5 files changed, 28 insertions, 14 deletions
diff --git a/core/api/system-current.txt b/core/api/system-current.txt
index 831ac6f0f107..02f9e5eb1f7b 100644
--- a/core/api/system-current.txt
+++ b/core/api/system-current.txt
@@ -3660,7 +3660,6 @@ package android.hardware.location {
 field public static final int RESULT_FAILED_BAD_PARAMS = 2; // 0x2
 field public static final int RESULT_FAILED_BUSY = 4; // 0x4
 field public static final int RESULT_FAILED_HAL_UNAVAILABLE = 8; // 0x8
- field public static final int RESULT_FAILED_PERMISSION_DENIED = 9; // 0x9
 field public static final int RESULT_FAILED_SERVICE_INTERNAL_FAILURE = 7; // 0x7
 field public static final int RESULT_FAILED_TIMEOUT = 6; // 0x6
 field public static final int RESULT_FAILED_UNINITIALIZED = 3; // 0x3
diff --git a/core/java/android/hardware/location/ContextHubClient.java b/core/java/android/hardware/location/ContextHubClient.java
index 49beeb3a2e96..21ac71cb9163 100644
--- a/core/java/android/hardware/location/ContextHubClient.java
+++ b/core/java/android/hardware/location/ContextHubClient.java
@@ -146,6 +146,8 @@ public class ContextHubClient implements Closeable {
 * @return the result of sending the message defined as in ContextHubTransaction.Result
 *
 * @throws NullPointerException if NanoAppMessage is null
+ * @throws SecurityException if this client doesn't have permissions to send a message to the
+ * nanoapp.
 *
 * @see NanoAppMessage
 * @see ContextHubTransaction.Result
diff --git a/core/java/android/hardware/location/ContextHubClientCallback.java b/core/java/android/hardware/location/ContextHubClientCallback.java
index 7e484dda283c..35d00f03de67 100644
--- a/core/java/android/hardware/location/ContextHubClientCallback.java
+++ b/core/java/android/hardware/location/ContextHubClientCallback.java
@@ -117,11 +117,10 @@ public class ContextHubClientCallback {
 * 4) {@link ContextHubClient} performs any cleanup required with the nanoapp
 * 5) Callback invoked with the nanoapp ID and {@link ContextHubManager#AUTHORIZATION_DENIED}.
 * At this point, any further attempts of communication between the nanoapp and the
- * {@link ContextHubClient} will be dropped by the contexthub and a return value of
- * {@link ContextHubTransaction#RESULT_FAILED_PERMISSION_DENIED} will be used when calling
- * {@link ContextHubClient#sendMessageToNanoApp}. The {@link ContextHubClient} should assume
- * no communciation can happen again until {@link ContextHubManager#AUTHORIZATION_GRANTED} is
- * received.
+ * {@link ContextHubClient} will be dropped by the contexthub and a security exception will
+ * be thrown when calling {@link ContextHubClient#sendMessageToNanoApp}. The
+ * {@link ContextHubClient} should assume no communciation can happen again until
+ * {@link ContextHubManager#AUTHORIZATION_GRANTED} is received.
 *
 * @param client the client that is associated with this callback
 * @param nanoAppId the ID of the nanoapp associated with the new
diff --git a/core/java/android/hardware/location/ContextHubTransaction.java b/core/java/android/hardware/location/ContextHubTransaction.java
index 86f77c0bf138..d11e0a9b6081 100644
--- a/core/java/android/hardware/location/ContextHubTransaction.java
+++ b/core/java/android/hardware/location/ContextHubTransaction.java
@@ -81,8 +81,7 @@ public class ContextHubTransaction<T> {
 RESULT_FAILED_AT_HUB,
 RESULT_FAILED_TIMEOUT,
 RESULT_FAILED_SERVICE_INTERNAL_FAILURE,
- RESULT_FAILED_HAL_UNAVAILABLE,
- RESULT_FAILED_PERMISSION_DENIED
+ RESULT_FAILED_HAL_UNAVAILABLE
 })
 public @interface Result {}
 public static final int RESULT_SUCCESS = 0;
@@ -118,11 +117,6 @@ public class ContextHubTransaction<T> {
 * Failure mode when the Context Hub HAL was not available.
 */
 public static final int RESULT_FAILED_HAL_UNAVAILABLE = 8;
- /**
- * Failure mode when the user of the API doesn't have the required permissions to perform the
- * operation.
- */
- public static final int RESULT_FAILED_PERMISSION_DENIED = 9;

 /**
 * A class describing the response for a ContextHubTransaction.
diff --git a/services/core/java/com/android/server/location/contexthub/ContextHubClientBroker.java b/services/core/java/com/android/server/location/contexthub/ContextHubClientBroker.java
index c8c212b3109c..fffa57afa994 100644
--- a/services/core/java/com/android/server/location/contexthub/ContextHubClientBroker.java
+++ b/services/core/java/com/android/server/location/contexthub/ContextHubClientBroker.java
@@ -25,6 +25,9 @@ import android.Manifest;
 import android.annotation.Nullable;
 import android.app.AppOpsManager;
 import android.app.PendingIntent;
+import android.compat.Compatibility;
+import android.compat.annotation.ChangeId;
+import android.compat.annotation.EnabledAfter;
 import android.content.Context;
 import android.content.Intent;
 import android.hardware.contexthub.V1_0.ContextHubMsg;
@@ -38,6 +41,7 @@ import android.hardware.location.IContextHubTransactionCallback;
 import android.hardware.location.NanoAppMessage;
 import android.hardware.location.NanoAppState;
 import android.os.Binder;
+import android.os.Build;
 import android.os.IBinder;
 import android.os.Looper;
 import android.os.RemoteException;
@@ -113,6 +117,14 @@ public class ContextHubClientBroker extends IContextHubClient.Stub
 */
 private static final String RECEIVE_MSG_NOTE = "NanoappMessageDelivery ";

+ /**
+ * For clients targeting S and above, a SecurityException is thrown when they are in the denied
+ * authorization state and attempt to send a message to a nanoapp.
+ */
+ @ChangeId
+ @EnabledAfter(targetSdkVersion = Build.VERSION_CODES.R)
+ private static final long CHANGE_ID_AUTH_STATE_DENIED = 181350407L;
+
 /*
 * The context of the service.
 */
@@ -351,6 +363,8 @@ public class ContextHubClientBroker extends IContextHubClient.Stub
 *
 * @param message the message to send
 * @return the error code of sending the message
+ * @throws SecurityException if this client doesn't have permissions to send a message to the
+ * nanoapp
 */
 @ContextHubTransaction.Result
 @Override
@@ -362,7 +376,13 @@ public class ContextHubClientBroker extends IContextHubClient.Stub
 int authState = mMessageChannelNanoappIdMap.getOrDefault(
 message.getNanoAppId(), AUTHORIZATION_UNKNOWN);
 if (authState == AUTHORIZATION_DENIED) {
- return ContextHubTransaction.RESULT_FAILED_PERMISSION_DENIED;
+ if (Compatibility.isChangeEnabled(CHANGE_ID_AUTH_STATE_DENIED)) {
+ throw new SecurityException("Client doesn't have valid permissions to send"
+ + " message to " + message.getNanoAppId());
+ }
+ // Return a bland error code for apps targeting old SDKs since they wouldn't be able
+ // to use an error code added in S.
+ return ContextHubTransaction.RESULT_FAILED_UNKNOWN;
 } else if (authState == AUTHORIZATION_UNKNOWN) {
 // Only check permissions the first time a nanoapp is queried since nanoapp
 // permissions don't currently change at runtime. If the host permission changes |
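Review bot: The added `@throws SecurityException` line in the sendMessageToNanoApp Javadoc states the exception unconditionally, but the implementation hunk that follows throws only when CHANGE_ID_AUTH_STATE_DENIED is enabled and otherwise returns `RESULT_FAILED_UNKNOWN`. I would qualify it, for example `@throws SecurityException if this client targets S or above and is not authorized to message the nanoapp; clients targeting R or lower receive RESULT_FAILED_UNKNOWN instead`. The same qualification is missing from the `@throws` added in ContextHubClient.java and from the reworded step 5 in ContextHubClientCallback.java, which are the copies API users actually read, so a caller on an older target SDK has no documented way to recognise the denied state.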
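Review bot: `Compatibility.isChangeEnabled(CHANGE_ID_AUTH_STATE_DENIED)` answers for the process it runs in, and this class lives under services/core, so the gate most likely reflects the system server rather than the target SDK of the client that made the call. If that is the case, the denied branch takes the same path for every caller and the `RESULT_FAILED_UNKNOWN` fallback is not selected per app as the comment intends. A per-caller query such as `CompatChanges.isChangeEnabled(CHANGE_ID_AUTH_STATE_DENIED, Binder.getCallingUid())` (from `android.app.compat.CompatChanges`, which needs a new import) would tie the decision to the calling app; if the broker already records the client's uid, that stored value is the safer argument. The method starts and ends outside this hunk, so I cannot see whether the calling identity has been cleared before this point.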