
Unverified Commit 916ccd97 authored by Roman Birg's avatar Roman Birg Committed by Michael Bestas

Allow permissions to be granted via whitelisted signatures

When an application defines a permission, it can now add a new
attribute "allowViaWhitelist", a boolean value. If set to true,
the permission may be granted to a package signed with a predefined key,
if it is defined via <allow-permission> in
/system/etc/permissions/someapp.xml.

Since this is a hidden attribute, it must use the prv namespace XML
declaration. E.g.: add the following to the <manifest> tag:

       xmlns:androidprv="http://schemas.android.com/apk/prv/res/android

"

In the permission declaration:

        <permission
            android:name=""
            android:protectionLevel="signature"
            androidprv:allowViaWhitelist="true" />

And a corresponding entry in /system/etc/permissions/someapp.xml:

        <allow-permission
            name="some.android.PERMISSION"
            signature="<known public signature>" />

Note: if the permission never declares "allowViaWhitelist", then the
whitelisted permissions will be ignored.

Change-Id: Ie4597a07eb0a193375fa2724bd9cf468184a7926
Signed-off-by: default avatarRoman Birg <roman@cyngn.com>

PackageManager: copy allowViaWhitelist flag for perm trees

Ref: CYNGNOS-622
Change-Id: Ic52f179d79ac69a055f994df05a502f893435a26
Signed-off-by: default avatarRoman Birg <roman@cyngn.com>

Explicitly declare which permissions can be granted via signature

This moves the older <allow-permissions> implementation inline with the
newer one, which requires any permission that can be granted via a
signature to explicitly add the attribute allowViaWhitelist="true".

Change-Id: Ie9f9bf6e2138075b750c58090dcd7030eff174f1
Signed-off-by: default avatarRoman Birg <roman@cyngn.com>

Allow CAPTURE_AUDIO_HOTWORD to be whitelisted by signature.

Change-Id: Ia4589c0fd5480a6f462812f5081160262632f09f

Allow additional permissions to be whitelisted by signature.

- android.permission.SET_PREFERRED_APPLICATIONS.
- android.permission.INTERACT_ACROSS_USERS_FULL.

Change-Id: I3fdb3fd412d3eb641a5745eb298afa1121540ccf

allow GET_ACCOUNTS_PRIVELEGED to be whitelisted

Change-Id: Idc5e5535476015800e47f0a3a472729a926dd7b1
Signed-off-by: default avatarRoman Birg <roman@cyngn.com>

allow priveleged phone state permission to be whitelisted

Ref: CYNGNOS-1660

Change-Id: I377ad833e44d5c54bbcf2f7447fe5383edc457fb
Signed-off-by: default avatarRoman Birg <roman@cyngn.com>

allow whitelisting of ACCESS_KEYGUARD_SECURE_STORAGE

Ref: CYNGNOS-1727

Change-Id: I7151ce3fa7c57ee89fecf691d6e92c4ab39ecf37
Signed-off-by: default avatarRoman Birg <roman@cyngn.com>

Allow granting permissions based on signature in <allow-permission/>

This patch allows us to either specify a sharedUserId or a package
signature to use when granting the specific permission.

Change-Id: I8aed78d40316e0e94ac1bfefc7c4a3016a2a9a6b

Explicitly declare which permissions can be granted via signature

This moves the older <allow-permissions> implementation inline with the
newer one, which requires any permission that can be granted via a
signature to explicitly add the attribute allowViaWhitelist="true".

Change-Id: Ie9f9bf6e2138075b750c58090dcd7030eff174f1
Signed-off-by: default avatarRoman Birg <roman@cyngn.com>
parent 4b01d621
+4 −0
@@ -2630,6 +2630,10 @@ public class PackageParser {
        perm.info.flags = sa.getInt(
                com.android.internal.R.styleable.AndroidManifestPermission_permissionFlags, 0);

        perm.info.allowViaWhitelist = sa.getBoolean(
                com.android.internal.R.styleable.AndroidManifestPermission_allowViaWhitelist,
                false);

        sa.recycle();

        if (perm.info.protectionLevel == -1) {
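Review bot: The attribute is read here for every package's <permission> declaration, not only the platform's, so any third-party APK can put `androidprv:allowViaWhitelist="true"` on a permission it defines. That is harmless only as long as the grant side additionally requires a matching <allow-permission> entry loaded by SystemConfig from /system/etc/permissions, and that grant-side check is not in the files shown on this page. A comment at the assignment would make the dependency explicit, e.g. `// Only meaningful together with an <allow-permission> entry in SystemConfig; the flag alone grants nothing.` The enclosing parse method starts and ends outside the hunk.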
+11 −0
@@ -187,6 +187,14 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
     */
    public CharSequence nonLocalizedDescription;

    /**
     * Whether this permission will be granted to apps signed with white-listed keys in
     * /system/etc/permissions/someapp.xml
     *
     * @hide
     */
    public boolean allowViaWhitelist;

    /** @hide */
    public static int fixProtectionLevel(int level) {
        if (level == PROTECTION_SIGNATURE_OR_SYSTEM) {
@@ -249,6 +257,7 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
        group = orig.group;
        descriptionRes = orig.descriptionRes;
        nonLocalizedDescription = orig.nonLocalizedDescription;
        allowViaWhitelist = orig.allowViaWhitelist;
    }

    /**
@@ -291,6 +300,7 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
        dest.writeInt(flags);
        dest.writeString(group);
        dest.writeInt(descriptionRes);
        dest.writeInt(allowViaWhitelist ? 1 : 0);
        TextUtils.writeToParcel(nonLocalizedDescription, dest, parcelableFlags);
    }

@@ -310,6 +320,7 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
        flags = source.readInt();
        group = source.readString();
        descriptionRes = source.readInt();
        allowViaWhitelist = source.readInt() == 1;
        nonLocalizedDescription = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(source);
    }
}
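Review bot: The Javadoc on the new field overstates what it does: "will be granted to apps signed with white-listed keys" reads as if the flag itself were the grant, whereas the commit description says the flag only makes an <allow-permission> entry effective. I would reword it to `Whether this permission may be granted to a package whose signing certificate is listed for it in an <allow-permission> entry under /system/etc/permissions; without such an entry the flag has no effect.` The parcel write (`writeInt(allowViaWhitelist ? 1 : 0)`) and read (`readInt() == 1`) are inserted at the same position relative to nonLocalizedDescription, so the wire order stays consistent; a one-line comment noting that the two must stay in step would help the next person who adds a field.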
+47 −0
@@ -22,6 +22,7 @@ import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.pm.FeatureInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Environment;
import android.os.Process;
import android.os.storage.StorageManager;
@@ -130,6 +131,9 @@ public class SystemConfig {
    final ArrayMap<String, List<String>> mDisabledUntilUsedPreinstalledCarrierAssociatedApps =
            new ArrayMap<>();

    final ArrayMap<Signature, ArraySet<String>> mSignatureAllowances =
            new ArrayMap<Signature, ArraySet<String>>();

    public static SystemConfig getInstance() {
        synchronized (SystemConfig.class) {
            if (sInstance == null) {
@@ -191,10 +195,15 @@ public class SystemConfig {
        return mBackupTransportWhitelist;
    }


    public ArrayMap<String, List<String>> getDisabledUntilUsedPreinstalledCarrierAssociatedApps() {
        return mDisabledUntilUsedPreinstalledCarrierAssociatedApps;
    }

    public ArrayMap<Signature, ArraySet<String>> getSignatureAllowances() {
        return mSignatureAllowances;
    }

    SystemConfig() {
        // Read configuration from system
        readPermissions(Environment.buildPath(
@@ -314,6 +323,44 @@ public class SystemConfig {

                    XmlUtils.skipCurrentTag(parser);
                    continue;

                } else if ("allow-permission".equals(name)) {
                    String perm = parser.getAttributeValue(null, "name");
                    if (perm == null) {
                        Slog.w(TAG,
                                "<allow-permission> without name at "
                                        + parser.getPositionDescription());
                        XmlUtils.skipCurrentTag(parser);
                        continue;
                    }
                    String signature = parser.getAttributeValue(null, "signature");
                    if (signature == null) {
                        Slog.w(TAG,
                                "<allow-permission> without signature at "
                                        + parser.getPositionDescription());
                        XmlUtils.skipCurrentTag(parser);
                        continue;
                    }
                    Signature sig = null;
                    try {
                        sig = new Signature(signature);
                    } catch (IllegalArgumentException e) {
                        // sig will be null so we will log it below
                    }
                    if (sig != null) {
                        ArraySet<String> perms = mSignatureAllowances.get(sig);
                        if (perms == null) {
                            perms = new ArraySet<String>();
                            mSignatureAllowances.put(sig, perms);
                        }
                        perms.add(perm);
                    } else {
                        Slog.w(TAG,
                                "<allow-permission> with bad signature at "
                                        + parser.getPositionDescription());
                    }
                    XmlUtils.skipCurrentTag(parser);

                } else if ("permission".equals(name) && allowPermissions) {
                    String perm = parser.getAttributeValue(null, "name");
                    if (perm == null) {
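Review bot: The new `allow-permission` branch is not gated on `allowPermissions`, unlike the sibling `permission` branch on the last line of the hunk, so a config file from a directory where plain <permission> declarations are rejected can still register signature allowances for the privileged permissions tagged in the manifest. Unless that asymmetry is intended (the caller's flag semantics are outside this hunk), the condition should read `} else if ("allow-permission".equals(name) && allowPermissions) {`. Separately, `getSignatureAllowances()` hands out the mutable backing map; if the system server only reads it, say so in a comment or return an unmodifiable view so a caller cannot widen the whitelist at runtime. The enclosing XML-reading method starts and ends outside the hunk.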
+35 −17
@@ -18,6 +18,7 @@
*/
-->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:androidprv="http://schemas.android.com/apk/prv/res/android"
    package="android" coreApp="true" android:sharedUserId="android.uid.system"
    android:sharedUserLabel="@string/android_system_label">

@@ -1512,7 +1513,8 @@
    <!-- @SystemApi Allows read access to privileged phone state.
         @hide Used internally. -->
    <permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- @SystemApi Protects the ability to register any PhoneAccount with
         PhoneAccount#CAPABILITY_SIM_SUBSCRIPTION. This capability indicates that the PhoneAccount
@@ -1581,7 +1583,8 @@
    <!-- @SystemApi Allows an application to write to internal media storage
         @hide  -->
    <permission android:name="android.permission.WRITE_MEDIA_STORAGE"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows an application to manage access to documents, usually as part
         of a document picker.
@@ -1654,7 +1657,8 @@
         types of interactions
         @hide -->
    <permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL"
        android:protectionLevel="signature|installer" />
        android:protectionLevel="signature|installer"
        androidprv:allowViaWhitelist="true" />

    <!-- @SystemApi @hide Allows an application to call APIs that allow it to query and manage
         users on the device. This permission is not available to
@@ -1935,7 +1939,8 @@
         {@link android.content.pm.PackageManager#addPackageToPreferred}
         for details. -->
    <permission android:name="android.permission.SET_PREFERRED_APPLICATIONS"
        android:protectionLevel="signature" />
        android:protectionLevel="signature"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows an application to receive the
         {@link android.content.Intent#ACTION_BOOT_COMPLETED} that is
@@ -2040,7 +2045,8 @@
         interacting with the recovery (system update) system.
         @hide -->
    <permission android:name="android.permission.RECOVERY"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows the system to bind to an application's task services
         @hide -->
@@ -2069,7 +2075,8 @@
    <!-- @SystemApi Allows an application to read or write the secure system settings.
    <p>Not for use by third-party applications. -->
    <permission android:name="android.permission.WRITE_SECURE_SETTINGS"
        android:protectionLevel="signature|privileged|development" />
        android:protectionLevel="signature|privileged|development"
        androidprv:allowViaWhitelist="true" />

    <!-- @SystemApi Allows an application to retrieve state dump information from system services.
    <p>Not for use by third-party applications. -->
@@ -2111,7 +2118,8 @@

    <!-- @SystemApi Allows access to the list of accounts in the Accounts Service. -->
    <permission android:name="android.permission.GET_ACCOUNTS_PRIVILEGED"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows but does not guarantee access to user passwords at the conclusion of add account
    @hide -->
@@ -2228,7 +2236,8 @@
         @hide
    -->
    <permission android:name="android.permission.SET_ACTIVITY_WATCHER"
        android:protectionLevel="signature" />
        android:protectionLevel="signature"
        androidprv:allowViaWhitelist="true" />

    <!-- @SystemApi Allows an application to call the activity manager shutdown() API
         to put the higher-level system there into a shutdown state.
@@ -2530,7 +2539,8 @@
         get access to the frame buffer data.
         <p>Not for use by third-party applications. -->
    <permission android:name="android.permission.READ_FRAME_BUFFER"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows an application to use InputFlinger's low level features.
         @hide -->
@@ -2571,7 +2581,8 @@
         <p>Not for use by third-party applications.</p>
         @hide -->
    <permission android:name="android.permission.CAPTURE_AUDIO_HOTWORD"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- @SystemApi Allows an application to modify audio routing and override policy decisions.
         <p>Not for use by third-party applications.</p>
@@ -2582,12 +2593,14 @@
    <!-- @SystemApi Allows an application to capture video output.
         <p>Not for use by third-party applications.</p> -->
    <permission android:name="android.permission.CAPTURE_VIDEO_OUTPUT"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- @SystemApi Allows an application to capture secure video output.
         <p>Not for use by third-party applications.</p> -->
    <permission android:name="android.permission.CAPTURE_SECURE_VIDEO_OUTPUT"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- @SystemApi Allows an application to know what content is playing and control its playback.
         <p>Not for use by third-party applications due to privacy of media consumption</p>  -->
@@ -2604,7 +2617,8 @@
    <!-- @SystemApi Required to be able to reboot the device.
    <p>Not for use by third-party applications. -->
    <permission android:name="android.permission.REBOOT"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

   <!-- @SystemApi Allows low-level access to power management.
        <p>Not for use by third-party applications.
@@ -2718,7 +2732,8 @@
    <p>Not for use by third-party applications.
         @hide pending API council -->
    <permission android:name="android.permission.BACKUP"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows a package to launch the secure full-backup confirmation UI.
         ONLY the system process may hold this permission.
@@ -2803,7 +2818,8 @@
    <!-- @SystemApi Allow an application to read and write the cache partition.
         @hide -->
    <permission android:name="android.permission.ACCESS_CACHE_FILESYSTEM"
        android:protectionLevel="signature|privileged" />
        android:protectionLevel="signature|privileged"
        androidprv:allowViaWhitelist="true" />

    <!-- Must be required by default container service so that only
         the system can bind to it and use it to copy
@@ -2911,7 +2927,8 @@
    <!-- Allows access to keyguard secure storage.  Only allowed for system processes.
        @hide -->
    <permission android:name="android.permission.ACCESS_KEYGUARD_SECURE_STORAGE"
        android:protectionLevel="signature" />
        android:protectionLevel="signature"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows managing (adding, removing) fingerprint templates. Reserved for the system. @hide -->
    <permission android:name="android.permission.MANAGE_FINGERPRINT"
@@ -2924,7 +2941,8 @@
    <!-- Allows an application to control keyguard.  Only allowed for system processes.
        @hide -->
    <permission android:name="android.permission.CONTROL_KEYGUARD"
        android:protectionLevel="signature" />
        android:protectionLevel="signature"
        androidprv:allowViaWhitelist="true" />

    <!-- Allows an application to listen to trust changes.  Only allowed for system processes.
        @hide -->
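Review bot: Several permissions now tagged `androidprv:allowViaWhitelist="true"` keep a comment that the tag contradicts: ACCESS_KEYGUARD_SECURE_STORAGE and CONTROL_KEYGUARD still say "Only allowed for system processes", yet with this change any package whose signing certificate appears in an <allow-permission> entry may hold them. The comments should say so, e.g. `<!-- Allows access to keyguard secure storage. Only allowed for system processes and for packages whose signing certificate is whitelisted for it under /system/etc/permissions. @hide -->`. The set tagged here (RECOVERY, WRITE_SECURE_SETTINGS, REBOOT, BACKUP, READ_FRAME_BUFFER, CAPTURE_SECURE_VIDEO_OUTPUT, INTERACT_ACROSS_USERS_FULL, among others) is also wider than the permissions named in the commit description; naming the full set there, or adding a short why-comment per permission, would let a reviewer judge each one on its own.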
+3 −0
@@ -1357,6 +1357,9 @@
        <attr name="description" />
        <attr name="protectionLevel" />
        <attr name="permissionFlags" />
        <!--  @hide Allows permissions to be granted to specific application signatures,
              which are defined in /system/etc/permissions/someapp.xml. -->
        <attr name="allowViaWhitelist" format="boolean" />
    </declare-styleable>

    <!-- The <code>permission-group</code> tag declares a logical grouping of