RESTRICT AUTOMERGE Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag

If a permission has the "pre23" flag, and an app is upgrading past api 23, then we should not assume that a "development" permission remains granted Fixes: 259458532 Test: atest RevokeSawPermissionTest Change-Id: I214396f455c5ed9e8bac2e50b1525b86475c81c7
author: Nate Myren <ntmyren@google.com> 2022-12-02 09:44:31 -0800
committer: Nate Myren <ntmyren@google.com> 2022-12-02 18:28:35 +0000
commit: 2f30a63b11e59f9daf42f51eb85aa91c86f4baf4 (patch)
tree: 4395554554ab6934608d8db54e3d169ec782e263
parent: f90ec68dfa4b00df80bb420dd51f49ee673af973 (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 2a07f8eb67bb..a1c9970c2726 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -2347,7 +2347,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
         final PackageSetting ps = (PackageSetting)
                 mPackageManagerInt.getPackageSetting(newPackage.getPackageName());
         if (grantSignaturePermission(Manifest.permission.SYSTEM_ALERT_WINDOW, newPackage, ps, saw,
-                ps.getPermissionsState())) {
+                ps.getPermissionsState(), true)) {
             return;
         }
         for (int userId : mUserManagerInt.getUserIds()) {
@@ -3588,6 +3588,13 @@ public class PermissionManagerService extends IPermissionManager.Stub {
 
     private boolean grantSignaturePermission(String perm, AndroidPackage pkg,
             PackageSetting pkgSetting, BasePermission bp, PermissionsState origPermissions) {
+        return grantSignaturePermission(perm, pkg, pkgSetting, bp, origPermissions, false);
+    }
+
+
+    private boolean grantSignaturePermission(String perm, AndroidPackage pkg,
+            PackageSetting pkgSetting, BasePermission bp, PermissionsState origPermissions,
+            boolean isApi23Upgrade) {
         boolean oemPermission = bp.isOEM();
         boolean vendorPrivilegedPermission = bp.isVendorPrivileged();
         boolean privilegedPermission = bp.isPrivileged() || bp.isVendorPrivileged();
@@ -3762,7 +3769,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                 // Any pre-installed system app is allowed to get this permission.
                 allowed = true;
             }
-            if (!allowed && bp.isDevelopment()) {
+            if (!allowed && bp.isDevelopment() && !(bp.isPre23() && isApi23Upgrade)) {
                 // For development permissions, a development permission
                 // is granted only if it was already granted.
                 allowed = origPermissions.hasInstallPermission(perm);
author	Nate Myren <ntmyren@google.com>	2022-12-02 09:44:31 -0800
committer	Nate Myren <ntmyren@google.com>	2022-12-02 18:28:35 +0000
commit	2f30a63b11e59f9daf42f51eb85aa91c86f4baf4 (patch)
tree	4395554554ab6934608d8db54e3d169ec782e263
parent	f90ec68dfa4b00df80bb420dd51f49ee673af973 (diff)