[appops] Preflight skip datasource validation

The forDataDelivery logic always skips checking the first attribution in the chain from datasources, either via singleReceiverFromDataSource, or internal in startProxyOp, since skipProxy=true is passed for non-trivial chains. Make the preflight check consistent with this behavior, by also skipping a checkOp on the first entry in this case. This avoids cases where the preflight fails when the delivery would succeed, which should never happen. This is implicitly relied on by audioserver, as it happens to fail checkOp due to not having a valid Uid/PackageState. Test: manual: start and stop recording with toggle restriction Test: atest CtsMediaAudioPermissionTestCases Test: atest RuntimePermissionsAppOpTrackingTest Test: atest SensorPrivacyMicrophoneTest Bug: 399138369 Bug: 293603271 Bug: 401105309 Flag: EXEMPT bugfix Change-Id: I509e7f8da501f5e32d336adb412662e078eab500
author: Atneya Nair <atneya@google.com> 2025-03-19 22:55:13 -0700
committer: Atneya Nair <atneya@google.com> 2025-03-19 22:55:14 -0700
commit: 30d34d06fac9ae18754719a4d032f496c89112e7 (patch)
tree: 2ef37a06d3d6ebfcda00a8b2ae34f22ddfadca63
parent: 4df491445a5e9da47a58e20edd46c4ec8b280319 (diff)
1 files changed, 13 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index ac19ea12c6a4..fbf81b9accad 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1541,8 +1541,19 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                 }
                 final AttributionSource resolvedAttributionSource =
                         accessorSource.withPackageName(resolvedAccessorPackageName);
-                final int opMode = appOpsManager.unsafeCheckOpRawNoThrow(op,
-                        resolvedAttributionSource);
+                // Avoid checking the first attr in the chain in some cases for consistency with
+                // checks for data delivery.
+                // In particular, for chains of 2 or more, when skipProxyOperation is true, the
+                // for data delivery implementation does not actually check the first link in the
+                // chain. If the attribution is just a singleReceiverFromDatasource, this
+                // exemption does not apply, since it does not go through proxyOp flow, and the top
+                // of the chain is actually removed above.
+                // Skipping the check avoids situations where preflight checks fail since the data
+                // source itself does not have the op (e.g. audioserver).
+                final int opMode = (skipProxyOperation && !singleReceiverFromDatasource) ?
+                        AppOpsManager.MODE_ALLOWED :
+                        appOpsManager.unsafeCheckOpRawNoThrow(op, resolvedAttributionSource);
+
                 final AttributionSource next = accessorSource.getNext();
                 if (!selfAccess && opMode == AppOpsManager.MODE_ALLOWED && next != null) {
                     final String resolvedNextPackageName = resolvePackageName(context, next);
author	Atneya Nair <atneya@google.com>	2025-03-19 22:55:13 -0700
committer	Atneya Nair <atneya@google.com>	2025-03-19 22:55:14 -0700
commit	30d34d06fac9ae18754719a4d032f496c89112e7 (patch)
tree	2ef37a06d3d6ebfcda00a8b2ae34f22ddfadca63
parent	4df491445a5e9da47a58e20edd46c4ec8b280319 (diff)