Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5d32e772 authored by Jeff Sharkey's avatar Jeff Sharkey
Browse files

Enforce READ_EXTERNAL on non-user builds. 

Enable default enforcement of READ_EXTERNAL_STORAGE on non-user
builds. Users can still explicitly enable enforcement in Settings.

Bug: 6131916
Change-Id: I7dc66b624ad252ed2a2ad3647f3ea85dda7f8e82
parent 9492947a

core/java/android/content/pm/IPackageManager.aidl

+2 −2
Original line number Diff line number Diff line
@@ -373,6 +373,6 @@ interface IPackageManager { 
    List<UserInfo> getUsers();

    UserInfo getUser(int userId);



    void setPermissionEnforcement(String permission, int enforcement);

    int getPermissionEnforcement(String permission);

    void setPermissionEnforced(String permission, boolean enforced);

    boolean isPermissionEnforced(String permission);

}

core/java/android/content/pm/PackageManager.java

+2 −15
Original line number Diff line number Diff line
@@ -28,6 +28,7 @@ import android.content.res.Resources; 
import android.content.res.XmlResourceParser;

import android.graphics.drawable.Drawable;

import android.net.Uri;

import android.os.Build;

import android.os.Environment;

import android.util.AndroidException;

import android.util.DisplayMetrics;
@@ -1091,21 +1092,7 @@ public abstract class PackageManager { 
            = "android.content.pm.extra.VERIFICATION_INSTALL_FLAGS";



    /** {@hide} */

    public static final int ENFORCEMENT_DEFAULT = 0;

    /** {@hide} */

    public static final int ENFORCEMENT_YES = 1;



    /** {@hide} */

    public static String enforcementToString(int enforcement) {

        switch (enforcement) {

            case ENFORCEMENT_DEFAULT:

                return "DEFAULT";

            case ENFORCEMENT_YES:

                return "YES";

            default:

                return Integer.toString(enforcement);

        }

    }

    public static final boolean DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE = !"user".equals(Build.TYPE);



    /**

     * Retrieve overall information about an application package that is

services/java/com/android/server/pm/PackageManagerService.java

+9 −20
Original line number Diff line number Diff line
@@ -20,8 +20,6 @@ import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DEFAULT; 
import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED;

import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED_USER;

import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_ENABLED;

import static android.content.pm.PackageManager.ENFORCEMENT_DEFAULT;

import static android.content.pm.PackageManager.ENFORCEMENT_YES;

import static android.Manifest.permission.READ_EXTERNAL_STORAGE;

import static android.Manifest.permission.GRANT_REVOKE_PERMISSIONS;

import static libcore.io.OsConstants.S_ISLNK;
@@ -9030,12 +9028,12 @@ public class PackageManagerService extends IPackageManager.Stub { 
    }



    @Override

    public void setPermissionEnforcement(String permission, int enforcement) {

    public void setPermissionEnforced(String permission, boolean enforced) {

        mContext.enforceCallingOrSelfPermission(GRANT_REVOKE_PERMISSIONS, null);

        if (READ_EXTERNAL_STORAGE.equals(permission)) {

            synchronized (mPackages) {

                if (mSettings.mReadExternalStorageEnforcement != enforcement) {

                    mSettings.mReadExternalStorageEnforcement = enforcement;

                if (mSettings.mReadExternalStorageEnforced != enforced) {

                    mSettings.mReadExternalStorageEnforced = enforced;

                    mSettings.writeLPr();



                    // kill any non-foreground processes so we restart them and
@@ -9058,27 +9056,18 @@ public class PackageManagerService extends IPackageManager.Stub { 
    }



    @Override

    public int getPermissionEnforcement(String permission) {

    public boolean isPermissionEnforced(String permission) {

        mContext.enforceCallingOrSelfPermission(GRANT_REVOKE_PERMISSIONS, null);

        if (READ_EXTERNAL_STORAGE.equals(permission)) {

        synchronized (mPackages) {

                return mSettings.mReadExternalStorageEnforcement;

            }

        } else {

            throw new IllegalArgumentException("No selective enforcement for " + permission);

            return isPermissionEnforcedLocked(permission);

        }

    }



    private boolean isPermissionEnforcedLocked(String permission) {

        if (READ_EXTERNAL_STORAGE.equals(permission)) {

            switch (mSettings.mReadExternalStorageEnforcement) {

                case ENFORCEMENT_DEFAULT:

                    return false;

                case ENFORCEMENT_YES:

            return mSettings.mReadExternalStorageEnforced;

        } else {

            return true;

        }

    }



        return true;

    }

}

services/java/com/android/server/pm/Settings.java

+7 −10
Original line number Diff line number Diff line
@@ -20,7 +20,6 @@ import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DEFAULT; 
import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED;

import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED_USER;

import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_ENABLED;

import static android.content.pm.PackageManager.ENFORCEMENT_DEFAULT;

import static android.Manifest.permission.READ_EXTERNAL_STORAGE;



import com.android.internal.util.FastXmlSerializer;
@@ -112,7 +111,7 @@ final class Settings { 
    int mInternalSdkPlatform;

    int mExternalSdkPlatform;



    int mReadExternalStorageEnforcement = ENFORCEMENT_DEFAULT;

    boolean mReadExternalStorageEnforced = PackageManager.DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE;



    /** Device identity for the purpose of package verification. */

    private VerifierDeviceIdentity mVerifierDeviceIdentity;
@@ -1140,10 +1139,11 @@ final class Settings { 
                serializer.endTag(null, "verifier");

            }



            if (mReadExternalStorageEnforcement != ENFORCEMENT_DEFAULT) {

            if (mReadExternalStorageEnforced

                    != PackageManager.DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE) {

                serializer.startTag(null, TAG_READ_EXTERNAL_STORAGE);

                serializer.attribute(

                        null, ATTR_ENFORCEMENT, Integer.toString(mReadExternalStorageEnforcement));

                        null, ATTR_ENFORCEMENT, mReadExternalStorageEnforced ? "1" : "0");

                serializer.endTag(null, TAG_READ_EXTERNAL_STORAGE);

            }
@@ -1548,10 +1548,7 @@ final class Settings { 
                    }

                } else if (TAG_READ_EXTERNAL_STORAGE.equals(tagName)) {

                    final String enforcement = parser.getAttributeValue(null, ATTR_ENFORCEMENT);

                    try {

                        mReadExternalStorageEnforcement = Integer.parseInt(enforcement);

                    } catch (NumberFormatException e) {

                    }

                    mReadExternalStorageEnforced = "1".equals(enforcement);

                } else {

                    Slog.w(PackageManagerService.TAG, "Unknown element under <packages>: "

                            + parser.getName());
@@ -2560,8 +2557,8 @@ final class Settings { 
                pw.print("    perm="); pw.println(p.perm);

            }

            if (READ_EXTERNAL_STORAGE.equals(p.name)) {

                pw.print("    enforcement=");

                pw.println(PackageManager.enforcementToString(mReadExternalStorageEnforcement));

                pw.print("    enforced=");

                pw.println(mReadExternalStorageEnforced);

            }

        }

    }