Perform the user-allowlist check after all other fixed allowlist check (95e7a3ee) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/am/AppRestrictionController.java

+19 −14

Original line number	Diff line number	Diff line
		@@ -2790,13 +2790,6 @@ public final class AppRestrictionController {
		if (isOnSystemDeviceIdleAllowlist(uid)) {
		return REASON_SYSTEM_ALLOW_LISTED;
		}
		if (isOnDeviceIdleAllowlist(uid)) {
		return REASON_ALLOWLISTED_PACKAGE;
		}
		final ActivityManagerInternal am = mInjector.getActivityManagerInternal();
		if (am.isAssociatedCompanionApp(UserHandle.getUserId(uid), uid)) {
		return REASON_COMPANION_DEVICE_MANAGER;
		}
		if (UserManager.isDeviceInDemoMode(mContext)) {
		return REASON_DEVICE_DEMO_MODE;
		}
		@@ -2805,6 +2798,7 @@ public final class AppRestrictionController {
		.hasUserRestriction(UserManager.DISALLOW_APPS_CONTROL, userId)) {
		return REASON_DISALLOW_APPS_CONTROL;
		}
		final ActivityManagerInternal am = mInjector.getActivityManagerInternal();
		if (am.isDeviceOwner(uid)) {
		return REASON_DEVICE_OWNER;
		}
		@@ -2822,14 +2816,9 @@ public final class AppRestrictionController {
		final AppOpsManager appOpsManager = mInjector.getAppOpsManager();
		final PackageManagerInternal pm = mInjector.getPackageManagerInternal();
		final AppStandbyInternal appStandbyInternal = mInjector.getAppStandbyInternal();
		// Check each packages to see if any of them is in the "fixed" exemption cases.
		for (String pkg : packages) {
		if (appOpsManager.checkOpNoThrow(AppOpsManager.OP_ACTIVATE_VPN,
		uid, pkg) == AppOpsManager.MODE_ALLOWED) {
		return REASON_OP_ACTIVATE_VPN;
		} else if (appOpsManager.checkOpNoThrow(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN,
		uid, pkg) == AppOpsManager.MODE_ALLOWED) {
		return REASON_OP_ACTIVATE_PLATFORM_VPN;
		} else if (isSystemModule(pkg)) {
		if (isSystemModule(pkg)) {
		return REASON_SYSTEM_MODULE;
		} else if (isCarrierApp(pkg)) {
		return REASON_CARRIER_PRIVILEGED_APP;
		@@ -2843,6 +2832,16 @@ public final class AppRestrictionController {
		return REASON_ACTIVE_DEVICE_ADMIN;
		}
		}
		// Loop the packages again, and check the user-configurable exemptions.
		for (String pkg : packages) {
		if (appOpsManager.checkOpNoThrow(AppOpsManager.OP_ACTIVATE_VPN,
		uid, pkg) == AppOpsManager.MODE_ALLOWED) {
		return REASON_OP_ACTIVATE_VPN;
		} else if (appOpsManager.checkOpNoThrow(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN,
		uid, pkg) == AppOpsManager.MODE_ALLOWED) {
		return REASON_OP_ACTIVATE_PLATFORM_VPN;
		}
		}
		}
		if (isRoleHeldByUid(RoleManager.ROLE_DIALER, uid)) {
		return REASON_ROLE_DIALER;
		@@ -2850,6 +2849,12 @@ public final class AppRestrictionController {
		if (isRoleHeldByUid(RoleManager.ROLE_EMERGENCY, uid)) {
		return REASON_ROLE_EMERGENCY;
		}
		if (isOnDeviceIdleAllowlist(uid)) {
		return REASON_ALLOWLISTED_PACKAGE;
		}
		if (am.isAssociatedCompanionApp(UserHandle.getUserId(uid), uid)) {
		return REASON_COMPANION_DEVICE_MANAGER;
		}
		return REASON_DENIED;
		}