Merge "Revert "DO NOT MERGE: Revert "Make CheckOp return allowed if any..."" into sc-dev (5d31eda9) · Commits · e / os / android_frameworks_base

core/java/android/app/AppOpsManager.java

+14 −9

Original line number	Diff line number	Diff line
		@@ -2463,8 +2463,8 @@ public class AppOpsManager {
		* restriction} for a certain app-op.
		*/
		private static RestrictionBypass[] sOpAllowSystemRestrictionBypass = new RestrictionBypass[] {
		new RestrictionBypass(true, false), //COARSE_LOCATION
		new RestrictionBypass(true, false), //FINE_LOCATION
		new RestrictionBypass(true, false, false), //COARSE_LOCATION
		new RestrictionBypass(true, false, false), //FINE_LOCATION
		null, //GPS
		null, //VIBRATE
		null, //READ_CONTACTS
		@@ -2473,7 +2473,7 @@ public class AppOpsManager {
		null, //WRITE_CALL_LOG
		null, //READ_CALENDAR
		null, //WRITE_CALENDAR
		new RestrictionBypass(true, false), //WIFI_SCAN
		new RestrictionBypass(false, true, false), //WIFI_SCAN
		null, //POST_NOTIFICATION
		null, //NEIGHBORING_CELLS
		null, //CALL_PHONE
		@@ -2487,10 +2487,10 @@ public class AppOpsManager {
		null, //READ_ICC_SMS
		null, //WRITE_ICC_SMS
		null, //WRITE_SETTINGS
		new RestrictionBypass(true, false), //SYSTEM_ALERT_WINDOW
		new RestrictionBypass(false, true, false), //SYSTEM_ALERT_WINDOW
		null, //ACCESS_NOTIFICATIONS
		null, //CAMERA
		new RestrictionBypass(false, true), //RECORD_AUDIO
		new RestrictionBypass(false, false, true), //RECORD_AUDIO
		null, //PLAY_AUDIO
		null, //READ_CLIPBOARD
		null, //WRITE_CLIPBOARD
		@@ -2508,7 +2508,7 @@ public class AppOpsManager {
		null, //MONITOR_HIGH_POWER_LOCATION
		null, //GET_USAGE_STATS
		null, //MUTE_MICROPHONE
		new RestrictionBypass(true, false), //TOAST_WINDOW
		new RestrictionBypass(false, true, false), //TOAST_WINDOW
		null, //PROJECT_MEDIA
		null, //ACTIVATE_VPN
		null, //WALLPAPER
		@@ -2540,7 +2540,7 @@ public class AppOpsManager {
		null, // ACCEPT_HANDOVER
		null, // MANAGE_IPSEC_HANDOVERS
		null, // START_FOREGROUND
		new RestrictionBypass(true, false), // BLUETOOTH_SCAN
		new RestrictionBypass(false, true, false), // BLUETOOTH_SCAN
		null, // USE_BIOMETRIC
		null, // ACTIVITY_RECOGNITION
		null, // SMS_FINANCIAL_TRANSACTIONS
		@@ -3105,6 +3105,9 @@ public class AppOpsManager {
		* @hide
		*/
		public static class RestrictionBypass {
		/** Does the app need to be system uid to bypass the restriction */
		public boolean isSystemUid;

		/** Does the app need to be privileged to bypass the restriction */
		public boolean isPrivileged;

		@@ -3114,12 +3117,14 @@ public class AppOpsManager {
		*/
		public boolean isRecordAudioRestrictionExcept;

		public RestrictionBypass(boolean isPrivileged, boolean isRecordAudioRestrictionExcept) {
		public RestrictionBypass(boolean isSystemUid, boolean isPrivileged,
		boolean isRecordAudioRestrictionExcept) {
		this.isSystemUid = isSystemUid;
		this.isPrivileged = isPrivileged;
		this.isRecordAudioRestrictionExcept = isRecordAudioRestrictionExcept;
		}

		public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(true, true);
		public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(false, true, true);
		}

		/**

services/core/java/com/android/server/appop/AppOpsService.java

+19 −9

Original line number	Diff line number	Diff line
		@@ -3242,7 +3242,7 @@ public class AppOpsService extends IAppOpsService.Stub {
		return AppOpsManager.MODE_IGNORED;
		}
		synchronized (this) {
		if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {
		if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, true)) {
		return AppOpsManager.MODE_IGNORED;
		}
		code = AppOpsManager.opToSwitch(code);
		@@ -3459,7 +3459,7 @@ public class AppOpsService extends IAppOpsService.Stub {

		final int switchCode = AppOpsManager.opToSwitch(code);
		final UidState uidState = ops.uidState;
		if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {
		if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, false)) {
		attributedOp.rejected(uidState.state, flags);
		scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,
		AppOpsManager.MODE_IGNORED);
		@@ -3973,7 +3973,8 @@ public class AppOpsService extends IAppOpsService.Stub {
		final Op op = getOpLocked(ops, code, uid, true);
		final AttributedOp attributedOp = op.getOrCreateAttribution(op, attributionTag);
		final UidState uidState = ops.uidState;
		isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass);
		isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass,
		false);
		final int switchCode = AppOpsManager.opToSwitch(code);
		// If there is a non-default per UID policy (we set UID op mode only if
		// non-default) it takes over, otherwise use the per package policy.
		@@ -4502,8 +4503,9 @@ public class AppOpsService extends IAppOpsService.Stub {
		* @return The restriction matching the package
		*/
		private RestrictionBypass getBypassforPackage(@NonNull AndroidPackage pkg) {
		return new RestrictionBypass(pkg.isPrivileged(), mContext.checkPermission(
		android.Manifest.permission.EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid())
		return new RestrictionBypass(pkg.getUid() == Process.SYSTEM_UID, pkg.isPrivileged(),
		mContext.checkPermission(android.Manifest.permission
		.EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid())
		== PackageManager.PERMISSION_GRANTED);
		}

		@@ -4763,7 +4765,7 @@ public class AppOpsService extends IAppOpsService.Stub {
		}

		private boolean isOpRestrictedLocked(int uid, int code, String packageName,
		String attributionTag, @Nullable RestrictionBypass appBypass) {
		String attributionTag, @Nullable RestrictionBypass appBypass, boolean isCheckOp) {
		int restrictionSetCount = mOpGlobalRestrictions.size();

		for (int i = 0; i < restrictionSetCount; i++) {
		@@ -4780,11 +4782,15 @@ public class AppOpsService extends IAppOpsService.Stub {
		// For each client, check that the given op is not restricted, or that the given
		// package is exempt from the restriction.
		ClientUserRestrictionState restrictionState = mOpUserRestrictions.valueAt(i);
		if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle)) {
		if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle,
		isCheckOp)) {
		RestrictionBypass opBypass = opAllowSystemBypassRestriction(code);
		if (opBypass != null) {
		// If we are the system, bypass user restrictions for certain codes
		synchronized (this) {
		if (opBypass.isSystemUid && appBypass != null && appBypass.isSystemUid) {
		return false;
		}
		if (opBypass.isPrivileged && appBypass != null && appBypass.isPrivileged) {
		return false;
		}
		@@ -7137,7 +7143,7 @@ public class AppOpsService extends IAppOpsService.Stub {
		}

		public boolean hasRestriction(int restriction, String packageName, String attributionTag,
		int userId) {
		int userId, boolean isCheckOp) {
		if (perUserRestrictions == null) {
		return false;
		}
		@@ -7156,6 +7162,9 @@ public class AppOpsService extends IAppOpsService.Stub {
		return true;
		}

		if (isCheckOp) {
		return !perUserExclusions.includes(packageName);
		}
		return !perUserExclusions.contains(packageName, attributionTag);
		}

		@@ -7322,7 +7331,8 @@ public class AppOpsService extends IAppOpsService.Stub {
		int numRestrictions = mOpUserRestrictions.size();
		for (int i = 0; i < numRestrictions; i++) {
		if (mOpUserRestrictions.valueAt(i)
		.hasRestriction(code, pkg, attributionTag, user.getIdentifier())) {
		.hasRestriction(code, pkg, attributionTag, user.getIdentifier(),
		false)) {
		number++;
		}
		}