From a8333192aaa747e23efa6d779ef8eebf01e24ee0 Mon Sep 17 00:00:00 2001
From: Justin Yun
Date: Tue, 26 May 2020 15:54:31 +0900
Subject: [PATCH] Product partition must have limited system configs.

Specify the system configurations that can be updated from the product partition. We must clean up some of these system configs from the product partition.

Bug: 157203468
Test: device boot
Change-Id: I40af2f31427531bb0a1ed0e6ea7566473d3e3f50
---
 .../java/com/android/server/SystemConfig.java | 53 +++++++++++++------
 1 file changed, 36 insertions(+), 17 deletions(-)

diff --git a/core/java/com/android/server/SystemConfig.java b/core/java/com/android/server/SystemConfig.java
index 21ca948fa89cb..f5bd3dffa6441 100644
--- a/core/java/com/android/server/SystemConfig.java
+++ b/core/java/com/android/server/SystemConfig.java
@@ -69,14 +69,19 @@ public class SystemConfig {
 static SystemConfig sInstance;
 
 // permission flag, determines which types of configuration are allowed to be read
- private static final int ALLOW_FEATURES = 0x01;
- private static final int ALLOW_LIBS = 0x02;
- private static final int ALLOW_PERMISSIONS = 0x04;
- private static final int ALLOW_APP_CONFIGS = 0x08;
- private static final int ALLOW_PRIVAPP_PERMISSIONS = 0x10;
- private static final int ALLOW_OEM_PERMISSIONS = 0x20;
- private static final int ALLOW_HIDDENAPI_WHITELISTING = 0x40;
- private static final int ALLOW_ASSOCIATIONS = 0x80;
+ private static final int ALLOW_FEATURES = 0x001;
+ private static final int ALLOW_LIBS = 0x002;
+ private static final int ALLOW_PERMISSIONS = 0x004;
+ private static final int ALLOW_APP_CONFIGS = 0x008;
+ private static final int ALLOW_PRIVAPP_PERMISSIONS = 0x010;
+ private static final int ALLOW_OEM_PERMISSIONS = 0x020;
+ private static final int ALLOW_HIDDENAPI_WHITELISTING = 0x040;
+ private static final int ALLOW_ASSOCIATIONS = 0x080;
+ // ALLOW_OVERRIDE_APP_RESTRICTIONS allows to use "allow-in-power-save-except-idle",
+ // "allow-in-power-save", "allow-in-data-usage-save", "allow-unthrottled-location",
+ // and "allow-ignore-location-settings".
+ private static final int ALLOW_OVERRIDE_APP_RESTRICTIONS = 0x100;
+ private static final int ALLOW_IMPLICIT_BROADCASTS = 0x200;
 private static final int ALLOW_ALL = ~0;
 
 // property for runtime configuration differentiation
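Review bot: The new ALLOW_IMPLICIT_BROADCASTS constant carries no comment saying which tag it gates, while the ALLOW_OVERRIDE_APP_RESTRICTIONS comment directly above enumerates its five tags; whoever next decides which partitions may carry the bit has to search readPermissions to find out. Suggest `// ALLOW_IMPLICIT_BROADCASTS allows to use "allow-implicit-broadcast".` above the declaration. It would also help to say in the ALLOW_OVERRIDE_APP_RESTRICTIONS comment that two of its tags, `allow-unthrottled-location` and `allow-ignore-location-settings`, appear by their names to be location-privacy overrides rather than power or data-saver exemptions, since this grouping is what decides which partitions receive them. The class body continues beyond the hunk.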
@@ -513,11 +518,21 @@ public class SystemConfig {
 readPermissions(Environment.buildPath(
 Environment.getOemDirectory(), "etc", "permissions"), oemPermissionFlag);
 
- // Allow Product to customize all system configs
+ // Allow Product to customize these configs
+ // TODO(b/157203468): ALLOW_HIDDENAPI_WHITELISTING must be removed because we prohibited
+ // the use of hidden APIs from the product partition.
+ int productPermissionFlag = ALLOW_FEATURES | ALLOW_LIBS | ALLOW_PERMISSIONS
+ | ALLOW_APP_CONFIGS | ALLOW_PRIVAPP_PERMISSIONS | ALLOW_HIDDENAPI_WHITELISTING
+ | ALLOW_ASSOCIATIONS | ALLOW_OVERRIDE_APP_RESTRICTIONS | ALLOW_IMPLICIT_BROADCASTS;
+ if (Build.VERSION.FIRST_SDK_INT <= Build.VERSION_CODES.R) {
+ // TODO(b/157393157): This must check product interface enforcement instead of
+ // FIRST_SDK_VERSION for the devices without product interface enforcement.
+ productPermissionFlag = ALLOW_ALL;
+ }
 readPermissions(Environment.buildPath(
- Environment.getProductDirectory(), "etc", "sysconfig"), ALLOW_ALL);
+ Environment.getProductDirectory(), "etc", "sysconfig"), productPermissionFlag);
 readPermissions(Environment.buildPath(
- Environment.getProductDirectory(), "etc", "permissions"), ALLOW_ALL);
+ Environment.getProductDirectory(), "etc", "permissions"), productPermissionFlag);
 
 // Allow /system_ext to customize all system configs
 readPermissions(Environment.buildPath(
@@ -631,6 +646,10 @@ public class SystemConfig {
 final boolean allowApiWhitelisting = (permissionFlag & ALLOW_HIDDENAPI_WHITELISTING)
 != 0;
 final boolean allowAssociations = (permissionFlag & ALLOW_ASSOCIATIONS) != 0;
+ final boolean allowOverrideAppRestrictions =
+ (permissionFlag & ALLOW_OVERRIDE_APP_RESTRICTIONS) != 0;
+ final boolean allowImplicitBroadcasts = (permissionFlag & ALLOW_IMPLICIT_BROADCASTS)
+ != 0;
 while (true) {
 XmlUtils.nextElement(parser);
 if (parser.getEventType() == XmlPullParser.END_DOCUMENT) {
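Review bot: The fallback `productPermissionFlag = ALLOW_ALL` taken when FIRST_SDK_INT <= R silently hands the product partition every config class again, including ALLOW_OEM_PERMISSIONS, which is the one bit the new flag set leaves out; on an upgrading device nothing in the boot log records that the restriction is not in effect. Suggest logging the widening inside the if, e.g. `Slog.w(TAG, "Product interface not enforced (FIRST_SDK_INT <= R); allowing all system configs from /product");`, so the relaxed state is auditable alongside the TODO. If omitting ALLOW_OEM_PERMISSIONS is intentional (it reads that way, but the hunk does not say), a one-line comment such as `// ALLOW_OEM_PERMISSIONS is deliberately not granted to /product.` would keep it from being added back without review. The enclosing method starts and ends outside the hunk.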
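Review bot: The two added declarations in the second hunk wrap differently: `allowOverrideAppRestrictions` breaks after `=` and `allowImplicitBroadcasts` pushes a lone `!= 0;` onto the continuation line, so adjacent lines written in the same commit follow two conventions. Either is acceptable (the existing `allowApiWhitelisting` uses the lone `!= 0;` form), but the pair should match; the simplest is `final boolean allowImplicitBroadcasts =` followed by `(permissionFlag & ALLOW_IMPLICIT_BROADCASTS) != 0;`. The enclosing method starts and ends outside the hunk.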
@@ -777,7 +796,7 @@ public class SystemConfig {
 XmlUtils.skipCurrentTag(parser);
 } break;
 case "allow-in-power-save-except-idle": {
- if (allowAll) {
+ if (allowOverrideAppRestrictions) {
 String pkgname = parser.getAttributeValue(null, "package");
 if (pkgname == null) {
 Slog.w(TAG, "<" + name + "> without package in "
@@ -791,7 +810,7 @@ public class SystemConfig {
 XmlUtils.skipCurrentTag(parser);
 } break;
 case "allow-in-power-save": {
- if (allowAll) {
+ if (allowOverrideAppRestrictions) {
 String pkgname = parser.getAttributeValue(null, "package");
 if (pkgname == null) {
 Slog.w(TAG, "<" + name + "> without package in "
@@ -805,7 +824,7 @@ public class SystemConfig {
 XmlUtils.skipCurrentTag(parser);
 } break;
 case "allow-in-data-usage-save": {
- if (allowAll) {
+ if (allowOverrideAppRestrictions) {
 String pkgname = parser.getAttributeValue(null, "package");
 if (pkgname == null) {
 Slog.w(TAG, "<" + name + "> without package in "
@@ -819,7 +838,7 @@ public class SystemConfig {
 XmlUtils.skipCurrentTag(parser);
 } break;
 case "allow-unthrottled-location": {
- if (allowAll) {
+ if (allowOverrideAppRestrictions) {
 String pkgname = parser.getAttributeValue(null, "package");
 if (pkgname == null) {
 Slog.w(TAG, "<" + name + "> without package in "
@@ -833,7 +852,7 @@ public class SystemConfig {
 XmlUtils.skipCurrentTag(parser);
 } break;
 case "allow-ignore-location-settings": {
- if (allowAll) {
+ if (allowOverrideAppRestrictions) {
 String pkgname = parser.getAttributeValue(null, "package");
 if (pkgname == null) {
 Slog.w(TAG, "<" + name + "> without package in "
@@ -847,7 +866,7 @@ public class SystemConfig {
 XmlUtils.skipCurrentTag(parser);
 } break;
 case "allow-implicit-broadcast": {
- if (allowAll) {
+ if (allowImplicitBroadcasts) {
 String action = parser.getAttributeValue(null, "action");
 if (action == null) {
 Slog.w(TAG, "<" + name + "> without action in "
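Review bot: In the `allow-ignore-location-settings` hunk (and the `allow-unthrottled-location` one before it) the gate becomes ALLOW_OVERRIDE_APP_RESTRICTIONS, the same bit that admits the power-save and data-saver exemptions, so any partition trusted to exempt a package from battery restrictions can also, judging by the tag name, exempt it from the user's location settings. Those two tags look like a privacy boundary rather than a resource-management one and arguably deserve a separate flag (for example ALLOW_LOCATION_OVERRIDES) so a partition can be granted power-save exemptions without location overrides; at minimum the shared gating should be stated where the flag is declared. Each case body continues past its hunk and the surrounding switch starts and ends outside the diff, so only the condition line is visible here.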