Loading services/core/java/com/android/server/notification/SnoozeHelper.java +2 −0 Original line number Diff line number Diff line Loading @@ -36,6 +36,7 @@ import android.util.Slog; import com.android.internal.annotations.VisibleForTesting; import com.android.internal.logging.MetricsLogger; import com.android.internal.logging.nano.MetricsProto; import com.android.server.pm.PackageManagerService; import org.xmlpull.v1.XmlPullParser; import org.xmlpull.v1.XmlPullParserException; Loading Loading @@ -330,6 +331,7 @@ public class SnoozeHelper { return PendingIntent.getBroadcast(mContext, REQUEST_CODE_REPOST, new Intent(REPOST_ACTION) .setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME) .setData(new Uri.Builder().scheme(REPOST_SCHEME).appendPath(key).build()) .addFlags(Intent.FLAG_RECEIVER_FOREGROUND) .putExtra(EXTRA_KEY, key) Loading services/core/java/com/android/server/pm/PackageManagerService.java +2 −0 Original line number Diff line number Diff line Loading @@ -12466,6 +12466,8 @@ public class PackageManagerService extends IPackageManager.Stub if (hasOldPkg) { mPermissionManager.revokeRuntimePermissionsIfGroupChanged(pkg, oldPkg, allPackageNames, mPermissionCallback); mPermissionManager.revokeStoragePermissionsIfScopeExpanded(pkg, oldPkg, mPermissionCallback); } if (hasPermissionDefinitionChanges) { mPermissionManager.revokeRuntimePermissionsIfPermissionDefinitionChanged( services/core/java/com/android/server/pm/permission/PermissionManagerService.java +65 −0 Original line number Diff line number Diff line Loading @@ -150,6 +150,9 @@ public class PermissionManagerService { private static final int USER_PERMISSION_FLAGS = FLAG_PERMISSION_USER_SET | FLAG_PERMISSION_USER_FIXED; /** All storage permissions */ private static final List<String> STORAGE_PERMISSIONS = new ArrayList<>(); /** If the permission of the value is granted, so is the key */ private static final Map<String, String> FULLER_PERMISSION_MAP = new HashMap<>(); Loading 
@@ -158,6 +161,9 @@ public class PermissionManagerService { Manifest.permission.ACCESS_FINE_LOCATION); FULLER_PERMISSION_MAP.put(Manifest.permission.INTERACT_ACROSS_USERS, Manifest.permission.INTERACT_ACROSS_USERS_FULL); STORAGE_PERMISSIONS.add(Manifest.permission.READ_EXTERNAL_STORAGE); STORAGE_PERMISSIONS.add(Manifest.permission.WRITE_EXTERNAL_STORAGE); STORAGE_PERMISSIONS.add(Manifest.permission.ACCESS_MEDIA_LOCATION); } /** Lock to protect internal data access */ Loading Loading 
@@ -589,6 +595,50 @@ public class PermissionManagerService { return protectionLevel; } /** * If the app is updated, and has scoped storage permissions, then it is possible that the * app updated in an attempt to get unscoped storage. If so, revoke all storage permissions. * @param newPackage The new package that was installed * @param oldPackage The old package that was updated */ private void revokeStoragePermissionsIfScopeExpanded( @NonNull PackageParser.Package newPackage, @NonNull PackageParser.Package oldPackage, @NonNull PermissionCallback permissionCallback) { boolean downgradedSdk = oldPackage.applicationInfo.targetSdkVersion >= Build.VERSION_CODES.Q && newPackage.applicationInfo.targetSdkVersion < Build.VERSION_CODES.Q; boolean upgradedSdk = oldPackage.applicationInfo.targetSdkVersion < Build.VERSION_CODES.Q && newPackage.applicationInfo.targetSdkVersion >= Build.VERSION_CODES.Q; boolean newlyRequestsLegacy = !upgradedSdk && !oldPackage.applicationInfo.hasRequestedLegacyExternalStorage() && newPackage.applicationInfo.hasRequestedLegacyExternalStorage(); if (!newlyRequestsLegacy && !downgradedSdk) { return; } final int callingUid = Binder.getCallingUid(); final int userId = UserHandle.getUserId(newPackage.applicationInfo.uid); int numRequestedPermissions = newPackage.requestedPermissions.size(); for (int i = 0; i < numRequestedPermissions; i++) { PermissionInfo permInfo = getPermissionInfo(newPackage.requestedPermissions.get(i), newPackage.packageName, 0, callingUid); if (permInfo == null || !STORAGE_PERMISSIONS.contains(permInfo.name)) { continue; } EventLog.writeEvent(0x534e4554, "171430330", newPackage.applicationInfo.uid, "Revoking permission " + permInfo.name + " from package " + newPackage.packageName + " as either the sdk downgraded " + downgradedSdk + " or newly requested legacy full storage " + newlyRequestsLegacy); revokeRuntimePermission(permInfo.name, newPackage.packageName, false, userId, permissionCallback); } } /** * We might auto-grant 
permissions if any permission of the group is already granted. Hence if * the group of a granted permission changes we need to revoke it to avoid having permissions of Loading Loading @@ -3119,6 +3169,21 @@ public class PermissionManagerService { public boolean isPermissionsReviewRequired(@NonNull Package pkg, @UserIdInt int userId) { return PermissionManagerService.this.isPermissionsReviewRequired(pkg, userId); } /** * If the app is updated, and has scoped storage permissions, then it is possible that the * app updated in an attempt to get unscoped storage. If so, revoke all storage permissions. * @param newPackage The new package that was installed * @param oldPackage The old package that was updated */ public void revokeStoragePermissionsIfScopeExpanded( @NonNull PackageParser.Package newPackage, @NonNull PackageParser.Package oldPackage, @NonNull PermissionCallback permissionCallback) { PermissionManagerService.this.revokeStoragePermissionsIfScopeExpanded(newPackage, oldPackage, permissionCallback); } @Override public void revokeRuntimePermissionsIfGroupChanged( @NonNull PackageParser.Package newPackage, Loading services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java +11 −0 Original line number Diff line number Diff line Loading 
@@ -126,6 +126,17 @@ public abstract class PermissionManagerServiceInternal extends PermissionManager @NonNull ArrayList<String> allPackageNames, @NonNull PermissionCallback permissionCallback); /** * If the app is updated, and has scoped storage permissions, then it is possible that the * app updated in an attempt to get unscoped storage. If so, revoke all storage permissions. * @param newPackage The new package that was installed * @param oldPackage The old package that was updated */ public abstract void revokeStoragePermissionsIfScopeExpanded( @NonNull PackageParser.Package newPackage, @NonNull PackageParser.Package oldPackage, @NonNull PermissionCallback permissionCallback); /** * Add all permissions in the given package. * <p> Loading services/core/java/com/android/server/wm/LockTaskController.java +5 −5 Original line number Diff line number Diff line Loading @@ -485,7 +485,7 @@ public class LockTaskController { setStatusBarState(LOCK_TASK_MODE_NONE, userId); setKeyguardState(LOCK_TASK_MODE_NONE, userId); if (mLockTaskModeState == LOCK_TASK_MODE_PINNED) { lockKeyguardIfNeeded(); lockKeyguardIfNeeded(userId); } if (getDevicePolicyManager() != null) { getDevicePolicyManager().notifyLockTaskModeChanged(false, null, userId); Loading Loading @@ -801,15 +801,15 @@ public class LockTaskController { * Helper method for locking the device immediately. This may be necessary when the device * leaves the pinned mode. */ private void lockKeyguardIfNeeded() { if (shouldLockKeyguard()) { private void lockKeyguardIfNeeded(int userId) { if (shouldLockKeyguard(userId)) { mWindowManager.lockNow(null); mWindowManager.dismissKeyguard(null /* callback */, null /* message */); getLockPatternUtils().requireCredentialEntry(USER_ALL); } } private boolean shouldLockKeyguard() { private boolean shouldLockKeyguard(int userId) { // This functionality should be kept consistent with // com.android.settings.security.ScreenPinningSettings (see b/127605586) try { Loading 
@@ -819,7 +819,7 @@ public class LockTaskController { } catch (Settings.SettingNotFoundException e) { // Log to SafetyNet for b/127605586 android.util.EventLog.writeEvent(0x534e4554, "127605586", -1, ""); return getLockPatternUtils().isSecure(USER_CURRENT); return getLockPatternUtils().isSecure(userId); } } Loading Loading
services/core/java/com/android/server/notification/SnoozeHelper.java +2 −0 Original line number Diff line number Diff line Loading @@ -36,6 +36,7 @@ import android.util.Slog; import com.android.internal.annotations.VisibleForTesting; import com.android.internal.logging.MetricsLogger; import com.android.internal.logging.nano.MetricsProto; import com.android.server.pm.PackageManagerService; import org.xmlpull.v1.XmlPullParser; import org.xmlpull.v1.XmlPullParserException; Loading Loading @@ -330,6 +331,7 @@ public class SnoozeHelper { return PendingIntent.getBroadcast(mContext, REQUEST_CODE_REPOST, new Intent(REPOST_ACTION) .setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME) .setData(new Uri.Builder().scheme(REPOST_SCHEME).appendPath(key).build()) .addFlags(Intent.FLAG_RECEIVER_FOREGROUND) .putExtra(EXTRA_KEY, key) Loading
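Review bot: The added `.setPackage(PackageManagerService.PLATFORM_PACKAGE_NAME)` line in the `@@ -330` hunk has no comment saying why the repost intent is pinned to the platform package, so a later cleanup could remove it as redundant. I would put `// Explicit package: the repost broadcast must only be deliverable to the system's own receiver.` above it. The `PendingIntent.getBroadcast(...)` call continues past the end of the hunk, so its flags argument is not visible here; it is worth confirming there that the PendingIntent is not left mutable. Importing `PackageManagerService` into the notification package for one constant is also a cross-package dependency that may be avoidable.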
services/core/java/com/android/server/pm/PackageManagerService.java +2 −0 Original line number Diff line number Diff line Loading @@ -12466,6 +12466,8 @@ public class PackageManagerService extends IPackageManager.Stub if (hasOldPkg) { mPermissionManager.revokeRuntimePermissionsIfGroupChanged(pkg, oldPkg, allPackageNames, mPermissionCallback); mPermissionManager.revokeStoragePermissionsIfScopeExpanded(pkg, oldPkg, mPermissionCallback); } if (hasPermissionDefinitionChanges) { mPermissionManager.revokeRuntimePermissionsIfPermissionDefinitionChanged(
services/core/java/com/android/server/pm/permission/PermissionManagerService.java +65 −0 Original line number Diff line number Diff line Loading @@ -150,6 +150,9 @@ public class PermissionManagerService { private static final int USER_PERMISSION_FLAGS = FLAG_PERMISSION_USER_SET | FLAG_PERMISSION_USER_FIXED; /** All storage permissions */ private static final List<String> STORAGE_PERMISSIONS = new ArrayList<>(); /** If the permission of the value is granted, so is the key */ private static final Map<String, String> FULLER_PERMISSION_MAP = new HashMap<>(); Loading @@ -158,6 +161,9 @@ public class PermissionManagerService { Manifest.permission.ACCESS_FINE_LOCATION); FULLER_PERMISSION_MAP.put(Manifest.permission.INTERACT_ACROSS_USERS, Manifest.permission.INTERACT_ACROSS_USERS_FULL); STORAGE_PERMISSIONS.add(Manifest.permission.READ_EXTERNAL_STORAGE); STORAGE_PERMISSIONS.add(Manifest.permission.WRITE_EXTERNAL_STORAGE); STORAGE_PERMISSIONS.add(Manifest.permission.ACCESS_MEDIA_LOCATION); } /** Lock to protect internal data access */ Loading Loading 
@@ -589,6 +595,50 @@ public class PermissionManagerService { return protectionLevel; } /** * If the app is updated, and has scoped storage permissions, then it is possible that the * app updated in an attempt to get unscoped storage. If so, revoke all storage permissions. * @param newPackage The new package that was installed * @param oldPackage The old package that was updated */ private void revokeStoragePermissionsIfScopeExpanded( @NonNull PackageParser.Package newPackage, @NonNull PackageParser.Package oldPackage, @NonNull PermissionCallback permissionCallback) { boolean downgradedSdk = oldPackage.applicationInfo.targetSdkVersion >= Build.VERSION_CODES.Q && newPackage.applicationInfo.targetSdkVersion < Build.VERSION_CODES.Q; boolean upgradedSdk = oldPackage.applicationInfo.targetSdkVersion < Build.VERSION_CODES.Q && newPackage.applicationInfo.targetSdkVersion >= Build.VERSION_CODES.Q; boolean newlyRequestsLegacy = !upgradedSdk && !oldPackage.applicationInfo.hasRequestedLegacyExternalStorage() && newPackage.applicationInfo.hasRequestedLegacyExternalStorage(); if (!newlyRequestsLegacy && !downgradedSdk) { return; } final int callingUid = Binder.getCallingUid(); final int userId = UserHandle.getUserId(newPackage.applicationInfo.uid); int numRequestedPermissions = newPackage.requestedPermissions.size(); for (int i = 0; i < numRequestedPermissions; i++) { PermissionInfo permInfo = getPermissionInfo(newPackage.requestedPermissions.get(i), newPackage.packageName, 0, callingUid); if (permInfo == null || !STORAGE_PERMISSIONS.contains(permInfo.name)) { continue; } EventLog.writeEvent(0x534e4554, "171430330", newPackage.applicationInfo.uid, "Revoking permission " + permInfo.name + " from package " + newPackage.packageName + " as either the sdk downgraded " + downgradedSdk + " or newly requested legacy full storage " + newlyRequestsLegacy); revokeRuntimePermission(permInfo.name, newPackage.packageName, false, userId, permissionCallback); } } /** * We might auto-grant 
permissions if any permission of the group is already granted. Hence if * the group of a granted permission changes we need to revoke it to avoid having permissions of Loading Loading @@ -3119,6 +3169,21 @@ public class PermissionManagerService { public boolean isPermissionsReviewRequired(@NonNull Package pkg, @UserIdInt int userId) { return PermissionManagerService.this.isPermissionsReviewRequired(pkg, userId); } /** * If the app is updated, and has scoped storage permissions, then it is possible that the * app updated in an attempt to get unscoped storage. If so, revoke all storage permissions. * @param newPackage The new package that was installed * @param oldPackage The old package that was updated */ public void revokeStoragePermissionsIfScopeExpanded( @NonNull PackageParser.Package newPackage, @NonNull PackageParser.Package oldPackage, @NonNull PermissionCallback permissionCallback) { PermissionManagerService.this.revokeStoragePermissionsIfScopeExpanded(newPackage, oldPackage, permissionCallback); } @Override public void revokeRuntimePermissionsIfGroupChanged( @NonNull PackageParser.Package newPackage, Loading
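Review bot: In `revokeStoragePermissionsIfScopeExpanded` (the `@@ -589` hunk) the revocation runs for one user only, `UserHandle.getUserId(newPackage.applicationInfo.uid)`; if the parsed package carries the base uid, as it appears to, storage grants held by the same app under other users or profiles survive the update. The loop over `requestedPermissions` should sit inside a loop over every user id the service knows about, in the form `for (int userId : userIds) { ... }`, where `userIds` is a placeholder for whatever user list this class already uses (not visible in the hunk). `revokeRuntimePermission` is called unguarded, so anything it throws would propagate into the package update path; whether it can throw for these permissions is not visible here. Smaller points: `STORAGE_PERMISSIONS` is a mutable `ArrayList` used only for `contains` and would read better as an unmodifiable set, and the new public wrapper in the `@@ -3119` hunk lacks the `@Override` that its neighbour `revokeRuntimePermissionsIfGroupChanged` carries.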
services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java +11 −0 Original line number Diff line number Diff line Loading @@ -126,6 +126,17 @@ public abstract class PermissionManagerServiceInternal extends PermissionManager @NonNull ArrayList<String> allPackageNames, @NonNull PermissionCallback permissionCallback); /** * If the app is updated, and has scoped storage permissions, then it is possible that the * app updated in an attempt to get unscoped storage. If so, revoke all storage permissions. * @param newPackage The new package that was installed * @param oldPackage The old package that was updated */ public abstract void revokeStoragePermissionsIfScopeExpanded( @NonNull PackageParser.Package newPackage, @NonNull PackageParser.Package oldPackage, @NonNull PermissionCallback permissionCallback); /** * Add all permissions in the given package. * <p> Loading
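Review bot: The Javadoc on the new abstract `revokeStoragePermissionsIfScopeExpanded` documents `newPackage` and `oldPackage` but not the third parameter; add a line such as `@param permissionCallback The callback used to report each revocation` (wording to be confirmed against how the callback is used). The summary says the app "has scoped storage permissions", while the implementation shown elsewhere in this commit keys on a target-SDK drop below Q or a newly requested legacy-storage flag. Naming those two triggers here would make the contract clear to callers and implementers.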
services/core/java/com/android/server/wm/LockTaskController.java +5 −5 Original line number Diff line number Diff line Loading @@ -485,7 +485,7 @@ public class LockTaskController { setStatusBarState(LOCK_TASK_MODE_NONE, userId); setKeyguardState(LOCK_TASK_MODE_NONE, userId); if (mLockTaskModeState == LOCK_TASK_MODE_PINNED) { lockKeyguardIfNeeded(); lockKeyguardIfNeeded(userId); } if (getDevicePolicyManager() != null) { getDevicePolicyManager().notifyLockTaskModeChanged(false, null, userId); Loading Loading @@ -801,15 +801,15 @@ public class LockTaskController { * Helper method for locking the device immediately. This may be necessary when the device * leaves the pinned mode. */ private void lockKeyguardIfNeeded() { if (shouldLockKeyguard()) { private void lockKeyguardIfNeeded(int userId) { if (shouldLockKeyguard(userId)) { mWindowManager.lockNow(null); mWindowManager.dismissKeyguard(null /* callback */, null /* message */); getLockPatternUtils().requireCredentialEntry(USER_ALL); } } private boolean shouldLockKeyguard() { private boolean shouldLockKeyguard(int userId) { // This functionality should be kept consistent with // com.android.settings.security.ScreenPinningSettings (see b/127605586) try { Loading @@ -819,7 +819,7 @@ public class LockTaskController { } catch (Settings.SettingNotFoundException e) { // Log to SafetyNet for b/127605586 android.util.EventLog.writeEvent(0x534e4554, "127605586", -1, ""); return getLockPatternUtils().isSecure(USER_CURRENT); return getLockPatternUtils().isSecure(userId); } } Loading
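Review bot: `shouldLockKeyguard(int userId)` uses its new argument only on the `SettingNotFoundException` fallback, `isSecure(userId)`; the `try` body falls between the `@@ -801` and `@@ -819` hunks and is not shown, so if the lock-on-unpin setting is still read for the current user there, the two paths can consult different users. It is worth checking that lookup and either passing `userId` to it or adding a comment explaining why it differs. `lockKeyguardIfNeeded(int userId)` still calls `requireCredentialEntry(USER_ALL)`, which is the stricter choice, but a short comment would stop it being narrowed to `userId` later by mistake. Both new parameters could carry the annotation, e.g. `private boolean shouldLockKeyguard(@UserIdInt int userId)`, if `@UserIdInt` is available in this file.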