diff --git a/api/current.txt b/api/current.txt
index 3fb05450c16c8..d24e350e0f99b 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -11483,10 +11483,12 @@ package android.content.pm {
     method public void setOriginatingUri(@Nullable android.net.Uri);
     method public void setReferrerUri(@Nullable android.net.Uri);
     method public void setSize(long);
+    method public void setWhitelistedRestrictedPermissions(@Nullable java.util.Set<java.lang.String>);
     method public void writeToParcel(android.os.Parcel, int);
     field public static final android.os.Parcelable.Creator<android.content.pm.PackageInstaller.SessionParams> CREATOR;
     field public static final int MODE_FULL_INSTALL = 1; // 0x1
     field public static final int MODE_INHERIT_EXISTING = 2; // 0x2
+    field @NonNull public static final java.util.Set<java.lang.String> RESTRICTED_PERMISSIONS_ALL;
   }
 
   public class PackageItemInfo {
@@ -11523,6 +11525,7 @@ package android.content.pm {
     method public abstract boolean addPermission(@NonNull android.content.pm.PermissionInfo);
     method public abstract boolean addPermissionAsync(@NonNull android.content.pm.PermissionInfo);
     method @Deprecated public abstract void addPreferredActivity(@NonNull android.content.IntentFilter, int, @Nullable android.content.ComponentName[], @NonNull android.content.ComponentName);
+    method @RequiresPermission(value="android.permission.WHITELIST_RESTRICTED_PERMISSIONS", conditional=true) public boolean addWhitelistedRestrictedPermission(@NonNull String, @NonNull String, int);
     method public abstract boolean canRequestPackageInstalls();
     method public abstract String[] canonicalToCurrentPackageNames(@NonNull String[]);
     method @CheckResult public abstract int checkPermission(@NonNull String, @NonNull String);
@@ -11592,11 +11595,13 @@ package android.content.pm {
     method @NonNull public abstract android.graphics.drawable.Drawable getUserBadgedDrawableForDensity(@NonNull android.graphics.drawable.Drawable, @NonNull android.os.UserHandle, @Nullable android.graphics.Rect, int);
     method @NonNull public abstract android.graphics.drawable.Drawable getUserBadgedIcon(@NonNull android.graphics.drawable.Drawable, @NonNull android.os.UserHandle);
     method @NonNull public abstract CharSequence getUserBadgedLabel(@NonNull CharSequence, @NonNull android.os.UserHandle);
+    method @RequiresPermission(value="android.permission.WHITELIST_RESTRICTED_PERMISSIONS", conditional=true) @NonNull public java.util.Set<java.lang.String> getWhitelistedRestrictedPermissions(@NonNull String, int);
     method @Nullable public abstract android.content.res.XmlResourceParser getXml(@NonNull String, @XmlRes int, @Nullable android.content.pm.ApplicationInfo);
     method public boolean hasSigningCertificate(@NonNull String, @NonNull byte[], int);
     method public boolean hasSigningCertificate(int, @NonNull byte[], int);
     method public abstract boolean hasSystemFeature(@NonNull String);
     method public abstract boolean hasSystemFeature(@NonNull String, int);
+    method public boolean isDeviceUpgrading();
     method public abstract boolean isInstantApp();
     method public abstract boolean isInstantApp(@NonNull String);
     method public boolean isPackageSuspended(@NonNull String) throws android.content.pm.PackageManager.NameNotFoundException;
@@ -11613,6 +11618,7 @@ package android.content.pm {
     method @NonNull public abstract java.util.List<android.content.pm.PermissionInfo> queryPermissionsByGroup(@NonNull String, int) throws android.content.pm.PackageManager.NameNotFoundException;
     method @Deprecated public abstract void removePackageFromPreferred(@NonNull String);
     method public abstract void removePermission(@NonNull String);
+    method @RequiresPermission(value="android.permission.WHITELIST_RESTRICTED_PERMISSIONS", conditional=true) public boolean removeWhitelistedRestrictedPermission(@NonNull String, @NonNull String, int);
     method @Nullable public abstract android.content.pm.ResolveInfo resolveActivity(@NonNull android.content.Intent, int);
     method @Nullable public abstract android.content.pm.ProviderInfo resolveContentProvider(@NonNull String, int);
     method @Nullable public abstract android.content.pm.ResolveInfo resolveService(@NonNull android.content.Intent, int);
@@ -11740,6 +11746,9 @@ package android.content.pm {
     field public static final String FEATURE_WIFI_DIRECT = "android.hardware.wifi.direct";
     field public static final String FEATURE_WIFI_PASSPOINT = "android.hardware.wifi.passpoint";
     field public static final String FEATURE_WIFI_RTT = "android.hardware.wifi.rtt";
+    field public static final int FLAG_PERMISSION_WHITELIST_INSTALLER = 2; // 0x2
+    field public static final int FLAG_PERMISSION_WHITELIST_SYSTEM = 1; // 0x1
+    field public static final int FLAG_PERMISSION_WHITELIST_UPGRADE = 4; // 0x4
     field public static final int GET_ACTIVITIES = 1; // 0x1
     field public static final int GET_CONFIGURATIONS = 16384; // 0x4000
     field @Deprecated public static final int GET_DISABLED_COMPONENTS = 512; // 0x200
@@ -11840,7 +11849,9 @@ package android.content.pm {
     method @Nullable public CharSequence loadDescription(@NonNull android.content.pm.PackageManager);
     field @NonNull public static final android.os.Parcelable.Creator<android.content.pm.PermissionInfo> CREATOR;
     field public static final int FLAG_COSTS_MONEY = 1; // 0x1
+    field public static final int FLAG_HARD_RESTRICTED = 4; // 0x4
     field public static final int FLAG_INSTALLED = 1073741824; // 0x40000000
+    field public static final int FLAG_SOFT_RESTRICTED = 8; // 0x8
     field public static final int PROTECTION_DANGEROUS = 1; // 0x1
     field public static final int PROTECTION_FLAG_APPOP = 64; // 0x40
     field public static final int PROTECTION_FLAG_DEVELOPMENT = 32; // 0x20
diff --git a/api/system-current.txt b/api/system-current.txt
index 64589093654eb..eb9f82af93123 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -201,6 +201,7 @@ package android {
     field public static final String UPDATE_TIME_ZONE_RULES = "android.permission.UPDATE_TIME_ZONE_RULES";
     field public static final String USER_ACTIVITY = "android.permission.USER_ACTIVITY";
     field public static final String USE_RESERVED_DISK = "android.permission.USE_RESERVED_DISK";
+    field public static final String WHITELIST_RESTRICTED_PERMISSIONS = "android.permission.WHITELIST_RESTRICTED_PERMISSIONS";
     field public static final String WRITE_DEVICE_CONFIG = "android.permission.WRITE_DEVICE_CONFIG";
     field public static final String WRITE_DREAM_STATE = "android.permission.WRITE_DREAM_STATE";
     field public static final String WRITE_EMBEDDED_SUBSCRIPTIONS = "android.permission.WRITE_EMBEDDED_SUBSCRIPTIONS";
@@ -1581,6 +1582,7 @@ package android.content.pm {
     method public boolean getInstallAsInstantApp(boolean);
     method public boolean getInstallAsVirtualPreload();
     method public boolean getRequestDowngrade();
+    method @NonNull public java.util.Set<java.lang.String> getWhitelistedRestrictedPermissions();
   }
 
   public static class PackageInstaller.SessionParams implements android.os.Parcelable {
@@ -1651,8 +1653,12 @@ package android.content.pm {
     field public static final String EXTRA_REQUEST_PERMISSIONS_RESULTS = "android.content.pm.extra.REQUEST_PERMISSIONS_RESULTS";
     field public static final String FEATURE_BROADCAST_RADIO = "android.hardware.broadcastradio";
     field public static final String FEATURE_TELEPHONY_CARRIERLOCK = "android.hardware.telephony.carrierlock";
+    field public static final int FLAG_PERMISSION_APPLY_RESTRICTION = 16384; // 0x4000
     field public static final int FLAG_PERMISSION_GRANTED_BY_DEFAULT = 32; // 0x20
     field public static final int FLAG_PERMISSION_POLICY_FIXED = 4; // 0x4
+    field public static final int FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT = 2048; // 0x800
+    field public static final int FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT = 4096; // 0x1000
+    field public static final int FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT = 8192; // 0x2000
     field public static final int FLAG_PERMISSION_REVIEW_REQUIRED = 64; // 0x40
     field public static final int FLAG_PERMISSION_REVOKE_ON_UPGRADE = 8; // 0x8
     field public static final int FLAG_PERMISSION_SYSTEM_FIXED = 16; // 0x10
@@ -1708,6 +1714,7 @@ package android.content.pm {
     field public static final int MATCH_ANY_USER = 4194304; // 0x400000
     field public static final int MATCH_FACTORY_ONLY = 2097152; // 0x200000
     field public static final int MATCH_INSTANT = 8388608; // 0x800000
+    field public static boolean RESTRICTED_PERMISSIONS_ENABLED;
     field public static final int RESTRICTION_HIDE_FROM_SUGGESTIONS = 1; // 0x1
     field public static final int RESTRICTION_HIDE_NOTIFICATIONS = 2; // 0x2
     field public static final int RESTRICTION_NONE = 0; // 0x0
@@ -1722,7 +1729,7 @@ package android.content.pm {
     method public void onPermissionsChanged(int);
   }
 
-  @IntDef(prefix={"FLAG_PERMISSION_"}, value={android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET, android.content.pm.PackageManager.FLAG_PERMISSION_USER_FIXED, android.content.pm.PackageManager.FLAG_PERMISSION_POLICY_FIXED, android.content.pm.PackageManager.FLAG_PERMISSION_REVOKE_ON_UPGRADE, android.content.pm.PackageManager.FLAG_PERMISSION_SYSTEM_FIXED, android.content.pm.PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT, android.content.pm.PackageManager.FLAG_PERMISSION_USER_SENSITIVE_WHEN_GRANTED, android.content.pm.PackageManager.FLAG_PERMISSION_USER_SENSITIVE_WHEN_DENIED}) @java.lang.annotation.Retention(java.lang.annotation.RetentionPolicy.SOURCE) public static @interface PackageManager.PermissionFlags {
+  @IntDef(prefix={"FLAG_PERMISSION_"}, value={android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET, android.content.pm.PackageManager.FLAG_PERMISSION_USER_FIXED, android.content.pm.PackageManager.FLAG_PERMISSION_POLICY_FIXED, android.content.pm.PackageManager.FLAG_PERMISSION_REVOKE_ON_UPGRADE, android.content.pm.PackageManager.FLAG_PERMISSION_SYSTEM_FIXED, android.content.pm.PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT, android.content.pm.PackageManager.FLAG_PERMISSION_USER_SENSITIVE_WHEN_GRANTED, android.content.pm.PackageManager.FLAG_PERMISSION_USER_SENSITIVE_WHEN_DENIED, android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT, android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT, android.content.pm.PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT, android.content.pm.PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION}) @java.lang.annotation.Retention(java.lang.annotation.RetentionPolicy.SOURCE) public static @interface PackageManager.PermissionFlags {
   }
 
   public class PermissionGroupInfo extends android.content.pm.PackageItemInfo implements android.os.Parcelable {
@@ -5451,7 +5458,7 @@ package android.os {
   }
 
   public static interface RemoteCallback.OnResultListener {
-    method public void onResult(android.os.Bundle);
+    method public void onResult(@Nullable android.os.Bundle);
   }
 
   public class ServiceSpecificException extends java.lang.RuntimeException {
@@ -5694,6 +5701,7 @@ package android.permission {
     method @NonNull public abstract java.util.List<android.permission.RuntimePermissionPresentationInfo> onGetAppPermissions(@NonNull String);
     method @NonNull public abstract java.util.List<android.permission.RuntimePermissionUsageInfo> onGetPermissionUsages(boolean, long);
     method public abstract void onGetRuntimePermissionsBackup(@NonNull android.os.UserHandle, @NonNull java.io.OutputStream);
+    method public abstract void onGrantOrUpgradeDefaultRuntimePermissions();
     method @BinderThread public abstract boolean onRestoreDelayedRuntimePermissionsBackup(@NonNull String, @NonNull android.os.UserHandle);
     method @BinderThread public abstract void onRestoreRuntimePermissionsBackup(@NonNull android.os.UserHandle, @NonNull java.io.InputStream);
     method public abstract void onRevokeRuntimePermission(@NonNull String, @NonNull String);
@@ -5703,7 +5711,9 @@ package android.permission {
   }
 
   public final class PermissionManager {
+    method @IntRange(from=0) @RequiresPermission(android.Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY) public int getRuntimePermissionsVersion();
     method @NonNull public java.util.List<android.permission.PermissionManager.SplitPermissionInfo> getSplitPermissions();
+    method @RequiresPermission(android.Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY) public void setRuntimePermissionsVersion(@IntRange(from=0) int);
   }
 
   public static final class PermissionManager.SplitPermissionInfo {
@@ -5871,6 +5881,7 @@ package android.provider {
     field public static final String NAMESPACE_INTELLIGENCE_ATTENTION = "intelligence_attention";
     field public static final String NAMESPACE_MEDIA_NATIVE = "media_native";
     field public static final String NAMESPACE_NETD_NATIVE = "netd_native";
+    field public static final String NAMESPACE_PRIVACY = "privacy";
     field public static final String NAMESPACE_ROLLBACK = "rollback";
     field public static final String NAMESPACE_ROLLBACK_BOOT = "rollback_boot";
     field public static final String NAMESPACE_RUNTIME = "runtime";
@@ -5891,12 +5902,6 @@ package android.provider {
     method public void onPropertyChanged(@NonNull String, @NonNull String, @Nullable String);
   }
 
-  public static interface DeviceConfig.Privacy {
-    field public static final String NAMESPACE = "privacy";
-    field public static final String PROPERTY_LOCATION_ACCESS_CHECK_ENABLED = "location_access_check_enabled";
-    field public static final String PROPERTY_PERMISSIONS_HUB_ENABLED = "permissions_hub_enabled";
-  }
-
   public static class DeviceConfig.Properties {
     method public boolean getBoolean(@NonNull String, boolean);
     method public float getFloat(@NonNull String, float);
@@ -6075,7 +6080,6 @@ package android.provider {
     field public static final String INSTALL_CARRIER_APP_NOTIFICATION_SLEEP_MILLIS = "install_carrier_app_notification_sleep_millis";
     field public static final String OTA_DISABLE_AUTOMATIC_UPDATE = "ota_disable_automatic_update";
     field public static final String REQUIRE_PASSWORD_TO_DECRYPT = "require_password_to_decrypt";
-    field public static final String SMS_ACCESS_RESTRICTION_ENABLED = "sms_access_restriction_enabled";
     field public static final String THEATER_MODE_ON = "theater_mode_on";
     field public static final String WEBVIEW_MULTIPROCESS = "webview_multiprocess";
     field public static final String WIFI_BADGING_THRESHOLDS = "wifi_badging_thresholds";
@@ -9521,6 +9525,7 @@ package android.util {
     field public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__AUTO_GRANTED = 5; // 0x5
     field public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED = 1; // 0x1
     field public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED_POLICY_FIXED = 3; // 0x3
+    field public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED_RESTRICTED_PERMISSION = 9; // 0x9
     field public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED_USER_FIXED = 2; // 0x2
     field public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__USER_DENIED = 6; // 0x6
     field public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__USER_DENIED_WITH_PREJUDICE = 7; // 0x7
diff --git a/api/test-current.txt b/api/test-current.txt
index 99cdfb012155c..973e70067c37d 100644
--- a/api/test-current.txt
+++ b/api/test-current.txt
@@ -655,8 +655,13 @@ package android.content.pm {
     ctor public LauncherApps(android.content.Context);
   }
 
+  public static class PackageInstaller.SessionInfo implements android.os.Parcelable {
+    method @NonNull public java.util.Set<java.lang.String> getWhitelistedRestrictedPermissions();
+  }
+
   public static class PackageInstaller.SessionParams implements android.os.Parcelable {
     method public void setEnableRollback(boolean);
+    method @RequiresPermission("android.permission.INSTALL_GRANT_RUNTIME_PERMISSIONS") public void setGrantedRuntimePermissions(String[]);
     method @RequiresPermission(android.Manifest.permission.INSTALL_PACKAGES) public void setInstallAsApex();
     method @RequiresPermission(android.Manifest.permission.INSTALL_PACKAGES) public void setStaged();
   }
@@ -679,7 +684,11 @@ package android.content.pm {
     method @RequiresPermission(anyOf={"android.permission.GRANT_RUNTIME_PERMISSIONS", "android.permission.REVOKE_RUNTIME_PERMISSIONS"}) public abstract void updatePermissionFlags(@NonNull String, @NonNull String, int, int, @NonNull android.os.UserHandle);
     field public static final String FEATURE_ADOPTABLE_STORAGE = "android.software.adoptable_storage";
     field public static final String FEATURE_FILE_BASED_ENCRYPTION = "android.software.file_based_encryption";
+    field public static final int FLAG_PERMISSION_APPLY_RESTRICTION = 16384; // 0x4000
     field public static final int FLAG_PERMISSION_POLICY_FIXED = 4; // 0x4
+    field public static final int FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT = 2048; // 0x800
+    field public static final int FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT = 4096; // 0x1000
+    field public static final int FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT = 8192; // 0x2000
     field public static final int FLAG_PERMISSION_REVIEW_REQUIRED = 64; // 0x40
     field public static final int FLAG_PERMISSION_REVOKE_ON_UPGRADE = 8; // 0x8
     field public static final int FLAG_PERMISSION_REVOKE_WHEN_REQUESTED = 128; // 0x80
@@ -688,6 +697,7 @@ package android.content.pm {
     field public static final int FLAG_PERMISSION_USER_SET = 1; // 0x1
     field public static final int MATCH_FACTORY_ONLY = 2097152; // 0x200000
     field public static final int MATCH_KNOWN_PACKAGES = 4202496; // 0x402000
+    field public static boolean RESTRICTED_PERMISSIONS_ENABLED;
     field public static final String SYSTEM_SHARED_LIBRARY_SERVICES = "android.ext.services";
     field public static final String SYSTEM_SHARED_LIBRARY_SHARED = "android.ext.shared";
   }
@@ -1820,7 +1830,7 @@ package android.os {
   }
 
   public static interface RemoteCallback.OnResultListener {
-    method public void onResult(android.os.Bundle);
+    method public void onResult(@Nullable android.os.Bundle);
   }
 
   public final class StrictMode {
@@ -2101,6 +2111,7 @@ package android.provider {
     method @RequiresPermission(android.Manifest.permission.WRITE_DEVICE_CONFIG) public static boolean setProperty(@NonNull String, @NonNull String, @Nullable String, boolean);
     field public static final String NAMESPACE_AUTOFILL = "autofill";
     field public static final String NAMESPACE_CONTENT_CAPTURE = "content_capture";
+    field public static final String NAMESPACE_PRIVACY = "privacy";
     field public static final String NAMESPACE_ROLLBACK = "rollback";
     field public static final String NAMESPACE_ROLLBACK_BOOT = "rollback_boot";
   }
@@ -2113,11 +2124,6 @@ package android.provider {
     method public void onPropertyChanged(@NonNull String, @NonNull String, @Nullable String);
   }
 
-  public static interface DeviceConfig.Privacy {
-    field public static final String NAMESPACE = "privacy";
-    field public static final String PROPERTY_LOCATION_ACCESS_CHECK_ENABLED = "location_access_check_enabled";
-  }
-
   public static class DeviceConfig.Properties {
     method public boolean getBoolean(@NonNull String, boolean);
     method public float getFloat(@NonNull String, float);
@@ -2172,7 +2178,6 @@ package android.provider {
     field public static final String LOW_POWER_MODE = "low_power";
     field public static final String LOW_POWER_MODE_STICKY = "low_power_sticky";
     field public static final String OVERLAY_DISPLAY_DEVICES = "overlay_display_devices";
-    field public static final String SMS_ACCESS_RESTRICTION_ENABLED = "sms_access_restriction_enabled";
     field public static final String USE_OPEN_WIFI_PACKAGE = "use_open_wifi_package";
   }
 
diff --git a/cmds/statsd/src/atoms.proto b/cmds/statsd/src/atoms.proto
index 8986c6fd02c21..146cf0cd2da95 100644
--- a/cmds/statsd/src/atoms.proto
+++ b/cmds/statsd/src/atoms.proto
@@ -5453,6 +5453,8 @@ message PermissionGrantRequestResultReported {
         USER_DENIED_WITH_PREJUDICE = 7;
         // permission was automatically denied
         AUTO_DENIED = 8;
+        // permission request was ignored because permission is restricted
+        IGNORED_RESTRICTED_PERMISSION = 9;
     }
     // The result of the permission grant
     optional Result result = 6;
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 4b0b8cb12d5e7..15982a796a7e1 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -30,9 +30,7 @@ import android.app.usage.UsageStatsManager;
 import android.content.Context;
 import android.content.pm.PackageManager;
 import android.content.pm.ParceledListSlice;
-import android.database.ContentObserver;
 import android.media.AudioAttributes.AttributeUsage;
-import android.net.Uri;
 import android.os.Binder;
 import android.os.IBinder;
 import android.os.Parcel;
@@ -42,7 +40,6 @@ import android.os.RemoteCallback;
 import android.os.RemoteException;
 import android.os.SystemProperties;
 import android.os.UserManager;
-import android.provider.Settings;
 import android.util.ArrayMap;
 import android.util.LongSparseArray;
 import android.util.LongSparseLongArray;
@@ -70,7 +67,6 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Objects;
 import java.util.concurrent.Executor;
-import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
 
@@ -1757,21 +1753,21 @@ public class AppOpsManager {
             AppOpsManager.MODE_ALLOWED, // VIBRATE
             AppOpsManager.MODE_ALLOWED, // READ_CONTACTS
             AppOpsManager.MODE_ALLOWED, // WRITE_CONTACTS
-            AppOpsManager.MODE_ALLOWED, // READ_CALL_LOG
-            AppOpsManager.MODE_ALLOWED, // WRITE_CALL_LOG
+            AppOpsManager.MODE_DEFAULT, // READ_CALL_LOG
+            AppOpsManager.MODE_DEFAULT, // WRITE_CALL_LOG
             AppOpsManager.MODE_ALLOWED, // READ_CALENDAR
             AppOpsManager.MODE_ALLOWED, // WRITE_CALENDAR
             AppOpsManager.MODE_ALLOWED, // WIFI_SCAN
             AppOpsManager.MODE_ALLOWED, // POST_NOTIFICATION
             AppOpsManager.MODE_ALLOWED, // NEIGHBORING_CELLS
             AppOpsManager.MODE_ALLOWED, // CALL_PHONE
-            AppOpsManager.MODE_ALLOWED, // READ_SMS
+            AppOpsManager.MODE_DEFAULT, // READ_SMS
             AppOpsManager.MODE_IGNORED, // WRITE_SMS
-            AppOpsManager.MODE_ALLOWED, // RECEIVE_SMS
+            AppOpsManager.MODE_DEFAULT, // RECEIVE_SMS
             AppOpsManager.MODE_ALLOWED, // RECEIVE_EMERGENCY_BROADCAST
-            AppOpsManager.MODE_ALLOWED, // RECEIVE_MMS
-            AppOpsManager.MODE_ALLOWED, // RECEIVE_WAP_PUSH
-            AppOpsManager.MODE_ALLOWED, // SEND_SMS
+            AppOpsManager.MODE_DEFAULT, // RECEIVE_MMS
+            AppOpsManager.MODE_DEFAULT, // RECEIVE_WAP_PUSH
+            AppOpsManager.MODE_DEFAULT, // SEND_SMS
             AppOpsManager.MODE_ALLOWED, // READ_ICC_SMS
             AppOpsManager.MODE_ALLOWED, // WRITE_ICC_SMS
             AppOpsManager.MODE_DEFAULT, // WRITE_SETTINGS
@@ -1805,10 +1801,10 @@ public class AppOpsManager {
             AppOpsManager.MODE_ALLOWED, // READ_PHONE_STATE
             AppOpsManager.MODE_ALLOWED, // ADD_VOICEMAIL
             AppOpsManager.MODE_ALLOWED, // USE_SIP
-            AppOpsManager.MODE_ALLOWED, // PROCESS_OUTGOING_CALLS
+            AppOpsManager.MODE_DEFAULT, // PROCESS_OUTGOING_CALLS
             AppOpsManager.MODE_ALLOWED, // USE_FINGERPRINT
             AppOpsManager.MODE_ALLOWED, // BODY_SENSORS
-            AppOpsManager.MODE_ALLOWED, // READ_CELL_BROADCASTS
+            AppOpsManager.MODE_DEFAULT, // READ_CELL_BROADCASTS
             AppOpsManager.MODE_ERRORED, // MOCK_LOCATION
             AppOpsManager.MODE_ALLOWED, // READ_EXTERNAL_STORAGE
             AppOpsManager.MODE_ALLOWED, // WRITE_EXTERNAL_STORAGE
@@ -2101,51 +2097,9 @@ public class AppOpsManager {
      * @hide
      */
     public static @Mode int opToDefaultMode(int op) {
-        // STOPSHIP b/118520006: Hardcode the default values once the feature is stable.
-        switch (op) {
-            // SMS permissions
-            case AppOpsManager.OP_SEND_SMS:
-            case AppOpsManager.OP_RECEIVE_SMS:
-            case AppOpsManager.OP_READ_SMS:
-            case AppOpsManager.OP_RECEIVE_WAP_PUSH:
-            case AppOpsManager.OP_RECEIVE_MMS:
-            case AppOpsManager.OP_READ_CELL_BROADCASTS:
-            // CallLog permissions
-            case AppOpsManager.OP_READ_CALL_LOG:
-            case AppOpsManager.OP_WRITE_CALL_LOG:
-            case AppOpsManager.OP_PROCESS_OUTGOING_CALLS: {
-                if (sSmsAndCallLogRestrictionEnabled.get() == 1) {
-                    return AppOpsManager.MODE_DEFAULT;
-                }
-            }
-        }
         return sOpDefaultMode[op];
     }
 
-    // STOPSHIP b/118520006: Hardcode the default values once the feature is stable.
-    private static final AtomicInteger sSmsAndCallLogRestrictionEnabled = new AtomicInteger(-1);
-
-    // STOPSHIP b/118520006: Hardcode the default values once the feature is stable.
-    static {
-        final Context context = ActivityThread.currentApplication();
-        if (context != null) {
-            sSmsAndCallLogRestrictionEnabled.set(ActivityThread.currentActivityThread()
-                        .getIntCoreSetting(Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED, 0));
-
-            final Uri uri =
-                    Settings.Global.getUriFor(Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED);
-            context.getContentResolver().registerContentObserver(uri, false, new ContentObserver(
-                    context.getMainThreadHandler()) {
-                @Override
-                public void onChange(boolean selfChange) {
-                    sSmsAndCallLogRestrictionEnabled.set(Settings.Global.getInt(
-                            context.getContentResolver(),
-                            Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED, 0));
-                }
-            });
-        }
-    }
-
     /**
      * Retrieve the default mode for the app op.
      *
diff --git a/core/java/android/app/ApplicationPackageManager.java b/core/java/android/app/ApplicationPackageManager.java
index a906790c45abc..82a34ceea8b95 100644
--- a/core/java/android/app/ApplicationPackageManager.java
+++ b/core/java/android/app/ApplicationPackageManager.java
@@ -89,6 +89,7 @@ import android.system.OsConstants;
 import android.system.StructStat;
 import android.text.TextUtils;
 import android.util.ArrayMap;
+import android.util.ArraySet;
 import android.util.IconDrawableFactory;
 import android.util.LauncherIcons;
 import android.util.Log;
@@ -111,6 +112,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 
 /** @hide */
 public class ApplicationPackageManager extends PackageManager {
@@ -717,6 +719,43 @@ public class ApplicationPackageManager extends PackageManager {
         }
     }
 
+    @Override
+    public @NonNull Set<String> getWhitelistedRestrictedPermissions(
+            @NonNull String packageName, @PermissionWhitelistFlags int whitelistFlags) {
+        try {
+            final List<String> whitelist = mPM.getWhitelistedRestrictedPermissions(
+                    packageName, whitelistFlags, getUserId());
+            if (whitelist != null) {
+                return new ArraySet<>(whitelist);
+            }
+            return Collections.emptySet();
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+
+    @Override
+    public boolean addWhitelistedRestrictedPermission(@NonNull String packageName,
+            @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags) {
+        try {
+            return mPM.addWhitelistedRestrictedPermission(packageName, permission,
+                    whitelistFlags, getUserId());
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+
+    @Override
+    public boolean removeWhitelistedRestrictedPermission(@NonNull String packageName,
+            @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags) {
+        try {
+            return mPM.removeWhitelistedRestrictedPermission(packageName, permission,
+                    whitelistFlags, getUserId());
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+
     @Override
     @UnsupportedAppUsage
     public boolean shouldShowRequestPermissionRationale(String permission) {
@@ -2634,13 +2673,15 @@ public class ApplicationPackageManager extends PackageManager {
         }
     }
 
-    /**
-     * @hide
-     */
     @Override
     public boolean isUpgrade() {
+        return isDeviceUpgrading();
+    }
+
+    @Override
+    public boolean isDeviceUpgrading() {
         try {
-            return mPM.isUpgrade();
+            return mPM.isDeviceUpgrading();
         } catch (RemoteException e) {
             throw e.rethrowFromSystemServer();
         }
diff --git a/core/java/android/app/SystemServiceRegistry.java b/core/java/android/app/SystemServiceRegistry.java
index d67bfb6c9c84f..8749b108c1687 100644
--- a/core/java/android/app/SystemServiceRegistry.java
+++ b/core/java/android/app/SystemServiceRegistry.java
@@ -50,6 +50,7 @@ import android.content.om.IOverlayManager;
 import android.content.om.OverlayManager;
 import android.content.pm.CrossProfileApps;
 import android.content.pm.ICrossProfileApps;
+import android.content.pm.IPackageManager;
 import android.content.pm.IShortcutService;
 import android.content.pm.LauncherApps;
 import android.content.pm.PackageManager;
@@ -1239,14 +1240,16 @@ final class SystemServiceRegistry {
                 new CachedServiceFetcher<PermissionManager>() {
                     @Override
                     public PermissionManager createService(ContextImpl ctx) {
-                        return new PermissionManager(ctx.getOuterContext());
+                        IPackageManager packageManager = AppGlobals.getPackageManager();
+                        return new PermissionManager(ctx.getOuterContext(), packageManager);
                     }});
 
         registerService(Context.PERMISSION_CONTROLLER_SERVICE, PermissionControllerManager.class,
                 new CachedServiceFetcher<PermissionControllerManager>() {
                     @Override
                     public PermissionControllerManager createService(ContextImpl ctx) {
-                        return new PermissionControllerManager(ctx.getOuterContext());
+                        return new PermissionControllerManager(ctx.getOuterContext(),
+                                ctx.getMainThreadHandler());
                     }});
 
         registerService(Context.ROLE_SERVICE, RoleManager.class,
diff --git a/core/java/android/app/role/IRoleController.aidl b/core/java/android/app/role/IRoleController.aidl
index a472eacb28a18..19762e0841b1f 100644
--- a/core/java/android/app/role/IRoleController.aidl
+++ b/core/java/android/app/role/IRoleController.aidl
@@ -33,8 +33,6 @@ oneway interface IRoleController {
 
     void onClearRoleHolders(in String roleName, int flags, in RemoteCallback callback);
 
-    void onSmsKillSwitchToggled(boolean enabled);
-
     void isApplicationQualifiedForRole(in String roleName, in String packageName,
             in RemoteCallback callback);
 
diff --git a/core/java/android/app/role/RoleControllerManager.java b/core/java/android/app/role/RoleControllerManager.java
index bd981179e2ff3..027e152ee95ff 100644
--- a/core/java/android/app/role/RoleControllerManager.java
+++ b/core/java/android/app/role/RoleControllerManager.java
@@ -120,13 +120,6 @@ public class RoleControllerManager {
                 flags, callback));
     }
 
-    /**
-     * @see RoleControllerService#onSmsKillSwitchToggled(boolean)
-     */
-    public void onSmsKillSwitchToggled(boolean enabled) {
-        mRemoteService.scheduleAsyncRequest(new OnSmsKillSwitchToggledRequest(enabled));
-    }
-
     /**
      * @see RoleControllerService#onIsApplicationQualifiedForRole(String, String)
      */
@@ -415,28 +408,6 @@ public class RoleControllerManager {
         }
     }
 
-    /**
-     * Request for {@link #onSmsKillSwitchToggled(boolean)}
-     */
-    private static final class OnSmsKillSwitchToggledRequest
-            implements AbstractRemoteService.AsyncRequest<IRoleController> {
-
-        private final boolean mEnabled;
-
-        private OnSmsKillSwitchToggledRequest(boolean enabled) {
-            mEnabled = enabled;
-        }
-
-        @Override
-        public void run(@NonNull IRoleController service) {
-            try {
-                service.onSmsKillSwitchToggled(mEnabled);
-            } catch (RemoteException e) {
-                Log.e(LOG_TAG, "Error calling onSmsKillSwitchToggled()", e);
-            }
-        }
-    }
-
     /**
      * Request for {@link #isApplicationQualifiedForRole(String, String, Executor, Consumer)}
      */
diff --git a/core/java/android/app/role/RoleControllerService.java b/core/java/android/app/role/RoleControllerService.java
index 312761d43afd6..2bc94560edd77 100644
--- a/core/java/android/app/role/RoleControllerService.java
+++ b/core/java/android/app/role/RoleControllerService.java
@@ -131,15 +131,6 @@ public abstract class RoleControllerService extends Service {
                         roleName, flags, callback));
             }
 
-            @Override
-            public void onSmsKillSwitchToggled(boolean enabled) {
-                enforceCallerSystemUid("onSmsKillSwitchToggled");
-
-                mWorkerHandler.sendMessage(PooledLambda.obtainMessage(
-                        RoleControllerService::onSmsKillSwitchToggled, RoleControllerService.this,
-                        enabled));
-            }
-
             private void enforceCallerSystemUid(@NonNull String methodName) {
                 if (Binder.getCallingUid() != Process.SYSTEM_UID) {
                     throw new SecurityException("Only the system process can call " + methodName
@@ -258,17 +249,6 @@ public abstract class RoleControllerService extends Service {
     public abstract boolean onClearRoleHolders(@NonNull String roleName,
             @RoleManager.ManageHoldersFlags int flags);
 
-    /**
-     * Cleanup appop/permissions state in response to sms kill switch toggle
-     *
-     * @param enabled whether kill switch was turned on
-     *
-     * @hide
-     */
-    //STOPSHIP: remove this api before shipping a final version
-    @WorkerThread
-    public abstract void onSmsKillSwitchToggled(boolean enabled);
-
     /**
      * Check whether an application is qualified for a role.
      *
diff --git a/core/java/android/content/ContentProvider.java b/core/java/android/content/ContentProvider.java
index ddfe75568eee1..71242fbac9a5e 100644
--- a/core/java/android/content/ContentProvider.java
+++ b/core/java/android/content/ContentProvider.java
@@ -620,13 +620,7 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
         private int noteProxyOp(String callingPkg, int op) {
             if (op != AppOpsManager.OP_NONE) {
                 int mode = mAppOpsManager.noteProxyOp(op, callingPkg);
-                int nonDefaultMode = mode == MODE_DEFAULT ? interpretDefaultAppOpMode(op) : mode;
-                if (mode == MODE_DEFAULT && nonDefaultMode == MODE_IGNORED) {
-                    Log.w(TAG, "Denying access for " + callingPkg + " to " + getClass().getName()
-                            + " (" + AppOpsManager.opToName(op)
-                            + " = " + AppOpsManager.opToName(mode) + ")");
-                }
-                return mode == MODE_DEFAULT ? nonDefaultMode : mode;
+                return mode == MODE_DEFAULT ? MODE_IGNORED : mode;
             }
 
             return AppOpsManager.MODE_ALLOWED;
@@ -654,16 +648,6 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
         return mTransport.noteProxyOp(callingPkg, AppOpsManager.permissionToOpCode(permission));
     }
 
-    /**
-     * Allows for custom interpretations of {@link AppOpsManager#MODE_DEFAULT} by individual
-     * content providers
-     *
-     * @hide
-     */
-    protected int interpretDefaultAppOpMode(int op) {
-        return MODE_IGNORED;
-    }
-
     /** {@hide} */
     protected int enforceReadPermissionInner(Uri uri, String callingPkg, IBinder callerToken)
             throws SecurityException {
diff --git a/core/java/android/content/pm/IPackageManager.aidl b/core/java/android/content/pm/IPackageManager.aidl
index fb2218778c9b3..cf704d52cba05 100644
--- a/core/java/android/content/pm/IPackageManager.aidl
+++ b/core/java/android/content/pm/IPackageManager.aidl
@@ -130,6 +130,15 @@ interface IPackageManager {
 
     void updatePermissionFlagsForAllApps(int flagMask, int flagValues, int userId);
 
+    List<String> getWhitelistedRestrictedPermissions(String packageName, int flags,
+            int userId);
+
+    boolean addWhitelistedRestrictedPermission(String packageName, String permission,
+            int whitelistFlags, int userId);
+
+    boolean removeWhitelistedRestrictedPermission(String packageName, String permission,
+            int whitelistFlags, int userId);
+
     boolean shouldShowRequestPermissionRationale(String permissionName,
             String packageName, int userId);
 
@@ -643,7 +652,7 @@ interface IPackageManager {
 
     boolean isFirstBoot();
     boolean isOnlyCoreApps();
-    boolean isUpgrade();
+    boolean isDeviceUpgrading();
 
     void setPermissionEnforced(String permission, boolean enforced);
     boolean isPermissionEnforced(String permission);
@@ -757,4 +766,8 @@ interface IPackageManager {
     List<ModuleInfo> getInstalledModules(int flags);
 
     ModuleInfo getModuleInfo(String packageName, int flags);
+
+    int getRuntimePermissionsVersion(int userId);
+
+    void setRuntimePermissionsVersion(int version, int userId);
 }
diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java
index ec2e8ca260606..90fb20bb0163b 100644
--- a/core/java/android/content/pm/PackageInstaller.java
+++ b/core/java/android/content/pm/PackageInstaller.java
@@ -30,6 +30,7 @@ import android.annotation.UnsupportedAppUsage;
 import android.app.ActivityManager;
 import android.app.AppGlobals;
 import android.content.Intent;
+import android.content.IntentFilter;
 import android.content.IntentSender;
 import android.content.pm.PackageManager.DeleteFlags;
 import android.content.pm.PackageManager.InstallReason;
@@ -48,6 +49,7 @@ import android.os.SystemProperties;
 import android.os.UserHandle;
 import android.system.ErrnoException;
 import android.system.Os;
+import android.util.ArraySet;
 import android.util.ExceptionUtils;
 
 import com.android.internal.util.IndentingPrintWriter;
@@ -62,8 +64,10 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.security.MessageDigest;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Set;
 import java.util.concurrent.Executor;
 
 /**
@@ -1265,6 +1269,11 @@ public class PackageInstaller {
          */
         public static final int MODE_INHERIT_EXISTING = 2;
 
+        /**
+         * Special constant to refer to all restricted permissions.
+         */
+        public static final @NonNull Set<String> RESTRICTED_PERMISSIONS_ALL = new ArraySet<>();
+
         /** {@hide} */
         public static final int UID_UNKNOWN = -1;
 
@@ -1306,6 +1315,8 @@ public class PackageInstaller {
         /** {@hide} */
         public String[] grantedRuntimePermissions;
         /** {@hide} */
+        public List<String> whitelistedRestrictedPermissions;
+        /** {@hide} */
         public String installerPackageName;
         /** {@hide} */
         public boolean isMultiPackage;
@@ -1339,6 +1350,7 @@ public class PackageInstaller {
             abiOverride = source.readString();
             volumeUuid = source.readString();
             grantedRuntimePermissions = source.readStringArray();
+            whitelistedRestrictedPermissions = source.createStringArrayList();
             installerPackageName = source.readString();
             isMultiPackage = source.readBoolean();
             isStaged = source.readBoolean();
@@ -1360,6 +1372,7 @@ public class PackageInstaller {
             ret.abiOverride = abiOverride;
             ret.volumeUuid = volumeUuid;
             ret.grantedRuntimePermissions = grantedRuntimePermissions;
+            ret.whitelistedRestrictedPermissions = whitelistedRestrictedPermissions;
             ret.installerPackageName = installerPackageName;
             ret.isMultiPackage = isMultiPackage;
             ret.isStaged = isStaged;
@@ -1474,6 +1487,7 @@ public class PackageInstaller {
          *
          * @hide
          */
+        @TestApi
         @SystemApi
         @RequiresPermission(android.Manifest.permission.INSTALL_GRANT_RUNTIME_PERMISSIONS)
         public void setGrantedRuntimePermissions(String[] permissions) {
@@ -1481,6 +1495,43 @@ public class PackageInstaller {
             this.grantedRuntimePermissions = permissions;
         }
 
+        /**
+         * Sets which restricted permissions to be whitelisted for the app. Whitelisting
+         * is not granting the permissions, rather it allows the app to hold permissions
+         * which are otherwise restricted. Whitelisting a non restricted permission has
+         * no effect.
+         *
+         * <p> Permissions can be hard restricted which means that the app cannot hold
+         * them or soft restricted where the app can hold the permission but in a weaker
+         * form. Whether a permission is {@link PermissionInfo#FLAG_HARD_RESTRICTED hard
+         * restricted} or {@link PermissionInfo#FLAG_SOFT_RESTRICTED soft restricted}
+         * depends on the permission declaration. Whitelisting a hard restricted permission
+         * allows the app to hold that permission and whitelisting a soft restricted
+         * permission allows the app to hold the permission in its full, unrestricted form.
+         *
+         * <p>The whitelisted permissions would be applied as the {@link
+         * PackageManager#FLAG_PERMISSION_WHITELIST_INSTALLER installer whitelist}.
+         *
+         * @param permissions The restricted permissions to whitelist. Pass
+         * {@link #RESTRICTED_PERMISSIONS_ALL} to whitelist all permissions and
+         * <code>null</code> to clear. If you want to whitelist some permissions
+         * (not all) the list must contain at least one permission.
+         *
+         * @see PackageManager#addWhitelistedRestrictedPermission(String, String, int)
+         * @see PackageManager#removeWhitelistedRestrictedPermission(String, String, int)
+         */
+        public void setWhitelistedRestrictedPermissions(@Nullable Set<String> permissions) {
+            if (permissions == RESTRICTED_PERMISSIONS_ALL) {
+                installFlags |= PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS;
+            }
+            if (permissions != null) {
+                this.whitelistedRestrictedPermissions = new ArrayList<>(permissions);
+            } else {
+                installFlags &= ~PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS;
+                this.whitelistedRestrictedPermissions = null;
+            }
+        }
+
         /**
          * Request that rollbacks be enabled or disabled for the given upgrade.
          *
@@ -1656,6 +1707,7 @@ public class PackageInstaller {
             pw.printPair("abiOverride", abiOverride);
             pw.printPair("volumeUuid", volumeUuid);
             pw.printPair("grantedRuntimePermissions", grantedRuntimePermissions);
+            pw.printPair("whitelistedRestrictedPermissions", whitelistedRestrictedPermissions);
             pw.printPair("installerPackageName", installerPackageName);
             pw.printPair("isMultiPackage", isMultiPackage);
             pw.printPair("isStaged", isStaged);
@@ -1683,6 +1735,7 @@ public class PackageInstaller {
             dest.writeString(abiOverride);
             dest.writeString(volumeUuid);
             dest.writeStringArray(grantedRuntimePermissions);
+            dest.writeStringList(whitelistedRestrictedPermissions);
             dest.writeString(installerPackageName);
             dest.writeBoolean(isMultiPackage);
             dest.writeBoolean(isStaged);
@@ -1794,6 +1847,8 @@ public class PackageInstaller {
         public Uri referrerUri;
         /** {@hide} */
         public String[] grantedRuntimePermissions;
+        /** {@hide}*/
+        public List<String> whitelistedRestrictedPermissions;
         /** {@hide} */
         public int installFlags;
         /** {@hide} */
@@ -1847,6 +1902,8 @@ public class PackageInstaller {
             originatingUid = source.readInt();
             referrerUri = source.readParcelable(null);
             grantedRuntimePermissions = source.readStringArray();
+            whitelistedRestrictedPermissions = source.createStringArrayList();
+
             installFlags = source.readInt();
             isMultiPackage = source.readBoolean();
             isStaged = source.readBoolean();
@@ -2048,6 +2105,25 @@ public class PackageInstaller {
             return grantedRuntimePermissions;
         }
 
+        /**
+         * Get the value set in {@link SessionParams#setWhitelistedRestrictedPermissions(Set)}.
+         * Note that if all permissions are whitelisted this method returns {@link
+         * SessionParams#RESTRICTED_PERMISSIONS_ALL}.
+         *
+         * @hide
+         */
+        @TestApi
+        @SystemApi
+        public @NonNull Set<String> getWhitelistedRestrictedPermissions() {
+            if ((installFlags & PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS) != 0) {
+                return SessionParams.RESTRICTED_PERMISSIONS_ALL;
+            }
+            if (whitelistedRestrictedPermissions != null) {
+                return new ArraySet<>(whitelistedRestrictedPermissions);
+            }
+            return Collections.emptySet();
+        }
+
         /**
          * Get the value set in {@link SessionParams#setAllowDowngrade(boolean)}.
          *
@@ -2277,6 +2353,7 @@ public class PackageInstaller {
             dest.writeInt(originatingUid);
             dest.writeParcelable(referrerUri, flags);
             dest.writeStringArray(grantedRuntimePermissions);
+            dest.writeStringList(whitelistedRestrictedPermissions);
             dest.writeInt(installFlags);
             dest.writeBoolean(isMultiPackage);
             dest.writeBoolean(isStaged);
diff --git a/core/java/android/content/pm/PackageManager.java b/core/java/android/content/pm/PackageManager.java
index 025d8f9507f9a..83e15e8daa39a 100644
--- a/core/java/android/content/pm/PackageManager.java
+++ b/core/java/android/content/pm/PackageManager.java
@@ -69,8 +69,10 @@ import dalvik.system.VMRuntime;
 import java.io.File;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
+import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
+import java.util.Set;
 
 /**
  * Class for retrieving various kinds of information related to the application
@@ -84,6 +86,11 @@ public abstract class PackageManager {
     /** {@hide} */
     public static final boolean APPLY_DEFAULT_TO_DEVICE_PROTECTED_STORAGE = true;
 
+    /** {@hide} */
+    @SystemApi
+    @TestApi
+    public static boolean RESTRICTED_PERMISSIONS_ENABLED = false;
+
     /**
      * This exception is thrown when a given package, application, or component
      * name cannot be found.
@@ -712,6 +719,7 @@ public abstract class PackageManager {
             INSTALL_ALL_USERS,
             INSTALL_REQUEST_DOWNGRADE,
             INSTALL_GRANT_RUNTIME_PERMISSIONS,
+            INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
             INSTALL_FORCE_VOLUME_UUID,
             INSTALL_FORCE_PERMISSION_PROMPT,
             INSTALL_INSTANT_APP,
@@ -794,6 +802,16 @@ public abstract class PackageManager {
      */
     public static final int INSTALL_GRANT_RUNTIME_PERMISSIONS = 0x00000100;
 
+    /**
+     * Flag parameter for {@link #installPackage} to indicate that all restricted
+     * permissions should be whitelisted. If {@link #INSTALL_ALL_USERS}
+     * is set the restricted permissions will be whitelisted for all users, otherwise
+     * only to the owner.
+     *
+     * @hide
+     */
+    public static final int INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS = 0x00000200;
+
     /** {@hide} */
     public static final int INSTALL_FORCE_VOLUME_UUID = 0x00000200;
 
@@ -3075,14 +3093,72 @@ public abstract class PackageManager {
     public static final int FLAG_PERMISSION_USER_SENSITIVE_WHEN_DENIED =  1 << 9;
 
     /**
-     * Mask for all permission flags present in Android P
-     *
-     * @deprecated This constant does not contain useful information and should never have been
-     * exposed. When checking permission flags always flag each flag explicitly and ignore all
-     * flags that do not matter for this particular code.
+     * Permission flag: The permission is restricted but the app is exempt
+     * from the restriction and is allowed to hold this permission in its
+     * full form and the exemption is provided by the installer on record.
      *
      * @hide
      */
+    @TestApi
+    @SystemApi
+    public static final int FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT =  1 << 11;
+
+    /**
+     * Permission flag: The permission is restricted but the app is exempt
+     * from the restriction and is allowed to hold this permission in its
+     * full form and the exemption is provided by the system due to its
+     * permission policy.
+     *
+     * @hide
+     */
+    @TestApi
+    @SystemApi
+    public static final int FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT =  1 << 12;
+
+    /**
+     * Permission flag: The permission is restricted but the app is exempt
+     * from the restriction and is allowed to hold this permission and the
+     * exemption is provided by the system when upgrading from an OS version
+     * where the permission was not restricted to an OS version where the
+     * permission is restricted.
+     *
+     * @hide
+     */
+    @TestApi
+    @SystemApi
+    public static final int FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT =  1 << 13;
+
+
+    /**
+     * Permission flag: The permission is disabled but may be granted. If
+     * disabled the data protected by the permission should be protected
+     * by a no-op (empty list, default error, etc) instead of crashing the
+     * client.
+     *
+     * @hide
+     */
+    @TestApi
+    @SystemApi
+    public static final int FLAG_PERMISSION_APPLY_RESTRICTION =  1 << 14;
+
+
+    /**
+     * Permission flags: Bitwise or of all permission flags allowing an
+     * exemption for a restricted permission.
+     * @hide
+     */
+    public static final int FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT =
+            FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT
+                    | FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT
+                    | FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
+
+    /**
+     * Mask for all permission flags.
+     *
+     * @hide
+     *
+     * @deprecated Don't use - does not capture all flags.
+     */
     @Deprecated
     @SystemApi
     public static final int MASK_PERMISSION_FLAGS = 0xFF;
@@ -3092,7 +3168,20 @@ public abstract class PackageManager {
      *
      * @hide
      */
-    public static final int MASK_PERMISSION_FLAGS_ALL = 0x3FF;
+    public static final int MASK_PERMISSION_FLAGS_ALL = FLAG_PERMISSION_USER_SET
+            | FLAG_PERMISSION_USER_FIXED
+            | FLAG_PERMISSION_POLICY_FIXED
+            | FLAG_PERMISSION_REVOKE_ON_UPGRADE
+            | FLAG_PERMISSION_SYSTEM_FIXED
+            | FLAG_PERMISSION_GRANTED_BY_DEFAULT
+            | FLAG_PERMISSION_REVIEW_REQUIRED
+            | FLAG_PERMISSION_REVOKE_WHEN_REQUESTED
+            | FLAG_PERMISSION_USER_SENSITIVE_WHEN_GRANTED
+            | FLAG_PERMISSION_USER_SENSITIVE_WHEN_DENIED
+            | FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT
+            | FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT
+            | FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT
+            | FLAG_PERMISSION_APPLY_RESTRICTION;
 
     /**
      * Injected activity in app that forwards user to setting activity of that app.
@@ -3101,6 +3190,35 @@ public abstract class PackageManager {
      */
     public static final String APP_DETAILS_ACTIVITY_CLASS_NAME = AppDetailsActivity.class.getName();
 
+    /**
+     * Permission whitelist flag: permissions whitelisted by the system.
+     * Permissions can also be whitelisted by the installer or on upgrade.
+     */
+    public static final int FLAG_PERMISSION_WHITELIST_SYSTEM = 1 << 0;
+
+    /**
+     * Permission whitelist flag: permissions whitelisted by the installer.
+     * Permissions can also be whitelisted by the system or on upgrade.
+     */
+    public static final int FLAG_PERMISSION_WHITELIST_INSTALLER = 1 << 1;
+
+    /**
+     * Permission whitelist flag: permissions whitelisted by the system
+     * when upgrading from an OS version where the permission was not
+     * restricted to an OS version where the permission is restricted.
+     * Permissions can also be whitelisted by the installer or the system.
+     */
+    public static final int FLAG_PERMISSION_WHITELIST_UPGRADE = 1 << 2;
+
+    /** @hide */
+    @IntDef(flag = true, prefix = {"FLAG_PERMISSION_WHITELIST_"}, value = {
+            FLAG_PERMISSION_WHITELIST_SYSTEM,
+            FLAG_PERMISSION_WHITELIST_INSTALLER,
+            FLAG_PERMISSION_WHITELIST_UPGRADE
+    })
+    @Retention(RetentionPolicy.SOURCE)
+    public @interface PermissionWhitelistFlags {}
+
     /**
      * This is a library that contains components apps can invoke. For
      * example, a services for apps to bind to, or standard chooser UI,
@@ -3824,6 +3942,10 @@ public abstract class PackageManager {
             /*
             FLAG_PERMISSION_REVOKE_WHEN_REQUESED
             */
+            FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT,
+            FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT,
+            FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT,
+            FLAG_PERMISSION_APPLY_RESTRICTION
     })
     @Retention(RetentionPolicy.SOURCE)
     public @interface PermissionFlags {}
@@ -3924,6 +4046,163 @@ public abstract class PackageManager {
             @NonNull String packageName, @PermissionFlags int flagMask,
             @PermissionFlags int flagValues, @NonNull UserHandle user);
 
+    /**
+     * Gets the restricted permissions that have been whitelisted and the app
+     * is allowed to have them granted in their full form.
+     *
+     * <p> Permissions can be hard restricted which means that the app cannot hold
+     * them or soft restricted where the app can hold the permission but in a weaker
+     * form. Whether a permission is {@link PermissionInfo#FLAG_HARD_RESTRICTED hard
+     * restricted} or {@link PermissionInfo#FLAG_SOFT_RESTRICTED soft restricted}
+     * depends on the permission declaration. Whitelisting a hard restricted permission
+     * allows for the to hold that permission and whitelisting a soft restricted
+     * permission allows the app to hold the permission in its full, unrestricted form.
+     *
+     * <p><ol>There are three whitelists:
+     *
+     * <li>one for cases where the system permission policy whitelists a permission
+     * This list corresponds to the{@link #FLAG_PERMISSION_WHITELIST_SYSTEM} flag.
+     * Can only be accessed by pre-installed holders of a dedicated permission.
+     *
+     * <li>one for cases where the system whitelists the permission when upgrading
+     * from an OS version in which the permission was not restricted to an OS version
+     * in which the permission is restricted. This list corresponds to the {@link
+     * #FLAG_PERMISSION_WHITELIST_UPGRADE} flag. Can be accessed by pre-installed
+     * holders of a dedicated permission or the installer on record.
+     *
+     * <li>one for cases where the installer of the package whitelists a permission.
+     * This list corresponds to the {@link #FLAG_PERMISSION_WHITELIST_INSTALLER} flag.
+     * Can be accessed by pre-installed holders of a dedicated permission or the
+     * installer on record.
+     *
+     * @param packageName The app for which to get whitelisted permissions.
+     * @param whitelistFlag The flag to determine which whitelist to query. Only one flag
+     * can be passed.s
+     * @return The whitelisted permissions that are on any of the whitelists you query for.
+     *
+     * @see #addWhitelistedRestrictedPermission(String, String, int)
+     * @see #removeWhitelistedRestrictedPermission(String, String, int)
+     * @see #FLAG_PERMISSION_WHITELIST_SYSTEM
+     * @see #FLAG_PERMISSION_WHITELIST_UPGRADE
+     * @see #FLAG_PERMISSION_WHITELIST_INSTALLER
+     *
+     * @throws SecurityException if you try to access a whitelist that you have no access to.
+     */
+    @RequiresPermission(value = Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS,
+            conditional = true)
+    public @NonNull Set<String> getWhitelistedRestrictedPermissions(
+            @NonNull String packageName, @PermissionWhitelistFlags int whitelistFlag) {
+        return Collections.emptySet();
+    }
+
+    /**
+     * Adds a whitelisted restricted permission for an app.
+     *
+     * <p> Permissions can be hard restricted which means that the app cannot hold
+     * them or soft restricted where the app can hold the permission but in a weaker
+     * form. Whether a permission is {@link PermissionInfo#FLAG_HARD_RESTRICTED hard
+     * restricted} or {@link PermissionInfo#FLAG_SOFT_RESTRICTED soft restricted}
+     * depends on the permission declaration. Whitelisting a hard restricted permission
+     * allows for the to hold that permission and whitelisting a soft restricted
+     * permission allows the app to hold the permission in its full, unrestricted form.
+     *
+     * <p><ol>There are three whitelists:
+     *
+     * <li>one for cases where the system permission policy whitelists a permission
+     * This list corresponds to the {@link #FLAG_PERMISSION_WHITELIST_SYSTEM} flag.
+     * Can only be modified by pre-installed holders of a dedicated permission.
+     *
+     * <li>one for cases where the system whitelists the permission when upgrading
+     * from an OS version in which the permission was not restricted to an OS version
+     * in which the permission is restricted. This list corresponds to the {@link
+     * #FLAG_PERMISSION_WHITELIST_UPGRADE} flag. Can be modified by pre-installed
+     * holders of a dedicated permission. The installer on record can only remove
+     * permissions from this whitelist.
+     *
+     * <li>one for cases where the installer of the package whitelists a permission.
+     * This list corresponds to the {@link #FLAG_PERMISSION_WHITELIST_INSTALLER} flag.
+     * Can be modified by pre-installed holders of a dedicated permission or the installer
+     * on record.
+     *
+     * <p>You need to specify the whitelists for which to set the whitelisted permissions
+     * which will clear the previous whitelisted permissions and replace them with the
+     * provided ones.
+     *
+     * @param packageName The app for which to get whitelisted permissions.
+     * @param permission The whitelisted permission to add.
+     * @param whitelistFlags The whitelists to which to add. Passing multiple flags
+     * updates all specified whitelists.
+     * @return Whether the permission was added to the whitelist.
+     *
+     * @see #getWhitelistedRestrictedPermissions(String, int)
+     * @see #removeWhitelistedRestrictedPermission(String, String, int)
+     * @see #FLAG_PERMISSION_WHITELIST_SYSTEM
+     * @see #FLAG_PERMISSION_WHITELIST_UPGRADE
+     * @see #FLAG_PERMISSION_WHITELIST_INSTALLER
+     *
+     * @throws SecurityException if you try to modify a whitelist that you have no access to.
+     */
+    @RequiresPermission(value = Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS,
+            conditional = true)
+    public boolean addWhitelistedRestrictedPermission(@NonNull String packageName,
+            @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags) {
+        return false;
+    }
+
+    /**
+     * Removes a whitelisted restricted permission for an app.
+     *
+     * <p> Permissions can be hard restricted which means that the app cannot hold
+     * them or soft restricted where the app can hold the permission but in a weaker
+     * form. Whether a permission is {@link PermissionInfo#FLAG_HARD_RESTRICTED hard
+     * restricted} or {@link PermissionInfo#FLAG_SOFT_RESTRICTED soft restricted}
+     * depends on the permission declaration. Whitelisting a hard restricted permission
+     * allows for the to hold that permission and whitelisting a soft restricted
+     * permission allows the app to hold the permission in its full, unrestricted form.
+     *
+     * <p><ol>There are three whitelists:
+     *
+     * <li>one for cases where the system permission policy whitelists a permission
+     * This list corresponds to the {@link #FLAG_PERMISSION_WHITELIST_SYSTEM} flag.
+     * Can only be modified by pre-installed holders of a dedicated permission.
+     *
+     * <li>one for cases where the system whitelists the permission when upgrading
+     * from an OS version in which the permission was not restricted to an OS version
+     * in which the permission is restricted. This list corresponds to the {@link
+     * #FLAG_PERMISSION_WHITELIST_UPGRADE} flag. Can be modified by pre-installed
+     * holders of a dedicated permission. The installer on record can only remove
+     * permissions from this whitelist.
+     *
+     * <li>one for cases where the installer of the package whitelists a permission.
+     * This list corresponds to the {@link #FLAG_PERMISSION_WHITELIST_INSTALLER} flag.
+     * Can be modified by pre-installed holders of a dedicated permission or the installer
+     * on record.
+     *
+     * <p>You need to specify the whitelists for which to set the whitelisted permissions
+     * which will clear the previous whitelisted permissions and replace them with the
+     * provided ones.
+     *
+     * @param packageName The app for which to get whitelisted permissions.
+     * @param permission The whitelisted permission to remove.
+     * @param whitelistFlags The whitelists from which to remove. Passing multiple flags
+     * updates all specified whitelists.
+     * @return Whether the permission was removed from the whitelist.
+     *
+     * @see #getWhitelistedRestrictedPermissions(String, int)
+     * @see #addWhitelistedRestrictedPermission(String, String, int)
+     * @see #FLAG_PERMISSION_WHITELIST_SYSTEM
+     * @see #FLAG_PERMISSION_WHITELIST_UPGRADE
+     * @see #FLAG_PERMISSION_WHITELIST_INSTALLER
+     *
+     * @throws SecurityException if you try to modify a whitelist that you have no access to.
+     */
+    @RequiresPermission(value = Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS,
+        conditional = true)
+    public boolean removeWhitelistedRestrictedPermission(@NonNull String packageName,
+        @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags) {
+        return false;
+    }
+
     /**
      * Gets whether you should show UI with rationale for requesting a permission.
      * You should do this only if you do not have the permission and the context in
@@ -6514,6 +6793,13 @@ public abstract class PackageManager {
     @UnsupportedAppUsage
     public abstract boolean isUpgrade();
 
+    /**
+     * Returns true if the device is upgrading, such as first boot after OTA.
+     */
+    public boolean isDeviceUpgrading() {
+        return false;
+    }
+
     /**
      * Return interface that offers the ability to install, upgrade, and remove
      * applications on the device.
@@ -6739,6 +7025,10 @@ public abstract class PackageManager {
             case FLAG_PERMISSION_REVOKE_WHEN_REQUESTED: return "REVOKE_WHEN_REQUESTED";
             case FLAG_PERMISSION_USER_SENSITIVE_WHEN_GRANTED: return "USER_SENSITIVE_WHEN_GRANTED";
             case FLAG_PERMISSION_USER_SENSITIVE_WHEN_DENIED: return "USER_SENSITIVE_WHEN_DENIED";
+            case FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT: return "RESTRICTION_INSTALLER_EXEMPT";
+            case FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT: return "RESTRICTION_SYSTEM_EXEMPT";
+            case FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT: return "RESTRICTION_UPGRADE_EXEMPT";
+            case FLAG_PERMISSION_APPLY_RESTRICTION: return "FLAG_PERMISSION_APPLY_RESTRICTION";
             default: return Integer.toString(flag);
         }
     }
diff --git a/core/java/android/content/pm/PackageManagerInternal.java b/core/java/android/content/pm/PackageManagerInternal.java
index cd324afb04797..5f54735839072 100644
--- a/core/java/android/content/pm/PackageManagerInternal.java
+++ b/core/java/android/content/pm/PackageManagerInternal.java
@@ -80,6 +80,8 @@ public abstract class PackageManagerInternal {
     public interface PackageListObserver {
         /** A package was added to the system. */
         void onPackageAdded(@NonNull String packageName, int uid);
+        /** A package was changed - either installed for a specific user or updated. */
+        default void onPackageChanged(@NonNull String packageName, int uid) {}
         /** A package was removed from the system. */
         void onPackageRemoved(@NonNull String packageName, int uid);
     }
@@ -950,4 +952,13 @@ public abstract class PackageManagerInternal {
      */
     public abstract void uninstallApex(String packageName, long versionCode, int userId,
             IntentSender intentSender);
+
+    /**
+     * Whether default permission grants have been performed for a user
+     * since the device booted.
+     *
+     * @param userId The user id.
+     * @return true if default permissions
+     */
+    public abstract boolean wereDefaultPermissionsGrantedSinceBoot(int userId);
 }
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index 8981000714dd7..2b23e7a2a6338 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -3279,6 +3279,19 @@ public class PackageParser {
         perm.info.flags = sa.getInt(
                 com.android.internal.R.styleable.AndroidManifestPermission_permissionFlags, 0);
 
+        // For now only platform runtime permissions can be restricted
+        if (!perm.info.isRuntime() || !"android".equals(perm.info.packageName)) {
+            perm.info.flags &= ~PermissionInfo.FLAG_HARD_RESTRICTED;
+            perm.info.flags &= ~PermissionInfo.FLAG_SOFT_RESTRICTED;
+        } else {
+            // The platform does not get to specify conflicting permissions
+            if ((perm.info.flags & PermissionInfo.FLAG_HARD_RESTRICTED) != 0
+                    && (perm.info.flags & PermissionInfo.FLAG_SOFT_RESTRICTED) != 0) {
+                throw new IllegalStateException("Permission cannot be both soft and hard"
+                        + " restricted: " + perm.info.name);
+            }
+        }
+
         sa.recycle();
 
         if (perm.info.protectionLevel == -1) {
diff --git a/core/java/android/content/pm/PermissionInfo.java b/core/java/android/content/pm/PermissionInfo.java
index 6a41f334827dd..f838900d43d7a 100644
--- a/core/java/android/content/pm/PermissionInfo.java
+++ b/core/java/android/content/pm/PermissionInfo.java
@@ -319,6 +319,27 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
     @SystemApi
     public static final int FLAG_REMOVED = 1<<1;
 
+    /**
+     * Flag for {@link #flags}, corresponding to <code>hardRestricted</code>
+     * value of {@link android.R.attr#permissionFlags}.
+     *
+     * <p> This permission is restricted by the platform and it would be
+     * grantable only to apps that meet special criteria per platform
+     * policy.
+     */
+    public static final int FLAG_HARD_RESTRICTED = 1<<2;
+
+    /**
+     * Flag for {@link #flags}, corresponding to <code>softRestricted</code>
+     * value of {@link android.R.attr#permissionFlags}.
+     *
+     * <p>This permission is restricted by the platform and it would be
+     * grantable in its full form to apps that meet special criteria
+     * per platform policy. Otherwise, a weaker form of the permission
+     * would be granted. The weak grant depends on the permission.
+     */
+    public static final int FLAG_SOFT_RESTRICTED = 1<<3;
+
     /**
      * Flag for {@link #flags}, indicating that this permission has been
      * installed into the system's globally defined permissions.
@@ -574,11 +595,31 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
         return size;
     }
 
+    /** @hide */
+    public boolean isHardRestricted() {
+        return (flags & PermissionInfo.FLAG_HARD_RESTRICTED) != 0;
+    }
+
+    /** @hide */
+    public boolean isSoftRestricted() {
+        return (flags & PermissionInfo.FLAG_SOFT_RESTRICTED) != 0;
+    }
+
+    /** @hide */
+    public boolean isRestricted() {
+        return isHardRestricted() || isSoftRestricted();
+    }
+
     /** @hide */
     public boolean isAppOp() {
         return (protectionLevel & PermissionInfo.PROTECTION_FLAG_APPOP) != 0;
     }
 
+    /** @hide */
+    public boolean isRuntime() {
+        return getProtection() == PROTECTION_DANGEROUS;
+    }
+
     public static final @NonNull Creator<PermissionInfo> CREATOR =
         new Creator<PermissionInfo>() {
         @Override
diff --git a/core/java/android/os/RemoteCallback.java b/core/java/android/os/RemoteCallback.java
index 22cf404c4f570..047ba1d20056e 100644
--- a/core/java/android/os/RemoteCallback.java
+++ b/core/java/android/os/RemoteCallback.java
@@ -29,7 +29,7 @@ import android.annotation.TestApi;
 public final class RemoteCallback implements Parcelable {
 
     public interface OnResultListener {
-        public void onResult(Bundle result);
+        void onResult(@Nullable Bundle result);
     }
 
     private final OnResultListener mListener;
diff --git a/core/java/android/permission/IPermissionController.aidl b/core/java/android/permission/IPermissionController.aidl
index 4f65d244d3c1f..45c01bcf255b6 100644
--- a/core/java/android/permission/IPermissionController.aidl
+++ b/core/java/android/permission/IPermissionController.aidl
@@ -40,4 +40,5 @@ oneway interface IPermissionController {
     void getPermissionUsages(boolean countSystem, long numMillis, in RemoteCallback callback);
     void setRuntimePermissionGrantStateByDeviceAdmin(String callerPackageName, String packageName,
             String permission, int grantState, in RemoteCallback callback);
+    void grantOrUpgradeDefaultRuntimePermissions(in RemoteCallback callback);
 }
diff --git a/core/java/android/permission/PermissionControllerManager.java b/core/java/android/permission/PermissionControllerManager.java
index 55fae3014666f..be8973751bf8d 100644
--- a/core/java/android/permission/PermissionControllerManager.java
+++ b/core/java/android/permission/PermissionControllerManager.java
@@ -56,7 +56,7 @@ import android.os.RemoteException;
 import android.os.UserHandle;
 import android.util.ArrayMap;
 import android.util.Log;
-import android.util.SparseArray;
+import android.util.Pair;
 
 import com.android.internal.annotations.GuardedBy;
 import com.android.internal.infra.AbstractMultiplePendingRequestsRemoteService;
@@ -95,7 +95,8 @@ public final class PermissionControllerManager {
      * Global remote services (per user) used by all {@link PermissionControllerManager managers}
      */
     @GuardedBy("sLock")
-    private static SparseArray<RemoteService> sRemoteServices = new SparseArray<>(1);
+    private static ArrayMap<Pair<Integer, Thread>, RemoteService> sRemoteServices
+            = new ArrayMap<>(1);
 
     /**
      * The key for retrieving the result from the returned bundle.
@@ -217,20 +218,24 @@ public final class PermissionControllerManager {
      * Create a new {@link PermissionControllerManager}.
      *
      * @param context to create the manager for
+     * @param handler handler to schedule work
      *
      * @hide
      */
-    public PermissionControllerManager(@NonNull Context context) {
+    public PermissionControllerManager(@NonNull Context context, @NonNull Handler handler) {
         synchronized (sLock) {
-            RemoteService remoteService = sRemoteServices.get(context.getUserId(), null);
+            Pair<Integer, Thread> key = new Pair<>(context.getUserId(),
+                    handler.getLooper().getThread());
+            RemoteService remoteService = sRemoteServices.get(key);
             if (remoteService == null) {
                 Intent intent = new Intent(SERVICE_INTERFACE);
                 intent.setPackage(context.getPackageManager().getPermissionControllerPackageName());
                 ResolveInfo serviceInfo = context.getPackageManager().resolveService(intent, 0);
 
                 remoteService = new RemoteService(context.getApplicationContext(),
-                        serviceInfo.getComponentInfo().getComponentName(), context.getUser());
-                sRemoteServices.put(context.getUserId(), remoteService);
+                        serviceInfo.getComponentInfo().getComponentName(), handler,
+                        context.getUser());
+                sRemoteServices.put(key, remoteService);
             }
 
             mRemoteService = remoteService;
@@ -453,6 +458,23 @@ public final class PermissionControllerManager {
                 countSystem, numMillis, executor, callback));
     }
 
+    /**
+     * Grant or upgrade runtime permissions. The upgrade could be performed
+     * based on whether the device upgraded, whether the permission database
+     * version is old, or because the permission policy changed.
+     *
+     * @param executor Executor on which to invoke the callback
+     * @param callback Callback to receive the result
+     *
+     * @hide
+     */
+    @RequiresPermission(Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY)
+    public void grantOrUpgradeDefaultRuntimePermissions(
+            @NonNull @CallbackExecutor Executor executor, @NonNull Consumer<Boolean> callback) {
+        mRemoteService.scheduleRequest(new PendingGrantOrUpgradeDefaultRuntimePermissionsRequest(
+                mRemoteService, executor, callback));
+    }
+
     /**
      * A connection to the remote service
      */
@@ -469,10 +491,10 @@ public final class PermissionControllerManager {
          * @param user User the remote service should be connected as
          */
         RemoteService(@NonNull Context context, @NonNull ComponentName componentName,
-                @NonNull UserHandle user) {
+                @NonNull Handler handler, @NonNull UserHandle user) {
             super(context, SERVICE_INTERFACE, componentName, user.getIdentifier(),
                     service -> Log.e(TAG, "RemoteService " + service + " died"),
-                    context.getMainThreadHandler(), 0, false, 1);
+                    handler, 0, false, 1);
         }
 
         /**
@@ -1147,4 +1169,51 @@ public final class PermissionControllerManager {
             }
         }
     }
+
+    /**
+     * Request for {@link #grantOrUpgradeDefaultRuntimePermissions(Executor, Consumer)}
+     */
+    private static final class PendingGrantOrUpgradeDefaultRuntimePermissionsRequest extends
+            AbstractRemoteService.PendingRequest<RemoteService, IPermissionController> {
+        private final @NonNull Consumer<Boolean> mCallback;
+
+        private final @NonNull RemoteCallback mRemoteCallback;
+
+        private PendingGrantOrUpgradeDefaultRuntimePermissionsRequest(
+                @NonNull RemoteService service,  @NonNull @CallbackExecutor Executor executor,
+                @NonNull Consumer<Boolean> callback) {
+            super(service);
+            mCallback = callback;
+
+            mRemoteCallback = new RemoteCallback(result -> executor.execute(() -> {
+                long token = Binder.clearCallingIdentity();
+                try {
+                    callback.accept(result != null);
+                } finally {
+                    Binder.restoreCallingIdentity(token);
+                    finish();
+                }
+            }), null);
+        }
+
+        @Override
+        protected void onTimeout(RemoteService remoteService) {
+            long token = Binder.clearCallingIdentity();
+            try {
+                mCallback.accept(false);
+            } finally {
+                Binder.restoreCallingIdentity(token);
+            }
+        }
+
+        @Override
+        public void run() {
+            try {
+                getService().getServiceInterface().grantOrUpgradeDefaultRuntimePermissions(
+                        mRemoteCallback);
+            } catch (RemoteException e) {
+                Log.e(TAG, "Error granting or upgrading runtime permissions", e);
+            }
+        }
+    }
 }
diff --git a/core/java/android/permission/PermissionControllerService.java b/core/java/android/permission/PermissionControllerService.java
index 2313d5972cbd8..ed44367e28c67 100644
--- a/core/java/android/permission/PermissionControllerService.java
+++ b/core/java/android/permission/PermissionControllerService.java
@@ -177,6 +177,17 @@ public abstract class PermissionControllerService extends Service {
     public abstract @NonNull List<RuntimePermissionUsageInfo> onGetPermissionUsages(
             boolean countSystem, long numMillis);
 
+    /**
+     * Grant or upgrade runtime permissions. The upgrade could be performed
+     * based on whether the device upgraded, whether the permission database
+     * version is old, or because the permission policy changed.
+     *
+     * @see PackageManager#isDeviceUpgrading()
+     * @see PermissionManager#getRuntimePermissionsVersion()
+     * @see PermissionManager#setRuntimePermissionsVersion(int)
+     */
+    public abstract void onGrantOrUpgradeDefaultRuntimePermissions();
+
     /**
      * Set the runtime permission state from a device admin.
      *
@@ -350,6 +361,18 @@ public abstract class PermissionControllerService extends Service {
                         PermissionControllerService.this, callerPackageName, packageName,
                         permission, grantState, callback));
             }
+
+            @Override
+            public void grantOrUpgradeDefaultRuntimePermissions(@NonNull RemoteCallback callback) {
+                checkNotNull(callback, "callback");
+
+                enforceCallingPermission(Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY,
+                        null);
+
+                mHandler.sendMessage(obtainMessage(
+                        PermissionControllerService::grantOrUpgradeDefaultRuntimePermissions,
+                        PermissionControllerService.this, callback));
+            }
         };
     }
 
@@ -426,4 +449,9 @@ public abstract class PermissionControllerService extends Service {
         result.putBoolean(PermissionControllerManager.KEY_RESULT, wasSet);
         callback.sendResult(result);
     }
+
+    private void grantOrUpgradeDefaultRuntimePermissions(@NonNull RemoteCallback callback) {
+        onGrantOrUpgradeDefaultRuntimePermissions();
+        callback.sendResult(Bundle.EMPTY);
+    }
 }
diff --git a/core/java/android/permission/PermissionManager.java b/core/java/android/permission/PermissionManager.java
index 2ea706613ef84..1aa5b06569355 100644
--- a/core/java/android/permission/PermissionManager.java
+++ b/core/java/android/permission/PermissionManager.java
@@ -16,10 +16,19 @@
 
 package android.permission;
 
+import android.Manifest;
+import android.annotation.IntRange;
 import android.annotation.NonNull;
+import android.annotation.RequiresPermission;
 import android.annotation.SystemApi;
 import android.annotation.SystemService;
+import android.annotation.TestApi;
+import android.annotation.UnsupportedAppUsage;
 import android.content.Context;
+import android.content.pm.IPackageManager;
+import android.content.pm.PackageManager;
+import android.content.pm.PermissionInfo;
+import android.os.RemoteException;
 
 import com.android.internal.annotations.Immutable;
 import com.android.server.SystemConfig;
@@ -46,14 +55,53 @@ public final class PermissionManager {
 
     private final @NonNull Context mContext;
 
+    private final IPackageManager mPackageManager;
+
     /**
      * Creates a new instance.
      *
      * @param context The current context in which to operate.
      * @hide
      */
-    public PermissionManager(@NonNull Context context) {
+    public PermissionManager(@NonNull Context context, IPackageManager packageManager) {
         mContext = context;
+        mPackageManager = packageManager;
+    }
+
+    /**
+     * Gets the version of the runtime permission database.
+     *
+     * @return The database version.
+     *
+     * @hide
+     */
+    @TestApi
+    @SystemApi
+    @RequiresPermission(Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY)
+    public @IntRange(from = 0) int getRuntimePermissionsVersion() {
+        try {
+            return mPackageManager.getRuntimePermissionsVersion(mContext.getUserId());
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+
+    /**
+     * Sets the version of the runtime permission database.
+     *
+     * @param version The new version.
+     *
+     * @hide
+     */
+    @TestApi
+    @SystemApi
+    @RequiresPermission(Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY)
+    public void setRuntimePermissionsVersion(@IntRange(from = 0) int version) {
+        try {
+            mPackageManager.setRuntimePermissionsVersion(version, mContext.getUserId());
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
     }
 
     /**
diff --git a/core/java/android/permission/PermissionManagerInternal.java b/core/java/android/permission/PermissionManagerInternal.java
index 92dbab33a2f09..71674311965ce 100644
--- a/core/java/android/permission/PermissionManagerInternal.java
+++ b/core/java/android/permission/PermissionManagerInternal.java
@@ -18,6 +18,7 @@ package android.permission;
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.annotation.UserIdInt;
 import android.os.UserHandle;
 
 /**
@@ -28,6 +29,23 @@ import android.os.UserHandle;
  * @hide
  */
 public abstract class PermissionManagerInternal {
+
+    /**
+     * Listener for package permission state (permissions or flags) changes.
+     */
+    public interface OnRuntimePermissionStateChangedListener {
+
+        /**
+         * Called when the runtime permission state (permissions or flags) changed.
+         *
+         * @param packageName The package for which the change happened.
+         * @param userId the user id for which the change happened.
+         */
+        @Nullable
+        void onRuntimePermissionStateChanged(@NonNull String packageName,
+                @UserIdInt int userId);
+    }
+
     /**
      * Get the state of the runtime permissions as xml file.
      *
@@ -59,4 +77,20 @@ public abstract class PermissionManagerInternal {
      */
     public abstract void restoreDelayedRuntimePermissions(@NonNull String packageName,
             @NonNull UserHandle user);
+
+    /**
+     * Adds a listener for runtime permission state (permissions or flags) changes.
+     *
+     * @param listener The listener.
+     */
+    public abstract void addOnRuntimePermissionStateChangedListener(
+            @NonNull OnRuntimePermissionStateChangedListener listener);
+
+    /**
+     * Removes a listener for runtime permission state (permissions or flags) changes.
+     *
+     * @param listener The listener.
+     */
+    public abstract void removeOnRuntimePermissionStateChangedListener(
+            @NonNull OnRuntimePermissionStateChangedListener listener);
 }
diff --git a/core/java/android/provider/DeviceConfig.java b/core/java/android/provider/DeviceConfig.java
index 9ec77232ec28b..166de3fde7413 100644
--- a/core/java/android/provider/DeviceConfig.java
+++ b/core/java/android/provider/DeviceConfig.java
@@ -281,30 +281,7 @@ public final class DeviceConfig {
      */
     @SystemApi
     @TestApi
-    public interface Privacy {
-        String NAMESPACE = "privacy";
-
-        /**
-         * Whether to show the Permissions Hub.
-         *
-         * @hide
-         */
-        @SystemApi
-        String PROPERTY_PERMISSIONS_HUB_ENABLED = "permissions_hub_enabled";
-
-        /**
-         * Whether to show location access check notifications.
-         */
-        String PROPERTY_LOCATION_ACCESS_CHECK_ENABLED = "location_access_check_enabled";
-
-        /**
-         * Whether to disable the new device identifier access restrictions.
-         *
-         * @hide
-         */
-        String PROPERTY_DEVICE_IDENTIFIER_ACCESS_RESTRICTIONS_DISABLED =
-                "device_identifier_access_restrictions_disabled";
-    }
+    public static final String NAMESPACE_PRIVACY = "privacy";
 
     private static final Object sLock = new Object();
     @GuardedBy("sLock")
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index ee0c83ea72f8b..2e1ef38048b2f 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -13390,18 +13390,6 @@ public final class Settings {
         public static final String LOCATION_GLOBAL_KILL_SWITCH =
                 "location_global_kill_switch";
 
-        /**
-         * If set to 1, app cannot request read sms permission unless it's the default sms handler.
-         *
-         * STOPSHIP: Remove this once we ship with the restriction enabled.
-         *
-         * @hide
-         */
-        @SystemApi
-        @TestApi
-        public static final String SMS_ACCESS_RESTRICTION_ENABLED =
-                "sms_access_restriction_enabled";
-
         /**
          * If set to 1, the device identifier check will be relaxed to the previous READ_PHONE_STATE
          * permission check for 3P apps.
diff --git a/core/java/android/util/StatsLogAtoms.java b/core/java/android/util/StatsLogAtoms.java
index bbede5394ede0..4780cb58ca063 100644
--- a/core/java/android/util/StatsLogAtoms.java
+++ b/core/java/android/util/StatsLogAtoms.java
@@ -76,6 +76,13 @@ public class StatsLogAtoms {
     public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED_POLICY_FIXED =
             StatsLogInternal.PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED_POLICY_FIXED;
 
+    /**
+     * Possible value of {@link PermissionGrantRequestResultReported_Result}:
+     * permission request was ignored because it was restricted
+     */
+    public static final int PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED_RESTRICTED_PERMISSION =
+            StatsLogInternal.PERMISSION_GRANT_REQUEST_RESULT_REPORTED__RESULT__IGNORED_RESTRICTED_PERMISSION;
+
     /**
      * Possible value of {@link PermissionGrantRequestResultReported_Result}:
      * permission was granted by user action
diff --git a/core/java/com/android/internal/infra/AbstractMultiplePendingRequestsRemoteService.java b/core/java/com/android/internal/infra/AbstractMultiplePendingRequestsRemoteService.java
index 206efa94b7f69..c3aa847acae17 100644
--- a/core/java/com/android/internal/infra/AbstractMultiplePendingRequestsRemoteService.java
+++ b/core/java/com/android/internal/infra/AbstractMultiplePendingRequestsRemoteService.java
@@ -32,7 +32,6 @@ import java.util.ArrayList;
  *
  * @param <S> the concrete remote service class
  * @param <I> the interface of the binder service
- * @hide
  */
 public abstract class AbstractMultiplePendingRequestsRemoteService<S
         extends AbstractMultiplePendingRequestsRemoteService<S, I>, I extends IInterface>
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index de526eff275e0..b94eb1626e37e 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -728,7 +728,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_sendSms"
         android:description="@string/permdesc_sendSms"
-        android:permissionFlags="costsMoney"
+        android:permissionFlags="costsMoney|hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- Allows an application to receive SMS messages.
@@ -738,6 +738,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_receiveSms"
         android:description="@string/permdesc_receiveSms"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- Allows an application to read SMS messages.
@@ -747,6 +748,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_readSms"
         android:description="@string/permdesc_readSms"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- Allows an application to receive WAP push messages.
@@ -756,6 +758,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_receiveWapPush"
         android:description="@string/permdesc_receiveWapPush"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- Allows an application to monitor incoming MMS messages.
@@ -765,6 +768,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_receiveMms"
         android:description="@string/permdesc_receiveMms"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- @SystemApi @TestApi Allows an application to read previously received cell broadcast
@@ -783,6 +787,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_readCellBroadcasts"
         android:description="@string/permdesc_readCellBroadcasts"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- ====================================================================== -->
@@ -947,6 +952,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_readCallLog"
         android:description="@string/permdesc_readCallLog"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- Allows an application to write (but not read) the user's
@@ -966,6 +972,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_writeCallLog"
         android:description="@string/permdesc_writeCallLog"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- Allows an application to see the number being dialed during an outgoing
@@ -980,6 +987,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_processOutgoingCalls"
         android:description="@string/permdesc_processOutgoingCalls"
+        android:permissionFlags="hardRestricted"
         android:protectionLevel="dangerous" />
 
     <!-- ====================================================================== -->
@@ -3427,6 +3435,12 @@
     <permission android:name="android.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY"
                 android:protectionLevel="signature|installer" />
 
+    <!-- @SystemApi Allows an application to whitelist restricted permissions
+         on any of the whitelists.
+    @hide -->
+    <permission android:name="android.permission.WHITELIST_RESTRICTED_PERMISSIONS"
+                android:protectionLevel="signature|installer" />
+
     <!-- @hide Allows an application to observe permission changes. -->
     <permission android:name="android.permission.OBSERVE_GRANT_REVOKE_PERMISSIONS"
         android:protectionLevel="signature|privileged" />
diff --git a/core/res/res/values/attrs_manifest.xml b/core/res/res/values/attrs_manifest.xml
index 8f3f25aad1822..47c243ca1e041 100644
--- a/core/res/res/values/attrs_manifest.xml
+++ b/core/res/res/values/attrs_manifest.xml
@@ -310,13 +310,24 @@
         <!-- Set to indicate that this permission allows an operation that
              may cost the user money.  Such permissions may be highlighted
              when shown to the user with this additional information.  -->
-        <flag name="costsMoney" value="0x0001" />
+        <flag name="costsMoney" value="0x1" />
         <!-- Additional flag from base permission type: this permission has been
              removed and it is no longer enforced. It shouldn't be shown in the
              UI. Removed permissions are kept as normal permissions for backwards
              compatibility as apps may be checking them before calling an API.
         -->
         <flag name="removed" value="0x2" />
+        <!-- This permission is restricted by the platform and it would be
+             grantable only to apps that meet special criteria per platform
+             policy.
+        -->
+        <flag name="hardRestricted" value="0x4" />
+        <!-- This permission is restricted by the platform and it would be
+             grantable in its full form to apps that meet special criteria
+             per platform policy. Otherwise, a weaker form of the permission
+             would be granted. The weak grant depends on the permission.
+        -->
+        <flag name="softRestricted" value="0x8" />
     </attr>
 
     <!-- Specified the name of a group that this permission is associated
diff --git a/core/tests/coretests/src/android/provider/SettingsBackupTest.java b/core/tests/coretests/src/android/provider/SettingsBackupTest.java
index c36ca829bb505..33c23c47bcee4 100644
--- a/core/tests/coretests/src/android/provider/SettingsBackupTest.java
+++ b/core/tests/coretests/src/android/provider/SettingsBackupTest.java
@@ -433,7 +433,6 @@ public class SettingsBackupTest {
                     Settings.Global.SIGNED_CONFIG_VERSION,
                     Settings.Global.SMART_SELECTION_UPDATE_CONTENT_URL,
                     Settings.Global.SMART_SELECTION_UPDATE_METADATA_URL,
-                    Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED,
                     Settings.Global.SMS_OUTGOING_CHECK_INTERVAL_MS,
                     Settings.Global.SMS_OUTGOING_CHECK_MAX_COUNT,
                     Settings.Global.SMS_SHORT_CODE_CONFIRMATION,
diff --git a/packages/PackageInstaller/src/com/android/packageinstaller/InstallInstalling.java b/packages/PackageInstaller/src/com/android/packageinstaller/InstallInstalling.java
index 9f38d48da4ed5..cee4666a39ba7 100755
--- a/packages/PackageInstaller/src/com/android/packageinstaller/InstallInstalling.java
+++ b/packages/PackageInstaller/src/com/android/packageinstaller/InstallInstalling.java
@@ -139,6 +139,9 @@ public class InstallInstalling extends AlertActivity {
                         getIntent().getStringExtra(Intent.EXTRA_INSTALLER_PACKAGE_NAME);
                 params.installReason = PackageManager.INSTALL_REASON_USER;
 
+                // Whitelist all restricted permissions.
+                params.setWhitelistedRestrictedPermissions(null /*permissions*/);
+
                 File file = new File(mPackageURI.getPath());
                 try {
                     PackageParser.PackageLite pkg = PackageParser.parsePackageLite(file, 0);
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProtoDumpUtil.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProtoDumpUtil.java
index f597a1a85d012..c204f265f27ff 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProtoDumpUtil.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProtoDumpUtil.java
@@ -1236,11 +1236,6 @@ class SettingsProtoDumpUtil {
         dumpSetting(s, p,
                 Settings.Global.SMS_SHORT_CODES_UPDATE_METADATA_URL,
                 GlobalSettingsProto.Sms.SHORT_CODES_UPDATE_METADATA_URL);
-        dumpSetting(s, p,
-                Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED,
-                GlobalSettingsProto.Sms.ACCESS_RESTRICTION_ENABLED);
-        p.end(smsToken);
-
         final long soundsToken = p.start(GlobalSettingsProto.SOUNDS);
         dumpSetting(s, p,
                 Settings.Global.CAR_DOCK_SOUND,
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 296f7a144ffe5..a5b78497a645b 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -3610,7 +3610,7 @@ public class SettingsProvider extends ContentProvider {
 
                     final boolean isUpgrade;
                     try {
-                        isUpgrade = mPackageManager.isUpgrade();
+                        isUpgrade = mPackageManager.isDeviceUpgrading();
                     } catch (RemoteException e) {
                         throw new IllegalStateException("Package manager not available");
                     }
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index 2a9456dd723c4..d1b7c75723616 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -99,6 +99,7 @@
     <uses-permission android:name="android.permission.GRANT_RUNTIME_PERMISSIONS" />
     <uses-permission android:name="android.permission.REVOKE_RUNTIME_PERMISSIONS" />
     <uses-permission android:name="android.permission.INSTALL_GRANT_RUNTIME_PERMISSIONS" />
+    <uses-permission android:name="android.permission.WHITELIST_RESTRICTED_PERMISSIONS" />
     <uses-permission android:name="android.permission.SET_KEYBOARD_LAYOUT" />
     <uses-permission android:name="android.permission.GET_DETAILED_TASKS" />
     <uses-permission android:name="android.permission.SET_SCREEN_COMPATIBILITY" />
diff --git a/services/core/java/com/android/server/am/CoreSettingsObserver.java b/services/core/java/com/android/server/am/CoreSettingsObserver.java
index cb587de01f14f..b053d84de7d65 100644
--- a/services/core/java/com/android/server/am/CoreSettingsObserver.java
+++ b/services/core/java/com/android/server/am/CoreSettingsObserver.java
@@ -74,7 +74,6 @@ final class CoreSettingsObserver extends ContentObserver {
         sGlobalSettingToTypeMap.put(Settings.Global.GPU_DEBUG_LAYERS, String.class);
         sGlobalSettingToTypeMap.put(Settings.Global.GPU_DEBUG_LAYERS_GLES, String.class);
         sGlobalSettingToTypeMap.put(Settings.Global.GPU_DEBUG_LAYER_APP, String.class);
-        sGlobalSettingToTypeMap.put(Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED, int.class);
         sGlobalSettingToTypeMap.put(Settings.Global.GAME_DRIVER_ALL_APPS, int.class);
         sGlobalSettingToTypeMap.put(Settings.Global.GAME_DRIVER_OPT_IN_APPS, String.class);
         sGlobalSettingToTypeMap.put(Settings.Global.GAME_DRIVER_OPT_OUT_APPS, String.class);
diff --git a/services/core/java/com/android/server/am/UserController.java b/services/core/java/com/android/server/am/UserController.java
index 2bd91985eafb3..8847e32d0fb5e 100644
--- a/services/core/java/com/android/server/am/UserController.java
+++ b/services/core/java/com/android/server/am/UserController.java
@@ -2269,7 +2269,7 @@ class UserController implements Handler.Callback {
         boolean isFirstBootOrUpgrade() {
             IPackageManager pm = AppGlobals.getPackageManager();
             try {
-                return pm.isFirstBoot() || pm.isUpgrade();
+                return pm.isFirstBoot() || pm.isDeviceUpgrading();
             } catch (RemoteException e) {
                 throw e.rethrowFromSystemServer();
             }
diff --git a/services/core/java/com/android/server/pm/OtaDexoptService.java b/services/core/java/com/android/server/pm/OtaDexoptService.java
index 1c9028d10ca2e..9094e1bf4c5ab 100644
--- a/services/core/java/com/android/server/pm/OtaDexoptService.java
+++ b/services/core/java/com/android/server/pm/OtaDexoptService.java
@@ -353,7 +353,7 @@ public class OtaDexoptService extends IOtaDexopt.Stub {
             throw new IllegalStateException("Should not be ota-dexopting when trying to move.");
         }
 
-        if (!mPackageManagerService.isUpgrade()) {
+        if (!mPackageManagerService.isDeviceUpgrading()) {
             Slog.d(TAG, "No upgrade, skipping A/B artifacts check.");
             return;
         }
diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
index e4cb283fe864f..7f48970b445a4 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
@@ -531,6 +531,16 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements
                         + "to use the PackageManager.INSTALL_GRANT_RUNTIME_PERMISSIONS flag");
             }
 
+            // Only system components can circumvent restricted whitelisting when installing.
+            if ((params.installFlags
+                    & PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS) != 0
+                    && mContext.checkCallingOrSelfPermission(Manifest.permission
+                    .WHITELIST_RESTRICTED_PERMISSIONS) == PackageManager.PERMISSION_DENIED) {
+                throw new SecurityException("You need the "
+                        + "android.permission.WHITELIST_RESTRICTED_PERMISSIONS permission to"
+                        + " use the PackageManager.INSTALL_WHITELIST_RESTRICTED_PERMISSIONS flag");
+            }
+
             // Defensively resize giant app icons
             if (params.appIcon != null) {
                 final ActivityManager am = (ActivityManager) mContext.getSystemService(
diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java
index 3306ccdf2a221..a935c652be53e 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java
@@ -139,6 +139,8 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
     static final String TAG_SESSION = "session";
     static final String TAG_CHILD_SESSION = "childSession";
     private static final String TAG_GRANTED_RUNTIME_PERMISSION = "granted-runtime-permission";
+    private static final String TAG_WHITELISTED_RESTRICTED_PERMISSION =
+            "whitelisted-restricted-permission";
     private static final String ATTR_SESSION_ID = "sessionId";
     private static final String ATTR_USER_ID = "userId";
     private static final String ATTR_INSTALLER_PACKAGE_NAME = "installerPackageName";
@@ -486,6 +488,7 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
             info.originatingUid = params.originatingUid;
             info.referrerUri = params.referrerUri;
             info.grantedRuntimePermissions = params.grantedRuntimePermissions;
+            info.whitelistedRestrictedPermissions = params.whitelistedRestrictedPermissions;
             info.installFlags = params.installFlags;
             info.isMultiPackage = params.isMultiPackage;
             info.isStaged = params.isStaged;
@@ -2331,6 +2334,19 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
         }
     }
 
+    private static void writeWhitelistedRestrictedPermissionsLocked(@NonNull XmlSerializer out,
+            @Nullable List<String> whitelistedRestrictedPermissions) throws IOException {
+        if (whitelistedRestrictedPermissions != null) {
+            final int permissionCount = whitelistedRestrictedPermissions.size();
+            for (int i = 0; i < permissionCount; i++) {
+                out.startTag(null, TAG_WHITELISTED_RESTRICTED_PERMISSION);
+                writeStringAttribute(out, ATTR_NAME, whitelistedRestrictedPermissions.get(i));
+                out.endTag(null, TAG_WHITELISTED_RESTRICTED_PERMISSION);
+            }
+        }
+    }
+
+
     private static File buildAppIconFile(int sessionId, @NonNull File sessionsDir) {
         return new File(sessionsDir, "app_icon." + sessionId + ".png");
     }
@@ -2392,6 +2408,8 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
             writeIntAttribute(out, ATTR_INSTALL_REASON, params.installReason);
 
             writeGrantedRuntimePermissionsLocked(out, params.grantedRuntimePermissions);
+            writeWhitelistedRestrictedPermissionsLocked(out,
+                    params.whitelistedRestrictedPermissions);
 
             // Persist app icon if changed since last written
             File appIconFile = buildAppIconFile(sessionId, sessionsDir);
@@ -2510,7 +2528,8 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
 
         // Store the current depth. We should stop parsing when we reach an end tag at the same
         // depth.
-        List<String> permissions = new ArrayList<>();
+        List<String> grantedRuntimePermissions = new ArrayList<>();
+        List<String> whitelistedRestrictedPermissions = new ArrayList<>();
         List<Integer> childSessionIds = new ArrayList<>();
         int outerDepth = in.getDepth();
         int type;
@@ -2520,15 +2539,24 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
                 continue;
             }
             if (TAG_GRANTED_RUNTIME_PERMISSION.equals(in.getName())) {
-                permissions.add(readStringAttribute(in, ATTR_NAME));
+                grantedRuntimePermissions.add(readStringAttribute(in, ATTR_NAME));
+            }
+            if (TAG_WHITELISTED_RESTRICTED_PERMISSION.equals(in.getName())) {
+                whitelistedRestrictedPermissions.add(readStringAttribute(in, ATTR_NAME));
+
             }
             if (TAG_CHILD_SESSION.equals(in.getName())) {
                 childSessionIds.add(readIntAttribute(in, ATTR_SESSION_ID, SessionInfo.INVALID_ID));
             }
         }
 
-        if (permissions.size() > 0) {
-            params.grantedRuntimePermissions = permissions.stream().toArray(String[]::new);
+        if (grantedRuntimePermissions.size() > 0) {
+            params.grantedRuntimePermissions = grantedRuntimePermissions
+                    .stream().toArray(String[]::new);
+        }
+
+        if (whitelistedRestrictedPermissions.size() > 0) {
+            params.whitelistedRestrictedPermissions = whitelistedRestrictedPermissions;
         }
 
         int[] childSessionIdsArray;
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 444d2fa8d665b..d5b1ca3e72a1e 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -170,6 +170,7 @@ import android.content.pm.PackageList;
 import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.LegacyPackageDeleteObserver;
 import android.content.pm.PackageManager.ModuleInfoFlags;
+import android.content.pm.PackageManager.PermissionWhitelistFlags;
 import android.content.pm.PackageManagerInternal;
 import android.content.pm.PackageManagerInternal.CheckPermissionDelegate;
 import android.content.pm.PackageManagerInternal.PackageListObserver;
@@ -745,6 +746,9 @@ public class PackageManagerService extends IPackageManager.Stub
     @GuardedBy("mPackages")
     final private ArraySet<PackageListObserver> mPackageListObservers = new ArraySet<>();
 
+    @GuardedBy("mPackages")
+    private final SparseIntArray mDefaultPermissionsGrantedUsers = new SparseIntArray();
+
     private final ModuleInfoProvider mModuleInfoProvider;
 
     private final ApexManager mApexManager;
@@ -1487,10 +1491,15 @@ public class PackageManagerService extends IPackageManager.Stub
                         final boolean virtualPreload = ((args.installFlags
                                 & PackageManager.INSTALL_VIRTUAL_PRELOAD) != 0);
                         final String[] grantedPermissions = args.installGrantPermissions;
+                        final List<String> whitelistedRestrictedPermissions = ((args.installFlags
+                                & PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS) != 0
+                                    && parentRes.pkg != null)
+                                ? parentRes.pkg.requestedPermissions : null;
 
                         // Handle the parent package
-                        handlePackagePostInstall(parentRes, grantPermissions, killApp,
-                                virtualPreload, grantedPermissions, didRestore,
+                        handlePackagePostInstall(parentRes, grantPermissions,
+                                killApp, virtualPreload, grantedPermissions,
+                                whitelistedRestrictedPermissions, didRestore,
                                 args.installerPackageName, args.observer);
 
                         // Handle the child packages
@@ -1498,8 +1507,9 @@ public class PackageManagerService extends IPackageManager.Stub
                                 ? parentRes.addedChildPackages.size() : 0;
                         for (int i = 0; i < childCount; i++) {
                             PackageInstalledInfo childRes = parentRes.addedChildPackages.valueAt(i);
-                            handlePackagePostInstall(childRes, grantPermissions, killApp,
-                                    virtualPreload, grantedPermissions, false /*didRestore*/,
+                            handlePackagePostInstall(childRes, grantPermissions,
+                                    killApp, virtualPreload, grantedPermissions,
+                                    whitelistedRestrictedPermissions, false /*didRestore*/,
                                     args.installerPackageName, args.observer);
                         }
 
@@ -1777,7 +1787,8 @@ public class PackageManagerService extends IPackageManager.Stub
     };
 
     private void handlePackagePostInstall(PackageInstalledInfo res, boolean grantPermissions,
-            boolean killApp, boolean virtualPreload, String[] grantedPermissions,
+            boolean killApp, boolean virtualPreload,
+            String[] grantedPermissions, List<String> whitelistedRestrictedPermissions,
             boolean launchedForRestore, String installerPackage,
             IPackageInstallObserver2 installObserver) {
         if (res.returnCode == PackageManager.INSTALL_SUCCEEDED) {
@@ -1786,6 +1797,16 @@ public class PackageManagerService extends IPackageManager.Stub
                 res.removedInfo.sendPackageRemovedBroadcasts(killApp);
             }
 
+            // Whitelist any restricted permissions first as some may be runtime
+            // that the installer requested to be granted at install time.
+            if (whitelistedRestrictedPermissions != null
+                    && !whitelistedRestrictedPermissions.isEmpty()) {
+                mPermissionManager.setWhitelistedRestrictedPermissions(
+                        res.pkg, res.newUsers, whitelistedRestrictedPermissions,
+                        Process.myUid(), PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER,
+                        mPermissionCallback);
+            }
+
             // Now that we successfully installed the package, grant runtime
             // permissions if requested before broadcasting the install. Also
             // for legacy apps in permission review mode we clear the permission
@@ -1999,6 +2020,8 @@ public class PackageManagerService extends IPackageManager.Stub
 
             if (allNewUsers && !update) {
                 notifyPackageAdded(packageName, res.uid);
+            } else {
+                notifyPackageChanged(packageName, res.uid);
             }
 
             // Log current value of "unknown sources" setting
@@ -2308,6 +2331,7 @@ public class PackageManagerService extends IPackageManager.Stub
                         public void onDefaultRuntimePermissionsGranted(int userId) {
                             synchronized(mPackages) {
                                 mSettings.onDefaultRuntimePermissionsGrantedLPr(userId);
+                                mDefaultPermissionsGrantedUsers.put(userId, userId);
                             }
                         }
                     }, mPackages /*externalLock*/);
@@ -3475,7 +3499,7 @@ public class PackageManagerService extends IPackageManager.Stub
     }
 
     @Override
-    public boolean isUpgrade() {
+    public boolean isDeviceUpgrading() {
         // allow instant applications
         // The system property allows testing ota flow when upgraded to the same image.
         return mIsUpgrade || SystemProperties.getBoolean(
@@ -5527,7 +5551,7 @@ public class PackageManagerService extends IPackageManager.Stub
                 == PackageManager.PERMISSION_GRANTED);
 
         mPermissionManager.revokeRuntimePermission(permName, packageName, overridePolicy,
-                getCallingUid(), userId, mPermissionCallback);
+                userId, mPermissionCallback);
     }
 
     @Override
@@ -5618,6 +5642,193 @@ public class PackageManagerService extends IPackageManager.Stub
         }
     }
 
+    @Override
+    public @Nullable List<String> getWhitelistedRestrictedPermissions(@NonNull String packageName,
+            @PermissionWhitelistFlags int whitelistFlags, @UserIdInt int userId) {
+        Preconditions.checkNotNull(packageName);
+        Preconditions.checkFlagsArgument(whitelistFlags,
+                PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE
+                        | PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM
+                        | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER);
+        Preconditions.checkArgumentNonNegative(userId, null);
+
+        if (UserHandle.getCallingUserId() != userId) {
+            mContext.enforceCallingOrSelfPermission(
+                    android.Manifest.permission.INTERACT_ACROSS_USERS,
+                    "getWhitelistedRestrictedPermissions for user " + userId);
+        }
+
+        synchronized (mPackages) {
+            final PackageSetting packageSetting = mSettings.mPackages.get(packageName);
+            if (packageSetting == null) {
+                Slog.w(TAG, "Unknown package: " + packageName);
+                return null;
+            }
+
+            final boolean isCallerPrivileged = mContext.checkCallingOrSelfPermission(
+                    Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS)
+                            == PackageManager.PERMISSION_GRANTED;
+            final PackageSetting installerPackageSetting = mSettings.mPackages.get(
+                    packageSetting.installerPackageName);
+            final boolean isCallerInstallerOnRecord = installerPackageSetting != null
+                    && UserHandle.isSameApp(installerPackageSetting.appId, Binder.getCallingUid());
+
+            if ((whitelistFlags & PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM) != 0
+                    && !isCallerPrivileged) {
+                throw new SecurityException("Querying system whitelist requires "
+                        + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
+            }
+
+            if ((whitelistFlags & (PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE
+                    | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER)) != 0) {
+                if (!isCallerPrivileged && !isCallerInstallerOnRecord) {
+                    throw new SecurityException("Querying upgrade or installer whitelist"
+                            + " requires being installer on record or "
+                            + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
+                }
+            }
+
+            if (filterAppAccessLPr(packageSetting, Binder.getCallingUid(),
+                    UserHandle.getCallingUserId())) {
+                return null;
+            }
+
+            final long identity = Binder.clearCallingIdentity();
+            try {
+                return mPermissionManager.getWhitelistedRestrictedPermissions(
+                        packageSetting.pkg, whitelistFlags, userId);
+            } finally {
+                Binder.restoreCallingIdentity(identity);
+            }
+        }
+    }
+
+    @Override
+    public boolean addWhitelistedRestrictedPermission(@NonNull String packageName,
+            @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags,
+            @UserIdInt int userId) {
+        // Other argument checks are done in get/setWhitelistedRestrictedPermissions
+        Preconditions.checkNotNull(permission);
+
+        List<String> permissions = getWhitelistedRestrictedPermissions(packageName,
+                whitelistFlags, userId);
+        if (permissions == null) {
+            permissions = new ArrayList<>(1);
+        }
+        if (permissions.indexOf(permission) < 0) {
+            permissions.add(permission);
+            setWhitelistedRestrictedPermissions(packageName, permissions,
+                    whitelistFlags, userId);
+            return true;
+        }
+        return false;
+    }
+
+    @Override
+    public boolean removeWhitelistedRestrictedPermission(@NonNull String packageName,
+            @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags,
+            @UserIdInt int userId) {
+        // Other argument checks are done in get/setWhitelistedRestrictedPermissions
+        Preconditions.checkNotNull(permission);
+
+        final List<String> permissions = getWhitelistedRestrictedPermissions(packageName,
+                whitelistFlags, userId);
+        if (permissions != null && permissions.remove(permission)) {
+            setWhitelistedRestrictedPermissions(packageName, permissions,
+                    whitelistFlags, userId);
+            return true;
+        }
+        return false;
+    }
+
+    private void setWhitelistedRestrictedPermissions(@NonNull String packageName,
+            @Nullable List<String> permissions, @PermissionWhitelistFlags int whitelistFlag,
+            @UserIdInt int userId) {
+        Preconditions.checkNotNull(packageName);
+        Preconditions.checkFlagsArgument(whitelistFlag,
+                PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE
+                        | PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM
+                        | PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER);
+        Preconditions.checkArgument(Integer.bitCount(whitelistFlag) == 1);
+        Preconditions.checkArgumentNonNegative(userId, null);
+
+        if (UserHandle.getCallingUserId() != userId) {
+            mContext.enforceCallingOrSelfPermission(
+                    Manifest.permission.INTERACT_ACROSS_USERS,
+                    "setWhitelistedRestrictedPermissions for user " + userId);
+        }
+
+        synchronized (mPackages) {
+            final PackageSetting packageSetting = mSettings.mPackages.get(packageName);
+            if (packageSetting == null) {
+                Slog.w(TAG, "Unknown package: " + packageName);
+                return;
+            }
+
+            final boolean isCallerPrivileged = mContext.checkCallingOrSelfPermission(
+                    Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS)
+                            == PackageManager.PERMISSION_GRANTED;
+            final PackageSetting installerPackageSetting = mSettings.mPackages.get(
+                    packageSetting.installerPackageName);
+            final boolean isCallerInstallerOnRecord = installerPackageSetting != null
+                    && UserHandle.isSameApp(installerPackageSetting.appId, Binder.getCallingUid());
+
+            if ((whitelistFlag & PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM) != 0
+                    && !isCallerPrivileged) {
+                throw new SecurityException("Modifying system whitelist requires "
+                        + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
+            }
+
+            if ((whitelistFlag & PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE) != 0) {
+                if (!isCallerPrivileged && !isCallerInstallerOnRecord) {
+                    throw new SecurityException("Modifying upgrade whitelist requires"
+                            + " being installer on record or "
+                            + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
+                }
+                final List<String> whitelistedPermissions = getWhitelistedRestrictedPermissions(
+                        packageName, whitelistFlag, userId);
+                if (permissions == null || permissions.isEmpty()) {
+                    if (whitelistedPermissions == null || whitelistedPermissions.isEmpty()) {
+                        return;
+                    }
+                } else {
+                    // Only the system can add and remove while the installer can only remove.
+                    final int permissionCount = permissions.size();
+                    for (int i = 0; i < permissionCount; i++) {
+                        if ((whitelistedPermissions == null
+                                || !whitelistedPermissions.contains(permissions.get(i)))
+                                && !isCallerPrivileged) {
+                            throw new SecurityException("Adding to upgrade whitelist requires"
+                                    + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
+                        }
+                    }
+                }
+            }
+
+            if ((whitelistFlag & PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER) != 0) {
+                if (!isCallerPrivileged && !isCallerInstallerOnRecord) {
+                    throw new SecurityException("Modifying installer whitelist requires"
+                            + " being installer on record or "
+                            + Manifest.permission.WHITELIST_RESTRICTED_PERMISSIONS);
+                }
+            }
+
+            if (filterAppAccessLPr(packageSetting, Binder.getCallingUid(),
+                    UserHandle.getCallingUserId())) {
+                return;
+            }
+
+            final long identity = Binder.clearCallingIdentity();
+            try {
+                mPermissionManager.setWhitelistedRestrictedPermissions(packageSetting.pkg,
+                        new int[]{userId}, permissions, Process.myUid(), whitelistFlag,
+                        mPermissionCallback);
+            } finally {
+                Binder.restoreCallingIdentity(identity);
+            }
+        }
+    }
+
     @Override
     public boolean shouldShowRequestPermissionRationale(String permissionName,
             String packageName, int userId) {
@@ -8676,7 +8887,7 @@ public class PackageManagerService extends IPackageManager.Stub
     private void maybeClearProfilesForUpgradesLI(
             @Nullable PackageSetting originalPkgSetting,
             @NonNull PackageParser.Package currentPkg) {
-        if (originalPkgSetting == null || !isUpgrade()) {
+        if (originalPkgSetting == null || !isDeviceUpgrading()) {
           return;
         }
         if (originalPkgSetting.versionCode == currentPkg.mVersionCode) {
@@ -9163,7 +9374,7 @@ public class PackageManagerService extends IPackageManager.Stub
         enforceSystemOrRoot("Only the system can request package update");
 
         // We need to re-extract after an OTA.
-        boolean causeUpgrade = isUpgrade();
+        boolean causeUpgrade = isDeviceUpgrading();
 
         // First boot or factory reset.
         // Note: we also handle devices that are upgrading to N right now as if it is their
@@ -9224,7 +9435,7 @@ public class PackageManagerService extends IPackageManager.Stub
 
             boolean useProfileForDexopt = false;
 
-            if ((isFirstBoot() || isUpgrade()) && isSystemApp(pkg)) {
+            if ((isFirstBoot() || isDeviceUpgrading()) && isSystemApp(pkg)) {
                 // Copy over initial preopt profiles since we won't get any JIT samples for methods
                 // that are already compiled.
                 File profileFile = new File(getPrebuildProfilePath(pkg));
@@ -12551,6 +12762,22 @@ public class PackageManagerService extends IPackageManager.Stub
         }
     }
 
+    @Override
+    public void notifyPackageChanged(String packageName, int uid) {
+        final PackageListObserver[] observers;
+        synchronized (mPackages) {
+            if (mPackageListObservers.size() == 0) {
+                return;
+            }
+            final PackageListObserver[] observerArray =
+                    new PackageListObserver[mPackageListObservers.size()];
+            observers = mPackageListObservers.toArray(observerArray);
+        }
+        for (int i = observers.length - 1; i >= 0; --i) {
+            observers[i].onPackageChanged(packageName, uid);
+        }
+    }
+
     private static final Comparator<ProviderInfo> sProviderInitOrderSorter = (p1, p2) -> {
         final int v1 = p1.initOrder;
         final int v2 = p2.initOrder;
@@ -14510,6 +14737,7 @@ public class PackageManagerService extends IPackageManager.Stub
         int mRet;
         final String packageAbiOverride;
         final String[] grantedRuntimePermissions;
+        final List<String> whitelistedRestrictedPermissions;
         final VerificationInfo verificationInfo;
         final PackageParser.SigningDetails signingDetails;
         final int installReason;
@@ -14519,8 +14747,8 @@ public class PackageManagerService extends IPackageManager.Stub
         InstallParams(OriginInfo origin, MoveInfo move, IPackageInstallObserver2 observer,
                 int installFlags, String installerPackageName, String volumeUuid,
                 VerificationInfo verificationInfo, UserHandle user, String packageAbiOverride,
-                String[] grantedPermissions, PackageParser.SigningDetails signingDetails,
-                int installReason) {
+                String[] grantedPermissions, List<String> whitelistedRestrictedPermissions,
+                PackageParser.SigningDetails signingDetails, int installReason) {
             super(user);
             this.origin = origin;
             this.move = move;
@@ -14531,6 +14759,7 @@ public class PackageManagerService extends IPackageManager.Stub
             this.verificationInfo = verificationInfo;
             this.packageAbiOverride = packageAbiOverride;
             this.grantedRuntimePermissions = grantedPermissions;
+            this.whitelistedRestrictedPermissions = whitelistedRestrictedPermissions;
             this.signingDetails = signingDetails;
             this.installReason = installReason;
         }
@@ -14558,8 +14787,10 @@ public class PackageManagerService extends IPackageManager.Stub
             installerPackageName = activeInstallSession.getInstallerPackageName();
             volumeUuid = activeInstallSession.getSessionParams().volumeUuid;
             packageAbiOverride = activeInstallSession.getSessionParams().abiOverride;
-            grantedRuntimePermissions =
-                    activeInstallSession.getSessionParams().grantedRuntimePermissions;
+            grantedRuntimePermissions = activeInstallSession.getSessionParams()
+                    .grantedRuntimePermissions;
+            whitelistedRestrictedPermissions = activeInstallSession.getSessionParams()
+                    .whitelistedRestrictedPermissions;
             signingDetails = activeInstallSession.getSigningDetails();
         }
 
@@ -15016,6 +15247,7 @@ public class PackageManagerService extends IPackageManager.Stub
         final UserHandle user;
         final String abiOverride;
         final String[] installGrantPermissions;
+        final List<String> whitelistedRestrictedPermissions;
         /** If non-null, drop an async trace when the install completes */
         final String traceMethod;
         final int traceCookie;
@@ -15032,6 +15264,7 @@ public class PackageManagerService extends IPackageManager.Stub
                 int installFlags, String installerPackageName, String volumeUuid,
                 UserHandle user, String[] instructionSets,
                 String abiOverride, String[] installGrantPermissions,
+                List<String> whitelistedRestrictedPermissions,
                 String traceMethod, int traceCookie, SigningDetails signingDetails,
                 int installReason,
                 MultiPackageInstallParams multiPackageInstallParams) {
@@ -15045,6 +15278,7 @@ public class PackageManagerService extends IPackageManager.Stub
             this.instructionSets = instructionSets;
             this.abiOverride = abiOverride;
             this.installGrantPermissions = installGrantPermissions;
+            this.whitelistedRestrictedPermissions = whitelistedRestrictedPermissions;
             this.traceMethod = traceMethod;
             this.traceCookie = traceCookie;
             this.signingDetails = signingDetails;
@@ -15135,7 +15369,7 @@ public class PackageManagerService extends IPackageManager.Stub
             super(params.origin, params.move, params.observer, params.installFlags,
                     params.installerPackageName, params.volumeUuid,
                     params.getUser(), null /*instructionSets*/, params.packageAbiOverride,
-                    params.grantedRuntimePermissions,
+                    params.grantedRuntimePermissions, params.whitelistedRestrictedPermissions,
                     params.traceMethod, params.traceCookie, params.signingDetails,
                     params.installReason, params.mParentInstallParams);
         }
@@ -15143,7 +15377,7 @@ public class PackageManagerService extends IPackageManager.Stub
         /** Existing install */
         FileInstallArgs(String codePath, String resourcePath, String[] instructionSets) {
             super(OriginInfo.fromNothing(), null, null, 0, null, null, null, instructionSets,
-                    null, null, null, 0, PackageParser.SigningDetails.UNKNOWN,
+                    null, null, null, null, 0, PackageParser.SigningDetails.UNKNOWN,
                     PackageManager.INSTALL_REASON_UNKNOWN, null /* parent */);
             this.codeFile = (codePath != null) ? new File(codePath) : null;
             this.resourceFile = (resourcePath != null) ? new File(resourcePath) : null;
@@ -15334,7 +15568,7 @@ public class PackageManagerService extends IPackageManager.Stub
             super(params.origin, params.move, params.observer, params.installFlags,
                     params.installerPackageName, params.volumeUuid,
                     params.getUser(), null /* instruction sets */, params.packageAbiOverride,
-                    params.grantedRuntimePermissions,
+                    params.grantedRuntimePermissions, params.whitelistedRestrictedPermissions,
                     params.traceMethod, params.traceCookie, params.signingDetails,
                     params.installReason, params.mParentInstallParams);
         }
@@ -20960,6 +21194,7 @@ public class PackageManagerService extends IPackageManager.Stub
                 }
             }
         }
+
         sUserManager.systemReady();
         // If we upgraded grant all default permissions before kicking off.
         for (int userId : grantPermissionsUserIds) {
@@ -22809,7 +23044,8 @@ public class PackageManagerService extends IPackageManager.Stub
         final InstallParams params = new InstallParams(origin, move, installObserver, installFlags,
                 installerPackageName, volumeUuid, null /*verificationInfo*/, user,
                 packageAbiOverride, null /*grantedPermissions*/,
-                PackageParser.SigningDetails.UNKNOWN, PackageManager.INSTALL_REASON_UNKNOWN);
+                null /*whitelistedRestrictedPermissions*/, PackageParser.SigningDetails.UNKNOWN,
+                PackageManager.INSTALL_REASON_UNKNOWN);
         params.setTraceMethod("movePackage").setTraceCookie(System.identityHashCode(params));
         msg.obj = params;
 
@@ -23904,7 +24140,7 @@ public class PackageManagerService extends IPackageManager.Stub
         public void revokeRuntimePermission(String packageName, String permName, int userId,
                 boolean overridePolicy) {
             mPermissionManager.revokeRuntimePermission(
-                    permName, packageName, overridePolicy, getCallingUid(), userId,
+                    permName, packageName, overridePolicy, userId,
                     mPermissionCallback);
         }
 
@@ -24285,6 +24521,13 @@ public class PackageManagerService extends IPackageManager.Stub
                         null);
             }
         }
+
+        @Override
+        public boolean wereDefaultPermissionsGrantedSinceBoot(int userId) {
+            synchronized (mPackages) {
+                return mDefaultPermissionPolicy.wereDefaultPermissionsGrantedSinceBoot(userId);
+            }
+        }
     }
 
     @GuardedBy("mPackages")
@@ -24330,6 +24573,29 @@ public class PackageManagerService extends IPackageManager.Stub
         return EmptyArray.STRING;
     }
 
+    @Override
+    public int getRuntimePermissionsVersion(@UserIdInt int userId) {
+        Preconditions.checkArgumentNonnegative(userId);
+        mContext.enforceCallingOrSelfPermission(
+                Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY,
+                "setRuntimePermissionVersion");
+        synchronized (mPackages) {
+            return mSettings.getDefaultRuntimePermissionsVersionLPr(userId);
+        }
+    }
+
+    @Override
+    public void setRuntimePermissionsVersion(int version, @UserIdInt int userId) {
+        Preconditions.checkArgumentNonnegative(version);
+        Preconditions.checkArgumentNonnegative(userId);
+        mContext.enforceCallingOrSelfPermission(
+                Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY,
+                "setRuntimePermissionVersion");
+        synchronized (mPackages) {
+            mSettings.setDefaultRuntimePermissionsVersionLPr(version, userId);
+        }
+    }
+
     @Override
     public void grantDefaultPermissionsToEnabledCarrierApps(String[] packageNames, int userId) {
         enforceSystemOrPhoneCaller("grantPermissionsToEnabledCarrierApps");
@@ -24795,5 +25061,6 @@ interface PackageSender {
     void sendPackageAddedForNewUsers(String packageName, boolean sendBootCompleted,
         boolean includeStopped, int appId, int[] userIds, int[] instantUserIds);
     void notifyPackageAdded(String packageName, int uid);
+    void notifyPackageChanged(String packageName, int uid);
     void notifyPackageRemoved(String packageName, int uid);
 }
diff --git a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
index 2d1afa7e87a75..4e4a0e420d86d 100644
--- a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
+++ b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
@@ -2347,6 +2347,9 @@ class PackageManagerShellCommand extends ShellCommand {
                     break;
                 case "-g":
                     sessionParams.installFlags |= PackageManager.INSTALL_GRANT_RUNTIME_PERMISSIONS;
+                case "-w":
+                    sessionParams.installFlags |=
+                            PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS;
                     break;
                 case "--dont-kill":
                     sessionParams.installFlags |= PackageManager.INSTALL_DONT_KILL_APP;
@@ -2950,7 +2953,7 @@ class PackageManagerShellCommand extends ShellCommand {
         pw.println("       [--user USER_ID] INTENT");
         pw.println("    Prints all broadcast receivers that can handle the given INTENT.");
         pw.println("");
-        pw.println("  install [-lrtsfdg] [-i PACKAGE] [--user USER_ID|all|current]");
+        pw.println("  install [-lrtsfdgw] [-i PACKAGE] [--user USER_ID|all|current]");
         pw.println("       [-p INHERIT_PACKAGE] [--install-location 0/1/2]");
         pw.println("       [--install-reason 0/1/2/3/4] [--originating-uri URI]");
         pw.println("       [--referrer URI] [--abi ABI_NAME] [--force-sdk]");
@@ -2969,6 +2972,7 @@ class PackageManagerShellCommand extends ShellCommand {
         pw.println("      -d: allow version code downgrade (debuggable packages only)");
         pw.println("      -p: partial application install (new split on top of existing pkg)");
         pw.println("      -g: grant all runtime permissions");
+        pw.println("      -w: whitelist all restricted permissions");
         pw.println("      -S: size in bytes of package, required for stdin");
         pw.println("      --user: install under the given user.");
         pw.println("      --dont-kill: installing a new feature split, don't kill running app");
diff --git a/services/core/java/com/android/server/pm/Settings.java b/services/core/java/com/android/server/pm/Settings.java
index 4f81fd9f7a9f2..41a8a776e3f7f 100644
--- a/services/core/java/com/android/server/pm/Settings.java
+++ b/services/core/java/com/android/server/pm/Settings.java
@@ -1313,7 +1313,7 @@ public final class Settings {
 
     boolean areDefaultRuntimePermissionsGrantedLPr(int userId) {
         return mRuntimePermissionsPersistence
-                .areDefaultRuntimPermissionsGrantedLPr(userId);
+                .areDefaultRuntimePermissionsGrantedLPr(userId);
     }
 
     void onDefaultRuntimePermissionsGrantedLPr(int userId) {
@@ -1321,6 +1321,14 @@ public final class Settings {
                 .onDefaultRuntimePermissionsGrantedLPr(userId);
     }
 
+    int getDefaultRuntimePermissionsVersionLPr(int userId) {
+        return mRuntimePermissionsPersistence.getVersionLPr(userId);
+    }
+
+    void setDefaultRuntimePermissionsVersionLPr(int version, int userId) {
+        mRuntimePermissionsPersistence.setVersionLPr(version, userId);
+    }
+
     public VersionInfo findOrCreateVersion(String volumeUuid) {
         VersionInfo ver = mVersion.get(volumeUuid);
         if (ver == null) {
@@ -4727,7 +4735,13 @@ public final class Settings {
                         && !permissionNames.contains(perm)) {
                     continue;
                 }
-                pw.print(prefix); pw.print("    "); pw.println(perm);
+                pw.print(prefix); pw.print("    "); pw.print(perm);
+                final BasePermission bp = mPermissions.getPermission(perm);
+                if (bp != null && bp.isRestricted()) {
+                    pw.println(": restricted=true");
+                } else {
+                    pw.println();
+                }
             }
         }
 
@@ -5023,7 +5037,10 @@ public final class Settings {
             final int flag = 1 << Integer.numberOfTrailingZeros(flags);
             flags &= ~flag;
             flagsString.append(PackageManager.permissionFlagToString(flag));
-            flagsString.append(' ');
+            if (flags != 0) {
+                flagsString.append('|');
+            }
+
         }
         if (flagsString != null) {
             flagsString.append(']');
@@ -5085,6 +5102,8 @@ public final class Settings {
         private static final long WRITE_PERMISSIONS_DELAY_MILLIS = 200;
         private static final long MAX_WRITE_PERMISSIONS_DELAY_MILLIS = 2000;
 
+        private static final int INITIAL_VERSION = 0;
+
         private final Handler mHandler = new MyHandler();
 
         private final Object mPersistenceLock;
@@ -5096,6 +5115,10 @@ public final class Settings {
         // The mapping keys are user ids.
         private final SparseLongArray mLastNotWrittenMutationTimesMillis = new SparseLongArray();
 
+        @GuardedBy("mLock")
+        // The mapping keys are user ids.
+        private final SparseIntArray mVersions = new SparseIntArray();
+
         @GuardedBy("mLock")
         // The mapping keys are user ids.
         private final SparseArray<String> mFingerprints = new SparseArray<>();
@@ -5109,7 +5132,18 @@ public final class Settings {
         }
 
         @GuardedBy("Settings.this.mLock")
-        public boolean areDefaultRuntimPermissionsGrantedLPr(int userId) {
+        int getVersionLPr(int userId) {
+            return mVersions.get(userId);
+        }
+
+        @GuardedBy("Settings.this.mLock")
+        void setVersionLPr(int version, int userId) {
+            mVersions.put(userId, version);
+            writePermissionsForUserAsyncLPr(userId);
+        }
+
+        @GuardedBy("Settings.this.mLock")
+        public boolean areDefaultRuntimePermissionsGrantedLPr(int userId) {
             return mDefaultPermissionsGranted.get(userId);
         }
 
@@ -5206,6 +5240,9 @@ public final class Settings {
 
                 serializer.startTag(null, TAG_RUNTIME_PERMISSIONS);
 
+                final int version = mVersions.get(userId, INITIAL_VERSION);
+                serializer.attribute(null, ATTR_VERSION, Integer.toString(version));
+
                 String fingerprint = mFingerprints.get(userId);
                 if (fingerprint != null) {
                     serializer.attribute(null, ATTR_FINGERPRINT, fingerprint);
@@ -5263,6 +5300,7 @@ public final class Settings {
             }
 
             mDefaultPermissionsGranted.delete(userId);
+            mVersions.delete(userId);
             mFingerprints.remove(userId);
         }
 
@@ -5326,6 +5364,9 @@ public final class Settings {
 
                 switch (parser.getName()) {
                     case TAG_RUNTIME_PERMISSIONS: {
+                        int version = XmlUtils.readIntAttribute(parser, ATTR_VERSION,
+                                INITIAL_VERSION);
+                        mVersions.put(userId, version);
                         String fingerprint = parser.getAttributeValue(null, ATTR_FINGERPRINT);
                         mFingerprints.put(userId, fingerprint);
                         final boolean defaultsGranted = Build.FINGERPRINT.equals(fingerprint);
diff --git a/services/core/java/com/android/server/pm/permission/BasePermission.java b/services/core/java/com/android/server/pm/permission/BasePermission.java
index 1957eb89fd0c6..490c647c22b1d 100644
--- a/services/core/java/com/android/server/pm/permission/BasePermission.java
+++ b/services/core/java/com/android/server/pm/permission/BasePermission.java
@@ -193,6 +193,22 @@ public final class BasePermission {
                 && (perm.info.flags & PermissionInfo.FLAG_REMOVED) != 0;
     }
 
+    public boolean isSoftRestricted() {
+        return perm != null && perm.info != null
+                && (perm.info.flags & PermissionInfo.FLAG_SOFT_RESTRICTED) != 0;
+    }
+
+    public boolean isHardRestricted() {
+        return perm != null && perm.info != null
+                && (perm.info.flags & PermissionInfo.FLAG_HARD_RESTRICTED) != 0;
+    }
+
+    public boolean isRestricted() {
+        return perm != null && perm.info != null
+                && (perm.info.flags & (PermissionInfo.FLAG_HARD_RESTRICTED
+                | PermissionInfo.FLAG_SOFT_RESTRICTED)) != 0;
+    }
+
     public boolean isSignature() {
         return (protectionLevel & PermissionInfo.PROTECTION_MASK_BASE) ==
                 PermissionInfo.PROTECTION_SIGNATURE;
diff --git a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
index 5c386b47b1b14..5eb2b09ce3b66 100644
--- a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+++ b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
@@ -62,8 +62,10 @@ import android.util.ArrayMap;
 import android.util.ArraySet;
 import android.util.Log;
 import android.util.Slog;
+import android.util.SparseIntArray;
 import android.util.Xml;
 
+import com.android.internal.annotations.GuardedBy;
 import com.android.internal.util.ArrayUtils;
 import com.android.internal.util.XmlUtils;
 import com.android.server.LocalServices;
@@ -116,6 +118,7 @@ public final class DefaultPermissionGrantPolicy {
     private static final String ATTR_PACKAGE = "package";
     private static final String ATTR_NAME = "name";
     private static final String ATTR_FIXED = "fixed";
+    private static final String ATTR_WHITELISTED = "whitelisted";
 
     private static final Set<String> PHONE_PERMISSIONS = new ArraySet<>();
 
@@ -213,12 +216,16 @@ public final class DefaultPermissionGrantPolicy {
     private final PackageManagerInternal mServiceInternal;
     private final PermissionManagerService mPermissionManager;
     private final DefaultPermissionGrantedCallback mPermissionGrantedCallback;
+
+    @GuardedBy("mLock")
+    private SparseIntArray mDefaultPermissionsGrantedUsers = new SparseIntArray();
+
     public interface DefaultPermissionGrantedCallback {
         /** Callback when permissions have been granted */
         void onDefaultRuntimePermissionsGranted(int userId);
     }
 
-    public DefaultPermissionGrantPolicy(Context context, Looper looper,
+    DefaultPermissionGrantPolicy(Context context, Looper looper,
             @Nullable DefaultPermissionGrantedCallback callback,
             @NonNull PermissionManagerService permissionManager) {
         mContext = context;
@@ -288,10 +295,19 @@ public final class DefaultPermissionGrantPolicy {
         }
     }
 
+    public boolean wereDefaultPermissionsGrantedSinceBoot(int userId) {
+        synchronized (mLock) {
+            return mDefaultPermissionsGrantedUsers.indexOfKey(userId) >= 0;
+        }
+    }
+
     public void grantDefaultPermissions(int userId) {
         grantPermissionsToSysComponentsAndPrivApps(userId);
         grantDefaultSystemHandlerPermissions(userId);
         grantDefaultPermissionExceptions(userId);
+        synchronized (mLock) {
+            mDefaultPermissionsGrantedUsers.put(userId, userId);
+        }
     }
 
     private void grantRuntimePermissionsForSystemPackage(int userId, PackageInfo pkg) {
@@ -306,7 +322,7 @@ public final class DefaultPermissionGrantPolicy {
             }
         }
         if (!permissions.isEmpty()) {
-            grantRuntimePermissions(pkg, permissions, true, userId);
+            grantRuntimePermissions(pkg, permissions, true /*systemFixed*/, userId);
         }
     }
 
@@ -334,8 +350,8 @@ public final class DefaultPermissionGrantPolicy {
     @SafeVarargs
     private final void grantIgnoringSystemPackage(String packageName, int userId,
             Set<String>... permissionGroups) {
-        grantPermissionsToPackage(
-                packageName, userId, true /* ignoreSystemPackage */, permissionGroups);
+        grantPermissionsToPackage(packageName, userId, true /* ignoreSystemPackage */,
+                true /*whitelistRestrictedPermissions*/, permissionGroups);
     }
 
     @SafeVarargs
@@ -359,24 +375,30 @@ public final class DefaultPermissionGrantPolicy {
             return;
         }
         grantPermissionsToPackage(getSystemPackageInfo(packageName),
-                userId, systemFixed, false /* ignoreSystemPackage */, permissionGroups);
+                userId, systemFixed, false /* ignoreSystemPackage */,
+                true /*whitelistRestrictedPermissions*/, permissionGroups);
     }
 
     @SafeVarargs
     private final void grantPermissionsToPackage(String packageName, int userId,
-            boolean ignoreSystemPackage, Set<String>... permissionGroups) {
+            boolean ignoreSystemPackage, boolean whitelistRestrictedPermissions,
+            Set<String>... permissionGroups) {
         grantPermissionsToPackage(getPackageInfo(packageName),
-                userId, false /* systemFixed */, ignoreSystemPackage, permissionGroups);
+                userId, false /* systemFixed */, ignoreSystemPackage,
+                whitelistRestrictedPermissions, permissionGroups);
     }
 
     @SafeVarargs
-    private final void grantPermissionsToPackage(PackageInfo packageName, int userId,
-            boolean systemFixed, boolean ignoreSystemPackage, Set<String>... permissionGroups) {
-        if (packageName == null) return;
-        if (doesPackageSupportRuntimePermissions(packageName)) {
+    private final void grantPermissionsToPackage(PackageInfo packageInfo, int userId,
+            boolean systemFixed, boolean ignoreSystemPackage,
+            boolean whitelistRestrictedPermissions, Set<String>... permissionGroups) {
+        if (packageInfo == null) {
+            return;
+        }
+        if (doesPackageSupportRuntimePermissions(packageInfo)) {
             for (Set<String> permissionGroup : permissionGroups) {
-                grantRuntimePermissions(packageName, permissionGroup, systemFixed,
-                        ignoreSystemPackage, userId);
+                grantRuntimePermissions(packageInfo, permissionGroup, systemFixed,
+                        ignoreSystemPackage, whitelistRestrictedPermissions, userId);
             }
         }
     }
@@ -585,8 +607,8 @@ public final class DefaultPermissionGrantPolicy {
                 browserPackage = null;
             }
         }
-        grantPermissionsToPackage(browserPackage, userId,
-                false /* ignoreSystemPackage */, LOCATION_PERMISSIONS);
+        grantPermissionsToPackage(browserPackage, userId, false /* ignoreSystemPackage */,
+                true /*whitelistRestrictedPermissions*/, LOCATION_PERMISSIONS);
 
         // Voice interaction
         if (voiceInteractPackageNames != null) {
@@ -809,7 +831,7 @@ public final class DefaultPermissionGrantPolicy {
         }
         Log.i(TAG, "Granting permissions to sim call manager for user:" + userId);
         grantPermissionsToPackage(packageName, userId, false /* ignoreSystemPackage */,
-                PHONE_PERMISSIONS, MICROPHONE_PERMISSIONS);
+                true /*whitelistRestrictedPermissions*/, PHONE_PERMISSIONS, MICROPHONE_PERMISSIONS);
     }
 
     private void grantDefaultPermissionsToDefaultSystemSimCallManager(
@@ -854,7 +876,6 @@ public final class DefaultPermissionGrantPolicy {
             grantSystemFixedPermissionsToSystemPackage(packageName, userId,
                     PHONE_PERMISSIONS, LOCATION_PERMISSIONS);
         }
-
     }
 
     public void revokeDefaultPermissionsFromDisabledTelephonyDataServices(
@@ -980,7 +1001,8 @@ public final class DefaultPermissionGrantPolicy {
 
     private void grantRuntimePermissions(PackageInfo pkg, Set<String> permissions,
             boolean systemFixed, int userId) {
-        grantRuntimePermissions(pkg, permissions, systemFixed, false, userId);
+        grantRuntimePermissions(pkg, permissions, systemFixed, false,
+                true /*whitelistRestrictedPermissions*/, userId);
     }
 
     private void revokeRuntimePermissions(String packageName, Set<String> permissions,
@@ -1065,11 +1087,10 @@ public final class DefaultPermissionGrantPolicy {
         }
     }
 
-    private void grantRuntimePermissions(PackageInfo pkg,
-            Set<String> permissionsWithoutSplits, boolean systemFixed, boolean ignoreSystemPackage,
-            int userId) {
-        UserHandle user = UserHandle.of(userId);
-
+    private void grantRuntimePermissions(PackageInfo pkg, Set<String> permissionsWithoutSplits,
+            boolean systemFixed, boolean ignoreSystemPackage,
+            boolean whitelistRestrictedPermissions, int userId) {
+            UserHandle user = UserHandle.of(userId);
         if (pkg == null) {
             return;
         }
@@ -1203,6 +1224,10 @@ public final class DefaultPermissionGrantPolicy {
                                 .grantRuntimePermission(pkg.packageName, permission, user);
                     }
 
+                    if (whitelistRestrictedPermissions && isPermissionRestricted(permission)) {
+                        newFlags |= PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
+                    }
+
                     mContext.getPackageManager().updatePermissionFlags(permission, pkg.packageName,
                             newFlags, newFlags, user);
 
@@ -1354,7 +1379,11 @@ public final class DefaultPermissionGrantPolicy {
                     permissions.clear();
                 }
                 permissions.add(permissionGrant.name);
-                grantRuntimePermissions(pkg, permissions, permissionGrant.fixed, userId);
+
+
+                grantRuntimePermissions(pkg, permissions, permissionGrant.fixed,
+                        permissionGrant.whitelisted, true /*whitelistRestrictedPermissions*/,
+                        userId);
             }
         }
     }
@@ -1510,8 +1539,10 @@ public final class DefaultPermissionGrantPolicy {
                 }
 
                 final boolean fixed = XmlUtils.readBooleanAttribute(parser, ATTR_FIXED);
+                final boolean whitelisted = XmlUtils.readBooleanAttribute(parser, ATTR_WHITELISTED);
 
-                DefaultPermissionGrant exception = new DefaultPermissionGrant(name, fixed);
+                DefaultPermissionGrant exception = new DefaultPermissionGrant(
+                        name, fixed, whitelisted);
                 outPackageExceptions.add(exception);
             } else {
                 Log.e(TAG, "Unknown tag " + parser.getName() + "under <exception>");
@@ -1524,6 +1555,14 @@ public final class DefaultPermissionGrantPolicy {
                 && pkg.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1;
     }
 
+    private boolean isPermissionRestricted(String name) {
+        try {
+            return mContext.getPackageManager().getPermissionInfo(name, 0).isRestricted();
+        } catch (NameNotFoundException e) {
+            return false;
+        }
+    }
+
     private boolean isPermissionDangerous(String name) {
         try {
             final PermissionInfo pi = mContext.getPackageManager().getPermissionInfo(name, 0);
@@ -1537,10 +1576,13 @@ public final class DefaultPermissionGrantPolicy {
     private static final class DefaultPermissionGrant {
         final String name;
         final boolean fixed;
+        final boolean whitelisted;
 
-        public DefaultPermissionGrant(String name, boolean fixed) {
+        public DefaultPermissionGrant(String name, boolean fixed,
+                boolean whitelisted) {
             this.name = name;
             this.fixed = fixed;
+            this.whitelisted = whitelisted;
         }
     }
 }
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 86a399465ee01..9336c55d4a798 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -24,6 +24,8 @@ import static android.app.AppOpsManager.MODE_FOREGROUND;
 import static android.app.AppOpsManager.OP_NONE;
 import static android.app.AppOpsManager.permissionToOp;
 import static android.app.AppOpsManager.permissionToOpCode;
+import static android.content.pm.PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT;
+import static android.content.pm.PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION;
 import static android.content.pm.PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT;
 import static android.content.pm.PackageManager.FLAG_PERMISSION_POLICY_FIXED;
 import static android.content.pm.PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED;
@@ -33,6 +35,10 @@ import static android.content.pm.PackageManager.FLAG_PERMISSION_SYSTEM_FIXED;
 import static android.content.pm.PackageManager.FLAG_PERMISSION_USER_FIXED;
 import static android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET;
 import static android.content.pm.PackageManager.MASK_PERMISSION_FLAGS_ALL;
+import static android.content.pm.PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER;
+import static android.content.pm.PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM;
+import static android.content.pm.PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE;
+import static android.content.pm.PackageManager.RESTRICTED_PERMISSIONS_ENABLED;
 import static android.os.Trace.TRACE_TAG_PACKAGE_MANAGER;
 import static android.os.UserHandle.getAppId;
 import static android.os.UserHandle.getUid;
@@ -54,6 +60,7 @@ import android.app.AppOpsManager;
 import android.app.AppOpsManagerInternal;
 import android.content.Context;
 import android.content.pm.PackageManager;
+import android.content.pm.PackageManager.PermissionWhitelistFlags;
 import android.content.pm.PackageManagerInternal;
 import android.content.pm.PackageParser;
 import android.content.pm.PackageParser.Package;
@@ -62,6 +69,7 @@ import android.content.pm.PermissionInfo;
 import android.metrics.LogMaker;
 import android.os.Binder;
 import android.os.Build;
+import android.os.Debug;
 import android.os.Handler;
 import android.os.HandlerThread;
 import android.os.Process;
@@ -75,6 +83,7 @@ import android.permission.PermissionControllerManager;
 import android.permission.PermissionManager;
 import android.permission.PermissionManagerInternal;
 import android.provider.Settings;
+import android.permission.PermissionManagerInternal.OnRuntimePermissionStateChangedListener;
 import android.text.TextUtils;
 import android.util.ArrayMap;
 import android.util.ArraySet;
@@ -89,6 +98,8 @@ import com.android.internal.logging.MetricsLogger;
 import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
 import com.android.internal.os.RoSystemProperties;
 import com.android.internal.util.ArrayUtils;
+import com.android.internal.util.function.pooled.PooledLambda;
+import com.android.server.FgThread;
 import com.android.server.LocalServices;
 import com.android.server.ServiceThread;
 import com.android.server.SystemConfig;
@@ -216,6 +227,11 @@ public class PermissionManagerService {
     @GuardedBy("mLock")
     private final SparseBooleanArray mHasNoDelayedPermBackup = new SparseBooleanArray();
 
+    /** Listeners for permission state (granting and flags) changes */
+    @GuardedBy("mLock")
+    final private ArrayList<OnRuntimePermissionStateChangedListener>
+            mRuntimePermissionStateChangedListeners = new ArrayList<>();
+
     PermissionManagerService(Context context,
             @Nullable DefaultPermissionGrantedCallback defaultGrantCallback,
             @NonNull Object externalLock) {
@@ -437,6 +453,42 @@ public class PermissionManagerService {
         }
     }
 
+    private void addOnRuntimePermissionStateChangedListener(@NonNull
+            OnRuntimePermissionStateChangedListener listener) {
+        synchronized (mLock) {
+            mRuntimePermissionStateChangedListeners.add(listener);
+        }
+    }
+
+    private void removeOnRuntimePermissionStateChangedListener(@NonNull
+            OnRuntimePermissionStateChangedListener listener) {
+        synchronized (mLock) {
+            mRuntimePermissionStateChangedListeners.remove(listener);
+        }
+    }
+
+    private void notifyRuntimePermissionStateChanged(@NonNull String packageName,
+            @UserIdInt int userId) {
+        FgThread.getHandler().sendMessage(PooledLambda.obtainMessage
+                (PermissionManagerService::doNotifyRuntimePermissionStateChanged,
+                        PermissionManagerService.this, packageName, userId));
+    }
+
+    private void doNotifyRuntimePermissionStateChanged(@NonNull String packageName,
+            @UserIdInt int userId) {
+        final ArrayList<OnRuntimePermissionStateChangedListener> listeners;
+        synchronized (mLock) {
+            if (mRuntimePermissionStateChangedListeners.isEmpty()) {
+                return;
+            }
+            listeners = new ArrayList<>(mRuntimePermissionStateChangedListeners);
+        }
+        final int listenerCount = listeners.size();
+        for (int i = 0; i < listenerCount; i++) {
+            listeners.get(i).onRuntimePermissionStateChanged(packageName, userId);
+        }
+    }
+
     /**
      * Returns {@code true} if the permission can be implied from another granted permission.
      * <p>Some permissions, such as ACCESS_FINE_LOCATION, imply other permissions,
@@ -611,7 +663,7 @@ public class PermissionManagerService {
 
                                 try {
                                     revokeRuntimePermission(permissionName, packageName, false,
-                                            Process.SYSTEM_UID, userId, permissionCallback);
+                                            userId, permissionCallback);
                                 } catch (IllegalArgumentException e) {
                                     Slog.e(TAG, "Could not revoke " + permissionName + " from "
                                             + packageName, e);
@@ -955,9 +1007,10 @@ public class PermissionManagerService {
                 }
 
                 if (grant != GRANT_DENIED) {
-                    if (!ps.isSystem() && ps.areInstallPermissionsFixed()) {
+                    if (!ps.isSystem() && ps.areInstallPermissionsFixed() && !bp.isRuntime()) {
                         // If this is an existing, non-system package, then
-                        // we can't add any new permissions to it.
+                        // we can't add any new permissions to it. Runtime
+                        // permissions can be added any time - they ad dynamic.
                         if (!allowedSig && !origPermissions.hasInstallPermission(perm)) {
                             // Except...  if this is a permission that was added
                             // to the platform (note: need to only do this when
@@ -994,6 +1047,9 @@ public class PermissionManagerService {
                         } break;
 
                         case GRANT_RUNTIME: {
+                            boolean hardRestricted = bp.isHardRestricted();
+                            boolean softRestricted = bp.isSoftRestricted();
+
                             for (int userId : currentUserIds) {
                                 PermissionState permState = origPermissions
                                         .getRuntimePermissionState(perm, userId);
@@ -1001,7 +1057,36 @@ public class PermissionManagerService {
 
                                 boolean wasChanged = false;
 
+                                boolean restrictionExempt = !RESTRICTED_PERMISSIONS_ENABLED
+                                        || (origPermissions.getPermissionFlags(bp.name, userId)
+                                                & FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) != 0;
+                                boolean restrictionApplied = (origPermissions.getPermissionFlags(
+                                        bp.name, userId) & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
+
                                 if (appSupportsRuntimePermissions) {
+                                    // If hard restricted we don't allow holding it
+                                    if (hardRestricted) {
+                                        if (!restrictionExempt) {
+                                            if (permState != null && permState.isGranted()
+                                                    && permissionsState.revokeRuntimePermission(
+                                                    bp, userId) != PERMISSION_OPERATION_FAILURE) {
+                                                wasChanged = true;
+                                            }
+                                            if (!restrictionApplied) {
+                                                flags |= FLAG_PERMISSION_APPLY_RESTRICTION;
+                                                wasChanged = true;
+                                            }
+                                        }
+                                    // If soft restricted we allow holding in a restricted form
+                                    } else if (softRestricted) {
+                                        // Regardless if granted set the restriction flag as it
+                                        // may affect app treatment based on this permission.
+                                        if (!restrictionExempt && !restrictionApplied) {
+                                            flags |= FLAG_PERMISSION_APPLY_RESTRICTION;
+                                            wasChanged = true;
+                                        }
+                                    }
+
                                     // Remove review flag as it is not necessary anymore
                                     if ((flags & FLAG_PERMISSION_REVIEW_REQUIRED) != 0) {
                                         flags &= ~FLAG_PERMISSION_REVIEW_REQUIRED;
@@ -1011,7 +1096,8 @@ public class PermissionManagerService {
                                     if ((flags & FLAG_PERMISSION_REVOKE_ON_UPGRADE) != 0) {
                                         flags &= ~FLAG_PERMISSION_REVOKE_ON_UPGRADE;
                                         wasChanged = true;
-                                    } else {
+                                    // Hard restricted permissions cannot be held.
+                                    } else if (!hardRestricted || restrictionExempt) {
                                         if (permState != null && permState.isGranted()) {
                                             if (permissionsState.grantRuntimePermission(bp, userId)
                                                     == PERMISSION_OPERATION_FAILURE) {
@@ -1032,8 +1118,29 @@ public class PermissionManagerService {
                                         }
                                     }
 
-                                    if (permissionsState.grantRuntimePermission(bp, userId)
-                                            != PERMISSION_OPERATION_FAILURE) {
+                                    if (!permissionsState.hasRuntimePermission(bp.name, userId)
+                                            && permissionsState.grantRuntimePermission(bp, userId)
+                                                    != PERMISSION_OPERATION_FAILURE) {
+                                        wasChanged = true;
+                                    }
+
+                                    // If legacy app always grant the permission but if restricted
+                                    // and not exempt take a note a restriction should be applied.
+                                    if ((hardRestricted || softRestricted)
+                                            && !restrictionExempt && !restrictionApplied) {
+                                        flags |= FLAG_PERMISSION_APPLY_RESTRICTION;
+                                        wasChanged = true;
+                                    }
+                                }
+
+                                // If unrestricted or restriction exempt, don't apply restriction.
+                                if (!(hardRestricted || softRestricted) || restrictionExempt)  {
+                                    if (restrictionApplied) {
+                                        flags &= ~FLAG_PERMISSION_APPLY_RESTRICTION;
+                                        // Dropping restriction on a legacy app requires a review.
+                                        if (!appSupportsRuntimePermissions) {
+                                            flags |= FLAG_PERMISSION_REVIEW_REQUIRED;
+                                        }
                                         wasChanged = true;
                                     }
                                 }
@@ -1058,14 +1165,47 @@ public class PermissionManagerService {
                             if (origPermissions.revokeInstallPermission(bp)
                                     != PERMISSION_OPERATION_FAILURE) {
                                 origPermissions.updatePermissionFlags(bp, UserHandle.USER_ALL,
-                                        MASK_PERMISSION_FLAGS_ALL, 0);
+                                        (MASK_PERMISSION_FLAGS_ALL
+                                                & ~FLAG_PERMISSION_APPLY_RESTRICTION), 0);
                                 changedInstallPermission = true;
                             }
 
+                            boolean hardRestricted = bp.isHardRestricted();
+                            boolean softRestricted = bp.isSoftRestricted();
+
                             for (int userId : currentUserIds) {
                                 boolean wasChanged = false;
 
+                                boolean restrictionExempt = !RESTRICTED_PERMISSIONS_ENABLED
+                                        || (origPermissions.getPermissionFlags(bp.name, userId)
+                                                & FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) != 0;
+                                boolean restrictionApplied = (origPermissions.getPermissionFlags(
+                                        bp.name, userId) & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
+
                                 if (appSupportsRuntimePermissions) {
+                                    // If hard restricted we don't allow holding it
+                                    if (hardRestricted) {
+                                        if (!restrictionExempt) {
+                                            if (permState != null && permState.isGranted()
+                                                    && permissionsState.revokeRuntimePermission(
+                                                    bp, userId) != PERMISSION_OPERATION_FAILURE) {
+                                                wasChanged = true;
+                                            }
+                                            if (!restrictionApplied) {
+                                                flags |= FLAG_PERMISSION_APPLY_RESTRICTION;
+                                                wasChanged = true;
+                                            }
+                                        }
+                                    // If soft restricted we allow holding in a restricted form
+                                    } else if (softRestricted) {
+                                        // Regardless if granted set the  restriction flag as it
+                                        // may affect app treatment based on this permission.
+                                        if (!restrictionExempt && !restrictionApplied) {
+                                            flags |= FLAG_PERMISSION_APPLY_RESTRICTION;
+                                            wasChanged = true;
+                                        }
+                                    }
+
                                     // Remove review flag as it is not necessary anymore
                                     if ((flags & FLAG_PERMISSION_REVIEW_REQUIRED) != 0) {
                                         flags &= ~FLAG_PERMISSION_REVIEW_REQUIRED;
@@ -1075,18 +1215,40 @@ public class PermissionManagerService {
                                     if ((flags & FLAG_PERMISSION_REVOKE_ON_UPGRADE) != 0) {
                                         flags &= ~FLAG_PERMISSION_REVOKE_ON_UPGRADE;
                                         wasChanged = true;
-                                    } else {
+                                    // Hard restricted permissions cannot be held.
+                                    } else if (!hardRestricted || restrictionExempt) {
                                         if (permissionsState.grantRuntimePermission(bp, userId) !=
                                                 PERMISSION_OPERATION_FAILURE) {
                                              wasChanged = true;
                                         }
                                     }
                                 } else {
-                                    if (permissionsState.grantRuntimePermission(bp, userId) !=
-                                            PERMISSION_OPERATION_FAILURE) {
+                                    if (!permissionsState.hasRuntimePermission(bp.name, userId)
+                                            && permissionsState.grantRuntimePermission(bp,
+                                                    userId) != PERMISSION_OPERATION_FAILURE) {
                                         flags |= FLAG_PERMISSION_REVIEW_REQUIRED;
                                         wasChanged = true;
                                     }
+
+                                    // If legacy app always grant the permission but if restricted
+                                    // and not exempt take a note a restriction should be applied.
+                                    if ((hardRestricted || softRestricted)
+                                            && !restrictionExempt && !restrictionApplied) {
+                                        flags |= FLAG_PERMISSION_APPLY_RESTRICTION;
+                                        wasChanged = true;
+                                    }
+                                }
+
+                                // If unrestricted or restriction exempt, don't apply restriction.
+                                if (!(hardRestricted || softRestricted) || restrictionExempt)  {
+                                    if (restrictionApplied) {
+                                        flags &= ~FLAG_PERMISSION_APPLY_RESTRICTION;
+                                        // Dropping restriction on a legacy app requires a review.
+                                        if (!appSupportsRuntimePermissions) {
+                                            flags |= FLAG_PERMISSION_REVIEW_REQUIRED;
+                                        }
+                                        wasChanged = true;
+                                    }
                                 }
 
                                 if (wasChanged) {
@@ -1150,6 +1312,7 @@ public class PermissionManagerService {
             updatedUserIds = setInitialGrantForNewImplicitPermissionsLocked(origPermissions,
                     permissionsState, pkg, updatedUserIds);
 
+            // TODO: Move to PermissionPolicyService
             setAppOpsLocked(permissionsState, pkg);
         }
 
@@ -1159,6 +1322,10 @@ public class PermissionManagerService {
         if (callback != null) {
             callback.onPermissionUpdated(updatedUserIds, runtimePermissionsRevoked);
         }
+
+        for (int userId : updatedUserIds) {
+            notifyRuntimePermissionStateChanged(pkg.packageName, userId);
+        }
     }
 
     /**
@@ -1882,6 +2049,54 @@ public class PermissionManagerService {
         }
     }
 
+    private @Nullable List<String> getWhitelistedRestrictedPermissions(
+            @NonNull PackageParser.Package pkg, @PermissionWhitelistFlags int whitelistFlags,
+            @UserIdInt int userId) {
+        final PackageSetting packageSetting = (PackageSetting) pkg.mExtras;
+        if (packageSetting == null) {
+            return null;
+        }
+
+        final PermissionsState permissionsState = packageSetting.getPermissionsState();
+
+        int queryFlags = 0;
+        if ((whitelistFlags & PackageManager.FLAG_PERMISSION_WHITELIST_SYSTEM) != 0) {
+            queryFlags |= PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
+        }
+        if ((whitelistFlags & PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE) != 0) {
+            queryFlags |= PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
+        }
+        if ((whitelistFlags & PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER) != 0) {
+            queryFlags |=  PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
+        }
+
+        ArrayList<String> whitelistedPermissions = null;
+
+        final int permissionCount = pkg.requestedPermissions.size();
+        for (int i = 0; i < permissionCount; i++) {
+            final String permissionName = pkg.requestedPermissions.get(i);
+            final int currentFlags = permissionsState.getPermissionFlags(permissionName, userId);
+            if ((currentFlags & queryFlags) != 0) {
+                if (whitelistedPermissions == null) {
+                    whitelistedPermissions = new ArrayList<>();
+                }
+                whitelistedPermissions.add(permissionName);
+            }
+        }
+
+        return whitelistedPermissions;
+    }
+
+    private void setWhitelistedRestrictedPermissions(@NonNull PackageParser.Package pkg,
+            @NonNull int[] userIds, @Nullable List<String> permissions, int callingUid,
+            @PackageManager.PermissionWhitelistFlags int whitelistFlags,
+            @NonNull PermissionCallback callback) {
+        for (int userId : userIds) {
+            setWhitelistedRestrictedPermissionsForUser(pkg, userId, permissions,
+                    callingUid, whitelistFlags, callback);
+        }
+    }
+
     private void grantRequestedRuntimePermissionsForUser(PackageParser.Package pkg, int userId,
             String[] grantedPermissions, int callingUid, PermissionCallback callback) {
         PackageSetting ps = (PackageSetting) pkg.mExtras;
@@ -1979,12 +2194,21 @@ public class PermissionManagerService {
 
         final int flags = permissionsState.getPermissionFlags(permName, userId);
         if ((flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0) {
-            throw new SecurityException("Cannot grant system fixed permission "
+            Log.e(TAG, "Cannot grant system fixed permission "
                     + permName + " for package " + packageName);
+            return;
         }
         if (!overridePolicy && (flags & PackageManager.FLAG_PERMISSION_POLICY_FIXED) != 0) {
-            throw new SecurityException("Cannot grant policy fixed permission "
+            Log.e(TAG, "Cannot grant policy fixed permission "
                     + permName + " for package " + packageName);
+            return;
+        }
+
+        if (RESTRICTED_PERMISSIONS_ENABLED && bp.isRestricted()
+                && (flags & PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) == 0) {
+            Log.e(TAG, "Cannot grant restricted non-exempt permission "
+                    + permName + " for package " + packageName);
+            return;
         }
 
         if (bp.isDevelopment()) {
@@ -2031,6 +2255,10 @@ public class PermissionManagerService {
             callback.onPermissionGranted(uid, userId);
         }
 
+        if (bp.isRuntime()) {
+            notifyRuntimePermissionStateChanged(packageName, userId);
+        }
+
         // Only need to do this if user is initialized. Otherwise it's a new user
         // and there are no processes running as the user yet and there's no need
         // to make an expensive call to remount processes for the changed permissions.
@@ -2051,7 +2279,7 @@ public class PermissionManagerService {
     }
 
     private void revokeRuntimePermission(String permName, String packageName,
-            boolean overridePolicy, int callingUid, int userId, PermissionCallback callback) {
+            boolean overridePolicy, int userId, PermissionCallback callback) {
         if (!mUserManagerInt.exists(userId)) {
             Log.e(TAG, "No such user:" + userId);
             return;
@@ -2067,8 +2295,6 @@ public class PermissionManagerService {
                 false, // requirePermissionWhenSameUser
                 "revokeRuntimePermission");
 
-        final int appId;
-
         final PackageParser.Package pkg = mPackageManagerInt.getPackage(packageName);
         if (pkg == null || pkg.mExtras == null) {
             throw new IllegalArgumentException("Unknown package: " + packageName);
@@ -2129,9 +2355,126 @@ public class PermissionManagerService {
         }
 
         if (callback != null) {
-            final int uid = UserHandle.getUid(userId, pkg.applicationInfo.uid);
             callback.onPermissionRevoked(pkg.applicationInfo.uid, userId);
         }
+
+        if (bp.isRuntime()) {
+            notifyRuntimePermissionStateChanged(packageName, userId);
+        }
+    }
+
+    private void setWhitelistedRestrictedPermissionsForUser(@NonNull PackageParser.Package pkg,
+            @UserIdInt int userId, @Nullable List<String> permissions, int callingUid,
+            @PermissionWhitelistFlags int whitelistFlags, PermissionCallback callback) {
+        final PackageSetting ps = (PackageSetting) pkg.mExtras;
+        if (ps == null) {
+            return;
+        }
+
+        final PermissionsState permissionsState = ps.getPermissionsState();
+
+        ArraySet<String> oldGrantedRestrictedPermissions = null;
+        boolean updatePermissions = false;
+
+        final int permissionCount = pkg.requestedPermissions.size();
+        for (int i = 0; i < permissionCount; i++) {
+            final String permissionName = pkg.requestedPermissions.get(i);
+
+            final BasePermission bp = mSettings.getPermissionLocked(permissionName);
+            if (bp == null) {
+                Slog.w(TAG, "Cannot whitelist unknown permission: " + permissionName);
+                continue;
+            }
+
+            if (!bp.isRestricted()) {
+                continue;
+            }
+
+            if (permissionsState.hasPermission(permissionName, userId)) {
+                if (oldGrantedRestrictedPermissions == null) {
+                    oldGrantedRestrictedPermissions = new ArraySet<>();
+                }
+                oldGrantedRestrictedPermissions.add(permissionName);
+            }
+
+            final int oldFlags = permissionsState.getPermissionFlags(permissionName, userId);
+
+            int newFlags = oldFlags;
+            int mask = 0;
+            int whitelistFlagsCopy = whitelistFlags;
+            while (whitelistFlagsCopy != 0) {
+                final int flag = 1 << Integer.numberOfTrailingZeros(whitelistFlagsCopy);
+                whitelistFlagsCopy &= ~flag;
+                switch (flag) {
+                    case FLAG_PERMISSION_WHITELIST_SYSTEM: {
+                        mask |= PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
+                        if (permissions != null && permissions.contains(permissionName)) {
+                            newFlags |= PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
+                        } else {
+                            newFlags &= ~PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
+                        }
+                    } break;
+                    case FLAG_PERMISSION_WHITELIST_UPGRADE: {
+                        mask |= PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
+                        if (permissions != null && permissions.contains(permissionName)) {
+                            newFlags |= PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
+                        } else {
+                            newFlags &= ~PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
+                        }
+                    } break;
+                    case FLAG_PERMISSION_WHITELIST_INSTALLER: {
+                        mask |= PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
+                        if (permissions != null && permissions.contains(permissionName)) {
+                            newFlags |= PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
+                        } else {
+                            newFlags &= ~PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
+                        }
+                    } break;
+                }
+            }
+
+            if (oldFlags == newFlags) {
+                continue;
+            }
+
+            updatePermissions = true;
+
+            // If the permission is policy fixed as granted but it is no longer
+            // on any of the whitelists we need to clear the policy fixed flag
+            // as whitelisting trumps policy i.e. policy cannot grant a non
+            // grantable permission.
+            if ((oldFlags & PackageManager.FLAG_PERMISSION_POLICY_FIXED) != 0) {
+                final boolean isWhitelisted = (newFlags
+                        & (PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT)) != 0;
+                final boolean isGranted = permissionsState.hasPermission(permissionName, userId);
+                if (!isWhitelisted && isGranted) {
+                    mask |= PackageManager.FLAG_PERMISSION_POLICY_FIXED;
+                    newFlags &= ~PackageManager.FLAG_PERMISSION_POLICY_FIXED;
+                }
+            }
+
+            updatePermissionFlags(permissionName, pkg.packageName, mask, newFlags,
+                    callingUid, userId, false, null /*callback*/);
+        }
+
+        if (updatePermissions) {
+            // Update app permissions to take into account the new whitelist state.
+            updatePermissions(pkg.packageName, pkg, getVolumeUuidForPackage(pkg),
+                    0 /*flags*/, null /*allPackages*/, callback);
+
+            // If this resulted in losing a permission we need to kill the app.
+            if (oldGrantedRestrictedPermissions != null) {
+                final int oldGrantedCount = oldGrantedRestrictedPermissions.size();
+                for (int i = 0; i < oldGrantedCount; i++) {
+                    final String permission = oldGrantedRestrictedPermissions.valueAt(i);
+                    // Sometimes we create a new permission state instance during update.
+                    if (!ps.getPermissionsState().hasPermission(permission, userId)) {
+                        callback.onPermissionRevoked(pkg.applicationInfo.uid, userId);
+                        break;
+                    }
+                }
+            }
+        }
     }
 
     @GuardedBy("mLock")
@@ -2504,11 +2847,16 @@ public class PermissionManagerService {
             flagMask &= ~PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT;
             flagValues &= ~PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT;
             flagValues &= ~PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED;
+            flagValues &= ~PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT;
+            flagValues &= ~PackageManager.FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
+            flagValues &= ~PackageManager.FLAG_PERMISSION_RESTRICTION_UPGRADE_EXEMPT;
+            flagValues &= ~PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION;
         }
 
         final PackageParser.Package pkg = mPackageManagerInt.getPackage(packageName);
         if (pkg == null || pkg.mExtras == null) {
-            throw new IllegalArgumentException("Unknown package: " + packageName);
+            Log.e(TAG, "Unknown package: " + packageName);
+            return;
         }
         if (mPackageManagerInt.filterAppAccess(pkg, callingUid, userId)) {
             throw new IllegalArgumentException("Unknown package: " + packageName);
@@ -2528,6 +2876,9 @@ public class PermissionManagerService {
                 permissionsState.getRuntimePermissionState(permName, userId) != null;
         final boolean permissionUpdated =
                 permissionsState.updatePermissionFlags(bp, userId, flagMask, flagValues);
+        if (permissionUpdated && bp.isRuntime()) {
+            notifyRuntimePermissionStateChanged(packageName, userId);
+        }
         if (permissionUpdated && callback != null) {
             // Install and runtime permissions are stored in different places,
             // so figure out what permission changed and persist the change.
@@ -2766,6 +3117,20 @@ public class PermissionManagerService {
                     pkg, userIds, grantedPermissions, callingUid, callback);
         }
         @Override
+        public List<String> getWhitelistedRestrictedPermissions(PackageParser.Package pkg,
+                @PackageManager.PermissionWhitelistFlags int whitelistFlags, int userId) {
+            return PermissionManagerService.this.getWhitelistedRestrictedPermissions(pkg,
+                    whitelistFlags, userId);
+        }
+        @Override
+        public void setWhitelistedRestrictedPermissions(@NonNull PackageParser.Package pkg,
+                @NonNull int[] userIds, @Nullable List<String> permissions, int callingUid,
+                @PackageManager.PermissionWhitelistFlags int whitelistFlags,
+                @NonNull PermissionCallback callback) {
+            PermissionManagerService.this.setWhitelistedRestrictedPermissions(
+                    pkg, userIds, permissions, callingUid, whitelistFlags, callback);
+        }
+        @Override
         public void grantRuntimePermissionsGrantedToDisabledPackage(PackageParser.Package pkg,
                 int callingUid, PermissionCallback callback) {
             PermissionManagerService.this.grantRuntimePermissionsGrantedToDisabledPackageLocked(
@@ -2773,10 +3138,9 @@ public class PermissionManagerService {
         }
         @Override
         public void revokeRuntimePermission(String permName, String packageName,
-                boolean overridePolicy, int callingUid, int userId,
-                PermissionCallback callback) {
+                boolean overridePolicy, int userId, PermissionCallback callback) {
             PermissionManagerService.this.revokeRuntimePermission(permName, packageName,
-                    overridePolicy, callingUid, userId, callback);
+                    overridePolicy, userId, callback);
         }
         @Override
         public void updatePermissions(String packageName, Package pkg, boolean replaceGrant,
@@ -2894,5 +3258,19 @@ public class PermissionManagerService {
                 @NonNull UserHandle user) {
             PermissionManagerService.this.restoreDelayedRuntimePermissions(packageName, user);
         }
+
+        @Override
+        public void addOnRuntimePermissionStateChangedListener(
+                OnRuntimePermissionStateChangedListener listener) {
+            PermissionManagerService.this.addOnRuntimePermissionStateChangedListener(
+                    listener);
+        }
+
+        @Override
+        public void removeOnRuntimePermissionStateChangedListener(
+                OnRuntimePermissionStateChangedListener listener) {
+            PermissionManagerService.this.removeOnRuntimePermissionStateChangedListener(
+                    listener);
+        }
     }
 }
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java
index 6c09fa0241dbe..34f922e11d083 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java
@@ -18,6 +18,7 @@ package com.android.server.pm.permission;
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.PermissionInfoFlags;
 import android.content.pm.PackageParser;
 import android.content.pm.PermissionGroupInfo;
@@ -76,8 +77,16 @@ public abstract class PermissionManagerServiceInternal extends PermissionManager
             @NonNull PackageParser.Package pkg, @NonNull int[] userIds,
             @NonNull String[] grantedPermissions, int callingUid,
             @Nullable PermissionCallback callback);
+    public abstract @Nullable List<String> getWhitelistedRestrictedPermissions(
+            @NonNull PackageParser.Package pkg,
+            @PackageManager.PermissionWhitelistFlags int whitelistFlags, int userId);
+    public abstract void setWhitelistedRestrictedPermissions(
+            @NonNull PackageParser.Package pkg, @NonNull int[] userIds,
+            @NonNull List<String> permissions, int callingUid,
+            @PackageManager.PermissionWhitelistFlags int whitelistFlags,
+            @Nullable PermissionCallback callback);
     public abstract void revokeRuntimePermission(@NonNull String permName,
-            @NonNull String packageName, boolean overridePolicy, int callingUid, int userId,
+            @NonNull String packageName, boolean overridePolicy, int userId,
             @Nullable PermissionCallback callback);
 
     public abstract void updatePermissions(@Nullable String packageName,
diff --git a/services/core/java/com/android/server/pm/permission/PermissionsState.java b/services/core/java/com/android/server/pm/permission/PermissionsState.java
index c615ee502fa99..505a0e22eac46 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionsState.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionsState.java
@@ -607,7 +607,7 @@ public final class PermissionsState {
 
     private int grantPermission(BasePermission permission, int userId) {
         if (hasPermission(permission.getName(), userId)) {
-            return PERMISSION_OPERATION_FAILURE;
+            return PERMISSION_OPERATION_SUCCESS;
         }
 
         final boolean hasGids = !ArrayUtils.isEmpty(permission.computeGids(userId));
@@ -632,7 +632,7 @@ public final class PermissionsState {
     private int revokePermission(BasePermission permission, int userId) {
         final String permName = permission.getName();
         if (!hasPermission(permName, userId)) {
-            return PERMISSION_OPERATION_FAILURE;
+            return PERMISSION_OPERATION_SUCCESS;
         }
 
         final boolean hasGids = !ArrayUtils.isEmpty(permission.computeGids(userId));
diff --git a/services/core/java/com/android/server/policy/PermissionPolicyService.java b/services/core/java/com/android/server/policy/PermissionPolicyService.java
new file mode 100644
index 0000000000000..3011808d281cd
--- /dev/null
+++ b/services/core/java/com/android/server/policy/PermissionPolicyService.java
@@ -0,0 +1,281 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.policy;
+
+import static android.content.pm.PackageManager.FLAG_PERMISSION_APPLY_RESTRICTION;
+
+import android.annotation.NonNull;
+import android.annotation.UserIdInt;
+import android.app.AppOpsManager;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.content.pm.PackageManagerInternal;
+import android.content.pm.PackageManagerInternal.PackageListObserver;
+import android.content.pm.PackageParser;
+import android.content.pm.PermissionInfo;
+import android.os.UserHandle;
+import android.os.UserManagerInternal;
+import android.permission.PermissionControllerManager;
+import android.permission.PermissionManagerInternal;
+import android.util.Slog;
+import android.util.SparseArray;
+import android.util.SparseIntArray;
+
+import com.android.internal.util.function.QuadConsumer;
+import com.android.internal.util.function.TriConsumer;
+import com.android.server.FgThread;
+import com.android.server.LocalServices;
+import com.android.server.SystemService;
+
+import java.util.concurrent.CountDownLatch;
+
+/**
+ * This is a permission policy that governs over all permission mechanism
+ * such as permissions, app ops, etc. For example, the policy ensures that
+ * permission state and app ops is synchronized for cases where there is a
+ * dependency between permission state (permissions or permission flags)
+ * and app ops - and vise versa.
+ */
+public final class PermissionPolicyService extends SystemService {
+
+    private static final String LOG_TAG = PermissionPolicyService.class.getSimpleName();
+
+    public PermissionPolicyService(@NonNull Context context) {
+        super(context);
+    }
+
+    @Override
+    public void onStart() {
+        final PackageManagerInternal packageManagerInternal = LocalServices.getService(
+                PackageManagerInternal.class);
+        packageManagerInternal.getPackageList(new PackageListObserver() {
+            @Override
+            public void onPackageAdded(String packageName, int uid) {
+                synchronizePackagePermissionsAndAppOpsForUser(getContext(), packageName,
+                        UserHandle.getUserId(uid));
+            }
+
+            @Override
+            public void onPackageChanged(String packageName, int uid) {
+                synchronizePackagePermissionsAndAppOpsForUser(getContext(), packageName,
+                        UserHandle.getUserId(uid));
+            }
+
+            @Override
+            public void onPackageRemoved(String packageName, int uid) {
+                /* do nothing */
+            }
+        });
+    }
+
+    @Override
+    public void onStartUser(@UserIdInt int userId) {
+        grantOrUpgradeDefaultRuntimePermissionsInNeeded(getContext(), userId);
+        synchronizePermissionsAndAppOpsForUser(getContext(), userId);
+        startWatchingRuntimePermissionChanges(getContext(), userId);
+    }
+
+    private static void grantOrUpgradeDefaultRuntimePermissionsInNeeded(@NonNull Context context,
+            @UserIdInt int userId) {
+        final PackageManagerInternal packageManagerInternal = LocalServices.getService(
+                PackageManagerInternal.class);
+        if (packageManagerInternal.wereDefaultPermissionsGrantedSinceBoot(userId)) {
+            // Now call into the permission controller to apply policy around permissions
+            final CountDownLatch latch = new CountDownLatch(1);
+
+            // We need to create a local manager that does not schedule work on the main
+            // there as we are on the main thread and want to block until the work is
+            // completed or we time out.
+            final PermissionControllerManager permissionControllerManager =
+                    new PermissionControllerManager(context, FgThread.getHandler());
+            permissionControllerManager.grantOrUpgradeDefaultRuntimePermissions(
+                    FgThread.getExecutor(),
+                    (Boolean success) -> {
+                        if (!success) {
+                            // We are in an undefined state now, let us crash and have
+                            // rescue party suggest a wipe to recover to a good one.
+                            final String message = "Error granting/upgrading runtime permissions";
+                            Slog.wtf(LOG_TAG, message);
+                            throw new IllegalStateException(message);
+                        }
+                        latch.countDown();
+                    }
+            );
+            try {
+                latch.await();
+            } catch (InterruptedException e) {
+                /* ignore */
+            }
+        }
+    }
+
+    private static void onRestrictedPermissionEnabledChange(@NonNull Context context) {
+        final PermissionManagerInternal permissionManagerInternal = LocalServices
+                .getService(PermissionManagerInternal.class);
+        final UserManagerInternal userManagerInternal = LocalServices.getService(
+                UserManagerInternal.class);
+        for (int userId : userManagerInternal.getUserIds()) {
+            synchronizePermissionsAndAppOpsForUser(context, userId);
+        }
+    }
+
+    private static void startWatchingRuntimePermissionChanges(@NonNull Context context,
+            int userId) {
+        final PermissionManagerInternal permissionManagerInternal = LocalServices.getService(
+                PermissionManagerInternal.class);
+        permissionManagerInternal.addOnRuntimePermissionStateChangedListener(
+                (packageName, changedUserId) -> {
+                    if (userId == changedUserId) {
+                        synchronizePackagePermissionsAndAppOpsForUser(context, packageName, userId);
+                    }
+                });
+    }
+
+    private static void synchronizePackagePermissionsAndAppOpsForUser(@NonNull Context context,
+            @NonNull String packageName, @UserIdInt int userId) {
+        final PackageManagerInternal packageManagerInternal = LocalServices.getService(
+                PackageManagerInternal.class);
+        final PackageParser.Package pkg = packageManagerInternal
+                .getPackage(packageName);
+        if (pkg != null) {
+            PermissionToOpSynchronizer.syncPackage(context, pkg, userId);
+        }
+    }
+
+    private static void synchronizePermissionsAndAppOpsForUser(@NonNull Context context,
+            @UserIdInt int userId) {
+        final PackageManagerInternal packageManagerInternal = LocalServices.getService(
+                PackageManagerInternal.class);
+        final PermissionToOpSynchronizer synchronizer = new PermissionToOpSynchronizer(context);
+        packageManagerInternal.forEachPackage((pkg) ->
+                synchronizer.addPackage(context, pkg, userId));
+        synchronizer.syncPackages();
+    }
+
+    private static class PermissionToOpSynchronizer {
+        private final @NonNull Context mContext;
+
+        private final @NonNull SparseArray<String> mPackageNames = new SparseArray<>();
+        private final @NonNull SparseIntArray mAllowedUidOps = new SparseIntArray();
+        private final @NonNull SparseIntArray mDefaultUidOps = new SparseIntArray();
+
+        PermissionToOpSynchronizer(@NonNull Context context) {
+            mContext = context;
+        }
+
+        private void addPackage(@NonNull Context context,
+                @NonNull PackageParser.Package pkg, @UserIdInt int userId) {
+            addPackage(context, pkg, userId, this::addAllowedEntry, this::addIgnoredEntry);
+        }
+
+        void syncPackages() {
+            final AppOpsManager appOpsManager = mContext.getSystemService(AppOpsManager.class);
+            final int allowedCount = mAllowedUidOps.size();
+            for (int i = 0; i < allowedCount; i++) {
+                final int opCode = mAllowedUidOps.keyAt(i);
+                final int uid = mAllowedUidOps.valueAt(i);
+                final String packageName = mPackageNames.valueAt(i);
+                setUidModeAllowed(appOpsManager, opCode, uid, packageName);
+            }
+            final int defaultCount = mDefaultUidOps.size();
+            for (int i = 0; i < defaultCount; i++) {
+                final int opCode = mDefaultUidOps.keyAt(i);
+                final int uid = mDefaultUidOps.valueAt(i);
+                setUidModeDefault(appOpsManager, opCode, uid);
+            }
+        }
+
+        static void syncPackage(@NonNull Context context, @NonNull PackageParser.Package pkg,
+                @UserIdInt int userId) {
+            addPackage(context, pkg, userId, PermissionToOpSynchronizer::setUidModeAllowed,
+                    PermissionToOpSynchronizer::setUidModeDefault);
+        }
+
+        private static void addPackage(@NonNull Context context,
+                @NonNull PackageParser.Package pkg, @UserIdInt int userId,
+                @NonNull QuadConsumer<AppOpsManager, Integer, Integer, String> allowedConsumer,
+                @NonNull TriConsumer<AppOpsManager, Integer, Integer> defaultConsumer) {
+            final PackageManager packageManager = context.getPackageManager();
+            final AppOpsManager appOpsManager = context.getSystemService(AppOpsManager.class);
+
+            final int uid = UserHandle.getUid(userId, UserHandle.getAppId(pkg.applicationInfo.uid));
+            final UserHandle userHandle = UserHandle.of(userId);
+
+            final int permissionCount = pkg.requestedPermissions.size();
+            for (int i = 0; i < permissionCount; i++) {
+                final String permission = pkg.requestedPermissions.get(i);
+
+                final int opCode = AppOpsManager.permissionToOpCode(permission);
+                if (opCode == AppOpsManager.OP_NONE) {
+                    continue;
+                }
+
+                final PermissionInfo permissionInfo;
+                try {
+                    permissionInfo = packageManager.getPermissionInfo(permission, 0);
+                } catch (PackageManager.NameNotFoundException e) {
+                    continue;
+                }
+
+                if (!permissionInfo.isRestricted()) {
+                    continue;
+                }
+
+                final boolean applyRestriction = PackageManager.RESTRICTED_PERMISSIONS_ENABLED
+                        && (packageManager.getPermissionFlags(permission, pkg.packageName,
+                                userHandle) & FLAG_PERMISSION_APPLY_RESTRICTION) != 0;
+
+                if (permissionInfo.isHardRestricted()) {
+                    if (applyRestriction) {
+                        defaultConsumer.accept(appOpsManager, opCode, uid);
+                    } else {
+                        allowedConsumer.accept(appOpsManager, opCode, uid, pkg.packageName);
+                    }
+                } else if (permissionInfo.isSoftRestricted()) {
+                    //TODO: Implement soft restrictions like storage here.
+                }
+            }
+        }
+
+        @SuppressWarnings("unused")
+        private void addAllowedEntry(@NonNull AppOpsManager appOpsManager, int opCode,
+                int uid, @NonNull String packageName) {
+            mPackageNames.put(opCode, packageName);
+            mAllowedUidOps.put(opCode, uid);
+        }
+
+        @SuppressWarnings("unused")
+        private void addIgnoredEntry(@NonNull AppOpsManager appOpsManager,
+                int opCode, int uid) {
+            mDefaultUidOps.put(opCode, uid);
+        }
+
+        private static void setUidModeAllowed(@NonNull AppOpsManager appOpsManager,
+                int opCode, int uid, @NonNull String packageName) {
+            final int currentMode = appOpsManager.unsafeCheckOpRaw(AppOpsManager
+                    .opToPublicName(opCode), uid, packageName);
+            if (currentMode == AppOpsManager.MODE_DEFAULT) {
+                appOpsManager.setUidMode(opCode, uid, AppOpsManager.MODE_ALLOWED);
+            }
+        }
+
+        private static void setUidModeDefault(@NonNull AppOpsManager appOpsManager,
+                int opCode, int uid) {
+            appOpsManager.setUidMode(opCode, uid, AppOpsManager.MODE_DEFAULT);
+        }
+    }
+}
diff --git a/services/core/java/com/android/server/policy/PhoneWindowManager.java b/services/core/java/com/android/server/policy/PhoneWindowManager.java
index 0e0fc120dbfda..b3f1c553ba823 100644
--- a/services/core/java/com/android/server/policy/PhoneWindowManager.java
+++ b/services/core/java/com/android/server/policy/PhoneWindowManager.java
@@ -4830,7 +4830,7 @@ public class PhoneWindowManager implements WindowManagerPolicy {
                             return true;
                         }
                     };
-                    if (mContext.getPackageManager().isUpgrade()) {
+                    if (mContext.getPackageManager().isDeviceUpgrading()) {
                         mBootMsgDialog.setTitle(R.string.android_upgrading_title);
                     } else {
                         mBootMsgDialog.setTitle(R.string.android_start_title);
diff --git a/services/core/java/com/android/server/role/RoleManagerService.java b/services/core/java/com/android/server/role/RoleManagerService.java
index 6d9e09761e526..325ba071b428a 100644
--- a/services/core/java/com/android/server/role/RoleManagerService.java
+++ b/services/core/java/com/android/server/role/RoleManagerService.java
@@ -38,9 +38,7 @@ import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.content.pm.PackageManagerInternal;
 import android.content.pm.Signature;
-import android.database.ContentObserver;
 import android.database.CursorWindow;
-import android.net.Uri;
 import android.os.AsyncTask;
 import android.os.Binder;
 import android.os.Bundle;
@@ -52,7 +50,6 @@ import android.os.ResultReceiver;
 import android.os.ShellCallback;
 import android.os.UserHandle;
 import android.os.UserManagerInternal;
-import android.provider.Settings;
 import android.service.sms.FinancialSmsService;
 import android.telephony.IFinancialSmsCallback;
 import android.text.TextUtils;
@@ -205,23 +202,6 @@ public class RoleManagerService extends SystemService implements RoleUserState.C
                         () -> performInitialGrantsIfNecessaryAsync(userId));
             }
         }, UserHandle.ALL, intentFilter, null, null);
-
-        getContext().getContentResolver().registerContentObserver(
-                Settings.Global.getUriFor(Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED), false,
-                new ContentObserver(getContext().getMainThreadHandler()) {
-                    @Override
-                    public void onChange(boolean selfChange, Uri uri, int userId) {
-                        boolean killSwitchEnabled = Settings.Global.getInt(
-                                getContext().getContentResolver(),
-                                Settings.Global.SMS_ACCESS_RESTRICTION_ENABLED, 0) == 1;
-                        for (int user : mUserManagerInternal.getUserIds()) {
-                            if (mUserManagerInternal.isUserRunning(user)) {
-                                getOrCreateControllerService(user)
-                                        .onSmsKillSwitchToggled(killSwitchEnabled);
-                            }
-                        }
-                    }
-                }, UserHandle.USER_ALL);
     }
 
     @Override
diff --git a/services/java/com/android/server/SystemServer.java b/services/java/com/android/server/SystemServer.java
index 9d09c4c3637ba..4824d7bcffb6a 100644
--- a/services/java/com/android/server/SystemServer.java
+++ b/services/java/com/android/server/SystemServer.java
@@ -32,6 +32,7 @@ import android.content.Context;
 import android.content.Intent;
 import android.content.pm.PackageItemInfo;
 import android.content.pm.PackageManager;
+import android.content.pm.PackageManagerInternal;
 import android.content.res.Configuration;
 import android.content.res.Resources.Theme;
 import android.database.sqlite.SQLiteCompatibilityWalFlags;
@@ -124,6 +125,7 @@ import com.android.server.pm.OtaDexoptService;
 import com.android.server.pm.PackageManagerService;
 import com.android.server.pm.ShortcutService;
 import com.android.server.pm.UserManagerService;
+import com.android.server.policy.PermissionPolicyService;
 import com.android.server.policy.PhoneWindowManager;
 import com.android.server.policy.role.LegacyRoleResolutionPolicy;
 import com.android.server.power.PowerManagerService;
@@ -541,7 +543,7 @@ public final class SystemServer {
     }
 
     private boolean isFirstBootOrUpgrade() {
-        return mPackageManagerService.isFirstBoot() || mPackageManagerService.isUpgrade();
+        return mPackageManagerService.isFirstBoot() || mPackageManagerService.isDeviceUpgrading();
     }
 
     private void reportWtf(String msg, Throwable e) {
@@ -1984,6 +1986,11 @@ public final class SystemServer {
         mSystemServiceManager.startBootPhase(SystemService.PHASE_DEVICE_SPECIFIC_SERVICES_READY);
         traceEnd();
 
+        // Permission policy service
+        traceBeginAndSlog("StartPermissionPolicyService");
+        mSystemServiceManager.startService(PermissionPolicyService.class);
+        traceEnd();
+
         // These are needed to propagate to the runnable below.
         final NetworkManagementService networkManagementF = networkManagement;
         final NetworkStatsService networkStatsF = networkStats;
diff --git a/services/tests/servicestests/src/com/android/server/backup/testutils/IPackageManagerStub.java b/services/tests/servicestests/src/com/android/server/backup/testutils/IPackageManagerStub.java
index 0792414fef95f..97a6e6657b7ae 100644
--- a/services/tests/servicestests/src/com/android/server/backup/testutils/IPackageManagerStub.java
+++ b/services/tests/servicestests/src/com/android/server/backup/testutils/IPackageManagerStub.java
@@ -224,6 +224,24 @@ public class IPackageManagerStub implements IPackageManager {
 
     }
 
+    @Override
+    public List<String> getWhitelistedRestrictedPermissions(String packageName, int flags,
+            int userId) throws RemoteException {
+        return null;
+    }
+
+    @Override
+    public boolean addWhitelistedRestrictedPermission(String packageName, String permission,
+            int whitelistFlags, int userId) throws RemoteException {
+        return false;
+    }
+
+    @Override
+    public boolean removeWhitelistedRestrictedPermission(String packageName, String permission,
+            int whitelistFlags, int userId) throws RemoteException {
+        return false;
+    }
+
     @Override
     public boolean shouldShowRequestPermissionRationale(String permissionName, String packageName,
         int userId) throws RemoteException {
@@ -858,7 +876,7 @@ public class IPackageManagerStub implements IPackageManager {
     }
 
     @Override
-    public boolean isUpgrade() throws RemoteException {
+    public boolean isDeviceUpgrading() throws RemoteException {
         return false;
     }
 
@@ -1182,6 +1200,16 @@ public class IPackageManagerStub implements IPackageManager {
         return null;
     }
 
+    @Override
+    public int getRuntimePermissionsVersion(int userId) throws RemoteException {
+        return 0;
+    }
+
+    @Override
+    public void setRuntimePermissionsVersion(int version, int userId) throws RemoteException {
+
+    }
+
     @Override
     public IBinder asBinder() {
         return null;
diff --git a/services/tests/servicestests/src/com/android/server/backup/testutils/PackageManagerStub.java b/services/tests/servicestests/src/com/android/server/backup/testutils/PackageManagerStub.java
index 717275232a81d..5fb9c435a31c7 100644
--- a/services/tests/servicestests/src/com/android/server/backup/testutils/PackageManagerStub.java
+++ b/services/tests/servicestests/src/com/android/server/backup/testutils/PackageManagerStub.java
@@ -950,6 +950,11 @@ public class PackageManagerStub extends PackageManager {
         return false;
     }
 
+    @Override
+    public boolean isDeviceUpgrading() {
+        return false;
+    }
+
     @Override
     public PackageInstaller getPackageInstaller() {
         return null;
diff --git a/services/tests/servicestests/src/com/android/server/pm/PackageManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/PackageManagerServiceTest.java
index 4cfd098936fbc..95ec3d9c09173 100644
--- a/services/tests/servicestests/src/com/android/server/pm/PackageManagerServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/pm/PackageManagerServiceTest.java
@@ -59,6 +59,11 @@ public class PackageManagerServiceTest {
             public void notifyPackageAdded(String packageName, int uid) {
             }
 
+            @Override
+            public void notifyPackageChanged(String packageName, int uid) {
+
+            }
+
             @Override
             public void notifyPackageRemoved(String packageName, int uid) {
             }
diff --git a/telephony/java/com/android/internal/telephony/TelephonyPermissions.java b/telephony/java/com/android/internal/telephony/TelephonyPermissions.java
index c9b038c7c7d65..80fb58d450785 100644
--- a/telephony/java/com/android/internal/telephony/TelephonyPermissions.java
+++ b/telephony/java/com/android/internal/telephony/TelephonyPermissions.java
@@ -54,6 +54,12 @@ public final class TelephonyPermissions {
     private static final Supplier<ITelephony> TELEPHONY_SUPPLIER = () ->
             ITelephony.Stub.asInterface(ServiceManager.getService(Context.TELEPHONY_SERVICE));
 
+    /**
+     * Whether to disable the new device identifier access restrictions.
+     */
+    private static final String PROPERTY_DEVICE_IDENTIFIER_ACCESS_RESTRICTIONS_DISABLED =
+            "device_identifier_access_restrictions_disabled";
+
     // Contains a mapping of packages that did not meet the new requirements to access device
     // identifiers and the methods they were attempting to invoke; used to prevent duplicate
     // reporting of packages / methods.
@@ -446,8 +452,8 @@ public final class TelephonyPermissions {
      * Returns true if the new device identifier access restrictions are disabled.
      */
     private static boolean isIdentifierCheckDisabled() {
-        return Boolean.parseBoolean(DeviceConfig.getProperty(DeviceConfig.Privacy.NAMESPACE,
-                DeviceConfig.Privacy.PROPERTY_DEVICE_IDENTIFIER_ACCESS_RESTRICTIONS_DISABLED));
+        return DeviceConfig.getInt(DeviceConfig.NAMESPACE_PRIVACY,
+                PROPERTY_DEVICE_IDENTIFIER_ACCESS_RESTRICTIONS_DISABLED, 0) == 1;
     }
 
     /**
diff --git a/test-mock/src/android/test/mock/MockPackageManager.java b/test-mock/src/android/test/mock/MockPackageManager.java
index 226c0b8c07d67..14b847fa9ff6c 100644
--- a/test-mock/src/android/test/mock/MockPackageManager.java
+++ b/test-mock/src/android/test/mock/MockPackageManager.java
@@ -56,6 +56,7 @@ import android.os.UserHandle;
 import android.os.storage.VolumeInfo;
 
 import java.util.List;
+import java.util.Set;
 
 /**
  * A mock {@link android.content.pm.PackageManager} class.  All methods are non-functional and throw
@@ -294,6 +295,27 @@ public class MockPackageManager extends PackageManager {
         throw new UnsupportedOperationException();
     }
 
+    /** @hide */
+    @Override
+    public @NonNull Set<String> getWhitelistedRestrictedPermissions(
+            @NonNull String packageName, @PermissionWhitelistFlags int whitelistFlags) {
+        throw new UnsupportedOperationException();
+    }
+
+    /** @hide */
+    @Override
+    public boolean addWhitelistedRestrictedPermission(@NonNull String packageName,
+            @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags) {
+        throw new UnsupportedOperationException();
+    }
+
+    /** @hide */
+    @Override
+    public boolean removeWhitelistedRestrictedPermission(@NonNull String packageName,
+            @NonNull String permission, @PermissionWhitelistFlags int whitelistFlags) {
+        throw new UnsupportedOperationException();
+    }
+
     /** @hide */
     @Override
     public boolean shouldShowRequestPermissionRationale(String permission) {
@@ -1103,6 +1125,14 @@ public class MockPackageManager extends PackageManager {
         throw new UnsupportedOperationException();
     }
 
+    /**
+     * @hide
+     */
+    @Override
+    public boolean isDeviceUpgrading() {
+        throw new UnsupportedOperationException();
+    }
+
     /**
      * @hide
      */