| -rw-r--r-- | services/core/java/com/android/server/pm/permission/PermissionManagerService.java | 76 |
1 files changed, 40 insertions, 36 deletions
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 765ecb9710cb..82c02a4ebefe 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -3319,47 +3319,51 @@ public class PermissionManagerService extends IPermissionManager.Stub { if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivileged() && !platformPackage && platformPermission) { if (!hasPrivappWhitelistEntry(perm, pkg)) { - ApexManager apexMgr = ApexManager.getInstance(); - String apexContainingPkg = apexMgr.getActiveApexPackageNameContainingPackage(pkg); - // Only enforce whitelist this on boot if (!mSystemReady // Updated system apps do not need to be whitelisted - && !pkgSetting.getPkgState().isUpdatedSystemApp() - // Apps that are in updated apexs' do not need to be whitelisted - && (apexContainingPkg == null || apexMgr.isFactory( - apexMgr.getPackageInfo(apexContainingPkg, MATCH_ACTIVE_PACKAGE)))) { - // it's only a reportable violation if the permission isn't explicitly denied - ArraySet<String> deniedPermissions = null; - if (pkg.isVendor()) { - deniedPermissions = SystemConfig.getInstance() - .getVendorPrivAppDenyPermissions(pkg.getPackageName()); - } else if (pkg.isProduct()) { - deniedPermissions = SystemConfig.getInstance() - .getProductPrivAppDenyPermissions(pkg.getPackageName()); - } else if (pkg.isSystemExt()) { - deniedPermissions = SystemConfig.getInstance() - .getSystemExtPrivAppDenyPermissions(pkg.getPackageName()); - } else { - deniedPermissions = SystemConfig.getInstance() - .getPrivAppDenyPermissions(pkg.getPackageName()); - } - final boolean permissionViolation = - deniedPermissions == null || !deniedPermissions.contains(perm); - if (permissionViolation) { - Slog.w(TAG, "Privileged permission " + perm + " for package " - + pkg.getPackageName() + " (" + pkg.getCodePath() - + ") not in privapp-permissions whitelist"); - - if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { - if (mPrivappPermissionsViolations == null) { - mPrivappPermissionsViolations = new ArraySet<>(); + && !pkgSetting.getPkgState().isUpdatedSystemApp()) { + ApexManager apexMgr = ApexManager.getInstance(); + String 
apexContainingPkg = apexMgr.getActiveApexPackageNameContainingPackage( + pkg); + + // Apps that are in updated apexs' do not need to be whitelisted + if (apexContainingPkg == null || apexMgr.isFactory( + apexMgr.getPackageInfo(apexContainingPkg, MATCH_ACTIVE_PACKAGE))) { + // it's only a reportable violation if the permission isn't explicitly + // denied + ArraySet<String> deniedPermissions = null; + if (pkg.isVendor()) { + deniedPermissions = SystemConfig.getInstance() + .getVendorPrivAppDenyPermissions(pkg.getPackageName()); + } else if (pkg.isProduct()) { + deniedPermissions = SystemConfig.getInstance() + .getProductPrivAppDenyPermissions(pkg.getPackageName()); + } else if (pkg.isSystemExt()) { + deniedPermissions = SystemConfig.getInstance() + .getSystemExtPrivAppDenyPermissions(pkg.getPackageName()); + } else { + deniedPermissions = SystemConfig.getInstance() + .getPrivAppDenyPermissions(pkg.getPackageName()); + } + final boolean permissionViolation = + deniedPermissions == null || !deniedPermissions.contains(perm); + if (permissionViolation) { + Slog.w(TAG, "Privileged permission " + perm + " for package " + + pkg.getPackageName() + " (" + pkg.getCodePath() + + ") not in privapp-permissions whitelist"); + + if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { + if (mPrivappPermissionsViolations == null) { + mPrivappPermissionsViolations = new ArraySet<>(); + } + mPrivappPermissionsViolations.add( + pkg.getPackageName() + " (" + pkg.getCodePath() + "): " + + perm); } - mPrivappPermissionsViolations.add( - pkg.getPackageName() + " (" + pkg.getCodePath() + "): " + perm); + } else { + return false; } - } else { - return false; } } if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) { |
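Review bot: In the new inner condition, the result of `apexMgr.getPackageInfo(apexContainingPkg, MATCH_ACTIVE_PACKAGE)` goes straight into `apexMgr.isFactory(...)` with no null check. If that lookup can return null (it looks nullable, but confirm against ApexManager), this path would throw during boot-time permission granting. Resolving it into a local first, `PackageInfo apexInfo = apexMgr.getPackageInfo(apexContainingPkg, MATCH_ACTIVE_PACKAGE);`, and testing `apexContainingPkg == null || apexInfo == null || apexMgr.isFactory(apexInfo)` would fail closed, so an unresolvable APEX still gets the allowlist check instead of skipping it. It would also help to add a comment at the inner `if` stating that packages inside an updated APEX skip both the violation record and the deny-list `return false`, and fall through to the `CONTROL_PRIVAPP_PERMISSIONS_ENFORCE` check that begins on the hunk's last line. The enclosing method starts and ends outside the hunk, so what that fall-through finally returns is not visible here.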