
Commit d22603eb authored by Android Build Merger (Role)'s avatar Android Build Merger (Role) Committed by Android (Google) Code Review

Merge "Merge "Allow explicit permission denial" into oc-mr1-dev am:...

Merge "Merge "Allow explicit permission denial" into oc-mr1-dev am: 7fc53a11" into oc-mr1-dev-plus-aosp
parents 91f0c696 cab962b8
+20 −0
@@ -141,6 +141,7 @@ public class SystemConfig {




    final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>();
    final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>();
    final ArrayMap<String, ArraySet<String>> mPrivAppDenyPermissions = new ArrayMap<>();


    public static SystemConfig getInstance() {
    public static SystemConfig getInstance() {
        synchronized (SystemConfig.class) {
        synchronized (SystemConfig.class) {
@@ -219,6 +220,10 @@ public class SystemConfig {
        return mPrivAppPermissions.get(packageName);
        return mPrivAppPermissions.get(packageName);
    }
    }


    public ArraySet<String> getPrivAppDenyPermissions(String packageName) {
        return mPrivAppDenyPermissions.get(packageName);
    }

    SystemConfig() {
    SystemConfig() {
        // Read configuration from system
        // Read configuration from system
        readPermissions(Environment.buildPath(
        readPermissions(Environment.buildPath(
@@ -660,6 +665,7 @@ public class SystemConfig {
        if (permissions == null) {
        if (permissions == null) {
            permissions = new ArraySet<>();
            permissions = new ArraySet<>();
        }
        }
        ArraySet<String> denyPermissions = mPrivAppDenyPermissions.get(packageName);
        int depth = parser.getDepth();
        int depth = parser.getDepth();
        while (XmlUtils.nextElementWithin(parser, depth)) {
        while (XmlUtils.nextElementWithin(parser, depth)) {
            String name = parser.getName();
            String name = parser.getName();
@@ -671,8 +677,22 @@ public class SystemConfig {
                    continue;
                    continue;
                }
                }
                permissions.add(permName);
                permissions.add(permName);
            } else if ("deny-permission".equals(name)) {
                String permName = parser.getAttributeValue(null, "name");
                if (TextUtils.isEmpty(permName)) {
                    Slog.w(TAG, "name is required for <deny-permission> in "
                            + parser.getPositionDescription());
                    continue;
                }
                if (denyPermissions == null) {
                    denyPermissions = new ArraySet<>();
                }
                denyPermissions.add(permName);
            }
            }
        }
        }
        mPrivAppPermissions.put(packageName, permissions);
        mPrivAppPermissions.put(packageName, permissions);
        if (denyPermissions != null) {
            mPrivAppDenyPermissions.put(packageName, denyPermissions);
        }
    }
    }
}
}
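Review bot: Nothing in the new `deny-permission` branch checks whether the same permission is also listed under `<permission>` for the package, so one name can end up in both `mPrivAppPermissions` and `mPrivAppDenyPermissions` without any warning. Because the grant check changed in this commit consults the allow list first, such a deny entry would silently have no effect. I would log the conflict in both branches, for example `if (permissions.contains(permName)) { Slog.w(TAG, "<deny-permission> " + permName + " is also granted for " + packageName); }`. `getPrivAppDenyPermissions` also needs a Javadoc saying that it returns null when nothing is denied for the package and that the returned set is the live internal one, not a copy. The enclosing parse method starts outside the hunk.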
+15 −5
@@ -13191,18 +13191,28 @@ public class PackageManagerService extends IPackageManager.Stub
        boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName);
        boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName);
        if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp()
        if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp()
                && !platformPackage && platformPermission) {
                && !platformPackage && platformPermission) {
            ArraySet<String> wlPermissions = SystemConfig.getInstance()
            final ArraySet<String> allowedPermissions = SystemConfig.getInstance()
                    .getPrivAppPermissions(pkg.packageName);
                    .getPrivAppPermissions(pkg.packageName);
            boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm);
            final boolean whitelisted =
                    allowedPermissions != null && allowedPermissions.contains(perm);
            if (!whitelisted) {
            if (!whitelisted) {
                Slog.w(TAG, "Privileged permission " + perm + " for package "
                Slog.w(TAG, "Privileged permission " + perm + " for package "
                        + pkg.packageName + " - not in privapp-permissions whitelist");
                        + pkg.packageName + " - not in privapp-permissions whitelist");
                // Only report violations for apps on system image
                // Only report violations for apps on system image
                if (!mSystemReady && !pkg.isUpdatedSystemApp()) {
                if (!mSystemReady && !pkg.isUpdatedSystemApp()) {
                    // it's only a reportable violation if the permission isn't explicitly denied
                    final ArraySet<String> deniedPermissions = SystemConfig.getInstance()
                            .getPrivAppDenyPermissions(pkg.packageName);
                    final boolean permissionViolation =
                            deniedPermissions == null || !deniedPermissions.contains(perm);
                    if (permissionViolation) {
                        if (mPrivappPermissionsViolations == null) {
                        if (mPrivappPermissionsViolations == null) {
                            mPrivappPermissionsViolations = new ArraySet<>();
                            mPrivappPermissionsViolations = new ArraySet<>();
                        }
                        }
                        mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm);
                        mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm);
                    } else {
                        return false;
                    }
                }
                }
                if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) {
                if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) {
                    return false;
                    return false;
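Review bot: The deny-list lookup sits inside `if (!mSystemReady && !pkg.isUpdatedSystemApp())`, so the new `return false` only applies during boot to packages that are not updated system apps. For an updated system app, or once the system is ready, an explicitly denied permission falls through to the `CONTROL_PRIVAPP_PERMISSIONS_ENFORCE` check and, with enforcement off, presumably reaches whatever grant logic follows the hunk. If `<deny-permission>` is meant as a denial rather than only a way to suppress the violation report, the lookup should be hoisted above that condition so the outcome does not depend on boot phase. Placed before the `Slog.w` call, it also stops the "not in privapp-permissions whitelist" warning from being logged for permissions that were denied on purpose. The method continues outside the hunk.

```java
            if (!whitelisted) {
                // An explicit <deny-permission> entry is a denial in every boot phase.
                final ArraySet<String> deniedPermissions = SystemConfig.getInstance()
                        .getPrivAppDenyPermissions(pkg.packageName);
                if (deniedPermissions != null && deniedPermissions.contains(perm)) {
                    return false;
                }
                // … unchanged: Slog.w warning …
                // … unchanged: violation bookkeeping, now without the deny lookup …
                // … unchanged: CONTROL_PRIVAPP_PERMISSIONS_ENFORCE check …
```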
+15 −0
@@ -148,6 +148,8 @@ class PackageManagerShellCommand extends ShellCommand {
                    return runSetHomeActivity();
                    return runSetHomeActivity();
                case "get-privapp-permissions":
                case "get-privapp-permissions":
                    return runGetPrivappPermissions();
                    return runGetPrivappPermissions();
                case "get-privapp-deny-permissions":
                    return runGetPrivappDenyPermissions();
                case "get-instantapp-resolver":
                case "get-instantapp-resolver":
                    return runGetInstantAppResolver();
                    return runGetInstantAppResolver();
                case "has-feature":
                case "has-feature":
@@ -1293,6 +1295,19 @@ class PackageManagerShellCommand extends ShellCommand {
        return 0;
        return 0;
    }
    }


    private int runGetPrivappDenyPermissions() {
        final String pkg = getNextArg();
        if (pkg == null) {
            System.err.println("Error: no package specified.");
            return 1;
        }
        ArraySet<String> privAppDenyPermissions =
                SystemConfig.getInstance().getPrivAppDenyPermissions(pkg);
        getOutPrintWriter().println(privAppDenyPermissions == null
                ? "{}" : privAppDenyPermissions.toString());
        return 0;
    }

    private int runGetInstantAppResolver() {
    private int runGetInstantAppResolver() {
        final PrintWriter pw = getOutPrintWriter();
        final PrintWriter pw = getOutPrintWriter();
        try {
        try {
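Review bot: The missing-argument error in `runGetPrivappDenyPermissions` is written with `System.err.println`, which inside a `ShellCommand` goes to the hosting process's stderr rather than to whoever invoked the command. `getErrPrintWriter().println("Error: no package specified.");` would deliver it to the caller, matching the way the method already uses `getOutPrintWriter()` for its normal output. The new `get-privapp-deny-permissions` verb should also get a line in the command's help text, which is not visible in these hunks. A short comment noting that `{}` is printed when the package has no deny list would help anyone scripting against the output.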