summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--api/current.txt1
-rw-r--r--api/system-current.txt1
-rw-r--r--api/test-current.txt1
-rw-r--r--core/java/android/content/pm/PackageParser.java1
-rw-r--r--core/java/android/content/pm/PermissionInfo.java10
-rw-r--r--core/res/AndroidManifest.xml2
-rw-r--r--core/res/res/values/attrs_manifest.xml4
-rw-r--r--services/core/java/com/android/server/pm/BasePermission.java4
-rw-r--r--services/core/java/com/android/server/pm/PackageManagerService.java11
9 files changed, 32 insertions, 3 deletions
diff --git a/api/current.txt b/api/current.txt
index 55221011ddfd..fe35f617680a 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -10807,6 +10807,7 @@ package android.content.pm {
field public static final int PROTECTION_FLAG_PRE23 = 128; // 0x80
field public static final int PROTECTION_FLAG_PREINSTALLED = 1024; // 0x400
field public static final int PROTECTION_FLAG_PRIVILEGED = 16; // 0x10
+ field public static final int PROTECTION_FLAG_RUNTIME_ONLY = 8192; // 0x2000
field public static final int PROTECTION_FLAG_SETUP = 2048; // 0x800
field public static final deprecated int PROTECTION_FLAG_SYSTEM = 16; // 0x10
field public static final int PROTECTION_FLAG_VERIFIER = 512; // 0x200
diff --git a/api/system-current.txt b/api/system-current.txt
index 1306f6d65d08..16e6f5b1e34d 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -11555,6 +11555,7 @@ package android.content.pm {
field public static final int PROTECTION_FLAG_PRE23 = 128; // 0x80
field public static final int PROTECTION_FLAG_PREINSTALLED = 1024; // 0x400
field public static final int PROTECTION_FLAG_PRIVILEGED = 16; // 0x10
+ field public static final int PROTECTION_FLAG_RUNTIME_ONLY = 8192; // 0x2000
field public static final int PROTECTION_FLAG_SETUP = 2048; // 0x800
field public static final deprecated int PROTECTION_FLAG_SYSTEM = 16; // 0x10
field public static final int PROTECTION_FLAG_VERIFIER = 512; // 0x200
diff --git a/api/test-current.txt b/api/test-current.txt
index ac381d63cdb0..d1dc37ccb904 100644
--- a/api/test-current.txt
+++ b/api/test-current.txt
@@ -10847,6 +10847,7 @@ package android.content.pm {
field public static final int PROTECTION_FLAG_PRE23 = 128; // 0x80
field public static final int PROTECTION_FLAG_PREINSTALLED = 1024; // 0x400
field public static final int PROTECTION_FLAG_PRIVILEGED = 16; // 0x10
+ field public static final int PROTECTION_FLAG_RUNTIME_ONLY = 8192; // 0x2000
field public static final int PROTECTION_FLAG_SETUP = 2048; // 0x800
field public static final deprecated int PROTECTION_FLAG_SYSTEM = 16; // 0x10
field public static final int PROTECTION_FLAG_VERIFIER = 512; // 0x200
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index 2dfb45f28453..940447ca5f08 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -3114,6 +3114,7 @@ public class PackageParser {
if ((perm.info.protectionLevel&PermissionInfo.PROTECTION_MASK_FLAGS) != 0) {
if ( (perm.info.protectionLevel&PermissionInfo.PROTECTION_FLAG_EPHEMERAL) == 0
+ && (perm.info.protectionLevel&PermissionInfo.PROTECTION_FLAG_RUNTIME_ONLY) == 0
&& (perm.info.protectionLevel&PermissionInfo.PROTECTION_MASK_BASE) !=
PermissionInfo.PROTECTION_SIGNATURE) {
outError[0] = "<permission> protectionLevel specifies a non-ephemeral flag but is "
diff --git a/core/java/android/content/pm/PermissionInfo.java b/core/java/android/content/pm/PermissionInfo.java
index 0703138287ba..694e60781546 100644
--- a/core/java/android/content/pm/PermissionInfo.java
+++ b/core/java/android/content/pm/PermissionInfo.java
@@ -131,6 +131,13 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
public static final int PROTECTION_FLAG_EPHEMERAL = 0x1000;
/**
+ * Additional flag for {@link #protectionLevel}, corresponding
+ * to the <code>runtime</code> value of
+ * {@link android.R.attr#protectionLevel}.
+ */
+ public static final int PROTECTION_FLAG_RUNTIME_ONLY = 0x2000;
+
+ /**
* Mask for {@link #protectionLevel}: the basic protection type.
*/
public static final int PROTECTION_MASK_BASE = 0xf;
@@ -250,6 +257,9 @@ public class PermissionInfo extends PackageItemInfo implements Parcelable {
if ((level&PermissionInfo.PROTECTION_FLAG_EPHEMERAL) != 0) {
protLevel += "|ephemeral";
}
+ if ((level&PermissionInfo.PROTECTION_FLAG_RUNTIME_ONLY) != 0) {
+ protLevel += "|runtime";
+ }
return protLevel;
}
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 792225083e8d..313041e8e0c2 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -914,7 +914,7 @@
android:permissionGroup="android.permission-group.PHONE"
android:label="@string/permlab_answerPhoneCalls"
android:description="@string/permdesc_answerPhoneCalls"
- android:protectionLevel="dangerous" />
+ android:protectionLevel="dangerous|runtime" />
<!-- ====================================================================== -->
diff --git a/core/res/res/values/attrs_manifest.xml b/core/res/res/values/attrs_manifest.xml
index ed5a42b707f7..3e4b66d780ad 100644
--- a/core/res/res/values/attrs_manifest.xml
+++ b/core/res/res/values/attrs_manifest.xml
@@ -245,6 +245,10 @@
<!-- Additional flag from base permission type: this permission can be granted to ephemeral
apps -->
<flag name="ephemeral" value="0x1000" />
+ <!-- Additional flag from base permission type: this permission can only be granted to apps
+ that target runtime permissions ({@link android.os.Build.VERSION_CODES#M} and above)
+ -->
+ <flag name="runtime" value="0x2000" />
</attr>
<!-- Flags indicating more context for a permission group. -->
diff --git a/services/core/java/com/android/server/pm/BasePermission.java b/services/core/java/com/android/server/pm/BasePermission.java
index 07c9dec7b353..21000388e746 100644
--- a/services/core/java/com/android/server/pm/BasePermission.java
+++ b/services/core/java/com/android/server/pm/BasePermission.java
@@ -98,4 +98,8 @@ final class BasePermission {
public boolean isInstant() {
return (protectionLevel & PermissionInfo.PROTECTION_FLAG_EPHEMERAL) != 0;
}
+
+ public boolean isRuntimeOnly() {
+ return (protectionLevel & PermissionInfo.PROTECTION_FLAG_RUNTIME_ONLY) != 0;
+ }
}
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index a9d05cf975de..01847aeb919b 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -2056,6 +2056,7 @@ public class PackageManagerService extends IPackageManager.Stub {
}
if (bp != null && (bp.isRuntime() || bp.isDevelopment())
&& (!instantApp || bp.isInstant())
+ && (supportsRuntimePermissions || !bp.isRuntimeOnly())
&& (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId);
@@ -11415,6 +11416,8 @@ public class PackageManagerService extends IPackageManager.Stub {
for (int i=0; i<N; i++) {
final String name = pkg.requestedPermissions.get(i);
final BasePermission bp = mSettings.mPermissions.get(name);
+ final boolean appSupportsRuntimePermissions = pkg.applicationInfo.targetSdkVersion
+ >= Build.VERSION_CODES.M;
if (DEBUG_INSTALL) {
Log.i(TAG, "Package " + pkg.packageName + " checking " + name + ": " + bp);
@@ -11436,6 +11439,12 @@ public class PackageManagerService extends IPackageManager.Stub {
continue;
}
+ if (bp.isRuntimeOnly() && !appSupportsRuntimePermissions) {
+ Log.i(TAG, "Denying runtime-only permission " + bp.name + " for package "
+ + pkg.packageName);
+ continue;
+ }
+
final String perm = bp.name;
boolean allowedSig = false;
int grant = GRANT_DENIED;
@@ -11451,8 +11460,6 @@ public class PackageManagerService extends IPackageManager.Stub {
}
final int level = bp.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE;
- final boolean appSupportsRuntimePermissions = pkg.applicationInfo.targetSdkVersion
- >= Build.VERSION_CODES.M;
switch (level) {
case PermissionInfo.PROTECTION_NORMAL: {
// For all apps normal permissions are install time ones.
generated by cgit v1.2.3-59-g8ed1b (git 2.39.0) at 2025-12-11 19:14:30 +0000