diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 765ecb9710cb0..82c02a4ebefee 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -3319,47 +3319,51 @@ public class PermissionManagerService extends IPermissionManager.Stub { if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivileged() && !platformPackage && platformPermission) { if (!hasPrivappWhitelistEntry(perm, pkg)) { - ApexManager apexMgr = ApexManager.getInstance(); - String apexContainingPkg = apexMgr.getActiveApexPackageNameContainingPackage(pkg); - // Only enforce whitelist this on boot if (!mSystemReady // Updated system apps do not need to be whitelisted - && !pkgSetting.getPkgState().isUpdatedSystemApp() - // Apps that are in updated apexs' do not need to be whitelisted - && (apexContainingPkg == null || apexMgr.isFactory( - apexMgr.getPackageInfo(apexContainingPkg, MATCH_ACTIVE_PACKAGE)))) { - // it's only a reportable violation if the permission isn't explicitly denied - ArraySet deniedPermissions = null; - if (pkg.isVendor()) { - deniedPermissions = SystemConfig.getInstance() - .getVendorPrivAppDenyPermissions(pkg.getPackageName()); - } else if (pkg.isProduct()) { - deniedPermissions = SystemConfig.getInstance() - .getProductPrivAppDenyPermissions(pkg.getPackageName()); - } else if (pkg.isSystemExt()) { - deniedPermissions = SystemConfig.getInstance() - .getSystemExtPrivAppDenyPermissions(pkg.getPackageName()); - } else { - deniedPermissions = SystemConfig.getInstance() - .getPrivAppDenyPermissions(pkg.getPackageName()); - } - final boolean permissionViolation = - deniedPermissions == null || !deniedPermissions.contains(perm); - if (permissionViolation) { - Slog.w(TAG, "Privileged permission " + perm + " for package " - + pkg.getPackageName() + " (" + pkg.getCodePath() - + ") not in privapp-permissions whitelist"); + && !pkgSetting.getPkgState().isUpdatedSystemApp()) { + ApexManager apexMgr = ApexManager.getInstance(); + String apexContainingPkg = apexMgr.getActiveApexPackageNameContainingPackage( + pkg); - if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { - if (mPrivappPermissionsViolations == 
null) { - mPrivappPermissionsViolations = new ArraySet<>(); - } - mPrivappPermissionsViolations.add( - pkg.getPackageName() + " (" + pkg.getCodePath() + "): " + perm); + // Apps that are in updated apexs' do not need to be whitelisted + if (apexContainingPkg == null || apexMgr.isFactory( + apexMgr.getPackageInfo(apexContainingPkg, MATCH_ACTIVE_PACKAGE))) { + // it's only a reportable violation if the permission isn't explicitly + // denied + ArraySet deniedPermissions = null; + if (pkg.isVendor()) { + deniedPermissions = SystemConfig.getInstance() + .getVendorPrivAppDenyPermissions(pkg.getPackageName()); + } else if (pkg.isProduct()) { + deniedPermissions = SystemConfig.getInstance() + .getProductPrivAppDenyPermissions(pkg.getPackageName()); + } else if (pkg.isSystemExt()) { + deniedPermissions = SystemConfig.getInstance() + .getSystemExtPrivAppDenyPermissions(pkg.getPackageName()); + } else { + deniedPermissions = SystemConfig.getInstance() + .getPrivAppDenyPermissions(pkg.getPackageName()); + } + final boolean permissionViolation = + deniedPermissions == null || !deniedPermissions.contains(perm); + if (permissionViolation) { + Slog.w(TAG, "Privileged permission " + perm + " for package " + + pkg.getPackageName() + " (" + pkg.getCodePath() + + ") not in privapp-permissions whitelist"); + + if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { + if (mPrivappPermissionsViolations == null) { + mPrivappPermissionsViolations = new ArraySet<>(); + } + mPrivappPermissionsViolations.add( + pkg.getPackageName() + " (" + pkg.getCodePath() + "): " + + perm); + } + } else { + return false; } - } else { - return false; } } if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) {
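Review bot: The two exemptions from the privapp allowlist check now sit at different nesting levels, and the skip path for a package in a non-factory APEX is implicit. Such a package leaves the inner `if` without the denied-list lookup or a recorded violation and goes straight to the trailing `CONTROL_PRIVAPP_PERMISSIONS_ENFORCE` check, whose body lies outside this hunk. I would state that on the inner condition, for example `// No containing APEX, or a factory APEX: the allowlist applies. A package in an updated APEX skips violation reporting only and still reaches the ENFORCE check below.` Separately, the result of `apexMgr.getPackageInfo(apexContainingPkg, MATCH_ACTIVE_PACKAGE)` is passed directly to `isFactory`. If that lookup can return null (its contract is not visible here), the boot-time path should treat null like the factory case so the allowlist check fails closed. The enclosing method starts and ends outside the hunk.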