From dbac29e44f10148d6233ced4a0161277a71e343e Mon Sep 17 00:00:00 2001 From: "Philip P. Moltmann" Date: Tue, 30 Jun 2020 17:33:25 -0700 Subject: [PATCH 1/2] Allow perm controller to read historical app-op data Bug: 161007415 Test: built Change-Id: I600862708dee58f947270fa25cb0cd6e3c6a0317 --- .../java/com/android/server/appop/AppOpsService.java | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java index 6eab0221b7abc..c5bdb9edd069c 100644 --- a/services/core/java/com/android/server/appop/AppOpsService.java +++ b/services/core/java/com/android/server/appop/AppOpsService.java @@ -2052,6 +2052,8 @@ public class AppOpsService extends IAppOpsService.Stub { public void getHistoricalOps(int uid, String packageName, String attributionTag, List opNames, int filter, long beginTimeMillis, long endTimeMillis, int flags, RemoteCallback callback) { + PackageManager pm = mContext.getPackageManager(); + ensureHistoricalOpRequestIsValid(uid, packageName, attributionTag, opNames, filter, beginTimeMillis, endTimeMillis, flags); Objects.requireNonNull(callback, "callback cannot be null"); 
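Review bot: The new local `pm` in getHistoricalOps is declared ahead of the argument validation, yet as far as this patch shows its only use is the caller-identity lookup added in the next hunk, which still calls `mContext.getPackageManager()` a second time to obtain the package name. Declaring it next to the `try` and reusing it would read more clearly: `pm.getPackageUid(pm.getPermissionControllerPackageName(), 0)`. The body of getHistoricalOps continues past the end of this hunk.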
@@ -2059,8 +2061,16 @@ public class AppOpsService extends IAppOpsService.Stub { ActivityManagerInternal ami = LocalServices.getService(ActivityManagerInternal.class); boolean isCallerInstrumented = ami.isUidCurrentlyInstrumented(Binder.getCallingUid()); boolean isCallerSystem = Binder.getCallingPid() == Process.myPid(); + boolean isCallerPermissionController; + try { + isCallerPermissionController = pm.getPackageUid( + mContext.getPackageManager().getPermissionControllerPackageName(), 0) + == Binder.getCallingUid(); + } catch (PackageManager.NameNotFoundException doesNotHappen) { + return; + } - if (!isCallerSystem && !isCallerInstrumented) { + if (!isCallerSystem && !isCallerInstrumented && !isCallerPermissionController) { mHandler.post(() -> callback.sendResult(new Bundle())); return; } From 9abf24f032698724cb79723ca50b7e94349587e6 Mon Sep 17 00:00:00 2001 From: "Philip P. Moltmann" Date: Tue, 14 Jul 2020 17:12:15 -0700 Subject: [PATCH 2/2] Give Permission Controller the ability to see all accounts. Bug: 161007415 Change-Id: I912cbfdc9a1881a0e9a1755848147cdf23781885 --- data/etc/privapp-permissions-platform.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml index c710bed29361e..cec06dac32371 100644 --- a/data/etc/privapp-permissions-platform.xml +++ b/data/etc/privapp-permissions-platform.xml @@ -143,6 +143,9 @@ applications that come with the platform + + +
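Review bot: The `catch (PackageManager.NameNotFoundException doesNotHappen)` branch added to getHistoricalOps in AppOpsService.java returns without ever invoking `callback`, whereas the denial path just below it posts an empty `Bundle`; because the lookup runs before the authorization check, a failed lookup would also drop requests from system and instrumented callers that were accepted before this change. Treating the failure as "not the permission controller" leaves the existing check in charge: replace `return;` with `isCallerPermissionController = false;`. Separately, `pm.getPackageUid(..., 0)` appears to resolve the UID for the user of `mContext`, while `Binder.getCallingUid()` carries the caller's user, so the comparison would presumably never match for a permission controller running in a secondary user or profile; a per-user lookup such as `pm.getPackageUidAsUser(pm.getPermissionControllerPackageName(), 0, UserHandle.getUserId(Binder.getCallingUid()))` would cover that case. Since the new exemption is decided purely by UID, a short comment above the `try` stating that any package sharing the permission controller's UID gains read access to historical app-op data would help later reviewers. The method starts before this hunk and continues after it.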