Loading core/java/android/app/AppOpsManager.java +1 −1 Original line number Diff line number Diff line Loading @@ -3290,7 +3290,7 @@ public class AppOpsManager { } /** * Retrieve whether the op can be read by apps with manage appops permission. * Retrieve whether the op can be read by apps with privileged appops permission. * @hide */ public static boolean opRestrictsRead(int op) { Loading services/core/java/com/android/server/appop/AppOpsService.java +26 −5 Original line number Diff line number Diff line Loading @@ -2186,16 +2186,26 @@ public class AppOpsService extends IAppOpsService.Stub { private ArrayList<AppOpsManager.OpEntry> collectOps(Ops pkgOps, int[] ops) { ArrayList<AppOpsManager.OpEntry> resOps = null; final long elapsedNow = SystemClock.elapsedRealtime(); boolean shouldReturnRestrictedAppOps = mContext.checkPermission( Manifest.permission.GET_APP_OPS_STATS, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED; if (ops == null) { resOps = new ArrayList<>(); for (int j = 0; j < pkgOps.size(); j++) { Op curOp = pkgOps.valueAt(j); if (opRestrictsRead(curOp.op) && !shouldReturnRestrictedAppOps) { continue; } resOps.add(getOpEntryForResult(curOp, elapsedNow)); } } else { for (int j = 0; j < ops.length; j++) { Op curOp = pkgOps.get(ops[j]); if (curOp != null) { if (opRestrictsRead(curOp.op) && !shouldReturnRestrictedAppOps) { continue; } if (resOps == null) { resOps = new ArrayList<>(); } Loading Loading @@ -4400,10 +4410,21 @@ public class AppOpsService extends IAppOpsService.Stub { private void verifyIncomingOp(int op) { if (op >= 0 && op < AppOpsManager._NUM_OP) { // Enforce manage appops permission if it's a restricted read op. // Enforce privileged appops permission if it's a restricted read op. if (opRestrictsRead(op)) { mContext.enforcePermission(Manifest.permission.MANAGE_APPOPS, Binder.getCallingPid(), Binder.getCallingUid(), "verifyIncomingOp"); if (!(mContext.checkPermission(Manifest.permission.MANAGE_APPOPS, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED || mContext.checkPermission( Manifest.permission.GET_APP_OPS_STATS, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED || mContext.checkPermission( Manifest.permission.MANAGE_APP_OPS_MODES, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED)) { throw new SecurityException("verifyIncomingOp: uid " + Binder.getCallingUid() + " does not have any of {MANAGE_APPOPS, GET_APP_OPS_STATS, " + "MANAGE_APP_OPS_MODES}"); } } return; } Loading Loading
core/java/android/app/AppOpsManager.java +1 −1 Original line number Diff line number Diff line Loading @@ -3290,7 +3290,7 @@ public class AppOpsManager { } /** * Retrieve whether the op can be read by apps with manage appops permission. * Retrieve whether the op can be read by apps with privileged appops permission. * @hide */ public static boolean opRestrictsRead(int op) { Loading
services/core/java/com/android/server/appop/AppOpsService.java +26 −5 Original line number Diff line number Diff line Loading @@ -2186,16 +2186,26 @@ public class AppOpsService extends IAppOpsService.Stub { private ArrayList<AppOpsManager.OpEntry> collectOps(Ops pkgOps, int[] ops) { ArrayList<AppOpsManager.OpEntry> resOps = null; final long elapsedNow = SystemClock.elapsedRealtime(); boolean shouldReturnRestrictedAppOps = mContext.checkPermission( Manifest.permission.GET_APP_OPS_STATS, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED; if (ops == null) { resOps = new ArrayList<>(); for (int j = 0; j < pkgOps.size(); j++) { Op curOp = pkgOps.valueAt(j); if (opRestrictsRead(curOp.op) && !shouldReturnRestrictedAppOps) { continue; } resOps.add(getOpEntryForResult(curOp, elapsedNow)); } } else { for (int j = 0; j < ops.length; j++) { Op curOp = pkgOps.get(ops[j]); if (curOp != null) { if (opRestrictsRead(curOp.op) && !shouldReturnRestrictedAppOps) { continue; } if (resOps == null) { resOps = new ArrayList<>(); } Loading Loading @@ -4400,10 +4410,21 @@ public class AppOpsService extends IAppOpsService.Stub { private void verifyIncomingOp(int op) { if (op >= 0 && op < AppOpsManager._NUM_OP) { // Enforce manage appops permission if it's a restricted read op. // Enforce privileged appops permission if it's a restricted read op. if (opRestrictsRead(op)) { mContext.enforcePermission(Manifest.permission.MANAGE_APPOPS, Binder.getCallingPid(), Binder.getCallingUid(), "verifyIncomingOp"); if (!(mContext.checkPermission(Manifest.permission.MANAGE_APPOPS, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED || mContext.checkPermission( Manifest.permission.GET_APP_OPS_STATS, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED || mContext.checkPermission( Manifest.permission.MANAGE_APP_OPS_MODES, Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANTED)) { throw new SecurityException("verifyIncomingOp: uid " + Binder.getCallingUid() + " does not have any of {MANAGE_APPOPS, GET_APP_OPS_STATS, " + "MANAGE_APP_OPS_MODES}"); } } return; } Loading
