Commit a440a043 authored by Atneya Nair

[RESTRICT AUTOMERGE] [appops] Preflight skip datasource validation

The forDataDelivery logic always skips checking the first attribution in
the chain from datasources, either via singleReceiverFromDataSource, or
internal in startProxyOp, since skipProxy=true is passed for non-trivial
chains.

Make the preflight check consistent with this behavior, by also skipping
a checkOp on the first entry in this case. This avoids cases where
the preflight fails when the delivery would succeed, which should never
happen. This is implicitly relied on by audioserver, as it happens to
fail checkOp due to not having a valid Uid/PackageState.

Test: manual: start and stop recording with toggle restriction
Test: atest CtsMediaAudioPermissionTestCases
Test: atest RuntimePermissionsAppOpTrackingTest
Test: atest SensorPrivacyMicrophoneTest
Bug: 293603271
Bug: 325912429
Flag: EXEMPT bugfix
Change-Id: I509e7f8da501f5e32d336adb412662e078eab500
parent 40d0f547
+13 −2
@@ -1535,8 +1535,19 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                if (resolvedAccessorPackageName == null) {
                    return AppOpsManager.MODE_ERRORED;
                }
                final int opMode = appOpsManager.unsafeCheckOpRawNoThrow(op,
                        accessorSource.getUid(), resolvedAccessorPackageName);
                // Avoid checking the first attr in the chain in some cases for consistency with
                // checks for data delivery.
                // In particular, for chains of 2 or more, when skipProxyOperation is true, the
                // for data delivery implementation does not actually check the first link in the
                // chain. If the attribution is just a singleReceiverFromDatasource, this
                // exemption does not apply, since it does not go through proxyOp flow, and the top
                // of the chain is actually removed above.
                // Skipping the check avoids situations where preflight checks fail since the data
                // source itself does not have the op (e.g. audioserver).
                final int opMode = (skipProxyOperation && !singleReceiverFromDatasource) ?
                        AppOpsManager.MODE_ALLOWED :
                        appOpsManager.unsafeCheckOpRawNoThrow(op, accessorSource.getUid(),
                                resolvedAccessorPackageName);
                final AttributionSource next = accessorSource.getNext();
                if (!selfAccess && opMode == AppOpsManager.MODE_ALLOWED && next != null) {
                    final String resolvedNextPackageName = resolvePackageName(context, next);
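Review bot: The new `opMode` ternary returns `AppOpsManager.MODE_ALLOWED` on `skipProxyOperation && !singleReceiverFromDatasource` alone, while the comment directly above it scopes the exemption to "chains of 2 or more"; nothing in the condition checks chain length, and `next` is only read on the line after the ternary. Consider hoisting `final AttributionSource next = accessorSource.getNext();` above the ternary and adding `next != null` to the condition, or extending the comment to say why `skipProxyOperation` cannot be true for a single-entry chain, so that the flag by itself cannot turn the preflight check on the accessor into an unconditional allow. The Test: lines in the commit message list a manual check and existing suites only; a test asserting that the preflight result matches the data-delivery result for a data source that fails `checkOp` (the audioserver case named in the comment) would keep the two paths from drifting apart again.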