPackage, callingUid, userId,

                    "setPackagesSuspendedAsUser");

            boolean quarantined = false;

            if (Flags.quarantinedEnabled()) {

                if ((flags & PackageManager.FLAG_SUSPEND_QUARANTINED) != 0) {
@@ -6149,6 +6159,9 @@ public class PackageManagerService implements PackageSender, TestUtilityService 
                    quarantined = callingPackage.equals(wellbeingPkg);

                }

            }

            final Computer snapshot = snapshotComputer();

            enforceCanSetPackagesSuspendedAsUser(snapshot, quarantined, callingPackage, callingUid,

                    userId, "setPackagesSuspendedAsUser");

            return mSuspendPackageHelper.setPackagesSuspended(snapshot, packageNames, suspended,

                    appExtras, launcherExtras, dialogInfo, callingPackage, userId, callingUid,

                    quarantined);