diff options
| author | 2017-08-16 17:48:00 +0000 | |
|---|---|---|
| committer | 2017-08-16 17:48:00 +0000 | |
| commit | d22603ebd2951034c8fc7188ceee324c8f4bab0b (patch) | |
| tree | 62689757cdc2670c37d95f113af5b5d00c577cd3 | |
| parent | 91f0c696daf8f894c4bd568218cab5c9b29426d6 (diff) | |
| parent | cab962b8d0684c31dca44808d095978f6d04f8e8 (diff) | |
Merge "Merge "Allow explicit permission denial" into oc-mr1-dev am: 7fc53a11f8" into oc-mr1-dev-plus-aosp
3 files changed, 50 insertions, 5 deletions
diff --git a/core/java/com/android/server/SystemConfig.java b/core/java/com/android/server/SystemConfig.java index 81018fe4b357..77788921635f 100644 --- a/core/java/com/android/server/SystemConfig.java +++ b/core/java/com/android/server/SystemConfig.java @@ -141,6 +141,7 @@ public class SystemConfig { final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>(); + final ArrayMap<String, ArraySet<String>> mPrivAppDenyPermissions = new ArrayMap<>(); public static SystemConfig getInstance() { synchronized (SystemConfig.class) { @@ -219,6 +220,10 @@ public class SystemConfig { return mPrivAppPermissions.get(packageName); } + public ArraySet<String> getPrivAppDenyPermissions(String packageName) { + return mPrivAppDenyPermissions.get(packageName); + } + SystemConfig() { // Read configuration from system readPermissions(Environment.buildPath( @@ -660,6 +665,7 @@ public class SystemConfig { if (permissions == null) { permissions = new ArraySet<>(); } + ArraySet<String> denyPermissions = mPrivAppDenyPermissions.get(packageName); int depth = parser.getDepth(); while (XmlUtils.nextElementWithin(parser, depth)) { String name = parser.getName(); @@ -671,8 +677,22 @@ public class SystemConfig { continue; } permissions.add(permName); + } else if ("deny-permission".equals(name)) { + String permName = parser.getAttributeValue(null, "name"); + if (TextUtils.isEmpty(permName)) { + Slog.w(TAG, "name is required for <deny-permission> in " + + parser.getPositionDescription()); + continue; + } + if (denyPermissions == null) { + denyPermissions = new ArraySet<>(); + } + denyPermissions.add(permName); } } mPrivAppPermissions.put(packageName, permissions); + if (denyPermissions != null) { + mPrivAppDenyPermissions.put(packageName, denyPermissions); + } } } diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index 22254ef3a9a8..43e0affb590a 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -13191,18 +13191,28 @@ public class PackageManagerService extends IPackageManager.Stub boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName); if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp() && !platformPackage && platformPermission) { - ArraySet<String> wlPermissions = SystemConfig.getInstance() + final ArraySet<String> allowedPermissions = SystemConfig.getInstance() .getPrivAppPermissions(pkg.packageName); - boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm); + final boolean whitelisted = + allowedPermissions != null && allowedPermissions.contains(perm); if (!whitelisted) { Slog.w(TAG, "Privileged permission " + perm + " for package " + pkg.packageName + " - not in privapp-permissions whitelist"); // Only report violations for apps on system image if (!mSystemReady && !pkg.isUpdatedSystemApp()) { - if (mPrivappPermissionsViolations == null) { - mPrivappPermissionsViolations = new ArraySet<>(); + // it's only a reportable violation if the permission isn't explicitly denied + final ArraySet<String> deniedPermissions = SystemConfig.getInstance() + .getPrivAppDenyPermissions(pkg.packageName); + final boolean permissionViolation = + deniedPermissions == null || !deniedPermissions.contains(perm); + if (permissionViolation) { + if (mPrivappPermissionsViolations == null) { + mPrivappPermissionsViolations = new ArraySet<>(); + } + mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm); + } else { + return false; } - mPrivappPermissionsViolations.add(pkg.packageName + ": " + perm); } if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { return false; diff --git a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java index 46e21dbc98bd..909ffabfd2db 100644 --- a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java +++ b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java @@ -148,6 +148,8 @@ class PackageManagerShellCommand extends ShellCommand { return runSetHomeActivity(); case "get-privapp-permissions": return runGetPrivappPermissions(); + case "get-privapp-deny-permissions": + return runGetPrivappDenyPermissions(); case "get-instantapp-resolver": return runGetInstantAppResolver(); case "has-feature": @@ -1293,6 +1295,19 @@ class PackageManagerShellCommand extends ShellCommand { return 0; } + private int runGetPrivappDenyPermissions() { + final String pkg = getNextArg(); + if (pkg == null) { + System.err.println("Error: no package specified."); + return 1; + } + ArraySet<String> privAppDenyPermissions = + SystemConfig.getInstance().getPrivAppDenyPermissions(pkg); + getOutPrintWriter().println(privAppDenyPermissions == null + ? "{}" : privAppDenyPermissions.toString()); + return 0; + } + private int runGetInstantAppResolver() { final PrintWriter pw = getOutPrintWriter(); try { |