Introduce new permissionFlag

The new permission flag is for restricted permissions which the installer is not able to exempt. Test: Install test app Bug: 158311343 Change-Id: I7340948690ea69750ef479d1b8f0ac8a6177c98c
author: Evan Severson <evanseverson@google.com> 2020-08-06 13:54:37 -0700
committer: Evan Severson <evanseverson@google.com> 2020-09-23 14:06:06 -0700
commit: d7087b25ce394ec54cc6ec8e2852aee0a12c0e8a (patch)
tree: 3b453988348693dc2edadf4cb47f9b202acc4382
parent: 4f30e0baeb0c6b6645c6f2f44c72c7fd11115ac3 (diff)
7 files changed, 31 insertions, 2 deletions
diff --git a/api/current.txt b/api/current.txt
index 5d87ab192b58..855f84ab3238 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -12345,6 +12345,7 @@ package android.content.pm {
     field public static final int FLAG_HARD_RESTRICTED = 4; // 0x4
     field public static final int FLAG_IMMUTABLY_RESTRICTED = 16; // 0x10
     field public static final int FLAG_INSTALLED = 1073741824; // 0x40000000
+    field public static final int FLAG_INSTALLER_EXEMPT_IGNORED = 32; // 0x20
     field public static final int FLAG_SOFT_RESTRICTED = 8; // 0x8
     field public static final int PROTECTION_DANGEROUS = 1; // 0x1
     field public static final int PROTECTION_FLAG_APPOP = 64; // 0x40
diff --git a/core/java/android/content/pm/PermissionInfo.java b/core/java/android/content/pm/PermissionInfo.java
index 04e15c20b2f4..5d4c843d2eab 100644
--- a/core/java/android/content/pm/PermissionInfo.java
+++ b/core/java/android/content/pm/PermissionInfo.java
@@ -377,6 +377,14 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
     public static final int FLAG_IMMUTABLY_RESTRICTED = 1<<4;
 
     /**
+     * Flag for {@link #flags}, corresponding to <code>installerExemptIgnored</code>
+     * value of {@link android.R.attr#permissionFlags}.
+     *
+     * <p> Modifier for permission restriction. This permission cannot be exempted by the installer.
+     */
+    public static final int FLAG_INSTALLER_EXEMPT_IGNORED = 1 << 5;
+
+    /**
      * Flag for {@link #flags}, indicating that this permission has been
      * installed into the system's globally defined permissions.
      */
@@ -656,6 +664,11 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
     }
 
     /** @hide */
+    public boolean isInstallerExemptIgnored() {
+        return (flags & PermissionInfo.FLAG_INSTALLER_EXEMPT_IGNORED) != 0;
+    }
+
+    /** @hide */
     public boolean isAppOp() {
         return (protectionLevel & PermissionInfo.PROTECTION_FLAG_APPOP) != 0;
     }
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 5074df470410..2614998904d5 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1254,7 +1254,7 @@
         android:permissionGroup="android.permission-group.UNDEFINED"
         android:label="@string/permlab_recordBackgroundAudio"
         android:description="@string/permdesc_recordBackgroundAudio"
-        android:permissionFlags="hardRestricted"
+        android:permissionFlags="hardRestricted|installerExemptIgnored"
         android:protectionLevel="dangerous" />
 
     <!-- ====================================================================== -->
@@ -1334,7 +1334,7 @@
             android:permissionGroup="android.permission-group.UNDEFINED"
             android:label="@string/permlab_backgroundCamera"
             android:description="@string/permdesc_backgroundCamera"
-            android:permissionFlags="hardRestricted"
+            android:permissionFlags="hardRestricted|installerExemptIgnored"
             android:protectionLevel="dangerous" />
 
     <!-- @SystemApi Required in addition to android.permission.CAMERA to be able to access
diff --git a/core/res/res/values/attrs_manifest.xml b/core/res/res/values/attrs_manifest.xml
index 1c71baeaf46a..96ebc127e9ba 100644
--- a/core/res/res/values/attrs_manifest.xml
+++ b/core/res/res/values/attrs_manifest.xml
@@ -344,6 +344,11 @@
              the app is uninstalled.
         -->
         <flag name="immutablyRestricted" value="0x10" />
+        <!--
+             Modifier for permission restriction. This permission cannot
+             be exempted by the installer.
+        -->
+        <flag name="installerExemptIgnored" value="0x20" />
     </attr>
 
     <!-- Specified the name of a group that this permission is associated
diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt
index 6a9dc2df612c..86a9d3908fd8 100644
--- a/non-updatable-api/current.txt
+++ b/non-updatable-api/current.txt
@@ -12345,6 +12345,7 @@ package android.content.pm {
     field public static final int FLAG_HARD_RESTRICTED = 4; // 0x4
     field public static final int FLAG_IMMUTABLY_RESTRICTED = 16; // 0x10
     field public static final int FLAG_INSTALLED = 1073741824; // 0x40000000
+    field public static final int FLAG_INSTALLER_EXEMPT_IGNORED = 32; // 0x20
     field public static final int FLAG_SOFT_RESTRICTED = 8; // 0x8
     field public static final int PROTECTION_DANGEROUS = 1; // 0x1
     field public static final int PROTECTION_FLAG_APPOP = 64; // 0x40
diff --git a/services/core/java/com/android/server/pm/permission/BasePermission.java b/services/core/java/com/android/server/pm/permission/BasePermission.java
index 865b8a1e97eb..d8162493010a 100644
--- a/services/core/java/com/android/server/pm/permission/BasePermission.java
+++ b/services/core/java/com/android/server/pm/permission/BasePermission.java
@@ -206,6 +206,11 @@ public final class BasePermission {
         return perm != null && (perm.getFlags() & PermissionInfo.FLAG_IMMUTABLY_RESTRICTED) != 0;
     }
 
+    public boolean isInstallerExemptIgnored() {
+        return perm != null
+                && (perm.getFlags() & PermissionInfo.FLAG_INSTALLER_EXEMPT_IGNORED) != 0;
+    }
+
     public boolean isSignature() {
         return (protectionLevel & PermissionInfo.PROTECTION_MASK_BASE) ==
                 PermissionInfo.PROTECTION_SIGNATURE;
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 544f1225916e..ce2e68f9f875 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -787,6 +787,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
             throw new IllegalArgumentException("Unknown permission: " + permName);
         }
 
+        if (bp.isInstallerExemptIgnored()) {
+            flagValues &= ~FLAG_PERMISSION_RESTRICTION_INSTALLER_EXEMPT;
+        }
+
         final UidPermissionState uidState = getUidState(pkg, userId);
         if (uidState == null) {
             Slog.e(TAG, "Missing permissions state for " + packageName + " and user " + userId);
author	Evan Severson <evanseverson@google.com>	2020-08-06 13:54:37 -0700
committer	Evan Severson <evanseverson@google.com>	2020-09-23 14:06:06 -0700
commit	d7087b25ce394ec54cc6ec8e2852aee0a12c0e8a (patch)
tree	3b453988348693dc2edadf4cb47f9b202acc4382
parent	4f30e0baeb0c6b6645c6f2f44c72c7fd11115ac3 (diff)