summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
author Eugene Susla <eugenesusla@google.com> 2018-11-05 12:23:30 -0800
committer Eugene Susla <eugenesusla@google.com> 2018-11-15 11:25:39 -0800
commite4ee2c21388fc04a4da16c87de7ffe9f001b2015 (patch)
treedbc8d456e82770e41b03c644c74926be7baf2b6a
parent27600ff5ddb3aff918013bf76e5f8d4130e11263 (diff)
Flip appops corresponding to default-granted permissions
Not that we're starting to change appops' default values for sms/calllog permissions, default grants by DefaultPermissionGrantPolicy must take care to also flip the appops, otherwise permission grants don't take the desired effect. This also fixes the `appops get` shell command to reflect both uid and package mode, consistent with how appops are checked Bug: 117623587 Test: - enable kill switch for sms access restriction - adb install -g $ANDROID_BUILD_TOP/out/target/product/sailfish/data/app/CellBroadcastReceiverTests/CellBroadcastReceiverTests.apk - launch the app and press any button - ensure no "Appop denial" warning in logcat ---- - adb shell appops get com.android.cellbroadcastreceiver android:receive_sms - ensure result reflects uid mode Change-Id: I59bb0c89423d3636c310c21b7a1cbf0481c992eb
Diffstat
-rw-r--r--core/java/android/app/AppOpsManager.java2
-rw-r--r--services/core/java/com/android/server/AppOpsService.java30
-rw-r--r--services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java15
3 files changed, 43 insertions, 4 deletions
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 2be5dc966746..6e31c0fb9205 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -1000,7 +1000,7 @@ public class AppOpsManager {
"WRITE_WALLPAPER",
"ASSIST_STRUCTURE",
"ASSIST_SCREENSHOT",
- "OP_READ_PHONE_STATE",
+ "READ_PHONE_STATE",
"ADD_VOICEMAIL",
"USE_SIP",
"PROCESS_OUTGOING_CALLS",
diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
index 5814064e5fbd..99f7eb484dab 100644
--- a/services/core/java/com/android/server/AppOpsService.java
+++ b/services/core/java/com/android/server/AppOpsService.java
@@ -25,6 +25,8 @@ import static android.app.AppOpsManager.UID_STATE_LAST_NON_RESTRICTED;
import static android.app.AppOpsManager.UID_STATE_PERSISTENT;
import static android.app.AppOpsManager.UID_STATE_TOP;
import static android.app.AppOpsManager._NUM_UID_STATE;
+import static android.app.AppOpsManager.modeToName;
+import static android.app.AppOpsManager.opToName;
import android.Manifest;
import android.annotation.NonNull;
@@ -877,6 +879,9 @@ public class AppOpsService extends IAppOpsService.Stub {
}
private ArrayList<AppOpsManager.OpEntry> collectOps(SparseIntArray uidOps, int[] ops) {
+ if (uidOps == null) {
+ return null;
+ }
ArrayList<AppOpsManager.OpEntry> resOps = null;
if (ops == null) {
resOps = new ArrayList<>();
@@ -1131,6 +1136,11 @@ public class AppOpsService extends IAppOpsService.Stub {
@Override
public void setUidMode(int code, int uid, int mode) {
+ if (DEBUG) {
+ Slog.i(TAG, "uid " + uid + " OP_" + opToName(code) + " := " + modeToName(mode)
+ + " by uid " + Binder.getCallingUid());
+ }
+
enforceManageAppOpsModes(Binder.getCallingPid(), Binder.getCallingUid(), uid);
verifyIncomingOp(code);
code = AppOpsManager.opToSwitch(code);
@@ -3024,11 +3034,21 @@ public class AppOpsService extends IAppOpsService.Stub {
return res;
}
- List<AppOpsManager.PackageOps> ops;
+ List<AppOpsManager.PackageOps> ops = new ArrayList<>();
if (shell.packageName != null) {
- ops = shell.mInterface.getOpsForPackage(
+ // Uid mode overrides package mode, so make sure it's also reported
+ List<AppOpsManager.PackageOps> r = shell.mInterface.getUidOps(
+ shell.packageUid,
+ shell.op != AppOpsManager.OP_NONE ? new int[]{shell.op} : null);
+ if (r != null) {
+ ops.addAll(r);
+ }
+ r = shell.mInterface.getOpsForPackage(
shell.packageUid, shell.packageName,
shell.op != AppOpsManager.OP_NONE ? new int[]{shell.op} : null);
+ if (r != null) {
+ ops.addAll(r);
+ }
} else {
ops = shell.mInterface.getUidOps(
shell.nonpackageUid,
@@ -3044,7 +3064,11 @@ public class AppOpsService extends IAppOpsService.Stub {
}
final long now = System.currentTimeMillis();
for (int i=0; i<ops.size(); i++) {
- List<AppOpsManager.OpEntry> entries = ops.get(i).getOps();
+ AppOpsManager.PackageOps packageOps = ops.get(i);
+ if (packageOps.getPackageName() == null) {
+ pw.print("Uid mode: ");
+ }
+ List<AppOpsManager.OpEntry> entries = packageOps.getOps();
for (int j=0; j<entries.size(); j++) {
AppOpsManager.OpEntry ent = entries.get(j);
pw.print(AppOpsManager.opToName(ent.getOp()));
diff --git a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
index 32b2bf05ac48..774134c994b3 100644
--- a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+++ b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
@@ -1205,6 +1205,21 @@ public final class DefaultPermissionGrantPolicy {
if (DEBUG) {
Log.i(TAG, "Granted " + (systemFixed ? "fixed " : "not fixed ")
+ permission + " to default handler " + pkg);
+
+ int appOp = AppOpsManager.permissionToOpCode(permission);
+ if (appOp != AppOpsManager.OP_NONE
+ && AppOpsManager.opToDefaultMode(appOp)
+ != AppOpsManager.MODE_ALLOWED) {
+ // Permission has a corresponding appop which is not allowed by default
+ // We must allow it as well, as it's usually checked alongside the
+ // permission
+ if (DEBUG) {
+ Log.i(TAG, "Granting OP_" + AppOpsManager.opToName(appOp)
+ + " to " + pkg.packageName);
+ }
+ mContext.getSystemService(AppOpsManager.class).setUidMode(
+ appOp, pkg.applicationInfo.uid, AppOpsManager.MODE_ALLOWED);
+ }
}
}
generated by cgit v1.2.3-59-g8ed1b (git 2.39.0) at 2025-10-30 16:14:51 +0000