
Commit 7c1b2f10 authored by Hai Zhang's avatar Hai Zhang

Allow APEX to customize signature permission allowlist.

Bug: 308573169
Flag: android.permission.flags.apex_signature_permission_allowlist_enabled
Test: manual
Change-Id: I8257156e9825e66e527b8e8c3a2fac76485b5377
parent d0507ffd
+13 −2
@@ -202,3 +202,14 @@ flag {
    description: "Persist device attributed AppOp accesses on the disk"
    bug: "308201969"
}

flag {
    name: "apex_signature_permission_allowlist_enabled"
    is_fixed_read_only: true
    namespace: "permissions"
    description: "Enable reading signature permission allowlist from APEXes"
    bug: "308573169"
    metadata {
        purpose: PURPOSE_BUGFIX
    }
}
+8 −0
@@ -720,6 +720,9 @@ public class SystemConfig {
        }
        // Read configuration of features, libs and priv-app permissions from apex module.
        int apexPermissionFlag = ALLOW_LIBS | ALLOW_FEATURES | ALLOW_PRIVAPP_PERMISSIONS;
        if (android.permission.flags.Flags.apexSignaturePermissionAllowlistEnabled()) {
            apexPermissionFlag |= ALLOW_SIGNATURE_PERMISSIONS;
        }
        // TODO: Use a solid way to filter apex module folders?
        for (File f: FileUtils.listFilesOrEmpty(Environment.getApexDirectory())) {
            if (f.isFile() || f.getPath().contains("@")) {
@@ -1322,6 +1325,8 @@ public class SystemConfig {
                                    Environment.getProductDirectory().toPath() + "/");
                            boolean systemExt = permFile.toPath().startsWith(
                                    Environment.getSystemExtDirectory().toPath() + "/");
                            boolean apex = permFile.toPath().startsWith(
                                    Environment.getApexDirectory().toPath() + "/");
                            if (vendor) {
                                readSignatureAppPermissions(parser,
                                        mPermissionAllowlist.getVendorSignatureAppAllowlist());
@@ -1331,6 +1336,9 @@ public class SystemConfig {
                            } else if (systemExt) {
                                readSignatureAppPermissions(parser,
                                        mPermissionAllowlist.getSystemExtSignatureAppAllowlist());
                            } else if (apex) {
                                readSignatureAppPermissions(parser,
                                        mPermissionAllowlist.getApexSignatureAppAllowlist());
                            } else {
                                readSignatureAppPermissions(parser,
                                        mPermissionAllowlist.getSignatureAppAllowlist());
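Review bot: The new `apex` branch puts every APEX's entries into one shared map (`getApexSignatureAppAllowlist()`), and the call passes only the parser and that map, so nothing visible here ties an allowlisted package to the module whose file named it. As far as these lines show, an allowlist file in one APEX can list a package shipped by another module or by a partition; if that is not intended, entries should be keyed or checked by owning module before they are accepted. If it is intended, say so above the branch, e.g. `// APEX signature allowlist entries are not scoped per module; any APEX file may name any package.` The comment in the first hunk, `// Read configuration of features, libs and priv-app permissions from apex module.`, should also mention signature permissions now that `ALLOW_SIGNATURE_PERMISSIONS` can be set. The `if`/`else` chain starts and ends outside this hunk.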
+4 −1
@@ -2946,6 +2946,9 @@ class PackageManagerShellCommand extends ShellCommand {
            case "system-ext":
                allowlist = permissionAllowlist.getSystemExtSignatureAppAllowlist();
                break;
            case "apex":
                allowlist = permissionAllowlist.getApexSignatureAppAllowlist();
                break;
            default:
                getErrPrintWriter().println("Error: unknown partition: " + partition);
                return 1;
@@ -4923,7 +4926,7 @@ class PackageManagerShellCommand extends ShellCommand {
        pw.println("");
        pw.println("  get-signature-permission-allowlist PARTITION");
        pw.println("    Prints the signature permission allowlist for a partition.");
        pw.println("    PARTITION is one of system, vendor, product and system-ext");
        pw.println("    PARTITION is one of system, vendor, product, system-ext and apex");
        pw.println("");
        pw.println("  get-shared-uid-allowlist");
        pw.println("    Prints the shared UID allowlist.");
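Review bot: The `apex` case is accepted whether or not `apex_signature_permission_allowlist_enabled` is on, so with the flag off the command presumably prints an empty list instead of reporting that APEX allowlists are not being read. Someone auditing a device could read that output as "no APEX entries". Consider checking the flag in this case and printing a line that the APEX allowlist is disabled, and noting the same in the help text. The `switch` begins and ends outside the hunk.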
+18 −0
@@ -55,6 +55,9 @@ public final class PermissionAllowlist {
    @NonNull
    private final ArrayMap<String, ArrayMap<String, Boolean>> mSystemExtSignatureAppAllowlist =
            new ArrayMap<>();
    @NonNull
    private final ArrayMap<String, ArrayMap<String, Boolean>> mApexSignatureAppAllowlist =
            new ArrayMap<>();

    @NonNull
    public ArrayMap<String, ArrayMap<String, Boolean>> getOemAppAllowlist() {
@@ -107,6 +110,11 @@ public final class PermissionAllowlist {
        return mSystemExtSignatureAppAllowlist;
    }

    @NonNull
    public ArrayMap<String, ArrayMap<String, Boolean>> getApexSignatureAppAllowlist() {
        return mApexSignatureAppAllowlist;
    }

    @Nullable
    public Boolean getOemAppAllowlistState(@NonNull String packageName,
            @NonNull String permissionName) {
@@ -211,4 +219,14 @@ public final class PermissionAllowlist {
        }
        return permissions.get(permissionName);
    }

    @Nullable
    public Boolean getApexSignatureAppAllowlistState(@NonNull String packageName,
            @NonNull String permissionName) {
        ArrayMap<String, Boolean> permissions = mApexSignatureAppAllowlist.get(packageName);
        if (permissions == null) {
            return null;
        }
        return permissions.get(permissionName);
    }
}
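Review bot: `getApexSignatureAppAllowlistState` has no Javadoc, although callers depend on its three-valued result. It returns `null` both when the package has no entry and when the package is listed without this permission, and otherwise returns the stored `Boolean`. I would add `/** Returns the APEX signature allowlist entry for the permission, or {@code null} if the package or the permission is not listed. */`. `getApexSignatureAppAllowlist()` returns the mutable backing map, as the existing getters do, so a one-line comment naming who is expected to write to it would help anyone checking where entries can come from.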
+5 −4
@@ -1277,7 +1277,8 @@ class AppIdPermissionPolicy : SchemePolicy() {
                    permissionName
                )
            else ->
                permissionAllowlist.getProductSignatureAppAllowlistState(
                permissionAllowlist.getApexSignatureAppAllowlistState(packageName, permissionName)
                    ?: permissionAllowlist.getProductSignatureAppAllowlistState(
                        packageName,
                        permissionName
                    )
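Review bot: In the `else` branch the APEX allowlist is consulted for every package that reaches it, not only for packages that come from an APEX. Because `?:` falls through only on `null`, any non-null APEX entry, allow or deny, wins before the fallback list is read. If that precedence is intended, document it with something like `// APEX entries take precedence over the fallback allowlist; only a missing entry falls through`; otherwise restrict the APEX lookup to packages known to be APEX-provided. The fallback here is `getProductSignatureAppAllowlistState`, while the default branch in SystemConfig fills `getSignatureAppAllowlist()`, so it is worth confirming which allowlist this branch is meant to consult. The enclosing `when` starts outside the hunk.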