Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pre-Q storage perm should behave hard restricted

Browse Source 
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/policy:presubmit
Fixes: 131188778
Change-Id: If99dc99e8164156ae15f6617d0383513d505e15e
This commit is contained in:
Philip P. Moltmann
2019-05-30 08:27:19 -07:00
parent faa788aff0
commit 8625cdd03b
3 changed files with 57 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
services/core/java/com/android/server/pm/permission/PermissionManagerService.java
View File

@@ -97,6 +97,7 @@ import com.android.server.pm.SharedUserSetting;
import com.android.server.pm.UserManagerService;
import com.android.server.pm.permission.PermissionManagerServiceInternal.PermissionCallback;
import com.android.server.pm.permission.PermissionsState.PermissionState;
import com.android.server.policy.SoftRestrictedPermissionPolicy;
import libcore.util.EmptyArray;
@@ -2121,11 +2122,18 @@ public class PermissionManagerService {
if (bp.isHardRestricted()
&& (flags & PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) == 0) {
Log.e(TAG, "Cannot grant restricted non-exempt permission "
Log.e(TAG, "Cannot grant hard restricted non-exempt permission "
+ permName + " for package " + packageName);
return;
}
if (bp.isSoftRestricted() && !SoftRestrictedPermissionPolicy.forPermission(mContext,
pkg.applicationInfo, permName).canBeGranted()) {
Log.e(TAG, "Cannot grant soft restricted permission " + permName + " for package "
+ packageName);
return;
}
if (bp.isDevelopment()) {
// Development permissions must be handled specially, since they are not
// normal runtime permissions. For now they apply to all users.

43
services/core/java/com/android/server/policy/SoftRestrictedPermissionPolicy.java
View File

@@ -24,17 +24,29 @@ import static android.app.AppOpsManager.MODE_IGNORED;
import static android.app.AppOpsManager.OP_LEGACY_STORAGE;
import static android.app.AppOpsManager.OP_NONE;
import static android.content.pm.PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
import static android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
import android.annotation.NonNull;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.util.Log;
/**
* The behavior of soft restricted permissions is different for each permission. This class collects
* the policies in one place.
*/
public abstract class SoftRestrictedPermissionPolicy {
private static final String LOG_TAG = SoftRestrictedPermissionPolicy.class.getSimpleName();
private static final int FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT =
FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT
| FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT
| FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
private static final SoftRestrictedPermissionPolicy DUMMY_POLICY =
new SoftRestrictedPermissionPolicy() {
@Override
@@ -51,6 +63,11 @@ public abstract class SoftRestrictedPermissionPolicy {
public boolean shouldSetAppOpIfNotDefault() {
return false;
}
@Override
public boolean canBeGranted() {
return true;
}
};
/**
@@ -70,11 +87,13 @@ public abstract class SoftRestrictedPermissionPolicy {
// collections.
case READ_EXTERNAL_STORAGE:
case WRITE_EXTERNAL_STORAGE: {
boolean applyRestriction = (context.getPackageManager().getPermissionFlags(
permission, appInfo.packageName, context.getUser())
& FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
int flags = context.getPackageManager().getPermissionFlags(
permission, appInfo.packageName, context.getUser());
boolean applyRestriction = (flags & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
boolean isWhiteListed = (flags & FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) != 0;
boolean hasRequestedLegacyExternalStorage =
appInfo.hasRequestedLegacyExternalStorage();
int targetSDK = appInfo.targetSdkVersion;
return new SoftRestrictedPermissionPolicy() {
@Override
@@ -99,6 +118,19 @@ public abstract class SoftRestrictedPermissionPolicy {
// turn on isolated storage. This will make the app loose all its files.
return getAppOpMode() != MODE_IGNORED;
}
@Override
public boolean canBeGranted() {
if (isWhiteListed || targetSDK >= Build.VERSION_CODES.Q) {
return true;
} else {
Log.w(LOG_TAG, permission + " for " + appInfo.packageName
+ " is not whitelisted and targetSDK " + targetSDK + "<"
+ Build.VERSION_CODES.Q);
return false;
}
}
};
}
default:
@@ -122,4 +154,9 @@ public abstract class SoftRestrictedPermissionPolicy {
* {@link AppOpsManager#MODE_DEFAULT}.
*/
public abstract boolean shouldSetAppOpIfNotDefault();
/**
* @return If the permission can be granted
*/
public abstract boolean canBeGranted();
}

8
services/core/java/com/android/server/policy/TEST_MAPPING
View File

@@ -27,6 +27,14 @@
"exclude-annotation": "androidx.test.filters.FlakyTest"
}
]
},
{
"name": "CtsPermission2TestCases",
"options": [
{
"include-filter": "android.permission2.cts.RestrictedPermissionsTest"
}
]
}
],
"postsubmit": [