
Commit c5d33bfd authored by Evan Severson's avatar Evan Severson

Remove role exempt flag

There is no use for this currently.

Bug: 158311343
Test: atest CtsPermission{1,3}TestCases
Change-Id: I102b30ccb3354e248e4e6be304c6dfe6135ba2a6
parent e2887a76
+0 −1
@@ -12527,7 +12527,6 @@ package android.content.pm {
    field public static final String FEATURE_WIFI_DIRECT = "android.hardware.wifi.direct";
    field public static final String FEATURE_WIFI_PASSPOINT = "android.hardware.wifi.passpoint";
    field public static final String FEATURE_WIFI_RTT = "android.hardware.wifi.rtt";
    field public static final int FLAG_PERMISSION_ALLOWLIST_ROLE = 8; // 0x8
    field public static final int FLAG_PERMISSION_WHITELIST_INSTALLER = 2; // 0x2
    field public static final int FLAG_PERMISSION_WHITELIST_SYSTEM = 1; // 0x1
    field public static final int FLAG_PERMISSION_WHITELIST_UPGRADE = 4; // 0x4
+0 −1
@@ -2562,7 +2562,6 @@ package android.content.pm {
    field public static final int FLAG_PERMISSION_ONE_TIME = 65536; // 0x10000
    field public static final int FLAG_PERMISSION_POLICY_FIXED = 4; // 0x4
    field public static final int FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT = 2048; // 0x800
    field public static final int FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT = 262144; // 0x40000
    field public static final int FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT = 4096; // 0x1000
    field public static final int FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT = 8192; // 0x2000
    field public static final int FLAG_PERMISSION_REVIEW_REQUIRED = 64; // 0x40
+2 −33
@@ -4059,16 +4059,6 @@ public abstract class PackageManager {
    @SystemApi
    public static final int FLAG_PERMISSION_AUTO_REVOKED = 1 << 17;

    /**
     * Permission flag: The permission is restricted but the app is exempt
     * from the restriction and is allowed to hold this permission in its
     * full form and the exemption is provided by the held roles.
     *
     * @hide
     */
    @SystemApi
    public static final int FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT =  1 << 18;

    /**
     * Permission flag: This location permission is selected as the level of granularity of
     * location accuracy.
@@ -4098,8 +4088,7 @@ public abstract class PackageManager {
    public static final int FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT =
            FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT
                    | FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT
                    | FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT
                    | FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT;
                    | FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;

    /**
     * Mask for all permission flags.
@@ -4184,20 +4173,11 @@ public abstract class PackageManager {
     */
    public static final int FLAG_PERMISSION_WHITELIST_UPGRADE = 1 << 2;

    /**
     * Permission allowlist flag: permissions exempted by the system
     * when being granted a role.
     * Permissions can also be exempted by the installer, the system, or on
     * upgrade.
     */
    public static final int FLAG_PERMISSION_ALLOWLIST_ROLE = 1 << 3;

    /** @hide */
    @IntDef(flag = true, prefix = {"FLAG_PERMISSION_WHITELIST_"}, value = {
            FLAG_PERMISSION_WHITELIST_SYSTEM,
            FLAG_PERMISSION_WHITELIST_INSTALLER,
            FLAG_PERMISSION_WHITELIST_UPGRADE,
            FLAG_PERMISSION_ALLOWLIST_ROLE
            FLAG_PERMISSION_WHITELIST_UPGRADE
    })
    @Retention(RetentionPolicy.SOURCE)
    public @interface PermissionWhitelistFlags {}
@@ -5229,10 +5209,6 @@ public abstract class PackageManager {
     * This list corresponds to the {@link #FLAG_PERMISSION_WHITELIST_INSTALLER} flag.
     * Can be accessed by pre-installed holders of a dedicated permission or the
     * installer on record.
     *
     * <li>one for cases where the system exempts the permission when granting a role.
     * This list corresponds to the {@link #FLAG_PERMISSION_ALLOWLIST_ROLE} flag. Can
     * be accessed by pre-installed holders of a dedicated permission.
     * </ol>
     *
     * <p>
@@ -5251,7 +5227,6 @@ public abstract class PackageManager {
     * @see #FLAG_PERMISSION_WHITELIST_SYSTEM
     * @see #FLAG_PERMISSION_WHITELIST_UPGRADE
     * @see #FLAG_PERMISSION_WHITELIST_INSTALLER
     * @see #FLAG_PERMISSION_ALLOWLIST_ROLE
     *
     * @throws SecurityException if you try to access a whitelist that you have no access to.
     */
@@ -5291,10 +5266,6 @@ public abstract class PackageManager {
     * This list corresponds to the {@link #FLAG_PERMISSION_WHITELIST_INSTALLER} flag.
     * Can be modified by pre-installed holders of a dedicated permission or the installer
     * on record.
     *
     * <li>one for cases where the system exempts the permission when permission when
     * granting a role. This list corresponds to the {@link #FLAG_PERMISSION_ALLOWLIST_ROLE}
     * flag. Can be modified by pre-installed holders of a dedicated permission.
     * </ol>
     *
     * <p>You need to specify the whitelists for which to set the whitelisted permissions
@@ -5318,7 +5289,6 @@ public abstract class PackageManager {
     * @see #FLAG_PERMISSION_WHITELIST_SYSTEM
     * @see #FLAG_PERMISSION_WHITELIST_UPGRADE
     * @see #FLAG_PERMISSION_WHITELIST_INSTALLER
     * @see #FLAG_PERMISSION_ALLOWLIST_ROLE
     *
     * @throws SecurityException if you try to modify a whitelist that you have no access to.
     */
@@ -5388,7 +5358,6 @@ public abstract class PackageManager {
     * @see #FLAG_PERMISSION_WHITELIST_SYSTEM
     * @see #FLAG_PERMISSION_WHITELIST_UPGRADE
     * @see #FLAG_PERMISSION_WHITELIST_INSTALLER
     * @see #FLAG_PERMISSION_ALLOWLIST_ROLE
     *
     * @throws SecurityException if you try to modify a whitelist that you have no access to.
     */
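Review bot: Removing `FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT` leaves bit `1 << 18` unassigned with nothing marking it as retired, so a later flag could reuse a bit that may still be set in permission state written by a build that had this flag. The same commit drops the `case FLAG_PERMISSION_ALLOWLIST_ROLE` branch in the service, the only place in this diff that set or cleared the bit, so a stale value could no longer be cleared through that API; whether any such state was ever persisted is not visible here. With the bit gone from `FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT`, a stale value presumably no longer counts as an exemption, which fails closed. I would leave a placeholder comment where the constant was, e.g. `// 1 << 18 was FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT; do not reuse without clearing stored flags`, and the same for `1 << 3` next to the allowlist flags.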
+0 −15
@@ -485,10 +485,6 @@ public final class PermissionManager {
     * One for cases where the installer of the package allowlists a permission. This list
     * corresponds to the {@link PackageManager#FLAG_PERMISSION_WHITELIST_INSTALLER} flag. Can be
     * accessed by pre-installed holders of a dedicated permission or the installer on record.
     * <li>
     * One for cases where the system exempts the permission when granting a role. This list
     * corresponds to the {@link PackageManager#FLAG_PERMISSION_ALLOWLIST_ROLE} flag. Can be
     * accessed by pre-installed holders of a dedicated permission.
     * </ol>
     *
     * @param packageName the app for which to get allowlisted permissions
@@ -502,7 +498,6 @@ public final class PermissionManager {
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_SYSTEM
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_UPGRADE
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_INSTALLER
     * @see PackageManager#FLAG_PERMISSION_ALLOWLIST_ROLE
     *
     * @hide Pending API
     */
@@ -549,10 +544,6 @@ public final class PermissionManager {
     * One for cases where the installer of the package allowlists a permission. This list
     * corresponds to the {@link PackageManager#FLAG_PERMISSION_WHITELIST_INSTALLER} flag. Can be
     * accessed by pre-installed holders of a dedicated permission or the installer on record.
     * <li>
     * One for cases where the system exempts the permission when granting a role. This list
     * corresponds to the {@link PackageManager#FLAG_PERMISSION_ALLOWLIST_ROLE} flag. Can be
     * accessed by pre-installed holders of a dedicated permission.
     * </ol>
     * <p>
     * You need to specify the allowlists for which to set the allowlisted permissions which will
@@ -570,7 +561,6 @@ public final class PermissionManager {
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_SYSTEM
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_UPGRADE
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_INSTALLER
     * @see PackageManager#FLAG_PERMISSION_ALLOWLIST_ROLE
     *
     * @hide Pending API
     */
@@ -613,10 +603,6 @@ public final class PermissionManager {
     * One for cases where the installer of the package allowlists a permission. This list
     * corresponds to the {@link PackageManager#FLAG_PERMISSION_WHITELIST_INSTALLER} flag. Can be
     * accessed by pre-installed holders of a dedicated permission or the installer on record.
     * <li>
     * One for cases where the system exempts the permission when granting a role. This list
     * corresponds to the {@link PackageManager#FLAG_PERMISSION_ALLOWLIST_ROLE} flag. Can be
     * accessed by pre-installed holders of a dedicated permission.
     * </ol>
     * <p>
     * You need to specify the allowlists for which to set the allowlisted permissions which will
@@ -634,7 +620,6 @@ public final class PermissionManager {
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_SYSTEM
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_UPGRADE
     * @see PackageManager#FLAG_PERMISSION_WHITELIST_INSTALLER
     * @see PackageManager#FLAG_PERMISSION_ALLOWLIST_ROLE
     *
     * @hide Pending API
     */
+7 −25
@@ -24,14 +24,12 @@ import static android.app.AppOpsManager.MODE_IGNORED;
import static android.content.pm.ApplicationInfo.AUTO_REVOKE_DISALLOWED;
import static android.content.pm.ApplicationInfo.AUTO_REVOKE_DISCOURAGED;
import static android.content.pm.PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_ALLOWLIST_ROLE;
import static android.content.pm.PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION;
import static android.content.pm.PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_GRANTED_BY_ROLE;
import static android.content.pm.PackageManager.FLAG_PERMISSION_ONE_TIME;
import static android.content.pm.PackageManager.FLAG_PERMISSION_POLICY_FIXED;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED;
@@ -1014,8 +1012,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
        Preconditions.checkFlagsArgument(flags,
                PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE
                        | PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM
                        | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER
                        | PackageManager.FLAG_PERMISSION_ALLOWLIST_ROLE);
                        | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER);
        Preconditions.checkArgumentNonNegative(userId, null);

        if (UserHandle.getCallingUserId() != userId) {
@@ -1039,9 +1036,9 @@ public class PermissionManagerService extends IPermissionManager.Stub {
        final boolean isCallerInstallerOnRecord =
                mPackageManagerInt.isCallerInstallerOfRecord(pkg, callingUid);

        if ((flags & (PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM
                | PackageManager.FLAG_PERMISSION_ALLOWLIST_ROLE)) != 0 && !isCallerPrivileged) {
            throw new SecurityException("Querying system or role allowlist requires "
        if ((flags & PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM) != 0
                && !isCallerPrivileged) {
            throw new SecurityException("Querying system allowlist requires "
                    + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
        }

@@ -1083,9 +1080,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
            if ((flags & PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER) != 0) {
                queryFlags |= FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
            }
            if ((flags & PackageManager.FLAG_PERMISSION_ALLOWLIST_ROLE) != 0) {
                queryFlags |=  FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT;
            }

            ArrayList<String> allowlistedPermissions = null;

@@ -1178,8 +1172,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
        Preconditions.checkFlagsArgument(flags,
                PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE
                        | PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM
                        | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER
                        | PackageManager.FLAG_PERMISSION_ALLOWLIST_ROLE);
                        | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER);
        Preconditions.checkArgument(Integer.bitCount(flags) == 1);
        Preconditions.checkArgumentNonNegative(userId, null);

@@ -1205,10 +1198,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
        final boolean isCallerInstallerOnRecord =
                mPackageManagerInt.isCallerInstallerOfRecord(pkg, callingUid);

        if ((flags & (PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM
                | PackageManager.FLAG_PERMISSION_ALLOWLIST_ROLE)) != 0
                && !isCallerPrivileged) {
            throw new SecurityException("Modifying system or role allowlist requires "
        if ((flags & PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM) != 0 && !isCallerPrivileged) {
            throw new SecurityException("Modifying system allowlist requires "
                    + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
        }

@@ -3714,15 +3705,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                        }
                    }
                    break;
                    case FLAG_PERMISSION_ALLOWLIST_ROLE: {
                        mask |= FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT;
                        if (permissions != null && permissions.contains(permissionName)) {
                            newFlags |= FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT;
                        } else {
                            newFlags &= ~FLAG_PERMISSION_RESTRICTION_ROLE_EXEMPT;
                        }
                    }
                    break;
                }
            }
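Review bot: The accepted-flags mask passed to `Preconditions.checkFlagsArgument` is spelled out twice, once at the top of the query path and once at the top of the modify path, and this commit had to edit both copies in step; the privileged-caller check on `FLAG_PERMISSION_WHITELIST_SYSTEM` is duplicated the same way. These masks decide which allowlists a caller may name before the `SecurityException` checks run, so a single constant would keep the two entry points from drifting apart, e.g. `private static final int ALLOWLIST_FLAGS_ALL = PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE | PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER;` passed to both `checkFlagsArgument` calls. Both enclosing methods start and end outside the hunks shown.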