Merge "Enforce BACKUP permission for BackupManager#excludeKeysFromRestore()" into rvc-dev am: 8700a941f6 am: 99fab9ca81

Change-Id: I93925be43d038fe88a2633f138b7c01f671b4e86

services/backup/java/com/android/server/backup/UserBackupManagerService.java

@@ -3120,6 +3120,8 @@ public class UserBackupManagerService {
      * to the backup agent during restore.
      */
     public void excludeKeysFromRestore(String packageName, List<String> keys) {
+        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
+                "excludeKeysFromRestore");
         mBackupPreferences.addExcludedKeys(packageName, keys);
     }
 

services/robotests/backup/src/com/android/server/backup/UserBackupManagerServiceTest.java

@@ -85,6 +85,7 @@ import java.io.FileDescriptor;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.util.ArrayList;
 import java.util.List;
 
 /**
@@ -519,6 +520,23 @@ public class UserBackupManagerServiceTest {
         expectThrows(SecurityException.class, backupManagerService::getCurrentTransportComponent);
     }
 
+    /**
+     * Test verifying that {@link UserBackupManagerService#excludeKeysFromRestore(String, List)}
+     * throws a {@link SecurityException} if the caller does not have backup permission.
+     */
+    @Test
+    public void testExcludeKeysFromRestore_withoutPermission() throws Exception {
+        mShadowContext.denyPermissions(android.Manifest.permission.BACKUP);
+        UserBackupManagerService backupManagerService = createUserBackupManagerServiceAndRunTasks();
+
+        expectThrows(
+                SecurityException.class,
+                () ->
+                        backupManagerService.excludeKeysFromRestore(
+                                PACKAGE_1,
+                                new ArrayList<String>(){}));
+    }
+
     /* Tests for updating transport attributes */
 
     private static final int PACKAGE_UID = 10;