Loading core/java/com/android/internal/os/RoSystemProperties.java +10 −2 Original line number Diff line number Diff line Loading @@ -27,8 +27,8 @@ public class RoSystemProperties { SystemProperties.getInt("ro.debuggable", 0) == 1; public static final int FACTORYTEST = SystemProperties.getInt("ro.factorytest", 0); public static final boolean CONTROL_PRIVAPP_PERMISSIONS = SystemProperties.getBoolean("ro.control_privapp_permissions", false); public static final String CONTROL_PRIVAPP_PERMISSIONS = SystemProperties.get("ro.control_privapp_permissions"); // ------ ro.config.* -------- // public static final boolean CONFIG_LOW_RAM = Loading @@ -50,4 +50,12 @@ public class RoSystemProperties { "file".equalsIgnoreCase(CRYPTO_TYPE); public static final boolean CRYPTO_BLOCK_ENCRYPTED = "block".equalsIgnoreCase(CRYPTO_TYPE); public static final boolean CONTROL_PRIVAPP_PERMISSIONS_LOG = "log".equalsIgnoreCase(CONTROL_PRIVAPP_PERMISSIONS); public static final boolean CONTROL_PRIVAPP_PERMISSIONS_ENFORCE = "enforce".equalsIgnoreCase(CONTROL_PRIVAPP_PERMISSIONS); public static final boolean CONTROL_PRIVAPP_PERMISSIONS_DISABLE = !CONTROL_PRIVAPP_PERMISSIONS_LOG && !CONTROL_PRIVAPP_PERMISSIONS_ENFORCE; } services/core/java/com/android/server/pm/PackageManagerService.java +6 −3 Original line number Diff line number Diff line Loading @@ -10531,18 +10531,21 @@ public class PackageManagerService extends IPackageManager.Stub { BasePermission bp, PermissionsState origPermissions) { boolean privilegedPermission = (bp.protectionLevel & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0; boolean controlPrivappPermissions = RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS; boolean privappPermissionsDisable = RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_DISABLE; boolean platformPermission = PLATFORM_PACKAGE_NAME.equals(bp.sourcePackage); boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName); if (controlPrivappPermissions && privilegedPermission && pkg.isPrivilegedApp() if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp() && !platformPackage && platformPermission) { ArraySet<String> wlPermissions = SystemConfig.getInstance() .getPrivAppPermissions(pkg.packageName); boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm); if (!whitelisted) { // Log for now. TODO Enforce permissions Slog.w(TAG, "Privileged permission " + perm + " for package " + pkg.packageName + " - not in privapp-permissions whitelist"); if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { return false; } } } boolean allowed = (compareSignatures( Loading services/tests/servicestests/src/com/android/server/pm/PackageManagerPresubmitTest.java +2 −2 Original line number Diff line number Diff line Loading @@ -90,9 +90,9 @@ public class PackageManagerPresubmitTest { boolean granted = (packageInfo.requestedPermissionsFlags[i] & PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0; assertTrue("Permission " + pName + " should be granted to " + testPackage, granted); // if CONTROL_PRIVAPP_PERMISSIONS enabled, platform permissions must be whitelisted // if privapp permissions are enforced, platform permissions must be whitelisted // in SystemConfig if (platformPermission && RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS) { if (platformPermission && RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { assertTrue("Permission " + pName + " should be declared in the xml file for package " + testPackage, Loading Loading
core/java/com/android/internal/os/RoSystemProperties.java +10 −2 Original line number Diff line number Diff line Loading @@ -27,8 +27,8 @@ public class RoSystemProperties { SystemProperties.getInt("ro.debuggable", 0) == 1; public static final int FACTORYTEST = SystemProperties.getInt("ro.factorytest", 0); public static final boolean CONTROL_PRIVAPP_PERMISSIONS = SystemProperties.getBoolean("ro.control_privapp_permissions", false); public static final String CONTROL_PRIVAPP_PERMISSIONS = SystemProperties.get("ro.control_privapp_permissions"); // ------ ro.config.* -------- // public static final boolean CONFIG_LOW_RAM = Loading @@ -50,4 +50,12 @@ public class RoSystemProperties { "file".equalsIgnoreCase(CRYPTO_TYPE); public static final boolean CRYPTO_BLOCK_ENCRYPTED = "block".equalsIgnoreCase(CRYPTO_TYPE); public static final boolean CONTROL_PRIVAPP_PERMISSIONS_LOG = "log".equalsIgnoreCase(CONTROL_PRIVAPP_PERMISSIONS); public static final boolean CONTROL_PRIVAPP_PERMISSIONS_ENFORCE = "enforce".equalsIgnoreCase(CONTROL_PRIVAPP_PERMISSIONS); public static final boolean CONTROL_PRIVAPP_PERMISSIONS_DISABLE = !CONTROL_PRIVAPP_PERMISSIONS_LOG && !CONTROL_PRIVAPP_PERMISSIONS_ENFORCE; }
services/core/java/com/android/server/pm/PackageManagerService.java +6 −3 Original line number Diff line number Diff line Loading @@ -10531,18 +10531,21 @@ public class PackageManagerService extends IPackageManager.Stub { BasePermission bp, PermissionsState origPermissions) { boolean privilegedPermission = (bp.protectionLevel & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0; boolean controlPrivappPermissions = RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS; boolean privappPermissionsDisable = RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_DISABLE; boolean platformPermission = PLATFORM_PACKAGE_NAME.equals(bp.sourcePackage); boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName); if (controlPrivappPermissions && privilegedPermission && pkg.isPrivilegedApp() if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp() && !platformPackage && platformPermission) { ArraySet<String> wlPermissions = SystemConfig.getInstance() .getPrivAppPermissions(pkg.packageName); boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm); if (!whitelisted) { // Log for now. TODO Enforce permissions Slog.w(TAG, "Privileged permission " + perm + " for package " + pkg.packageName + " - not in privapp-permissions whitelist"); if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { return false; } } } boolean allowed = (compareSignatures( Loading
services/tests/servicestests/src/com/android/server/pm/PackageManagerPresubmitTest.java +2 −2 Original line number Diff line number Diff line Loading @@ -90,9 +90,9 @@ public class PackageManagerPresubmitTest { boolean granted = (packageInfo.requestedPermissionsFlags[i] & PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0; assertTrue("Permission " + pName + " should be granted to " + testPackage, granted); // if CONTROL_PRIVAPP_PERMISSIONS enabled, platform permissions must be whitelisted // if privapp permissions are enforced, platform permissions must be whitelisted // in SystemConfig if (platformPermission && RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS) { if (platformPermission && RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { assertTrue("Permission " + pName + " should be declared in the xml file for package " + testPackage, Loading
