Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 773862fd authored by Svet Ganov's avatar Svet Ganov
Browse files

Add fallback for datasource without UPDATE_APP_OP_STATS 

If the datasource is not in a trusted platform component then in would not
have UPDATE_APP_OPS_STATS. The problem is that an app is exposing runtime
permission protected data but cannot blame others in a trusted way which
would not properly show in permission usage UIs. As a fallback we are
adding a proxy op handling blaming the datasource and the caller.

bug: 183960997

Test: Assustant on auto projection works

Change-Id: I8a341a6c46c75eff86bac7a79c4219ebb7991071
parent befdba37

core/java/android/content/PermissionChecker.java

+37 −9
Original line number Diff line number Diff line
@@ -1064,11 +1064,25 @@ public final class PermissionChecker { 
                return AppOpsManager.MODE_ERRORED;

            }

            if (selfAccess) {

                // If the datasource is not in a trusted platform component then in would not

                // have UPDATE_APP_OPS_STATS and the call below would fail. The problem is that

                // an app is exposing runtime permission protected data but cannot blame others

                // in a trusted way which would not properly show in permission usage UIs.

                // As a fallback we note a proxy op that blames the app and the datasource.

                try {

                    return appOpsManager.startOpNoThrow(op, resolvedAttributionSource.getUid(),

                            resolvedAttributionSource.getPackageName(),

                            /*startIfModeDefault*/ false,

                            resolvedAttributionSource.getAttributionTag(),

                            message);

                } catch (SecurityException e) {

                    Slog.w(LOG_TAG, "Datasource " + attributionSource + " protecting data with"

                            + " platform defined runtime permission "

                            + AppOpsManager.opToPermission(op) + " while not having "

                            + Manifest.permission.UPDATE_APP_OPS_STATS);

                    return appOpsManager.startProxyOpNoThrow(op, attributionSource, message,

                            skipProxyOperation);

                }

            } else {

                return appOpsManager.startProxyOpNoThrow(op, resolvedAttributionSource, message,

                        skipProxyOperation);
@@ -1080,10 +1094,24 @@ public final class PermissionChecker { 
                return AppOpsManager.MODE_ERRORED;

            }

            if (selfAccess) {

                // If the datasource is not in a trusted platform component then in would not

                // have UPDATE_APP_OPS_STATS and the call below would fail. The problem is that

                // an app is exposing runtime permission protected data but cannot blame others

                // in a trusted way which would not properly show in permission usage UIs.

                // As a fallback we note a proxy op that blames the app and the datasource.

                try {

                    return appOpsManager.noteOpNoThrow(op, resolvedAttributionSource.getUid(),

                            resolvedAttributionSource.getPackageName(),

                            resolvedAttributionSource.getAttributionTag(),

                            message);

                } catch (SecurityException e) {

                    Slog.w(LOG_TAG, "Datasource " + attributionSource + " protecting data with"

                            + " platform defined runtime permission "

                            + AppOpsManager.opToPermission(op) + " while not having "

                            + Manifest.permission.UPDATE_APP_OPS_STATS);

                    return appOpsManager.noteProxyOpNoThrow(op, attributionSource, message,

                            skipProxyOperation);

                }

            } else {

                return appOpsManager.noteProxyOpNoThrow(op, resolvedAttributionSource, message,

                        skipProxyOperation);