Unflag new permission GID implementation and remove legacy code. (97969184) · Commits · e / os / android_frameworks_base

core/java/android/permission/flags.aconfig

+0 −11

Original line number	Diff line number	Diff line
		@@ -120,17 +120,6 @@ flag {
		bug: "323157319"
		}

		flag {
		name: "new_permission_gid_enabled"
		is_fixed_read_only: true
		namespace: "permissions"
		description: "Enable new permission GID implementation"
		bug: "325137277"
		metadata {
		purpose: PURPOSE_BUGFIX
		}
		}

		flag {
		name: "ignore_process_text"
		namespace: "permissions"

services/permission/java/com/android/server/permission/access/AccessCheckingService.kt

+0 −2

Original line number	Diff line number	Diff line
		@@ -106,8 +106,6 @@ class AccessCheckingService(context: Context) : SystemService(context) {
		persistence.read(state)
		this.state = state

		mutateState { with(policy) { onInitialized() } }

		appOpService.initialize()
		permissionService.initialize()
		}

services/permission/java/com/android/server/permission/access/AccessPolicy.kt

+0 −6

Original line number	Diff line number	Diff line
		@@ -98,10 +98,6 @@ private constructor(
		forEachSchemePolicy { with(it) { onStateMutated() } }
		}

		fun MutateStateScope.onInitialized() {
		forEachSchemePolicy { with(it) { onInitialized() } }
		}

		fun MutateStateScope.onUserAdded(userId: Int) {
		newState.mutateExternalState().mutateUserIds() += userId
		newState.mutateUserStatesNoWrite()[userId] = MutableUserState()
		@@ -443,8 +439,6 @@ abstract class SchemePolicy {

		open fun GetStateScope.onStateMutated() {}

		open fun MutateStateScope.onInitialized() {}

		open fun MutateStateScope.onUserAdded(userId: Int) {}

		open fun MutateStateScope.onUserRemoved(userId: Int) {}

services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPersistence.kt

+1 −14

Original line number	Diff line number	Diff line
		@@ -101,10 +101,6 @@ class AppIdPermissionPersistence {
		val type = getAttributeIntOrThrow(ATTR_TYPE)
		when (type) {
		Permission.TYPE_MANIFEST -> {}
		Permission.TYPE_CONFIG -> {
		Slog.w(LOG_TAG, "Ignoring unexpected config permission $name")
		return
		}
		Permission.TYPE_DYNAMIC -> {
		permissionInfo.apply {
		icon = getAttributeIntHexOrDefault(ATTR_ICON, 0)
		@@ -134,20 +130,11 @@ class AppIdPermissionPersistence {
		}

		private fun BinaryXmlSerializer.serializePermission(permission: Permission) {
		val type = permission.type
		when (type) {
		Permission.TYPE_MANIFEST,
		Permission.TYPE_DYNAMIC -> {}
		Permission.TYPE_CONFIG -> return
		else -> {
		Slog.w(LOG_TAG, "Skipping serializing permission $name with unknown type $type")
		return
		}
		}
		tag(TAG_PERMISSION) {
		attributeInterned(ATTR_NAME, permission.name)
		attributeInterned(ATTR_PACKAGE_NAME, permission.packageName)
		attributeIntHex(ATTR_PROTECTION_LEVEL, permission.protectionLevel)
		val type = permission.type
		attributeInt(ATTR_TYPE, type)
		if (type == Permission.TYPE_DYNAMIC) {
		val permissionInfo = permission.permissionInfo

services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt

+64 −153

Original line number	Diff line number	Diff line
		@@ -79,46 +79,6 @@ class AppIdPermissionPolicy : SchemePolicy() {
		onPermissionFlagsChangedListeners.forEachIndexed { _, it -> it.onStateMutated() }
		}

		override fun MutateStateScope.onInitialized() {
		if (!Flags.newPermissionGidEnabled()) {
		newState.externalState.configPermissions.forEach { (permissionName, permissionEntry) ->
		val oldPermission = newState.systemState.permissions[permissionName]
		val newPermission =
		if (oldPermission != null) {
		if (permissionEntry.gids != null) {
		oldPermission.copy(
		gids = permissionEntry.gids,
		areGidsPerUser = permissionEntry.perUser
		)
		} else {
		return@forEach
		}
		} else {
		@Suppress("DEPRECATION")
		val permissionInfo =
		PermissionInfo().apply {
		name = permissionName
		packageName = PLATFORM_PACKAGE_NAME
		protectionLevel = PermissionInfo.PROTECTION_SIGNATURE
		}
		if (permissionEntry.gids != null) {
		Permission(
		permissionInfo,
		false,
		Permission.TYPE_CONFIG,
		0,
		permissionEntry.gids,
		permissionEntry.perUser
		)
		} else {
		Permission(permissionInfo, false, Permission.TYPE_CONFIG, 0)
		}
		}
		newState.mutateSystemState().mutatePermissions()[permissionName] = newPermission
		}
		}
		}

		override fun MutateStateScope.onUserAdded(userId: Int) {
		newState.externalState.packageStates.forEach { (_, packageState) ->
		evaluateAllPermissionStatesForPackageAndUser(packageState, userId, null)
		@@ -488,6 +448,7 @@ class AppIdPermissionPolicy : SchemePolicy() {
		} else {
		newState.systemState.permissions[permissionName]
		}

		// Different from the old implementation, which may add an (incomplete) signature
		// permission inside another package's permission tree, we now consistently ignore such
		// permissions.
		@@ -502,8 +463,9 @@ class AppIdPermissionPolicy : SchemePolicy() {
		)
		return@forEachIndexed
		}
		var newPermission =
		if (oldPermission != null && newPackageName != oldPermission.packageName) {

		if (oldPermission != null) {
		if (newPackageName != oldPermission.packageName) {
		val oldPackageName = oldPermission.packageName
		// Only allow system apps to redefine non-system permissions.
		if (!packageState.isSystem) {
		@@ -515,19 +477,15 @@ class AppIdPermissionPolicy : SchemePolicy() {
		)
		return@forEachIndexed
		}
		if (
		oldPermission.type == Permission.TYPE_CONFIG && !oldPermission.isReconciled
		) {
		// It's a config permission and has no owner, take ownership now.
		oldPermission.copy(
		permissionInfo = newPermissionInfo,
		isReconciled = true,
		type = Permission.TYPE_MANIFEST,
		appId = packageState.appId
		if (newState.externalState.packageStates[oldPackageName]?.isSystem == true) {
		Slog.w(
		LOG_TAG,
		"Ignoring permission $permissionName declared in system package" +
		" $newPackageName: already declared in another system package" +
		" $oldPackageName"
		)
		} else if (
		newState.externalState.packageStates[oldPackageName]?.isSystem != true
		) {
		return@forEachIndexed
		}
		Slog.w(
		LOG_TAG,
		"Overriding permission $permissionName with new declaration in" +
		@@ -540,44 +498,17 @@ class AppIdPermissionPolicy : SchemePolicy() {
		setPermissionFlags(appId, userId, permissionName, 0)
		}
		}
		// Different from the old implementation, which removes the GIDs upon
		// permission
		// override, but adds them back on the next boot, we now just consistently
		// keep
		// the GIDs.
		Permission(
		newPermissionInfo,
		true,
		Permission.TYPE_MANIFEST,
		packageState.appId,
		oldPermission.gids,
		oldPermission.areGidsPerUser
		)
		} else {
		Slog.w(
		LOG_TAG,
		"Ignoring permission $permissionName declared in system package" +
		" $newPackageName: already declared in another system package" +
		" $oldPackageName"
		)
		return@forEachIndexed
		}
		} else {
		if (oldPermission != null && oldPermission.isReconciled) {
		} else if (oldPermission.isReconciled) {
		val isPermissionGroupChanged =
		newPermissionInfo.isRuntime &&
		newPermissionInfo.group != null &&
		newPermissionInfo.group != oldPermission.groupName
		val isPermissionProtectionChanged =
		oldPermission.type != Permission.TYPE_CONFIG &&
		((newPermissionInfo.isRuntime && !oldPermission.isRuntime) \|\|
		(newPermissionInfo.isInternal && !oldPermission.isInternal))
		(newPermissionInfo.isRuntime && !oldPermission.isRuntime) \|\|
		(newPermissionInfo.isInternal && !oldPermission.isInternal)
		if (isPermissionGroupChanged \|\| isPermissionProtectionChanged) {
		newState.externalState.userIds.forEachIndexed { _, userId ->
		newState.externalState.appIdPackageNames.forEachIndexed {
		_,
		appId,
		_ ->
		newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ ->
		if (isPermissionGroupChanged) {
		// We might auto-grant permissions if any permission of
		// the group is already granted. Hence if the group of
		@@ -604,28 +535,8 @@ class AppIdPermissionPolicy : SchemePolicy() {
		}
		}
		}

		// Different from the old implementation, which doesn't update the permission
		// definition upon app update, but does update it on the next boot, we now
		// consistently update the permission definition upon app update.
		@Suppress("IfThenToElvis")
		if (oldPermission != null) {
		oldPermission.copy(
		permissionInfo = newPermissionInfo,
		isReconciled = true,
		type = Permission.TYPE_MANIFEST,
		appId = packageState.appId
		)
		} else {
		Permission(
		newPermissionInfo,
		true,
		Permission.TYPE_MANIFEST,
		packageState.appId
		)
		}
		}
		if (Flags.newPermissionGidEnabled()) {

		var gids = EmptyArray.INT
		var areGidsPerUser = false
		if (!parsedPermission.isTree && packageState.isSystem) {
		@@ -639,7 +550,8 @@ class AppIdPermissionPolicy : SchemePolicy() {
		}
		}
		}
		newPermission = Permission(
		val newPermission =
		Permission(
		newPermissionInfo,
		true,
		Permission.TYPE_MANIFEST,
		@@ -647,7 +559,6 @@ class AppIdPermissionPolicy : SchemePolicy() {
		gids,
		areGidsPerUser
		)
		}

		if (parsedPermission.isTree) {
		newState.mutateSystemState().mutatePermissionTrees()[permissionName] = newPermission