Merge "Allow setting app op permissions to support...

    private static final int ADB_DEV_MODE = PackageManager.INSTALL_FROM_ADB

            | PackageManager.INSTALL_ALLOW_TEST;

    private static final Set<String> ALLOWED_PERMISSION_STATE_NAMES = Set.of(

    /**

     * Set of app op permissions that the installer of a session is allowed to change through

     * {@link PackageInstaller.SessionParams#setPermissionState(String, int)}.

     */

    public static final Set<String> INSTALLER_CHANGEABLE_APP_OP_PERMISSIONS = Set.of(

            Manifest.permission.USE_FULL_SCREEN_INTENT

    );

                if (!hasInstallGrantRuntimePermissions) {

                    for (int index = 0; index < permissionStates.size(); index++) {

                        var permissionName = permissionStates.keyAt(index);

                        if (!ALLOWED_PERMISSION_STATE_NAMES.contains(permissionName)) {

                        if (!INSTALLER_CHANGEABLE_APP_OP_PERMISSIONS.contains(permissionName)) {

                            throw new SecurityException("You need the "

                                    + Manifest.permission.INSTALL_GRANT_RUNTIME_PERMISSIONS

                                    + " permission to grant runtime permissions for a session");

 * Manages all permissions and handles permissions related tasks.

 */

public class PermissionManagerService extends IPermissionManager.Stub {

    private static final String LOG_TAG = PermissionManagerService.class.getSimpleName();

    /** Map of IBinder -> Running AttributionSource */

import static android.Manifest.permission.POST_NOTIFICATIONS;

import static android.Manifest.permission.READ_EXTERNAL_STORAGE;

import static android.Manifest.permission.WRITE_EXTERNAL_STORAGE;

import static android.app.AppOpsManager.MODE_ALLOWED;

import static android.app.AppOpsManager.MODE_ERRORED;

import static android.content.pm.PackageInstaller.SessionParams.PERMISSION_STATE_DEFAULT;

import static android.content.pm.PackageInstaller.SessionParams.PERMISSION_STATE_GRANTED;

import static android.content.pm.PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT;

import static android.content.pm.PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION;

import static android.content.pm.PackageManager.FLAG_PERMISSION_AUTO_REVOKED;

import android.annotation.Nullable;

import android.annotation.UserIdInt;

import android.app.ActivityManager;

import android.app.AppOpsManager;

import android.app.IActivityManager;

import android.app.admin.DevicePolicyManagerInternal;

import android.compat.annotation.ChangeId;

import android.content.Context;

import android.content.pm.ApplicationInfo;

import android.content.pm.FeatureInfo;

import android.content.pm.PackageInstaller;

import android.content.pm.PackageManager;

import android.content.pm.PackageManagerInternal;

import android.content.pm.PermissionGroupInfo;

import com.android.server.Watchdog;

import com.android.server.pm.ApexManager;

import com.android.server.pm.KnownPackages;

import com.android.server.pm.PackageInstallerService;

import com.android.server.pm.UserManagerInternal;

import com.android.server.pm.UserManagerService;

import com.android.server.pm.parsing.PackageInfoUtils;

        }

    }

    private void grantRequestedRuntimePermissionsInternal(@NonNull AndroidPackage pkg,

            @Nullable List<String> permissions, int userId) {

    private void grantRequestedPermissionsInternal(@NonNull AndroidPackage pkg,

            @Nullable ArrayMap<String, Integer> permissionStates, int userId) {

        final int immutableFlags = PackageManager.FLAG_PERMISSION_SYSTEM_FIXED

                | PackageManager.FLAG_PERMISSION_POLICY_FIXED;

        final int myUid = Process.myUid();

        for (String permission : pkg.getRequestedPermissions()) {

            final boolean shouldGrantPermission;

            Integer permissionState = permissionStates.get(permission);

            if (permissionState == null || permissionState == PERMISSION_STATE_DEFAULT) {

                continue;

            }

            final boolean shouldGrantRuntimePermission;

            final boolean isAppOpPermission;

            synchronized (mLock) {

                final Permission bp = mRegistry.getPermission(permission);

                shouldGrantPermission = bp != null && (bp.isRuntime() || bp.isDevelopment())

                if (bp == null) {

                    continue;

                }

                shouldGrantRuntimePermission = (bp.isRuntime() || bp.isDevelopment())

                        && (!instantApp || bp.isInstant())

                        && (supportsRuntimePermissions || !bp.isRuntimeOnly())

                        && (permissions.contains(permission));

                        && permissionState == PERMISSION_STATE_GRANTED;

                isAppOpPermission = bp.isAppOp();

            }

            if (shouldGrantPermission) {

            if (shouldGrantRuntimePermission) {

                final int flags = getPermissionFlagsInternal(pkg.getPackageName(), permission,

                        myUid, userId);

                if (supportsRuntimePermissions) {

                                0, myUid, userId, false, mDefaultPermissionCallback);

                    }

                }

            } else if (isAppOpPermission

                    && PackageInstallerService.INSTALLER_CHANGEABLE_APP_OP_PERMISSIONS

                    .contains(permission)) {

                int mode =

                        permissionState == PERMISSION_STATE_GRANTED ? MODE_ALLOWED : MODE_ERRORED;

                int uid = UserHandle.getUid(userId, pkg.getUid());

                String appOp = AppOpsManager.permissionToOp(permission);

                mHandler.post(() -> {

                    AppOpsManager appOpsManager = mContext.getSystemService(AppOpsManager.class);

                    appOpsManager.setUidMode(appOp, uid, mode);

                });

            }

        }

    }

            addAllowlistedRestrictedPermissionsInternal(pkg,

                    params.getAllowlistedRestrictedPermissions(),

                    FLAG_PERMISSION_WHITELIST_INSTALLER, userId);

            var grantedPermissions = new ArrayList<String>();

            var permissionStates = params.getPermissionStates();

            for (int index = 0; index < permissionStates.size(); index++) {

                if (permissionStates.valueAt(index)

                        == PackageInstaller.SessionParams.PERMISSION_STATE_GRANTED) {

                    grantedPermissions.add(permissionStates.keyAt(index));

                }

            }

            grantRequestedRuntimePermissionsInternal(pkg, grantedPermissions, userId);

            grantRequestedPermissionsInternal(pkg, params.getPermissionStates(), userId);

        }

    }

import com.android.server.permission.access.util.hasBits

import com.android.server.permission.access.util.withClearedCallingIdentity

import com.android.server.pm.KnownPackages

import com.android.server.pm.PackageInstallerService

import com.android.server.pm.PackageManagerLocal

import com.android.server.pm.UserManagerInternal

import com.android.server.pm.UserManagerService

                            )

                        }

                    }

                    permission.isAppOp -> setAppOpPermissionGranted(

                        packageState, userId, permissionName,

                        permissionState == PackageInstaller.SessionParams.PERMISSION_STATE_GRANTED

                    permission.isAppOp && permissionName in

                            PackageInstallerService.INSTALLER_CHANGEABLE_APP_OP_PERMISSIONS ->

                        setAppOpPermissionGranted(

                            packageState, userId, permissionName, permissionState ==

                                    PackageInstaller.SessionParams.PERMISSION_STATE_GRANTED

                        )

                    else -> {}

                }