
Commit 8625cdd0 authored by Philip P. Moltmann's avatar Philip P. Moltmann

Pre-Q storage perm should behave hard restricted

Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/policy:presubmit
Fixes: 131188778
Change-Id: If99dc99e8164156ae15f6617d0383513d505e15e
parent faa788af
+9 −1
@@ -97,6 +97,7 @@ import com.android.server.pm.SharedUserSetting;
import com.android.server.pm.UserManagerService;
import com.android.server.pm.permission.PermissionManagerServiceInternal.PermissionCallback;
import com.android.server.pm.permission.PermissionsState.PermissionState;
import com.android.server.policy.SoftRestrictedPermissionPolicy;

import libcore.util.EmptyArray;

@@ -2121,11 +2122,18 @@ public class PermissionManagerService {

        if (bp.isHardRestricted()
                && (flags & PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) == 0) {
            Log.e(TAG, "Cannot grant restricted non-exempt permission "
            Log.e(TAG, "Cannot grant hard restricted non-exempt permission "
                    + permName + " for package " + packageName);
            return;
        }

        if (bp.isSoftRestricted() && !SoftRestrictedPermissionPolicy.forPermission(mContext,
                pkg.applicationInfo, permName).canBeGranted()) {
            Log.e(TAG, "Cannot grant soft restricted permission " + permName + " for package "
                    + packageName);
            return;
        }

        if (bp.isDevelopment()) {
            // Development permissions must be handled specially, since they are not
            // normal runtime permissions.  For now they apply to all users.
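Review bot: The soft-restricted check added just before `bp.isDevelopment()` builds its policy from `mContext`, and `SoftRestrictedPermissionPolicy.forPermission` reads the exemption flags with `context.getUser()`, whereas the hard-restricted check directly above tests the local `flags`. If this method can grant for a user other than the one `mContext` belongs to, the whitelist decision would be made on a different user's flags, and a grant could be wrongly allowed or refused. The method's signature and the origin of `flags` are outside the hunk, so this needs confirming against the full method. I would pass the target user (or the already-fetched `flags`) into `forPermission` so both restriction checks evaluate the same state, with a comment such as `// Exemption flags must be those of the user the grant targets`.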
+40 −3
@@ -24,17 +24,29 @@ import static android.app.AppOpsManager.MODE_IGNORED;
import static android.app.AppOpsManager.OP_LEGACY_STORAGE;
import static android.app.AppOpsManager.OP_NONE;
import static android.content.pm.PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;

import android.annotation.NonNull;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.util.Log;

/**
 * The behavior of soft restricted permissions is different for each permission. This class collects
 * the policies in one place.
 */
public abstract class SoftRestrictedPermissionPolicy {
    private static final String LOG_TAG = SoftRestrictedPermissionPolicy.class.getSimpleName();

    private static final int FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT =
            FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT
                    | FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT
                    | FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;

    private static final SoftRestrictedPermissionPolicy DUMMY_POLICY =
            new SoftRestrictedPermissionPolicy() {
                @Override
@@ -51,6 +63,11 @@ public abstract class SoftRestrictedPermissionPolicy {
                public boolean shouldSetAppOpIfNotDefault() {
                    return false;
                }

                @Override
                public boolean canBeGranted() {
                    return true;
                }
            };

    /**
@@ -70,11 +87,13 @@ public abstract class SoftRestrictedPermissionPolicy {
            // collections.
            case READ_EXTERNAL_STORAGE:
            case WRITE_EXTERNAL_STORAGE: {
                boolean applyRestriction = (context.getPackageManager().getPermissionFlags(
                        permission, appInfo.packageName, context.getUser())
                        & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
                int flags = context.getPackageManager().getPermissionFlags(
                        permission, appInfo.packageName, context.getUser());
                boolean applyRestriction = (flags & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
                boolean isWhiteListed = (flags & FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) != 0;
                boolean hasRequestedLegacyExternalStorage =
                        appInfo.hasRequestedLegacyExternalStorage();
                int targetSDK = appInfo.targetSdkVersion;

                return new SoftRestrictedPermissionPolicy() {
                    @Override
@@ -99,6 +118,19 @@ public abstract class SoftRestrictedPermissionPolicy {
                        // turn on isolated storage. This will make the app loose all its files.
                        return getAppOpMode() != MODE_IGNORED;
                    }

                    @Override
                    public boolean canBeGranted() {
                        if (isWhiteListed || targetSDK >= Build.VERSION_CODES.Q) {
                            return true;
                        } else {
                            Log.w(LOG_TAG, permission + " for " + appInfo.packageName
                                    + " is not whitelisted and targetSDK " + targetSDK + "<"
                                    + Build.VERSION_CODES.Q);

                            return false;
                        }
                    }
                };
            }
            default:
@@ -122,4 +154,9 @@ public abstract class SoftRestrictedPermissionPolicy {
     * {@link AppOpsManager#MODE_DEFAULT}.
     */
    public abstract boolean shouldSetAppOpIfNotDefault();

    /**
     * @return If the permission can be granted
     */
    public abstract boolean canBeGranted();
}
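Review bot: `FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT` is redefined as a private field in this class, while `PermissionManagerService` uses `PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT` for the hard-restricted check. Two copies of the exemption mask can drift if another exempt flag is added, and `isWhiteListed` would then disagree with the hard-restricted path. Unless the PackageManager constant is not visible from this class, prefer `import static android.content.pm.PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT;` and drop the local field. The Javadoc on `canBeGranted()` should also state that the result is computed from the flags and target SDK captured when `forPermission` was called. It should note too that `DUMMY_POLICY` returns true, so a soft-restricted permission without its own case is presumably always grantable (the `default:` branch body is outside the hunk).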
+8 −0
@@ -27,6 +27,14 @@
          "exclude-annotation": "androidx.test.filters.FlakyTest"
        }
      ]
    },
    {
      "name": "CtsPermission2TestCases",
      "options": [
        {
          "include-filter": "android.permission2.cts.RestrictedPermissionsTest"
        }
      ]
    }
  ],
  "postsubmit": [