diff options
| author | 2024-04-12 17:02:32 +0000 | |
|---|---|---|
| committer | 2024-04-12 17:02:32 +0000 | |
| commit | b83de0bcf7f9aa4544dc3a2408e7cc642244585d (patch) | |
| tree | 864b6791bfb96d8bd4843a3c6f1e34ad3093fb9d | |
| parent | b9754ad7081c2dc6eef4421f3e0dc0c910206204 (diff) | |
| parent | 0281cea6dc27f92c9a535e150fd0307b1aeaac3a (diff) | |
Merge "Short circuit system and root uids in appop checks" into main
| -rw-r--r-- | services/core/java/com/android/server/appop/AppOpsService.java | 33 |
1 files changed, 26 insertions, 7 deletions
diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java index 83fa34490f32..a1f80d05fe1f 100644 --- a/services/core/java/com/android/server/appop/AppOpsService.java +++ b/services/core/java/com/android/server/appop/AppOpsService.java @@ -70,6 +70,7 @@ import static android.content.Intent.ACTION_PACKAGE_REMOVED; import static android.content.Intent.EXTRA_REPLACING; import static android.content.pm.PermissionInfo.PROTECTION_DANGEROUS; import static android.content.pm.PermissionInfo.PROTECTION_FLAG_APPOP; +import static android.permission.flags.Flags.runtimePermissionAppopsMappingEnabled; import static com.android.server.appop.AppOpsService.ModeCallback.ALL_OPS; @@ -2683,6 +2684,15 @@ public class AppOpsService extends IAppOpsService.Stub { } } + /** + * When querying the mode these should always be allowed and the checking service might not + * have information on them. + */ + private static boolean isOpAllowedForUid(int uid) { + return runtimePermissionAppopsMappingEnabled() + && (uid == Process.ROOT_UID || uid == Process.SYSTEM_UID); + } + @Override public int checkOperationRaw(int code, int uid, String packageName, @Nullable String attributionTag) { @@ -2758,6 +2768,9 @@ public class AppOpsService extends IAppOpsService.Stub { pvr.bypass, true)) { return AppOpsManager.MODE_IGNORED; } + if (isOpAllowedForUid(uid)) { + return MODE_ALLOWED; + } code = AppOpsManager.opToSwitch(code); UidState uidState = getUidStateLocked(uid, false); if (uidState != null @@ -3072,9 +3085,12 @@ public class AppOpsService extends IAppOpsService.Stub { return new SyncNotedAppOp(AppOpsManager.MODE_IGNORED, code, attributionTag, packageName); } - // If there is a non-default per UID policy (we set UID op mode only if - // non-default) it takes over, otherwise use the per package policy. - if (mAppOpsCheckingService.getUidMode( + if (isOpAllowedForUid(uid)) { + // Op is always allowed for the UID, do nothing. + + // If there is a non-default per UID policy (we set UID op mode only if + // non-default) it takes over, otherwise use the per package policy. + } else if (mAppOpsCheckingService.getUidMode( uidState.uid, getPersistentId(virtualDeviceId), switchCode) != AppOpsManager.opToDefaultMode(switchCode)) { final int uidMode = @@ -3666,10 +3682,13 @@ public class AppOpsService extends IAppOpsService.Stub { isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, virtualDeviceId, pvr.bypass, false); final int switchCode = AppOpsManager.opToSwitch(code); - // If there is a non-default per UID policy (we set UID op mode only if - // non-default) it takes over, otherwise use the per package policy. - if (mAppOpsCheckingService.getUidMode( - uidState.uid, getPersistentId(virtualDeviceId), switchCode) + if (isOpAllowedForUid(uid)) { + // Op is always allowed for the UID, do nothing. + + // If there is a non-default per UID policy (we set UID op mode only if + // non-default) it takes over, otherwise use the per package policy. + } else if (mAppOpsCheckingService.getUidMode( + uidState.uid, getPersistentId(virtualDeviceId), switchCode) != AppOpsManager.opToDefaultMode(switchCode)) { final int uidMode = uidState.evalMode( |