Merge "Change camera/microphone AppOps cutoff to PROCESS_STATE_BOUND_FOREGROUND_SERVICE" into rvc-dev

2020-03-05 02:13:21 +00:00
parent e5d57d4add bb866ad23a
commit 769f07684b
2 changed files with 48 additions and 28 deletions
--- a/services/core/java/com/android/server/am/OomAdjuster.java
+++ b/services/core/java/com/android/server/am/OomAdjuster.java
@@ -33,6 +33,8 @@ import static android.app.ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND;
 import static android.app.ActivityManager.PROCESS_STATE_IMPORTANT_FOREGROUND;
 import static android.app.ActivityManager.PROCESS_STATE_LAST_ACTIVITY;
 import static android.app.ActivityManager.PROCESS_STATE_NONEXISTENT;
+import static android.app.ActivityManager.PROCESS_STATE_PERSISTENT;
+import static android.app.ActivityManager.PROCESS_STATE_PERSISTENT_UI;
 import static android.app.ActivityManager.PROCESS_STATE_SERVICE;
 import static android.app.ActivityManager.PROCESS_STATE_TOP;
 import static android.app.ActivityManager.PROCESS_STATE_TRANSIENT_BACKGROUND;
@@ -1697,13 +1699,13 @@ public final class OomAdjuster {
                                if (enabled) {
                                    if (cr.hasFlag(Context.BIND_INCLUDE_CAPABILITIES)) {
                                        // TOP process passes all capabilities to the service.
-                                        capability = PROCESS_CAPABILITY_ALL;
+                                        capability |= PROCESS_CAPABILITY_ALL;
                                    } else {
                                        // TOP process passes no capability to the service.
                                    }
                                } else {
                                    // TOP process passes all capabilities to the service.
-                                    capability = PROCESS_CAPABILITY_ALL;
+                                    capability |= PROCESS_CAPABILITY_ALL;
                                }
                            } else if (clientProcState
                                    <= PROCESS_STATE_FOREGROUND_SERVICE) {
@@ -2004,17 +2006,9 @@ public final class OomAdjuster {
        // apply capability from FGS.
        if (app.hasForegroundServices()) {
            capability |= capabilityFromFGS;
-        } else if (!ActivityManager.isProcStateBackground(procState)) {
-            // procState higher than PROCESS_STATE_BOUND_FOREGROUND_SERVICE implicitly has
-            // camera/microphone capability
-            //TODO: remove this line when enforcing the feature.
-            capability |= PROCESS_CAPABILITY_ALL_IMPLICIT;
        }

-        // TOP process has all capabilities.
-        if (procState <= PROCESS_STATE_TOP) {
-            capability = PROCESS_CAPABILITY_ALL;
-        }
+        capability |= getDefaultCapability(app, procState);

        // Do final modification to adj.  Everything we do between here and applying
        // the final setAdj must be done in this function, because we will also use
@@ -2034,6 +2028,30 @@ public final class OomAdjuster {
                || app.curCapability != prevCapability ;
    }

+    private int getDefaultCapability(ProcessRecord app, int procState) {
+        switch (procState) {
+            case PROCESS_STATE_PERSISTENT:
+            case PROCESS_STATE_PERSISTENT_UI:
+            case PROCESS_STATE_TOP:
+                return PROCESS_CAPABILITY_ALL;
+            case PROCESS_STATE_BOUND_TOP:
+                return PROCESS_CAPABILITY_ALL_IMPLICIT;
+            case PROCESS_STATE_FOREGROUND_SERVICE:
+                if (app.hasForegroundServices()) {
+                    // Capability from FGS are conditional depending on foreground service type in
+                    // manifest file and the mAllowWhileInUsePermissionInFgs flag.
+                    return PROCESS_CAPABILITY_NONE;
+                } else {
+                    // process has no FGS, the PROCESS_STATE_FOREGROUND_SERVICE is from client.
+                    return PROCESS_CAPABILITY_ALL_IMPLICIT;
+                }
+            case PROCESS_STATE_BOUND_FOREGROUND_SERVICE:
+                return PROCESS_CAPABILITY_ALL_IMPLICIT;
+            default:
+                return PROCESS_CAPABILITY_NONE;
+        }
+    }
+
    /**
     * Checks if for the given app and client, there's a cycle that should skip over the client
     * for now or use partial values to evaluate the effect of the client binding.
--- a/services/core/java/com/android/server/appop/AppOpsService.java
+++ b/services/core/java/com/android/server/appop/AppOpsService.java
@@ -29,6 +29,8 @@ import static android.app.AppOpsManager.KEY_BG_STATE_SETTLE_TIME;
 import static android.app.AppOpsManager.KEY_FG_SERVICE_STATE_SETTLE_TIME;
 import static android.app.AppOpsManager.KEY_TOP_STATE_SETTLE_TIME;
 import static android.app.AppOpsManager.MODE_ALLOWED;
+import static android.app.AppOpsManager.MODE_FOREGROUND;
+import static android.app.AppOpsManager.MODE_IGNORED;
 import static android.app.AppOpsManager.NoteOpEvent;
 import static android.app.AppOpsManager.OP_CAMERA;
 import static android.app.AppOpsManager.OP_FLAGS_ALL;
@@ -515,12 +517,12 @@ public class AppOpsService extends IAppOpsService.Stub {
        }

        int evalMode(int op, int mode) {
-            if (mode == AppOpsManager.MODE_FOREGROUND) {
+            if (mode == MODE_FOREGROUND) {
                if (appWidgetVisible) {
                    return MODE_ALLOWED;
                } else if (state <= UID_STATE_TOP) {
-                    // process is in foreground.
-                    return AppOpsManager.MODE_ALLOWED;
+                    // process is in TOP.
+                    return MODE_ALLOWED;
                } else if (state <= AppOpsManager.resolveFirstUnrestrictedUidState(op)) {
                    // process is in foreground, check its capability.
                    switch (op) {
@@ -529,53 +531,53 @@ public class AppOpsService extends IAppOpsService.Stub {
                        case AppOpsManager.OP_MONITOR_LOCATION:
                        case AppOpsManager.OP_MONITOR_HIGH_POWER_LOCATION:
                            if ((capability & PROCESS_CAPABILITY_FOREGROUND_LOCATION) != 0) {
-                                return AppOpsManager.MODE_ALLOWED;
+                                return MODE_ALLOWED;
                            } else if ((capability
                                    & TEMP_PROCESS_CAPABILITY_FOREGROUND_LOCATION) != 0) {
                                // The FGS has the location capability, but due to FGS BG start
                                // restriction it lost the capability, use temp location capability
                                // to mark this case.
                                maybeShowWhileInUseDebugToast(op, mode);
-                                return AppOpsManager.MODE_IGNORED;
+                                return MODE_IGNORED;
                            } else {
-                                return AppOpsManager.MODE_IGNORED;
+                                return MODE_IGNORED;
                            }
                        case OP_CAMERA:
                            if ((capability & PROCESS_CAPABILITY_FOREGROUND_CAMERA) != 0) {
-                                return AppOpsManager.MODE_ALLOWED;
+                                return MODE_ALLOWED;
                            } else {
                                maybeShowWhileInUseDebugToast(op, mode);
-                                return AppOpsManager.MODE_IGNORED;
+                                return MODE_IGNORED;
                            }
                        case OP_RECORD_AUDIO:
                            if ((capability & PROCESS_CAPABILITY_FOREGROUND_MICROPHONE) != 0) {
-                                return AppOpsManager.MODE_ALLOWED;
+                                return MODE_ALLOWED;
                            } else {
                                maybeShowWhileInUseDebugToast(op, mode);
-                                return AppOpsManager.MODE_IGNORED;
+                                return MODE_IGNORED;
                            }
                        default:
-                            return AppOpsManager.MODE_ALLOWED;
+                            return MODE_ALLOWED;
                    }
                } else {
                    // process is not in foreground.
-                    return AppOpsManager.MODE_IGNORED;
+                    return MODE_IGNORED;
                }
-            } else if (mode == AppOpsManager.MODE_ALLOWED) {
+            } else if (mode == MODE_ALLOWED) {
                switch (op) {
                    case OP_CAMERA:
                        if ((capability & PROCESS_CAPABILITY_FOREGROUND_CAMERA) != 0) {
-                            return AppOpsManager.MODE_ALLOWED;
+                            return MODE_ALLOWED;
                        } else {
                            maybeShowWhileInUseDebugToast(op, mode);
-                            return AppOpsManager.MODE_IGNORED;
+                            return MODE_IGNORED;
                        }
                    case OP_RECORD_AUDIO:
                        if ((capability & PROCESS_CAPABILITY_FOREGROUND_MICROPHONE) != 0) {
-                            return AppOpsManager.MODE_ALLOWED;
+                            return MODE_ALLOWED;
                        } else {
                            maybeShowWhileInUseDebugToast(op, mode);
-                            return AppOpsManager.MODE_IGNORED;
+                            return MODE_IGNORED;
                        }
                    default:
                        return MODE_ALLOWED;