Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 61c2d029 authored by Evan Severson's avatar Evan Severson
Browse files

Make CheckOp return allowed if any attr tag for a package is excluded 

checkOp doesn't support checking against an attribution tag, this causes
some checkOps to fail when a noteOp is successful meaning that a
preflight routine might fail before delivering data and doing the more
precise check. This only affects when a user restriction is applied and
there are excepted package+tag.

Test: Checkop with test app
Bug: 232502990
Change-Id: Idcf5ac9a5401ad8089f5873da1f978fdf9258b5a
parent 866cd169

services/core/java/com/android/server/appop/AppOpsService.java

+13 −7
Original line number Diff line number Diff line
@@ -3256,7 +3256,7 @@ public class AppOpsService extends IAppOpsService.Stub { 
            return AppOpsManager.MODE_IGNORED;

        }

        synchronized (this) {

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, true)) {

                return AppOpsManager.MODE_IGNORED;

            }

            code = AppOpsManager.opToSwitch(code);
@@ -3481,7 +3481,7 @@ public class AppOpsService extends IAppOpsService.Stub { 


            final int switchCode = AppOpsManager.opToSwitch(code);

            final UidState uidState = ops.uidState;

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {

            if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, false)) {

                attributedOp.rejected(uidState.state, flags);

                scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,

                        AppOpsManager.MODE_IGNORED);
@@ -3995,7 +3995,8 @@ public class AppOpsService extends IAppOpsService.Stub { 
            final Op op = getOpLocked(ops, code, uid, true);

            final AttributedOp attributedOp = op.getOrCreateAttribution(op, attributionTag);

            final UidState uidState = ops.uidState;

            isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass);

            isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass,

                    false);

            final int switchCode = AppOpsManager.opToSwitch(code);

            // If there is a non-default per UID policy (we set UID op mode only if

            // non-default) it takes over, otherwise use the per package policy.
@@ -4832,7 +4833,7 @@ public class AppOpsService extends IAppOpsService.Stub { 
    }



    private boolean isOpRestrictedLocked(int uid, int code, String packageName,

            String attributionTag, @Nullable RestrictionBypass appBypass) {

            String attributionTag, @Nullable RestrictionBypass appBypass, boolean isCheckOp) {

        int restrictionSetCount = mOpGlobalRestrictions.size();



        for (int i = 0; i < restrictionSetCount; i++) {
@@ -4849,7 +4850,8 @@ public class AppOpsService extends IAppOpsService.Stub { 
            // For each client, check that the given op is not restricted, or that the given

            // package is exempt from the restriction.

            ClientUserRestrictionState restrictionState = mOpUserRestrictions.valueAt(i);

            if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle)) {

            if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle,

                    isCheckOp)) {

                RestrictionBypass opBypass = opAllowSystemBypassRestriction(code);

                if (opBypass != null) {

                    // If we are the system, bypass user restrictions for certain codes
@@ -7221,7 +7223,7 @@ public class AppOpsService extends IAppOpsService.Stub { 
        }



        public boolean hasRestriction(int restriction, String packageName, String attributionTag,

                int userId) {

                int userId, boolean isCheckOp) {

            if (perUserRestrictions == null) {

                return false;

            }
@@ -7240,6 +7242,9 @@ public class AppOpsService extends IAppOpsService.Stub { 
                return true;

            }



            if (isCheckOp) {

                return !perUserExclusions.includes(packageName);

            }

            return !perUserExclusions.contains(packageName, attributionTag);

        }
@@ -7406,7 +7411,8 @@ public class AppOpsService extends IAppOpsService.Stub { 
                int numRestrictions = mOpUserRestrictions.size();

                for (int i = 0; i < numRestrictions; i++) {

                    if (mOpUserRestrictions.valueAt(i)

                            .hasRestriction(code, pkg, attributionTag, user.getIdentifier())) {

                            .hasRestriction(code, pkg, attributionTag, user.getIdentifier(),

                                    false)) {

                        number++;

                    }

                }