Loading core/java/android/permission/flags.aconfig +10 −0 Original line number Original line Diff line number Diff line Loading @@ -157,3 +157,13 @@ flag { bug: "266164193" bug: "266164193" } } flag { name: "ignore_apex_permissions" is_fixed_read_only: true namespace: "permissions" description: "Ignore APEX pacakges for permissions on V+" bug: "301320911" metadata { purpose: PURPOSE_BUGFIX } } services/permission/java/com/android/server/permission/access/AccessPolicy.kt +13 −0 Original line number Original line Diff line number Diff line Loading @@ -16,6 +16,7 @@ package com.android.server.permission.access package com.android.server.permission.access import android.permission.flags.Flags import android.util.Slog import android.util.Slog import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlSerializer import com.android.modules.utils.BinaryXmlSerializer Loading Loading @@ -78,6 +79,9 @@ private constructor( setPackageStates(packageStates) setPackageStates(packageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) packageStates.forEach { (_, packageState) -> packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } mutateAppIdPackageNames() mutateAppIdPackageNames() .mutateOrPut(packageState.appId) { MutableIndexedListSet() } .mutateOrPut(packageState.appId) { MutableIndexedListSet() } .add(packageState.packageName) .add(packageState.packageName) Loading 
@@ -103,6 +107,9 @@ private constructor( newState.mutateUserStatesNoWrite()[userId] = MutableUserState() newState.mutateUserStatesNoWrite()[userId] = MutableUserState() forEachSchemePolicy { with(it) { onUserAdded(userId) } } forEachSchemePolicy { with(it) { onUserAdded(userId) } } newState.externalState.packageStates.forEach { (_, packageState) -> newState.externalState.packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } upgradePackageVersion(packageState, userId) upgradePackageVersion(packageState, userId) } } } } Loading @@ -126,6 +133,9 @@ private constructor( setPackageStates(packageStates) setPackageStates(packageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) packageStates.forEach { (packageName, packageState) -> packageStates.forEach { (packageName, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } if (packageState.volumeUuid == volumeUuid) { if (packageState.volumeUuid == volumeUuid) { // The APK for a package on a mounted storage volume may still be unavailable // The APK for a package on a mounted storage volume may still be unavailable // due to APK being deleted, e.g. after an OTA. // due to APK being deleted, e.g. after an OTA. Loading 
@@ -151,6 +161,9 @@ private constructor( with(it) { onStorageVolumeMounted(volumeUuid, packageNames, isSystemUpdated) } with(it) { onStorageVolumeMounted(volumeUuid, packageNames, isSystemUpdated) } } } packageStates.forEach { (_, packageState) -> packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } if (packageState.volumeUuid == volumeUuid) { if (packageState.volumeUuid == volumeUuid) { newState.userStates.forEachIndexed { _, userId, _ -> newState.userStates.forEachIndexed { _, userId, _ -> upgradePackageVersion(packageState, userId) upgradePackageVersion(packageState, userId) Loading services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt +3 −0 Original line number Original line Diff line number Diff line Loading @@ -81,6 +81,9 @@ class AppIdPermissionPolicy : SchemePolicy() { override fun MutateStateScope.onUserAdded(userId: Int) { override fun MutateStateScope.onUserAdded(userId: Int) { newState.externalState.packageStates.forEach { (_, packageState) -> newState.externalState.packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } evaluateAllPermissionStatesForPackageAndUser(packageState, userId, null) evaluateAllPermissionStatesForPackageAndUser(packageState, userId, null) } } newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> Loading services/permission/java/com/android/server/permission/access/permission/PermissionService.kt +29 −2 Original line number Original line Diff line number Diff line Loading 
@@ -1445,6 +1445,9 @@ class PermissionService(private val service: AccessCheckingService) : val packageStates = packageManagerLocal.withUnfilteredSnapshot().use { it.packageStates } val packageStates = packageManagerLocal.withUnfilteredSnapshot().use { it.packageStates } service.mutateState { service.mutateState { packageStates.forEach { (packageName, packageState) -> packageStates.forEach { (packageName, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } val androidPackage = packageState.androidPackage ?: return@forEach val androidPackage = packageState.androidPackage ?: return@forEach androidPackage.requestedPermissions.forEach { permissionName -> androidPackage.requestedPermissions.forEach { permissionName -> updatePermissionFlags( updatePermissionFlags( Loading Loading @@ -1877,6 +1880,9 @@ class PermissionService(private val service: AccessCheckingService) : packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> service.mutateState { service.mutateState { snapshot.packageStates.forEach { (_, packageState) -> snapshot.packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } with(policy) { resetRuntimePermissions(packageState.packageName, userId) } with(policy) { resetRuntimePermissions(packageState.packageName, userId) } with(devicePolicy) { resetRuntimePermissions(packageState.packageName, userId) } with(devicePolicy) { resetRuntimePermissions(packageState.packageName, userId) } } } Loading Loading 
@@ -1918,8 +1924,11 @@ class PermissionService(private val service: AccessCheckingService) : } } packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> snapshot.packageStates.forEach packageStates@{ (_, packageState) -> snapshot.packageStates.forEach { (_, packageState) -> val androidPackage = packageState.androidPackage ?: return@packageStates if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } val androidPackage = packageState.androidPackage ?: return@forEach if (permissionName in androidPackage.requestedPermissions) { if (permissionName in androidPackage.requestedPermissions) { packageNames += androidPackage.packageName packageNames += androidPackage.packageName } } Loading @@ -1934,6 +1943,9 @@ class PermissionService(private val service: AccessCheckingService) : val permissions = service.getState { with(policy) { getPermissions() } } val permissions = service.getState { with(policy) { getPermissions() } } packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> snapshot.packageStates.forEach packageStates@{ (_, packageState) -> snapshot.packageStates.forEach packageStates@{ (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@packageStates } val androidPackage = packageState.androidPackage ?: return@packageStates val androidPackage = packageState.androidPackage ?: return@packageStates androidPackage.requestedPermissions.forEach requestedPermissions@{ permissionName -> androidPackage.requestedPermissions.forEach requestedPermissions@{ permissionName -> val permission = permissions[permissionName] ?: return@requestedPermissions val permission = permissions[permissionName] ?: return@requestedPermissions Loading Loading 
@@ -2060,6 +2072,9 @@ class PermissionService(private val service: AccessCheckingService) : val appIdPackageNames = MutableIndexedMap<Int, MutableIndexedSet<String>>() val appIdPackageNames = MutableIndexedMap<Int, MutableIndexedSet<String>>() packageStates.forEach { (_, packageState) -> packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } appIdPackageNames appIdPackageNames .getOrPut(packageState.appId) { MutableIndexedSet() } .getOrPut(packageState.appId) { MutableIndexedSet() } .add(packageState.packageName) .add(packageState.packageName) Loading Loading @@ -2313,6 +2328,10 @@ class PermissionService(private val service: AccessCheckingService) : isInstantApp: Boolean, isInstantApp: Boolean, oldPackage: AndroidPackage? oldPackage: AndroidPackage? ) { ) { if (Flags.ignoreApexPermissions() && packageState.isApex) { return } synchronized(storageVolumeLock) { synchronized(storageVolumeLock) { // Accumulating the package names here because we want to maintain the same call order // Accumulating the package names here because we want to maintain the same call order // of onPackageAdded() and reuse this order in onStorageVolumeAdded(). We need the // of onPackageAdded() and reuse this order in onStorageVolumeAdded(). We need the Loading 
@@ -2339,6 +2358,10 @@ class PermissionService(private val service: AccessCheckingService) : params: PermissionManagerServiceInternal.PackageInstalledParams, params: PermissionManagerServiceInternal.PackageInstalledParams, userId: Int userId: Int ) { ) { if (Flags.ignoreApexPermissions() && androidPackage.isApex) { return } if (params === PermissionManagerServiceInternal.PackageInstalledParams.DEFAULT) { if (params === PermissionManagerServiceInternal.PackageInstalledParams.DEFAULT) { // TODO: We should actually stop calling onPackageInstalled() when we are passing // TODO: We should actually stop calling onPackageInstalled() when we are passing // PackageInstalledParams.DEFAULT in InstallPackageHelper, because there's actually no // PackageInstalledParams.DEFAULT in InstallPackageHelper, because there's actually no Loading Loading @@ -2391,6 +2414,10 @@ class PermissionService(private val service: AccessCheckingService) : sharedUserPkgs: List<AndroidPackage>, sharedUserPkgs: List<AndroidPackage>, userId: Int userId: Int ) { ) { if (Flags.ignoreApexPermissions() && packageState.isApex) { return } val userIds = val userIds = if (userId == UserHandle.USER_ALL) { if (userId == UserHandle.USER_ALL) { userManagerService.userIdsIncludingPreCreated userManagerService.userIdsIncludingPreCreated Loading Loading
core/java/android/permission/flags.aconfig +10 −0 Original line number Original line Diff line number Diff line Loading @@ -157,3 +157,13 @@ flag { bug: "266164193" bug: "266164193" } } flag { name: "ignore_apex_permissions" is_fixed_read_only: true namespace: "permissions" description: "Ignore APEX pacakges for permissions on V+" bug: "301320911" metadata { purpose: PURPOSE_BUGFIX } }
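Review bot: The new flag's description misspells "packages" as "pacakges"; since this string is what flag tooling shows to whoever audits the rollout, it should read `description: "Ignore APEX packages for permissions on V+"`. The description also does not say what "ignore" covers. The Kotlin sections of this commit skip APEX packages when building `appIdPackageNames`, evaluating and upgrading permission state, and in the package added/installed callbacks, and a short phrase to that effect would help a reviewer judge the blast radius. With `is_fixed_read_only: true` the value is presumably baked in at build time, so it is worth noting in the description or the bug that turning this off needs a new build.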
services/permission/java/com/android/server/permission/access/AccessPolicy.kt +13 −0 Original line number Original line Diff line number Diff line Loading @@ -16,6 +16,7 @@ package com.android.server.permission.access package com.android.server.permission.access import android.permission.flags.Flags import android.util.Slog import android.util.Slog import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlPullParser import com.android.modules.utils.BinaryXmlSerializer import com.android.modules.utils.BinaryXmlSerializer Loading Loading @@ -78,6 +79,9 @@ private constructor( setPackageStates(packageStates) setPackageStates(packageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) packageStates.forEach { (_, packageState) -> packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } mutateAppIdPackageNames() mutateAppIdPackageNames() .mutateOrPut(packageState.appId) { MutableIndexedListSet() } .mutateOrPut(packageState.appId) { MutableIndexedListSet() } .add(packageState.packageName) .add(packageState.packageName) Loading @@ -103,6 +107,9 @@ private constructor( newState.mutateUserStatesNoWrite()[userId] = MutableUserState() newState.mutateUserStatesNoWrite()[userId] = MutableUserState() forEachSchemePolicy { with(it) { onUserAdded(userId) } } forEachSchemePolicy { with(it) { onUserAdded(userId) } } newState.externalState.packageStates.forEach { (_, packageState) -> newState.externalState.packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } upgradePackageVersion(packageState, userId) upgradePackageVersion(packageState, userId) } } } } Loading 
@@ -126,6 +133,9 @@ private constructor( setPackageStates(packageStates) setPackageStates(packageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) setDisabledSystemPackageStates(disabledSystemPackageStates) packageStates.forEach { (packageName, packageState) -> packageStates.forEach { (packageName, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } if (packageState.volumeUuid == volumeUuid) { if (packageState.volumeUuid == volumeUuid) { // The APK for a package on a mounted storage volume may still be unavailable // The APK for a package on a mounted storage volume may still be unavailable // due to APK being deleted, e.g. after an OTA. // due to APK being deleted, e.g. after an OTA. Loading @@ -151,6 +161,9 @@ private constructor( with(it) { onStorageVolumeMounted(volumeUuid, packageNames, isSystemUpdated) } with(it) { onStorageVolumeMounted(volumeUuid, packageNames, isSystemUpdated) } } } packageStates.forEach { (_, packageState) -> packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } if (packageState.volumeUuid == volumeUuid) { if (packageState.volumeUuid == volumeUuid) { newState.userStates.forEachIndexed { _, userId, _ -> newState.userStates.forEachIndexed { _, userId, _ -> upgradePackageVersion(packageState, userId) upgradePackageVersion(packageState, userId) Loading
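Review bot: The guard `if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach }` is copied into all four loops of this file and again in AppIdPermissionPolicy.kt and PermissionService.kt, while `setPackageStates(packageStates)` directly above the first and third loops still stores the unfiltered map. Because APEX entries remain in `externalState.packageStates`, a loop over that map that omits the guard would process packages that have no entry in `appIdPackageNames`. Putting the rule in one place, for example `private fun PackageState.isIgnoredForPermissions() = Flags.ignoreApexPermissions() && isApex`, with a one-line comment citing b/301320911, would make a missed site easier to spot in review. The enclosing functions start and end outside these hunks, so other iteration sites could not be checked from this page.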
services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt +3 −0 Original line number Original line Diff line number Diff line Loading @@ -81,6 +81,9 @@ class AppIdPermissionPolicy : SchemePolicy() { override fun MutateStateScope.onUserAdded(userId: Int) { override fun MutateStateScope.onUserAdded(userId: Int) { newState.externalState.packageStates.forEach { (_, packageState) -> newState.externalState.packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } evaluateAllPermissionStatesForPackageAndUser(packageState, userId, null) evaluateAllPermissionStatesForPackageAndUser(packageState, userId, null) } } newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> newState.externalState.appIdPackageNames.forEachIndexed { _, appId, _ -> Loading
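Review bot: The second loop in `onUserAdded`, over `newState.externalState.appIdPackageNames`, has no APEX guard and relies on AccessPolicy.kt having skipped APEX packages when it filled that map. That dependency is not stated in this hunk; a comment above the loop such as `// appIdPackageNames already excludes APEX packages when ignore_apex_permissions is on (see AccessPolicy)` would make it explicit. The section adds no import for `Flags`, so it is presumably already imported in this file. The rest of `onUserAdded` lies outside the hunk.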
services/permission/java/com/android/server/permission/access/permission/PermissionService.kt +29 −2 Original line number Original line Diff line number Diff line Loading @@ -1445,6 +1445,9 @@ class PermissionService(private val service: AccessCheckingService) : val packageStates = packageManagerLocal.withUnfilteredSnapshot().use { it.packageStates } val packageStates = packageManagerLocal.withUnfilteredSnapshot().use { it.packageStates } service.mutateState { service.mutateState { packageStates.forEach { (packageName, packageState) -> packageStates.forEach { (packageName, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } val androidPackage = packageState.androidPackage ?: return@forEach val androidPackage = packageState.androidPackage ?: return@forEach androidPackage.requestedPermissions.forEach { permissionName -> androidPackage.requestedPermissions.forEach { permissionName -> updatePermissionFlags( updatePermissionFlags( Loading Loading @@ -1877,6 +1880,9 @@ class PermissionService(private val service: AccessCheckingService) : packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> service.mutateState { service.mutateState { snapshot.packageStates.forEach { (_, packageState) -> snapshot.packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } with(policy) { resetRuntimePermissions(packageState.packageName, userId) } with(policy) { resetRuntimePermissions(packageState.packageName, userId) } with(devicePolicy) { resetRuntimePermissions(packageState.packageName, userId) } with(devicePolicy) { resetRuntimePermissions(packageState.packageName, userId) } } } Loading Loading 
@@ -1918,8 +1924,11 @@ class PermissionService(private val service: AccessCheckingService) : } } packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> snapshot.packageStates.forEach packageStates@{ (_, packageState) -> snapshot.packageStates.forEach { (_, packageState) -> val androidPackage = packageState.androidPackage ?: return@packageStates if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } val androidPackage = packageState.androidPackage ?: return@forEach if (permissionName in androidPackage.requestedPermissions) { if (permissionName in androidPackage.requestedPermissions) { packageNames += androidPackage.packageName packageNames += androidPackage.packageName } } Loading @@ -1934,6 +1943,9 @@ class PermissionService(private val service: AccessCheckingService) : val permissions = service.getState { with(policy) { getPermissions() } } val permissions = service.getState { with(policy) { getPermissions() } } packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> packageManagerLocal.withUnfilteredSnapshot().use { snapshot -> snapshot.packageStates.forEach packageStates@{ (_, packageState) -> snapshot.packageStates.forEach packageStates@{ (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@packageStates } val androidPackage = packageState.androidPackage ?: return@packageStates val androidPackage = packageState.androidPackage ?: return@packageStates androidPackage.requestedPermissions.forEach requestedPermissions@{ permissionName -> androidPackage.requestedPermissions.forEach requestedPermissions@{ permissionName -> val permission = permissions[permissionName] ?: return@requestedPermissions val permission = permissions[permissionName] ?: return@requestedPermissions Loading Loading 
@@ -2060,6 +2072,9 @@ class PermissionService(private val service: AccessCheckingService) : val appIdPackageNames = MutableIndexedMap<Int, MutableIndexedSet<String>>() val appIdPackageNames = MutableIndexedMap<Int, MutableIndexedSet<String>>() packageStates.forEach { (_, packageState) -> packageStates.forEach { (_, packageState) -> if (Flags.ignoreApexPermissions() && packageState.isApex) { return@forEach } appIdPackageNames appIdPackageNames .getOrPut(packageState.appId) { MutableIndexedSet() } .getOrPut(packageState.appId) { MutableIndexedSet() } .add(packageState.packageName) .add(packageState.packageName) Loading Loading @@ -2313,6 +2328,10 @@ class PermissionService(private val service: AccessCheckingService) : isInstantApp: Boolean, isInstantApp: Boolean, oldPackage: AndroidPackage? oldPackage: AndroidPackage? ) { ) { if (Flags.ignoreApexPermissions() && packageState.isApex) { return } synchronized(storageVolumeLock) { synchronized(storageVolumeLock) { // Accumulating the package names here because we want to maintain the same call order // Accumulating the package names here because we want to maintain the same call order // of onPackageAdded() and reuse this order in onStorageVolumeAdded(). We need the // of onPackageAdded() and reuse this order in onStorageVolumeAdded(). We need the Loading 
@@ -2339,6 +2358,10 @@ class PermissionService(private val service: AccessCheckingService) : params: PermissionManagerServiceInternal.PackageInstalledParams, params: PermissionManagerServiceInternal.PackageInstalledParams, userId: Int userId: Int ) { ) { if (Flags.ignoreApexPermissions() && androidPackage.isApex) { return } if (params === PermissionManagerServiceInternal.PackageInstalledParams.DEFAULT) { if (params === PermissionManagerServiceInternal.PackageInstalledParams.DEFAULT) { // TODO: We should actually stop calling onPackageInstalled() when we are passing // TODO: We should actually stop calling onPackageInstalled() when we are passing // PackageInstalledParams.DEFAULT in InstallPackageHelper, because there's actually no // PackageInstalledParams.DEFAULT in InstallPackageHelper, because there's actually no Loading Loading @@ -2391,6 +2414,10 @@ class PermissionService(private val service: AccessCheckingService) : sharedUserPkgs: List<AndroidPackage>, sharedUserPkgs: List<AndroidPackage>, userId: Int userId: Int ) { ) { if (Flags.ignoreApexPermissions() && packageState.isApex) { return } val userIds = val userIds = if (userId == UserHandle.USER_ALL) { if (userId == UserHandle.USER_ALL) { userManagerService.userIdsIncludingPreCreated userManagerService.userIdsIncludingPreCreated Loading
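Review bot: The early returns in the runtime-permission reset loop (@@ -1877) and in the callback at @@ -2391 also skip cleanup paths, not just grant paths. The name of that callback is outside the hunk, but its `sharedUserPkgs` parameter suggests it handles package removal. If a device carries APEX permission state persisted by a build without this flag, nothing visible here resets or removes it once the flag is on. Whether such state can exist, or is dropped on load, is not shown on this page. If it cannot exist, a comment at those two sites such as `// APEX packages never have permission state when ignore_apex_permissions is on (b/301320911)` would record the assumption. Separately, the hunk at @@ -1918 drops the `packageStates@` label in favour of `return@forEach` while the next hunk keeps `forEach packageStates@{` with `return@packageStates`; picking one form for both would read more consistently.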