| author | 2017-08-16 15:00:20 -0700 | |
|---|---|---|
| committer | 2017-08-16 15:00:20 -0700 | |
| commit | 519b589300a5ad87d5dc1bae1b7f9a10129c9fa9 (patch) | |
| tree | 89cd131905b7a765eb40e72ee181ecc226a7e191 | |
| parent | fcd086e577f08d44ff499222bd1faaad517fde19 (diff) | |
| parent | d22603ebd2951034c8fc7188ceee324c8f4bab0b (diff) | |
resolve merge conflicts of d22603ebd295 to master
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Iab4443f6a8b996ea9f28f4e68c6ec3bb708526e6
3 files changed, 47 insertions, 3 deletions
diff --git a/core/java/com/android/server/SystemConfig.java b/core/java/com/android/server/SystemConfig.java
index 81018fe4b357..77788921635f 100644
--- a/core/java/com/android/server/SystemConfig.java
+++ b/core/java/com/android/server/SystemConfig.java
@@ -141,6 +141,7 @@ public class SystemConfig {
 final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>();
+ final ArrayMap<String, ArraySet<String>> mPrivAppDenyPermissions = new ArrayMap<>();
 public static SystemConfig getInstance() {
 synchronized (SystemConfig.class) {
@@ -219,6 +220,10 @@ public class SystemConfig {
 return mPrivAppPermissions.get(packageName);
 }
+ public ArraySet<String> getPrivAppDenyPermissions(String packageName) {
+ return mPrivAppDenyPermissions.get(packageName);
+ }
+
 SystemConfig() {
 // Read configuration from system
 readPermissions(Environment.buildPath(
@@ -660,6 +665,7 @@ public class SystemConfig {
 if (permissions == null) {
 permissions = new ArraySet<>();
 }
+ ArraySet<String> denyPermissions = mPrivAppDenyPermissions.get(packageName);
 int depth = parser.getDepth();
 while (XmlUtils.nextElementWithin(parser, depth)) {
 String name = parser.getName();
@@ -671,8 +677,22 @@ public class SystemConfig {
 continue;
 }
 permissions.add(permName);
+ } else if ("deny-permission".equals(name)) {
+ String permName = parser.getAttributeValue(null, "name");
+ if (TextUtils.isEmpty(permName)) {
+ Slog.w(TAG, "name is required for <deny-permission> in "
+ + parser.getPositionDescription());
+ continue;
+ }
+ if (denyPermissions == null) {
+ denyPermissions = new ArraySet<>();
+ }
+ denyPermissions.add(permName);
 }
 }
 mPrivAppPermissions.put(packageName, permissions);
+ if (denyPermissions != null) {
+ mPrivAppDenyPermissions.put(packageName, denyPermissions);
+ }
 }
 }
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index bd120117b9ab..1617defc95a5 100644
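Review bot: `getPrivAppDenyPermissions` has no Javadoc saying that it returns null when the package has no `<deny-permission>` entries, or that the returned `ArraySet` is the instance held in `mPrivAppDenyPermissions` rather than a copy. Both callers added in this commit null-check the result, but nothing on the method tells a later caller to do the same or to leave the set unmodified. I would add `/** Returns the permissions explicitly denied to {@code packageName}, or {@code null} if there are none; the returned set is the live internal set and must not be modified. */` above the method.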
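Review bot: The new `deny-permission` branch never checks the name against `permissions`, so a config that lists the same permission under both `<permission>` and `<deny-permission>` for one package is accepted without any message. Judging by the PackageManagerService hunk in this commit, the deny set is consulted only after the whitelist lookup has failed, so the allow entry would presumably win and the deny entry would silently have no effect. A warning after the loop would make that misconfiguration visible, e.g. inside the existing `if (denyPermissions != null)` block: `for (String p : denyPermissions) { if (permissions.contains(p)) Slog.w(TAG, "permission " + p + " is both granted and denied for " + packageName); }`. The enclosing parse method starts outside this hunk, so how `packageName` was validated is not visible here.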
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -13213,10 +13213,19 @@ public class PackageManagerService extends IPackageManager.Stub
 + pkg.packageName + " - not in privapp-permissions whitelist");
 // Only report violations for apps on system image
 if (!mSystemReady && !pkg.isUpdatedSystemApp()) {
- if (mPrivappPermissionsViolations == null) {
- mPrivappPermissionsViolations = new ArraySet<>();
+ // it's only a reportable violation if the permission isn't explicitly denied
+ final ArraySet<String> deniedPermissions = SystemConfig.getInstance()
+ .getPrivAppDenyPermissions(pkg.packageName);
+ final boolean permissionViolation =
+ deniedPermissions == null || !deniedPermissions.contains(perm);
+ if (permissionViolation) {
+ if (mPrivappPermissionsViolations == null) {
+ mPrivappPermissionsViolations = new ArraySet<>();
+ }
+ mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm);
+ } else {
+ return false;
 }
- mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm);
 }
 if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) {
 return false;
diff --git a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
index 46e21dbc98bd..909ffabfd2db 100644
--- a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
+++ b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
@@ -148,6 +148,8 @@ class PackageManagerShellCommand extends ShellCommand {
 return runSetHomeActivity();
 case "get-privapp-permissions":
 return runGetPrivappPermissions();
+ case "get-privapp-deny-permissions":
+ return runGetPrivappDenyPermissions();
 case "get-instantapp-resolver":
 return runGetInstantAppResolver();
 case "has-feature":
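Review bot: The deny list is read only inside `if (!mSystemReady && !pkg.isUpdatedSystemApp())`, so an explicitly denied permission gets `return false` for an image app during boot but falls through to the `CONTROL_PRIVAPP_PERMISSIONS_ENFORCE` check for an updated system app or once `mSystemReady` is set. With enforcement off, that path does not return here, so whether a permission named in `<deny-permission>` is actually refused appears to depend on boot state rather than on the config. The rest of the method lies outside the hunk, so this should be confirmed against the full body. If a deny entry is meant to be authoritative, hoist the lookup above the boot-time check as `if (deniedPermissions != null && deniedPermissions.contains(perm)) { return false; }` and leave the inner block to record the violation only. The added comment should also state that a denied permission is refused, not merely left unreported.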
@@ -1293,6 +1295,19 @@ class PackageManagerShellCommand extends ShellCommand {
 return 0;
 }
+ private int runGetPrivappDenyPermissions() {
+ final String pkg = getNextArg();
+ if (pkg == null) {
+ System.err.println("Error: no package specified.");
+ return 1;
+ }
+ ArraySet<String> privAppDenyPermissions =
+ SystemConfig.getInstance().getPrivAppDenyPermissions(pkg);
+ getOutPrintWriter().println(privAppDenyPermissions == null
+ ? "{}" : privAppDenyPermissions.toString());
+ return 0;
+ }
+
 private int runGetInstantAppResolver() {
 final PrintWriter pw = getOutPrintWriter();
 try { |
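Review bot: The missing-argument error in `runGetPrivappDenyPermissions` is written to `System.err`, which inside a `ShellCommand` is the hosting process's stderr rather than the caller's stream, so someone running `get-privapp-deny-permissions` without a package likely sees only exit status 1. `getErrPrintWriter().println("Error: no package specified.");` would send the message to the caller, matching the use of `getOutPrintWriter()` for the result a few lines below. If the existing `runGetPrivappPermissions` (its body is not visible in this hunk) does the same, it wants the same change.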