
Commit f72b614d authored by Hai Zhang's avatar Hai Zhang Committed by Android Build Coastguard Worker

Preserve flags for non-runtime permissions upon package update.

PermissionManagerServiceImpl.restorePermissionState() creates a new
UID permission state for non-shared-UID packages that have been
updated (i.e. replaced), however the existing logic for non-runtime
permission never carried over the flags from the old state. This
wasn't an issue for much older platforms because permission flags
weren't used for non-runtime permissions, however since we are
starting to use them for role protected permissions (ROLE_GRANTED) and
app op permissions (USER_SET), we do need to preserve the permission
flags.

This change merges the logic for granting and revoking a non-runtime
permission in restorePermissionState() into a single if branch, and
appends the logic to copy the flag from the old state in that branch.

Bug: 283006437
Test: PermissionFlagsTest#nonRuntimePermissionFlagsPreservedAfterReinstall
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:98f78c885d2c9e5d88a4636b1ed36d723ca9261f)
Merged-In: Iea3c66710e7d28c6fc730b1939da64f1172b08db
Change-Id: Iea3c66710e7d28c6fc730b1939da64f1172b08db
parent 5f15f790
+50 −38
@@ -2784,6 +2784,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
                                + pkg.getPackageName());
                                + pkg.getPackageName());
                    }
                    }


                    if (bp.isNormal() || bp.isSignature() || bp.isInternal()) {
                        if ((bp.isNormal() && shouldGrantNormalPermission)
                        if ((bp.isNormal() && shouldGrantNormalPermission)
                                || (bp.isSignature()
                                || (bp.isSignature()
                                        && (!bp.isPrivileged() || CollectionUtils.contains(
                                        && (!bp.isPrivileged() || CollectionUtils.contains(
@@ -2792,8 +2793,10 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
                                                permName)
                                                permName)
                                                || (((bp.isPrivileged() && CollectionUtils.contains(
                                                || (((bp.isPrivileged() && CollectionUtils.contains(
                                                        shouldGrantPrivilegedPermissionIfWasGranted,
                                                        shouldGrantPrivilegedPermissionIfWasGranted,
                                                    permName)) || bp.isDevelopment() || bp.isRole())
                                                        permName)) || bp.isDevelopment()
                                                    && origState.isPermissionGranted(permName))))
                                                                || bp.isRole())
                                                        && origState.isPermissionGranted(
                                                                permName))))
                                || (bp.isInternal()
                                || (bp.isInternal()
                                        && (!bp.isPrivileged() || CollectionUtils.contains(
                                        && (!bp.isPrivileged() || CollectionUtils.contains(
                                                isPrivilegedPermissionAllowlisted, permName))
                                                isPrivilegedPermissionAllowlisted, permName))
@@ -2801,12 +2804,35 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
                                                permName)
                                                permName)
                                                || (((bp.isPrivileged() && CollectionUtils.contains(
                                                || (((bp.isPrivileged() && CollectionUtils.contains(
                                                        shouldGrantPrivilegedPermissionIfWasGranted,
                                                        shouldGrantPrivilegedPermissionIfWasGranted,
                                                    permName)) || bp.isDevelopment() || bp.isRole())
                                                        permName)) || bp.isDevelopment()
                                                    && origState.isPermissionGranted(permName))))) {
                                                                || bp.isRole())
                                                        && origState.isPermissionGranted(
                                                                permName))))) {
                            // Grant an install permission.
                            // Grant an install permission.
                            if (uidState.grantPermission(bp)) {
                            if (uidState.grantPermission(bp)) {
                                changedInstallPermission = true;
                                changedInstallPermission = true;
                            }
                            }
                        } else {
                            if (DEBUG_PERMISSIONS) {
                                boolean wasGranted = uidState.isPermissionGranted(bp.getName());
                                if (wasGranted || bp.isAppOp()) {
                                    Slog.i(TAG, (wasGranted ? "Un-granting" : "Not granting")
                                            + " permission " + perm
                                            + " from package " + friendlyName
                                            + " (protectionLevel=" + bp.getProtectionLevel()
                                            + " flags=0x"
                                            + Integer.toHexString(PackageInfoUtils.appInfoFlags(pkg,
                                            ps))
                                            + ")");
                                }
                            }
                            if (uidState.revokePermission(bp)) {
                                changedInstallPermission = true;
                            }
                        }
                        PermissionState origPermState = origState.getPermissionState(perm);
                        int flags = origPermState != null ? origPermState.getFlags() : 0;
                        uidState.updatePermissionFlags(bp, MASK_PERMISSION_FLAGS_ALL, flags);
                    } else if (bp.isRuntime()) {
                    } else if (bp.isRuntime()) {
                        boolean hardRestricted = bp.isHardRestricted();
                        boolean hardRestricted = bp.isHardRestricted();
                        boolean softRestricted = bp.isSoftRestricted();
                        boolean softRestricted = bp.isSoftRestricted();
@@ -2930,22 +2956,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
                        uidState.updatePermissionFlags(bp, MASK_PERMISSION_FLAGS_ALL,
                        uidState.updatePermissionFlags(bp, MASK_PERMISSION_FLAGS_ALL,
                                flags);
                                flags);
                    } else {
                    } else {
                        if (DEBUG_PERMISSIONS) {
                        Slog.wtf(LOG_TAG, "Unknown permission protection " + bp.getProtection()
                            boolean wasGranted = uidState.isPermissionGranted(bp.getName());
                                + " for permission " + bp.getName());
                            if (wasGranted || bp.isAppOp()) {
                                Slog.i(TAG, (wasGranted ? "Un-granting" : "Not granting")
                                        + " permission " + perm
                                        + " from package " + friendlyName
                                        + " (protectionLevel=" + bp.getProtectionLevel()
                                        + " flags=0x"
                                        + Integer.toHexString(PackageInfoUtils.appInfoFlags(pkg,
                                                ps))
                                        + ")");
                            }
                        }
                        if (uidState.removePermissionState(bp.getName())) {
                            changedInstallPermission = true;
                        }
                    }
                    }
                }
                }
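Review bot: The flag copy placed after the grant/revoke `if`/`else` in the third hunk runs on both paths and uses `MASK_PERMISSION_FLAGS_ALL`, so a permission that was just revoked still inherits every flag the old state held for it. The description only motivates keeping ROLE_GRANTED and USER_SET; if `origState` can carry flags that were set while the permission had a different protection type (not visible here), those would now be restored onto a normal, signature or internal permission as well. I would add a comment above the copy stating the intent, for example `// Carry over flags from the old state on update; non-runtime permissions now use them (role, app op).`, and confirm with a test that flags on a revoked permission are meant to survive. The last hunk also stops calling `removePermissionState()` in the fallback `else` and only logs, which deserves a sentence in the description if stale state for an unknown protection can exist. restorePermissionState() begins and ends outside the visible hunks.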