Merge "Create a better implementation for permission GIDs." into main

author: Hai Zhang <zhanghai@google.com> 2024-02-15 04:47:35 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2024-02-15 04:47:35 +0000
commit: 894f417b0a4bdb66e4eac5c8d692f7f59fa596fd (patch)
tree: 8f0cbae8f4375a76fe5adde37cdb4fb53689bb2e
parent: c113156151ad7179f814eabd080f6a0a26aacaf1 (diff)
parent: 05b75fb4282bfac8da921c1cbbd0510bcc910fb6 (diff)
2 files changed, 64 insertions, 32 deletions
diff --git a/core/java/android/permission/flags.aconfig b/core/java/android/permission/flags.aconfig
index 95d6437ce3f6..9218cb8f497d 100644
--- a/core/java/android/permission/flags.aconfig
+++ b/core/java/android/permission/flags.aconfig
@@ -119,3 +119,14 @@ flag {
      description: "Enables the getEmergencyRoleHolder API."
      bug: "323157319"
 }
+
+flag {
+    name: "new_permission_gid_enabled"
+    is_fixed_read_only: true
+    namespace: "permissions"
+    description: "Enable new permission GID implementation"
+    bug: "325137277"
+    metadata {
+        purpose: PURPOSE_BUGFIX
+    }
+}
diff --git a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
index 558827631dfe..cb3ee7307e36 100644
--- a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
@@ -46,6 +46,7 @@ import com.android.server.pm.KnownPackages
 import com.android.server.pm.parsing.PackageInfoUtils
 import com.android.server.pm.pkg.AndroidPackage
 import com.android.server.pm.pkg.PackageState
+import libcore.util.EmptyArray
 
 class AppIdPermissionPolicy : SchemePolicy() {
     private val persistence = AppIdPermissionPersistence()
@@ -73,40 +74,42 @@ class AppIdPermissionPolicy : SchemePolicy() {
     }
 
     override fun MutateStateScope.onInitialized() {
-        newState.externalState.configPermissions.forEach { (permissionName, permissionEntry) ->
-            val oldPermission = newState.systemState.permissions[permissionName]
-            val newPermission =
-                if (oldPermission != null) {
-                    if (permissionEntry.gids != null) {
-                        oldPermission.copy(
-                            gids = permissionEntry.gids,
-                            areGidsPerUser = permissionEntry.perUser
-                        )
-                    } else {
-                        return@forEach
-                    }
-                } else {
-                    @Suppress("DEPRECATION")
-                    val permissionInfo =
-                        PermissionInfo().apply {
-                            name = permissionName
-                            packageName = PLATFORM_PACKAGE_NAME
-                            protectionLevel = PermissionInfo.PROTECTION_SIGNATURE
+        if (!Flags.newPermissionGidEnabled()) {
+            newState.externalState.configPermissions.forEach { (permissionName, permissionEntry) ->
+                val oldPermission = newState.systemState.permissions[permissionName]
+                val newPermission =
+                    if (oldPermission != null) {
+                        if (permissionEntry.gids != null) {
+                            oldPermission.copy(
+                                gids = permissionEntry.gids,
+                                areGidsPerUser = permissionEntry.perUser
+                            )
+                        } else {
+                            return@forEach
                         }
-                    if (permissionEntry.gids != null) {
-                        Permission(
-                            permissionInfo,
-                            false,
-                            Permission.TYPE_CONFIG,
-                            0,
-                            permissionEntry.gids,
-                            permissionEntry.perUser
-                        )
                     } else {
-                        Permission(permissionInfo, false, Permission.TYPE_CONFIG, 0)
+                        @Suppress("DEPRECATION")
+                        val permissionInfo =
+                            PermissionInfo().apply {
+                                name = permissionName
+                                packageName = PLATFORM_PACKAGE_NAME
+                                protectionLevel = PermissionInfo.PROTECTION_SIGNATURE
+                            }
+                        if (permissionEntry.gids != null) {
+                            Permission(
+                                permissionInfo,
+                                false,
+                                Permission.TYPE_CONFIG,
+                                0,
+                                permissionEntry.gids,
+                                permissionEntry.perUser
+                            )
+                        } else {
+                            Permission(permissionInfo, false, Permission.TYPE_CONFIG, 0)
+                        }
                     }
-                }
-            newState.mutateSystemState().mutatePermissions()[permissionName] = newPermission
+                newState.mutateSystemState().mutatePermissions()[permissionName] = newPermission
+            }
         }
     }
 
@@ -459,7 +462,7 @@ class AppIdPermissionPolicy : SchemePolicy() {
                 )
                 return@forEachIndexed
             }
-            val newPermission =
+            var newPermission =
                 if (oldPermission != null && newPackageName != oldPermission.packageName) {
                     val oldPackageName = oldPermission.packageName
                     // Only allow system apps to redefine non-system permissions.
@@ -582,6 +585,24 @@ class AppIdPermissionPolicy : SchemePolicy() {
                         )
                     }
                 }
+            if (Flags.newPermissionGidEnabled()) {
+                var gids = EmptyArray.INT
+                var areGidsPerUser = false
+                if (!parsedPermission.isTree && packageState.isSystem) {
+                    newState.externalState.configPermissions[permissionName]?.let {
+                        gids = it.gids
+                        areGidsPerUser = it.perUser
+                    }
+                }
+                newPermission = Permission(
+                    newPermissionInfo,
+                    true,
+                    Permission.TYPE_MANIFEST,
+                    packageState.appId,
+                    gids,
+                    areGidsPerUser
+                )
+            }
 
             if (parsedPermission.isTree) {
                 newState.mutateSystemState().mutatePermissionTrees()[permissionName] = newPermission
author	Hai Zhang <zhanghai@google.com>	2024-02-15 04:47:35 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2024-02-15 04:47:35 +0000
commit	894f417b0a4bdb66e4eac5c8d692f7f59fa596fd (patch)
tree	8f0cbae8f4375a76fe5adde37cdb4fb53689bb2e
parent	c113156151ad7179f814eabd080f6a0a26aacaf1 (diff)
parent	05b75fb4282bfac8da921c1cbbd0510bcc910fb6 (diff)