Loading core/java/com/android/server/SystemConfig.java +20 −0 Original line number Diff line number Diff line Loading @@ -141,6 +141,7 @@ public class SystemConfig { final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>(); final ArrayMap<String, ArraySet<String>> mPrivAppDenyPermissions = new ArrayMap<>(); public static SystemConfig getInstance() { synchronized (SystemConfig.class) { Loading Loading @@ -219,6 +220,10 @@ public class SystemConfig { return mPrivAppPermissions.get(packageName); } public ArraySet<String> getPrivAppDenyPermissions(String packageName) { return mPrivAppDenyPermissions.get(packageName); } SystemConfig() { // Read configuration from system readPermissions(Environment.buildPath( Loading Loading @@ -660,6 +665,7 @@ public class SystemConfig { if (permissions == null) { permissions = new ArraySet<>(); } ArraySet<String> denyPermissions = mPrivAppDenyPermissions.get(packageName); int depth = parser.getDepth(); while (XmlUtils.nextElementWithin(parser, depth)) { String name = parser.getName(); Loading @@ -671,8 +677,22 @@ public class SystemConfig { continue; } permissions.add(permName); } else if ("deny-permission".equals(name)) { String permName = parser.getAttributeValue(null, "name"); if (TextUtils.isEmpty(permName)) { Slog.w(TAG, "name is required for <deny-permission> in " + parser.getPositionDescription()); continue; } if (denyPermissions == null) { denyPermissions = new ArraySet<>(); } denyPermissions.add(permName); } } mPrivAppPermissions.put(packageName, permissions); if (denyPermissions != null) { mPrivAppDenyPermissions.put(packageName, denyPermissions); } } } services/core/java/com/android/server/pm/PackageManagerService.java +15 −5 Original line number Diff line number Diff line Loading 
@@ -13191,18 +13191,28 @@ public class PackageManagerService extends IPackageManager.Stub boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName); if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp() && !platformPackage && platformPermission) { ArraySet<String> wlPermissions = SystemConfig.getInstance() final ArraySet<String> allowedPermissions = SystemConfig.getInstance() .getPrivAppPermissions(pkg.packageName); boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm); final boolean whitelisted = allowedPermissions != null && allowedPermissions.contains(perm); if (!whitelisted) { Slog.w(TAG, "Privileged permission " + perm + " for package " + pkg.packageName + " - not in privapp-permissions whitelist"); // Only report violations for apps on system image if (!mSystemReady && !pkg.isUpdatedSystemApp()) { // it's only a reportable violation if the permission isn't explicitly denied final ArraySet<String> deniedPermissions = SystemConfig.getInstance() .getPrivAppDenyPermissions(pkg.packageName); final boolean permissionViolation = deniedPermissions == null || !deniedPermissions.contains(perm); if (permissionViolation) { if (mPrivappPermissionsViolations == null) { mPrivappPermissionsViolations = new ArraySet<>(); } mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm); } else { return false; } } if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { return false; services/core/java/com/android/server/pm/PackageManagerShellCommand.java +15 −0 Original line number Diff line number Diff line Loading @@ -148,6 +148,8 @@ class PackageManagerShellCommand extends ShellCommand { return runSetHomeActivity(); case "get-privapp-permissions": return runGetPrivappPermissions(); case "get-privapp-deny-permissions": return runGetPrivappDenyPermissions(); case "get-instantapp-resolver": return runGetInstantAppResolver(); case "has-feature": Loading Loading 
@@ -1293,6 +1295,19 @@ class PackageManagerShellCommand extends ShellCommand { return 0; } private int runGetPrivappDenyPermissions() { final String pkg = getNextArg(); if (pkg == null) { System.err.println("Error: no package specified."); return 1; } ArraySet<String> privAppDenyPermissions = SystemConfig.getInstance().getPrivAppDenyPermissions(pkg); getOutPrintWriter().println(privAppDenyPermissions == null ? "{}" : privAppDenyPermissions.toString()); return 0; } private int runGetInstantAppResolver() { final PrintWriter pw = getOutPrintWriter(); try { Loading Loading
core/java/com/android/server/SystemConfig.java +20 −0 Original line number Diff line number Diff line Loading @@ -141,6 +141,7 @@ public class SystemConfig { final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>(); final ArrayMap<String, ArraySet<String>> mPrivAppDenyPermissions = new ArrayMap<>(); public static SystemConfig getInstance() { synchronized (SystemConfig.class) { Loading Loading @@ -219,6 +220,10 @@ public class SystemConfig { return mPrivAppPermissions.get(packageName); } public ArraySet<String> getPrivAppDenyPermissions(String packageName) { return mPrivAppDenyPermissions.get(packageName); } SystemConfig() { // Read configuration from system readPermissions(Environment.buildPath( Loading Loading @@ -660,6 +665,7 @@ public class SystemConfig { if (permissions == null) { permissions = new ArraySet<>(); } ArraySet<String> denyPermissions = mPrivAppDenyPermissions.get(packageName); int depth = parser.getDepth(); while (XmlUtils.nextElementWithin(parser, depth)) { String name = parser.getName(); Loading @@ -671,8 +677,22 @@ public class SystemConfig { continue; } permissions.add(permName); } else if ("deny-permission".equals(name)) { String permName = parser.getAttributeValue(null, "name"); if (TextUtils.isEmpty(permName)) { Slog.w(TAG, "name is required for <deny-permission> in " + parser.getPositionDescription()); continue; } if (denyPermissions == null) { denyPermissions = new ArraySet<>(); } denyPermissions.add(permName); } } mPrivAppPermissions.put(packageName, permissions); if (denyPermissions != null) { mPrivAppDenyPermissions.put(packageName, denyPermissions); } } }
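Review bot: In the new `deny-permission` branch, a name that is already listed under `<permission>` for the same package is accepted without any diagnostic, so one package can end up with the same permission in both `mPrivAppPermissions` and `mPrivAppDenyPermissions`. The PackageManagerService change in this commit consults the allow set first, so such a deny entry would be silently ignored. A warning at parse time makes the conflict visible: `if (permissions.contains(permName)) { Slog.w(TAG, "<deny-permission> " + permName + " also listed as <permission> in " + parser.getPositionDescription()); }`, with the mirror check in the `permission` branch for the opposite element order. `getPrivAppDenyPermissions` should also carry a comment saying it returns null when the package has no deny entries and otherwise hands out the live internal set. The enclosing parse method starts outside the hunk.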
services/core/java/com/android/server/pm/PackageManagerService.java +15 −5 Original line number Diff line number Diff line Loading @@ -13191,18 +13191,28 @@ public class PackageManagerService extends IPackageManager.Stub boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName); if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp() && !platformPackage && platformPermission) { ArraySet<String> wlPermissions = SystemConfig.getInstance() final ArraySet<String> allowedPermissions = SystemConfig.getInstance() .getPrivAppPermissions(pkg.packageName); boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm); final boolean whitelisted = allowedPermissions != null && allowedPermissions.contains(perm); if (!whitelisted) { Slog.w(TAG, "Privileged permission " + perm + " for package " + pkg.packageName + " - not in privapp-permissions whitelist"); // Only report violations for apps on system image if (!mSystemReady && !pkg.isUpdatedSystemApp()) { // it's only a reportable violation if the permission isn't explicitly denied final ArraySet<String> deniedPermissions = SystemConfig.getInstance() .getPrivAppDenyPermissions(pkg.packageName); final boolean permissionViolation = deniedPermissions == null || !deniedPermissions.contains(perm); if (permissionViolation) { if (mPrivappPermissionsViolations == null) { mPrivappPermissionsViolations = new ArraySet<>(); } mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm); } else { return false; } } if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { return false;
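Review bot: The deny list is consulted only inside `if (!mSystemReady && !pkg.isUpdatedSystemApp())`, so an explicitly denied permission reaches the new `return false` only for system-image apps during boot. For an updated system app, or once the system is ready, the result falls through to `CONTROL_PRIVAPP_PERMISSIONS_ENFORCE` and to whatever follows outside this hunk. If `<deny-permission>` is meant as an unconditional denial, do the lookup directly under `if (!whitelisted) {` and return there with `if (deniedPermissions != null && deniedPermissions.contains(perm)) { return false; }`, leaving the boot-only branch to record violations. Placing that check before the `Slog.w` also stops the "not in privapp-permissions whitelist" warning from being logged for a permission that was denied on purpose. The enclosing method begins and ends outside the hunk, so the fall-through behaviour is inferred from the visible lines only.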
services/core/java/com/android/server/pm/PackageManagerShellCommand.java +15 −0 Original line number Diff line number Diff line Loading @@ -148,6 +148,8 @@ class PackageManagerShellCommand extends ShellCommand { return runSetHomeActivity(); case "get-privapp-permissions": return runGetPrivappPermissions(); case "get-privapp-deny-permissions": return runGetPrivappDenyPermissions(); case "get-instantapp-resolver": return runGetInstantAppResolver(); case "has-feature": Loading Loading @@ -1293,6 +1295,19 @@ class PackageManagerShellCommand extends ShellCommand { return 0; } private int runGetPrivappDenyPermissions() { final String pkg = getNextArg(); if (pkg == null) { System.err.println("Error: no package specified."); return 1; } ArraySet<String> privAppDenyPermissions = SystemConfig.getInstance().getPrivAppDenyPermissions(pkg); getOutPrintWriter().println(privAppDenyPermissions == null ? "{}" : privAppDenyPermissions.toString()); return 0; } private int runGetInstantAppResolver() { final PrintWriter pw = getOutPrintWriter(); try { Loading
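Review bot: In `runGetPrivappDenyPermissions` the missing-argument error is written to `System.err`, which in a `ShellCommand` is the hosting process's stderr rather than the caller's stream, so the person running the command likely sees only exit code 1 and no message. Use the command's own error writer: `getErrPrintWriter().println("Error: no package specified.");`. The `"{}"` output is also identical for a package with no deny entries and for a package name that does not exist. A short comment above the method stating this would help anyone scripting against the command or using it to audit a device's privapp configuration.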