[ECM] Defer changing op mode to MODE_DEFAULT (8bca9a43) · Commits · e / os / android_frameworks_base

core/java/android/app/AppOpsManager.java

+1 −3

Original line number	Diff line number	Diff line
		@@ -2981,9 +2981,7 @@ public class AppOpsManager {
		new AppOpInfo.Builder(OP_ESTABLISH_VPN_MANAGER, OPSTR_ESTABLISH_VPN_MANAGER,
		"ESTABLISH_VPN_MANAGER").setDefaultMode(AppOpsManager.MODE_ALLOWED).build(),
		new AppOpInfo.Builder(OP_ACCESS_RESTRICTED_SETTINGS, OPSTR_ACCESS_RESTRICTED_SETTINGS,
		"ACCESS_RESTRICTED_SETTINGS").setDefaultMode(
		android.permission.flags.Flags.enhancedConfirmationModeApisEnabled()
		? MODE_DEFAULT : MODE_ALLOWED)
		"ACCESS_RESTRICTED_SETTINGS").setDefaultMode(AppOpsManager.MODE_ALLOWED)
		.setDisableReset(true).setRestrictRead(true).build(),
		new AppOpInfo.Builder(OP_RECEIVE_AMBIENT_TRIGGER_AUDIO, OPSTR_RECEIVE_AMBIENT_TRIGGER_AUDIO,
		"RECEIVE_SOUNDTRIGGER_AUDIO").setDefaultMode(AppOpsManager.MODE_ALLOWED)

services/core/java/com/android/server/pm/InstallPackageHelper.java

+20 −5

Original line number	Diff line number	Diff line
		@@ -2504,13 +2504,13 @@ final class InstallPackageHelper {
		Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
		}

		private void enableRestrictedSettings(String pkgName, int appId, int userId) {
		private void setAccessRestrictedSettingsMode(String pkgName, int appId, int userId, int mode) {
		final AppOpsManager appOpsManager = mPm.mContext.getSystemService(AppOpsManager.class);
		final int uid = UserHandle.getUid(userId, appId);
		appOpsManager.setMode(AppOpsManager.OP_ACCESS_RESTRICTED_SETTINGS,
		uid,
		pkgName,
		AppOpsManager.MODE_ERRORED);
		mode);
		}

		/**
		@@ -2888,8 +2888,21 @@ final class InstallPackageHelper {
		mPm.notifyPackageChanged(packageName, request.getAppId());
		}

		if (!android.permission.flags.Flags.enhancedConfirmationModeApisEnabled()
		\|\| !android.security.Flags.extendEcmToAllSettings()) {
		// Set the OP_ACCESS_RESTRICTED_SETTINGS op, which is used by ECM (see {@link
		// EnhancedConfirmationManager}) as a persistent state denoting whether an app is
		// currently guarded by ECM, not guarded by ECM, or (in Android V+) that this should
		// be decided later.
		if (android.permission.flags.Flags.enhancedConfirmationModeApisEnabled()
		&& android.security.Flags.extendEcmToAllSettings()) {
		final int appId = request.getAppId();
		mPm.mHandler.post(() -> {
		for (int userId : firstUserIds) {
		// MODE_DEFAULT means that the app's guardedness will be decided lazily
		setAccessRestrictedSettingsMode(packageName, appId, userId,
		AppOpsManager.MODE_DEFAULT);
		}
		});
		} else {
		// Apply restricted settings on potentially dangerous packages. Needs to happen
		// after appOpsManager is notified of the new package
		if (request.getPackageSource() == PackageInstaller.PACKAGE_SOURCE_LOCAL_FILE
		@@ -2898,7 +2911,9 @@ final class InstallPackageHelper {
		final int appId = request.getAppId();
		mPm.mHandler.post(() -> {
		for (int userId : firstUserIds) {
		enableRestrictedSettings(packageName, appId, userId);
		// MODE_ERRORED means that the app is explicitly guarded
		setAccessRestrictedSettingsMode(packageName, appId, userId,
		AppOpsManager.MODE_ERRORED);
		}
		});
		}