Merge "Allow explicit permission denial" into oc-mr1-dev

2017-08-16 17:11:30 +00:00
parent 0480580696 74629e3183
commit 7fc53a11f8
3 changed files with 50 additions and 5 deletions
--- a/core/java/com/android/server/SystemConfig.java
+++ b/core/java/com/android/server/SystemConfig.java
@@ -141,6 +141,7 @@ public class SystemConfig {


    final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>();
+    final ArrayMap<String, ArraySet<String>> mPrivAppDenyPermissions = new ArrayMap<>();

    public static SystemConfig getInstance() {
        synchronized (SystemConfig.class) {
@@ -219,6 +220,10 @@ public class SystemConfig {
        return mPrivAppPermissions.get(packageName);
    }

+    public ArraySet<String> getPrivAppDenyPermissions(String packageName) {
+        return mPrivAppDenyPermissions.get(packageName);
+    }
+
    SystemConfig() {
        // Read configuration from system
        readPermissions(Environment.buildPath(
@@ -660,6 +665,7 @@ public class SystemConfig {
        if (permissions == null) {
            permissions = new ArraySet<>();
        }
+        ArraySet<String> denyPermissions = mPrivAppDenyPermissions.get(packageName);
        int depth = parser.getDepth();
        while (XmlUtils.nextElementWithin(parser, depth)) {
            String name = parser.getName();
@@ -671,8 +677,22 @@ public class SystemConfig {
                    continue;
                }
                permissions.add(permName);
+            } else if ("deny-permission".equals(name)) {
+                String permName = parser.getAttributeValue(null, "name");
+                if (TextUtils.isEmpty(permName)) {
+                    Slog.w(TAG, "name is required for <deny-permission> in "
+                            + parser.getPositionDescription());
+                    continue;
+                }
+                if (denyPermissions == null) {
+                    denyPermissions = new ArraySet<>();
+                }
+                denyPermissions.add(permName);
            }
        }
        mPrivAppPermissions.put(packageName, permissions);
+        if (denyPermissions != null) {
+            mPrivAppDenyPermissions.put(packageName, denyPermissions);
+        }
    }
 }
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -13191,18 +13191,28 @@ public class PackageManagerService extends IPackageManager.Stub
        boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName);
        if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp()
                && !platformPackage && platformPermission) {
-            ArraySet<String> wlPermissions = SystemConfig.getInstance()
+            final ArraySet<String> allowedPermissions = SystemConfig.getInstance()
                    .getPrivAppPermissions(pkg.packageName);
-            boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm);
+            final boolean whitelisted =
+                    allowedPermissions != null && allowedPermissions.contains(perm);
            if (!whitelisted) {
                Slog.w(TAG, "Privileged permission " + perm + " for package "
                        + pkg.packageName + " - not in privapp-permissions whitelist");
                // Only report violations for apps on system image
                if (!mSystemReady && !pkg.isUpdatedSystemApp()) {
-                    if (mPrivappPermissionsViolations == null) {
-                        mPrivappPermissionsViolations = new ArraySet<>();
+                    // it's only a reportable violation if the permission isn't explicitly denied
+                    final ArraySet<String> deniedPermissions = SystemConfig.getInstance()
+                            .getPrivAppDenyPermissions(pkg.packageName);
+                    final boolean permissionViolation =
+                            deniedPermissions == null || !deniedPermissions.contains(perm);
+                    if (permissionViolation) {
+                        if (mPrivappPermissionsViolations == null) {
+                            mPrivappPermissionsViolations = new ArraySet<>();
+                        }
+                        mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm);
+                    } else {
+                        return false;
                    }
-                    mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm);
                }
                if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) {
                    return false;
--- a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
+++ b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
@@ -148,6 +148,8 @@ class PackageManagerShellCommand extends ShellCommand {
                    return runSetHomeActivity();
                case "get-privapp-permissions":
                    return runGetPrivappPermissions();
+                case "get-privapp-deny-permissions":
+                    return runGetPrivappDenyPermissions();
                case "get-instantapp-resolver":
                    return runGetInstantAppResolver();
                case "has-feature":
@@ -1293,6 +1295,19 @@ class PackageManagerShellCommand extends ShellCommand {
        return 0;
    }

+    private int runGetPrivappDenyPermissions() {
+        final String pkg = getNextArg();
+        if (pkg == null) {
+            System.err.println("Error: no package specified.");
+            return 1;
+        }
+        ArraySet<String> privAppDenyPermissions =
+                SystemConfig.getInstance().getPrivAppDenyPermissions(pkg);
+        getOutPrintWriter().println(privAppDenyPermissions == null
+                ? "{}" : privAppDenyPermissions.toString());
+        return 0;
+    }
+
    private int runGetInstantAppResolver() {
        final PrintWriter pw = getOutPrintWriter();
        try {