author Alex Buynytskyy <alexbuy@google.com> 2021-02-22 15:43:10 -0800
committer Alex Buynytskyy <alexbuy@google.com> 2021-02-23 00:51:17 +0000
commit1d7d40e90c2062cd11ca51e48633ce27c2a10781 (patch)
tree4cf9b3ff53d5486e806e8a2dd850133a0f86fd7b
parent4ac678f289afa36844f8415f95725c8ceae5e8c0 (diff)
Add a new permission to allow usage of system dataloaders.
Shell delegation only delegates permissions/appops. Need to add the permission instead of checking UIDs. Bug: 168508924 Test: atest PackageManagerShellCommandTest PackageManagerShellCommandIncrementalTest IncrementalServiceTest PackageManagerServiceTest ChecksumsTest Change-Id: If31980b698cdfef251ffdca400d641a79948019f Merged-In: If31980b698cdfef251ffdca400d641a79948019f
-rw-r--r--core/res/AndroidManifest.xml7
-rw-r--r--packages/Shell/AndroidManifest.xml1
-rw-r--r--services/core/java/com/android/server/pm/PackageInstallerSession.java9
3 files changed, 15 insertions, 2 deletions
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index a85996afa900..5dd85805cfc1 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -3983,6 +3983,13 @@
<permission android:name="com.android.permission.USE_INSTALLER_V2"
android:protectionLevel="signature|verifier" />
+ <!-- Allows an application to use System Data Loaders.
+ <p>Not for use by third-party applications.
+ @hide
+ -->
+ <permission android:name="com.android.permission.USE_SYSTEM_DATA_LOADERS"
+ android:protectionLevel="signature" />
+
<!-- @SystemApi @TestApi Allows an application to clear user data.
<p>Not for use by third-party applications
@hide
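Review bot: The doc comment on the new `USE_SYSTEM_DATA_LOADERS` permission does not say what the permission gates or where it is enforced. Judging by the PackageInstallerSession.java change in this commit, it is checked when an install session's data loader component belongs to the system data loader package. Adding that to the comment would help, for example `Checked by PackageInstallerSession for sessions whose data loader component is in the system data loader package.` Since the level is `signature` only, it is also worth stating in the comment that Shell is the intended non-system holder.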
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index a15ceb6d8811..259484073162 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -86,6 +86,7 @@
<uses-permission android:name="android.permission.INSTALL_PACKAGES" />
<!-- TODO(b/152310230): remove once APIs are confirmed to be sufficient -->
<uses-permission android:name="com.android.permission.USE_INSTALLER_V2" />
+ <uses-permission android:name="com.android.permission.USE_SYSTEM_DATA_LOADERS" />
<uses-permission android:name="android.permission.MOVE_PACKAGE" />
<uses-permission android:name="android.permission.KEEP_UNINSTALLED_PACKAGES" />
<uses-permission android:name="android.permission.CLEAR_APP_USER_DATA" />
diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java
index f09f33ea95ff..9e2ca9d32315 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java
@@ -1010,9 +1010,14 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
throw new IllegalArgumentException(
"DataLoader installation of APEX modules is not allowed.");
}
+
if (this.params.dataLoaderParams.getComponentName().getPackageName()
- == SYSTEM_DATA_LOADER_PACKAGE) {
- assertShellOrSystemCalling("System data loaders");
+ == SYSTEM_DATA_LOADER_PACKAGE && mContext.checkCallingOrSelfPermission(
+ Manifest.permission.USE_SYSTEM_DATA_LOADERS)
+ != PackageManager.PERMISSION_GRANTED) {
+ throw new SecurityException("You need the "
+ + "com.android.permission.USE_SYSTEM_DATA_LOADERS permission "
+ + "to use system data loaders");
}
}
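Review bot: The new permission check is still gated by `getPackageName() == SYSTEM_DATA_LOADER_PACKAGE`, a reference comparison on strings, so it runs only when both sides are the same String object. If the component's package name reaches this code as a freshly allocated string (for example after unparcelling, which is not visible here), the condition is false and the SecurityException is never thrown. Compare by value instead: `if (SYSTEM_DATA_LOADER_PACKAGE.equals(this.params.dataLoaderParams.getComponentName().getPackageName()) && mContext.checkCallingOrSelfPermission(Manifest.permission.USE_SYSTEM_DATA_LOADERS) != PackageManager.PERMISSION_GRANTED) {`. `checkCallingOrSelfPermission` also passes on the process's own identity when no IPC is being handled, which presumably preserves the old "system" half of the check; a one-line comment saying so would make that intent explicit. The enclosing method begins before this hunk.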