AppIdPermissionPolicy: Move package update permission revoke to after package evaluation.

This ensures that all flag changes (implicit or otherwise) occur before we evaluate for additional revocation. Bug: 401614607 Test: atest PermissionServiceMockingTests Flag: EXEMPT bugfix Change-Id: I6dc9f276568676aadce1b425df2074fb3c252836
author: Justin Lannin <jlannin@google.com> 2025-03-21 14:49:59 -0700
committer: Justin Lannin <jlannin@google.com> 2025-03-21 14:57:41 -0700
commit: 05bbc74ec1b827110a423fddd36c0801fe58f327 (patch)
tree: eadd19a8525543583b08a3eb551b058a6c4cbdd1
parent: 91c12d7e7154bb170f0a2baf806187789339326b (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
index 662e0c06f261..eeac70afcffb 100644
--- a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
@@ -112,7 +112,6 @@ class AppIdPermissionPolicy : SchemePolicy() {
             addPermissions(packageState, changedPermissionNames)
             trimPermissions(packageState.packageName, changedPermissionNames)
             trimPermissionStates(packageState.appId)
-            revokePermissionsOnPackageUpdate(packageState.appId)
         }
         changedPermissionNames.forEachIndexed { _, permissionName ->
             evaluatePermissionStateForAllPackages(permissionName, null)
@@ -130,6 +129,7 @@ class AppIdPermissionPolicy : SchemePolicy() {
             newState.externalState.userIds.forEachIndexed { _, userId ->
                 inheritImplicitPermissionStates(packageState.appId, userId)
             }
+            revokePermissionsOnPackageUpdate(packageState.appId)
         }
     }
 
@@ -140,7 +140,6 @@ class AppIdPermissionPolicy : SchemePolicy() {
         addPermissions(packageState, changedPermissionNames)
         trimPermissions(packageState.packageName, changedPermissionNames)
         trimPermissionStates(packageState.appId)
-        revokePermissionsOnPackageUpdate(packageState.appId)
         changedPermissionNames.forEachIndexed { _, permissionName ->
             evaluatePermissionStateForAllPackages(permissionName, null)
         }
@@ -148,6 +147,7 @@ class AppIdPermissionPolicy : SchemePolicy() {
         newState.externalState.userIds.forEachIndexed { _, userId ->
             inheritImplicitPermissionStates(packageState.appId, userId)
         }
+        revokePermissionsOnPackageUpdate(packageState.appId)
     }
 
     override fun MutateStateScope.onPackageRemoved(packageName: String, appId: Int) {
@@ -700,6 +700,10 @@ class AppIdPermissionPolicy : SchemePolicy() {
     }
 
     private fun MutateStateScope.revokePermissionsOnPackageUpdate(appId: Int) {
+        revokeStorageAndMediaPermissionsOnPackageUpdate(appId)
+    }
+
+    private fun MutateStateScope.revokeStorageAndMediaPermissionsOnPackageUpdate(appId: Int) {
         val hasOldPackage =
             appId in oldState.externalState.appIdPackageNames &&
                 anyPackageInAppId(appId, oldState) { true }
author	Justin Lannin <jlannin@google.com>	2025-03-21 14:49:59 -0700
committer	Justin Lannin <jlannin@google.com>	2025-03-21 14:57:41 -0700
commit	05bbc74ec1b827110a423fddd36c0801fe58f327 (patch)
tree	eadd19a8525543583b08a3eb551b058a6c4cbdd1
parent	91c12d7e7154bb170f0a2baf806187789339326b (diff)