Loading core/java/android/permission/flags.aconfig +0 −11 Original line number Diff line number Diff line Loading @@ -120,17 +120,6 @@ flag { bug: "323157319" } flag { name: "new_permission_gid_enabled" is_fixed_read_only: true namespace: "permissions" description: "Enable new permission GID implementation" bug: "325137277" metadata { purpose: PURPOSE_BUGFIX } } flag { name: "ignore_process_text" namespace: "permissions" Loading services/permission/java/com/android/server/permission/access/AccessCheckingService.kt +0 −2 Original line number Diff line number Diff line Loading @@ -106,8 +106,6 @@ class AccessCheckingService(context: Context) : SystemService(context) { persistence.read(state) this.state = state mutateState { with(policy) { onInitialized() } } appOpService.initialize() permissionService.initialize() } Loading services/permission/java/com/android/server/permission/access/AccessPolicy.kt +0 −6 Original line number Diff line number Diff line Loading @@ -98,10 +98,6 @@ private constructor( forEachSchemePolicy { with(it) { onStateMutated() } } } fun MutateStateScope.onInitialized() { forEachSchemePolicy { with(it) { onInitialized() } } } fun MutateStateScope.onUserAdded(userId: Int) { newState.mutateExternalState().mutateUserIds() += userId newState.mutateUserStatesNoWrite()[userId] = MutableUserState() Loading Loading @@ -443,8 +439,6 @@ abstract class SchemePolicy { open fun GetStateScope.onStateMutated() {} open fun MutateStateScope.onInitialized() {} open fun MutateStateScope.onUserAdded(userId: Int) {} open fun MutateStateScope.onUserRemoved(userId: Int) {} Loading services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPersistence.kt +1 −14 Original line number Diff line number Diff line Loading @@ -101,10 +101,6 @@ class AppIdPermissionPersistence { val type = getAttributeIntOrThrow(ATTR_TYPE) when (type) { Permission.TYPE_MANIFEST -> {} Permission.TYPE_CONFIG -> { Slog.w(LOG_TAG, "Ignoring unexpected config permission $name") return } Permission.TYPE_DYNAMIC -> { permissionInfo.apply { icon = getAttributeIntHexOrDefault(ATTR_ICON, 0) Loading Loading @@ -134,20 +130,11 @@ class AppIdPermissionPersistence { } private fun BinaryXmlSerializer.serializePermission(permission: Permission) { val type = permission.type when (type) { Permission.TYPE_MANIFEST, Permission.TYPE_DYNAMIC -> {} Permission.TYPE_CONFIG -> return else -> { Slog.w(LOG_TAG, "Skipping serializing permission $name with unknown type $type") return } } tag(TAG_PERMISSION) { attributeInterned(ATTR_NAME, permission.name) attributeInterned(ATTR_PACKAGE_NAME, permission.packageName) attributeIntHex(ATTR_PROTECTION_LEVEL, permission.protectionLevel) val type = permission.type attributeInt(ATTR_TYPE, type) if (type == Permission.TYPE_DYNAMIC) { val permissionInfo = permission.permissionInfo Loading services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt +64 −153 Original line number Diff line number Diff line Loading @@ -79,46 +79,6 @@ class AppIdPermissionPolicy : SchemePolicy() { onPermissionFlagsChangedListeners.forEachIndexed { _, it -> it.onStateMutated() } } override fun MutateStateScope.onInitialized() { if (!Flags.newPermissionGidEnabled()) { newState.externalState.configPermissions.forEach { (permissionName, permissionEntry) -> val oldPermission = newState.systemState.permissions[permissionName] val newPermission = if (oldPermission != null) { if (permissionEntry.gids != null) { oldPermission.copy( gids = permissionEntry.gids, areGidsPerUser = permissionEntry.perUser ) } else { return@forEach } } else { @Suppress("DEPRECATION") val permissionInfo = PermissionInfo().apply { name = permissionName packageName = PLATFORM_PACKAGE_NAME protectionLevel = PermissionInfo.PROTECTION_SIGNATURE } if (permissionEntry.gids != null) { Permission( permissionInfo, false, Permission.TYPE_CONFIG, 0, permissionEntry.gids, permissionEntry.perUser ) } else { Permission(permissionInfo, false, Permission.TYPE_CONFIG, 0) } } newState.mutateSystemState().mutatePermissions()[permissionName] = newPermission } } } override fun MutateStateScope.onUserAdded(userId: Int) { newState.externalState.packageStates.forEach { (_, packageState) -> evaluateAllPermissionStatesForPackageAndUser(packageState, userId, null) Loading Loading @@ -507,6 +467,7 @@ class AppIdPermissionPolicy : SchemePolicy() { } else { newState.systemState.permissions[permissionName] } // Different from the old implementation, which may add an (incomplete) signature // permission inside another package's permission tree, we now consistently ignore such // permissions. Loading @@ -521,8 +482,9 @@ class AppIdPermissionPolicy : SchemePolicy() { ) return@forEachIndexed } var newPermission = if (oldPermission != null && newPackageName != oldPermission.packageName) { if (oldPermission != null) { if (newPackageName != oldPermission.packageName) { val oldPackageName = oldPermission.packageName // Only allow system apps to redefine non-system permissions. if (!packageState.isSystem) { Loading @@ -534,19 +496,15 @@ class AppIdPermissionPolicy : SchemePolicy() { ) return@forEachIndexed } if ( oldPermission.type == Permission.TYPE_CONFIG && !oldPermission.isReconciled ) { // It's a config permission and has no owner, take ownership now. oldPermission.copy( permissionInfo = newPermissionInfo, isReconciled = true, type = Permission.TYPE_MANIFEST, appId = packageState.appId if (newState.externalState.packageStates[oldPackageName]?.isSystem == true) { Slog.w( LOG_TAG, "Ignoring permission $permissionName declared in system package" + " $newPackageName: already declared in another system package" + " $oldPackageName" ) } else if ( newState.externalState.packageStates[oldPackageName]?.isSystem != true ) { return@forEachIndexed } Slog.w( LOG_TAG, "Overriding permission $permissionName with new declaration in" + Loading @@ -559,44 +517,17 @@ class AppIdPermissionPolicy : SchemePolicy() { setPermissionFlags(appId, userId, permissionName, 0) } } // Different from the old implementation, which removes the GIDs upon // permission // override, but adds them back on the next boot, we now just consistently // keep // the GIDs. Permission( newPermissionInfo, true, Permission.TYPE_MANIFEST, packageState.appId, oldPermission.gids, oldPermission.areGidsPerUser ) } else { Slog.w( LOG_TAG, "Ignoring permission $permissionName declared in system package" + " $newPackageName: already declared in another system package" + " $oldPackageName" ) return@forEachIndexed } } else { if (oldPermission != null && oldPermission.isReconciled) { } else if (oldPermission.isReconciled) { val isPermissionGroupChanged = newPermissionInfo.isRuntime && newPermissionInfo.group != null && newPermissionInfo.group != oldPermission.groupName val isPermissionProtectionChanged = oldPermission.type != Permission.TYPE_CONFIG && ((newPermissionInfo.isRuntime && !oldPermission.isRuntime) || (newPermissionInfo.isInternal && !oldPermission.isInternal)) (newPermissionInfo.isRuntime && !oldPermission.isRuntime) || (newPermissionInfo.isInternal && !oldPermission.isInternal) if (isPermissionGroupChanged || isPermissionProtectionChanged) { newState.externalState.userIds.forEachIndexed { _, userId -> newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> if (isPermissionGroupChanged) { // We might auto-grant permissions if any permission of // the group is already granted. Hence if the group of Loading @@ -623,28 +554,8 @@ class AppIdPermissionPolicy : SchemePolicy() { } } } // Different from the old implementation, which doesn't update the permission // definition upon app update, but does update it on the next boot, we now // consistently update the permission definition upon app update. @Suppress("IfThenToElvis") if (oldPermission != null) { oldPermission.copy( permissionInfo = newPermissionInfo, isReconciled = true, type = Permission.TYPE_MANIFEST, appId = packageState.appId ) } else { Permission( newPermissionInfo, true, Permission.TYPE_MANIFEST, packageState.appId ) } } if (Flags.newPermissionGidEnabled()) { var gids = EmptyArray.INT var areGidsPerUser = false if (!parsedPermission.isTree && packageState.isSystem) { Loading @@ -658,7 +569,8 @@ class AppIdPermissionPolicy : SchemePolicy() { } } } newPermission = Permission( val newPermission = Permission( newPermissionInfo, true, Permission.TYPE_MANIFEST, Loading @@ -666,7 +578,6 @@ class AppIdPermissionPolicy : SchemePolicy() { gids, areGidsPerUser ) } if (parsedPermission.isTree) { newState.mutateSystemState().mutatePermissionTrees()[permissionName] = newPermission Loading Loading
core/java/android/permission/flags.aconfig +0 −11 Original line number Diff line number Diff line Loading @@ -120,17 +120,6 @@ flag { bug: "323157319" } flag { name: "new_permission_gid_enabled" is_fixed_read_only: true namespace: "permissions" description: "Enable new permission GID implementation" bug: "325137277" metadata { purpose: PURPOSE_BUGFIX } } flag { name: "ignore_process_text" namespace: "permissions" Loading
services/permission/java/com/android/server/permission/access/AccessCheckingService.kt +0 −2 Original line number Diff line number Diff line Loading @@ -106,8 +106,6 @@ class AccessCheckingService(context: Context) : SystemService(context) { persistence.read(state) this.state = state mutateState { with(policy) { onInitialized() } } appOpService.initialize() permissionService.initialize() } Loading
services/permission/java/com/android/server/permission/access/AccessPolicy.kt +0 −6 Original line number Diff line number Diff line Loading @@ -98,10 +98,6 @@ private constructor( forEachSchemePolicy { with(it) { onStateMutated() } } } fun MutateStateScope.onInitialized() { forEachSchemePolicy { with(it) { onInitialized() } } } fun MutateStateScope.onUserAdded(userId: Int) { newState.mutateExternalState().mutateUserIds() += userId newState.mutateUserStatesNoWrite()[userId] = MutableUserState() Loading Loading @@ -443,8 +439,6 @@ abstract class SchemePolicy { open fun GetStateScope.onStateMutated() {} open fun MutateStateScope.onInitialized() {} open fun MutateStateScope.onUserAdded(userId: Int) {} open fun MutateStateScope.onUserRemoved(userId: Int) {} Loading
services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPersistence.kt +1 −14 Original line number Diff line number Diff line Loading @@ -101,10 +101,6 @@ class AppIdPermissionPersistence { val type = getAttributeIntOrThrow(ATTR_TYPE) when (type) { Permission.TYPE_MANIFEST -> {} Permission.TYPE_CONFIG -> { Slog.w(LOG_TAG, "Ignoring unexpected config permission $name") return } Permission.TYPE_DYNAMIC -> { permissionInfo.apply { icon = getAttributeIntHexOrDefault(ATTR_ICON, 0) Loading Loading @@ -134,20 +130,11 @@ class AppIdPermissionPersistence { } private fun BinaryXmlSerializer.serializePermission(permission: Permission) { val type = permission.type when (type) { Permission.TYPE_MANIFEST, Permission.TYPE_DYNAMIC -> {} Permission.TYPE_CONFIG -> return else -> { Slog.w(LOG_TAG, "Skipping serializing permission $name with unknown type $type") return } } tag(TAG_PERMISSION) { attributeInterned(ATTR_NAME, permission.name) attributeInterned(ATTR_PACKAGE_NAME, permission.packageName) attributeIntHex(ATTR_PROTECTION_LEVEL, permission.protectionLevel) val type = permission.type attributeInt(ATTR_TYPE, type) if (type == Permission.TYPE_DYNAMIC) { val permissionInfo = permission.permissionInfo Loading
services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt +64 −153 Original line number Diff line number Diff line Loading @@ -79,46 +79,6 @@ class AppIdPermissionPolicy : SchemePolicy() { onPermissionFlagsChangedListeners.forEachIndexed { _, it -> it.onStateMutated() } } override fun MutateStateScope.onInitialized() { if (!Flags.newPermissionGidEnabled()) { newState.externalState.configPermissions.forEach { (permissionName, permissionEntry) -> val oldPermission = newState.systemState.permissions[permissionName] val newPermission = if (oldPermission != null) { if (permissionEntry.gids != null) { oldPermission.copy( gids = permissionEntry.gids, areGidsPerUser = permissionEntry.perUser ) } else { return@forEach } } else { @Suppress("DEPRECATION") val permissionInfo = PermissionInfo().apply { name = permissionName packageName = PLATFORM_PACKAGE_NAME protectionLevel = PermissionInfo.PROTECTION_SIGNATURE } if (permissionEntry.gids != null) { Permission( permissionInfo, false, Permission.TYPE_CONFIG, 0, permissionEntry.gids, permissionEntry.perUser ) } else { Permission(permissionInfo, false, Permission.TYPE_CONFIG, 0) } } newState.mutateSystemState().mutatePermissions()[permissionName] = newPermission } } } override fun MutateStateScope.onUserAdded(userId: Int) { newState.externalState.packageStates.forEach { (_, packageState) -> evaluateAllPermissionStatesForPackageAndUser(packageState, userId, null) Loading Loading @@ -507,6 +467,7 @@ class AppIdPermissionPolicy : SchemePolicy() { } else { newState.systemState.permissions[permissionName] } // Different from the old implementation, which may add an (incomplete) signature // permission inside another package's permission tree, we now consistently ignore such // permissions. Loading @@ -521,8 +482,9 @@ class AppIdPermissionPolicy : SchemePolicy() { ) return@forEachIndexed } var newPermission = if (oldPermission != null && newPackageName != oldPermission.packageName) { if (oldPermission != null) { if (newPackageName != oldPermission.packageName) { val oldPackageName = oldPermission.packageName // Only allow system apps to redefine non-system permissions. if (!packageState.isSystem) { Loading @@ -534,19 +496,15 @@ class AppIdPermissionPolicy : SchemePolicy() { ) return@forEachIndexed } if ( oldPermission.type == Permission.TYPE_CONFIG && !oldPermission.isReconciled ) { // It's a config permission and has no owner, take ownership now. oldPermission.copy( permissionInfo = newPermissionInfo, isReconciled = true, type = Permission.TYPE_MANIFEST, appId = packageState.appId if (newState.externalState.packageStates[oldPackageName]?.isSystem == true) { Slog.w( LOG_TAG, "Ignoring permission $permissionName declared in system package" + " $newPackageName: already declared in another system package" + " $oldPackageName" ) } else if ( newState.externalState.packageStates[oldPackageName]?.isSystem != true ) { return@forEachIndexed } Slog.w( LOG_TAG, "Overriding permission $permissionName with new declaration in" + Loading @@ -559,44 +517,17 @@ class AppIdPermissionPolicy : SchemePolicy() { setPermissionFlags(appId, userId, permissionName, 0) } } // Different from the old implementation, which removes the GIDs upon // permission // override, but adds them back on the next boot, we now just consistently // keep // the GIDs. Permission( newPermissionInfo, true, Permission.TYPE_MANIFEST, packageState.appId, oldPermission.gids, oldPermission.areGidsPerUser ) } else { Slog.w( LOG_TAG, "Ignoring permission $permissionName declared in system package" + " $newPackageName: already declared in another system package" + " $oldPackageName" ) return@forEachIndexed } } else { if (oldPermission != null && oldPermission.isReconciled) { } else if (oldPermission.isReconciled) { val isPermissionGroupChanged = newPermissionInfo.isRuntime && newPermissionInfo.group != null && newPermissionInfo.group != oldPermission.groupName val isPermissionProtectionChanged = oldPermission.type != Permission.TYPE_CONFIG && ((newPermissionInfo.isRuntime && !oldPermission.isRuntime) || (newPermissionInfo.isInternal && !oldPermission.isInternal)) (newPermissionInfo.isRuntime && !oldPermission.isRuntime) || (newPermissionInfo.isInternal && !oldPermission.isInternal) if (isPermissionGroupChanged || isPermissionProtectionChanged) { newState.externalState.userIds.forEachIndexed { _, userId -> newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> if (isPermissionGroupChanged) { // We might auto-grant permissions if any permission of // the group is already granted. Hence if the group of Loading @@ -623,28 +554,8 @@ class AppIdPermissionPolicy : SchemePolicy() { } } } // Different from the old implementation, which doesn't update the permission // definition upon app update, but does update it on the next boot, we now // consistently update the permission definition upon app update. @Suppress("IfThenToElvis") if (oldPermission != null) { oldPermission.copy( permissionInfo = newPermissionInfo, isReconciled = true, type = Permission.TYPE_MANIFEST, appId = packageState.appId ) } else { Permission( newPermissionInfo, true, Permission.TYPE_MANIFEST, packageState.appId ) } } if (Flags.newPermissionGidEnabled()) { var gids = EmptyArray.INT var areGidsPerUser = false if (!parsedPermission.isTree && packageState.isSystem) { Loading @@ -658,7 +569,8 @@ class AppIdPermissionPolicy : SchemePolicy() { } } } newPermission = Permission( val newPermission = Permission( newPermissionInfo, true, Permission.TYPE_MANIFEST, Loading @@ -666,7 +578,6 @@ class AppIdPermissionPolicy : SchemePolicy() { gids, areGidsPerUser ) } if (parsedPermission.isTree) { newState.mutateSystemState().mutatePermissionTrees()[permissionName] = newPermission Loading
