-rw-r--r--core/java/android/app/AppOpsManager.java23
-rw-r--r--services/core/java/com/android/server/appop/AppOpsService.java28
2 files changed, 33 insertions, 18 deletions
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index d932a29beca6..fc89e1395073 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -2463,8 +2463,8 @@ public class AppOpsManager {
* restriction} for a certain app-op.
*/
private static RestrictionBypass[] sOpAllowSystemRestrictionBypass = new RestrictionBypass[] {
- new RestrictionBypass(true, false), //COARSE_LOCATION
- new RestrictionBypass(true, false), //FINE_LOCATION
+ new RestrictionBypass(true, false, false), //COARSE_LOCATION
+ new RestrictionBypass(true, false, false), //FINE_LOCATION
null, //GPS
null, //VIBRATE
null, //READ_CONTACTS
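Review bot: The three positional booleans in these table entries can only be read by remembering the constructor's parameter order, and this commit changes what the first position means: `(true, false)` used to set isPrivileged, while `(true, false, false)` now sets isSystemUid. Because this table decides which callers may bypass a user restriction, label the arguments at each entry, e.g. `new RestrictionBypass(/* isSystemUid */ true, /* isPrivileged */ false, /* isRecordAudioRestrictionExcept */ false), //COARSE_LOCATION`. The same applies to the WIFI_SCAN, SYSTEM_ALERT_WINDOW, RECORD_AUDIO, TOAST_WINDOW and BLUETOOTH_SCAN entries in the following hunks. The array initializer starts and ends outside this hunk.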
@@ -2473,7 +2473,7 @@ public class AppOpsManager {
null, //WRITE_CALL_LOG
null, //READ_CALENDAR
null, //WRITE_CALENDAR
- new RestrictionBypass(true, false), //WIFI_SCAN
+ new RestrictionBypass(false, true, false), //WIFI_SCAN
null, //POST_NOTIFICATION
null, //NEIGHBORING_CELLS
null, //CALL_PHONE
@@ -2487,10 +2487,10 @@ public class AppOpsManager {
null, //READ_ICC_SMS
null, //WRITE_ICC_SMS
null, //WRITE_SETTINGS
- new RestrictionBypass(true, false), //SYSTEM_ALERT_WINDOW
+ new RestrictionBypass(false, true, false), //SYSTEM_ALERT_WINDOW
null, //ACCESS_NOTIFICATIONS
null, //CAMERA
- new RestrictionBypass(false, true), //RECORD_AUDIO
+ new RestrictionBypass(false, false, true), //RECORD_AUDIO
null, //PLAY_AUDIO
null, //READ_CLIPBOARD
null, //WRITE_CLIPBOARD
@@ -2508,7 +2508,7 @@ public class AppOpsManager {
null, //MONITOR_HIGH_POWER_LOCATION
null, //GET_USAGE_STATS
null, //MUTE_MICROPHONE
- new RestrictionBypass(true, false), //TOAST_WINDOW
+ new RestrictionBypass(false, true, false), //TOAST_WINDOW
null, //PROJECT_MEDIA
null, //ACTIVATE_VPN
null, //WALLPAPER
@@ -2540,7 +2540,7 @@ public class AppOpsManager {
null, // ACCEPT_HANDOVER
null, // MANAGE_IPSEC_HANDOVERS
null, // START_FOREGROUND
- new RestrictionBypass(true, false), // BLUETOOTH_SCAN
+ new RestrictionBypass(false, true, false), // BLUETOOTH_SCAN
null, // USE_BIOMETRIC
null, // ACTIVITY_RECOGNITION
null, // SMS_FINANCIAL_TRANSACTIONS
@@ -3105,6 +3105,9 @@ public class AppOpsManager {
* @hide
*/
public static class RestrictionBypass {
+ /** Does the app need to be system uid to bypass the restriction */
+ public boolean isSystemUid;
+
/** Does the app need to be privileged to bypass the restriction */
public boolean isPrivileged;
@@ -3114,12 +3117,14 @@ public class AppOpsManager {
*/
public boolean isRecordAudioRestrictionExcept;
- public RestrictionBypass(boolean isPrivileged, boolean isRecordAudioRestrictionExcept) {
+ public RestrictionBypass(boolean isSystemUid, boolean isPrivileged,
+ boolean isRecordAudioRestrictionExcept) {
+ this.isSystemUid = isSystemUid;
this.isPrivileged = isPrivileged;
this.isRecordAudioRestrictionExcept = isRecordAudioRestrictionExcept;
}
- public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(true, true);
+ public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(false, true, true);
}
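Review bot: `UNRESTRICTED` is built with isSystemUid set to false, so a caller holding it no longer passes the bypass check for COARSE_LOCATION and FINE_LOCATION, whose table entries now set only isSystemUid. Before this change `(true, true)` matched those entries. If the narrowing is intended, state it on the constant, for example `// Not system uid: does not bypass ops whose entry requires isSystemUid (location).`; if it is not, the first argument should be `true`. The constant is also a non-final public static, so declaring it `public static final RestrictionBypass UNRESTRICTED` would stop the reference being reassigned. The class declaration starts in the previous hunk.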
/**
diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java
index 6d29c379d1b1..3808e0c93a38 100644
--- a/services/core/java/com/android/server/appop/AppOpsService.java
+++ b/services/core/java/com/android/server/appop/AppOpsService.java
@@ -3242,7 +3242,7 @@ public class AppOpsService extends IAppOpsService.Stub {
return AppOpsManager.MODE_IGNORED;
}
synchronized (this) {
- if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {
+ if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, true)) {
return AppOpsManager.MODE_IGNORED;
}
code = AppOpsManager.opToSwitch(code);
@@ -3459,7 +3459,7 @@ public class AppOpsService extends IAppOpsService.Stub {
final int switchCode = AppOpsManager.opToSwitch(code);
final UidState uidState = ops.uidState;
- if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) {
+ if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, false)) {
attributedOp.rejected(uidState.state, flags);
scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,
AppOpsManager.MODE_IGNORED);
@@ -3973,7 +3973,8 @@ public class AppOpsService extends IAppOpsService.Stub {
final Op op = getOpLocked(ops, code, uid, true);
final AttributedOp attributedOp = op.getOrCreateAttribution(op, attributionTag);
final UidState uidState = ops.uidState;
- isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass);
+ isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass,
+ false);
final int switchCode = AppOpsManager.opToSwitch(code);
// If there is a non-default per UID policy (we set UID op mode only if
// non-default) it takes over, otherwise use the per package policy.
@@ -4502,8 +4503,9 @@ public class AppOpsService extends IAppOpsService.Stub {
* @return The restriction matching the package
*/
private RestrictionBypass getBypassforPackage(@NonNull AndroidPackage pkg) {
- return new RestrictionBypass(pkg.isPrivileged(), mContext.checkPermission(
- android.Manifest.permission.EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid())
+ return new RestrictionBypass(pkg.getUid() == Process.SYSTEM_UID, pkg.isPrivileged(),
+ mContext.checkPermission(android.Manifest.permission
+ .EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid())
== PackageManager.PERMISSION_GRANTED);
}
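Review bot: The new first argument grants the system-uid bypass on uid equality alone, so every package that runs under the shared system uid receives it, not only the core framework package. That widens who can bypass the location restrictions marked isSystemUid in the AppOpsManager table, and a comment should record that it is deliberate, e.g. `// Keyed on uid: any package sharing Process.SYSTEM_UID gets the system bypass.` If `pkg.getUid()` can ever include a per-user offset (not visible here), the comparison would miss secondary users. Comparing `UserHandle.getAppId(pkg.getUid())` with `Process.SYSTEM_UID` would cover that case. The method's Javadoc begins outside the hunk.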
@@ -4763,7 +4765,7 @@ public class AppOpsService extends IAppOpsService.Stub {
}
private boolean isOpRestrictedLocked(int uid, int code, String packageName,
- String attributionTag, @Nullable RestrictionBypass appBypass) {
+ String attributionTag, @Nullable RestrictionBypass appBypass, boolean isCheckOp) {
int restrictionSetCount = mOpGlobalRestrictions.size();
for (int i = 0; i < restrictionSetCount; i++) {
@@ -4780,11 +4782,15 @@ public class AppOpsService extends IAppOpsService.Stub {
// For each client, check that the given op is not restricted, or that the given
// package is exempt from the restriction.
ClientUserRestrictionState restrictionState = mOpUserRestrictions.valueAt(i);
- if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle)) {
+ if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle,
+ isCheckOp)) {
RestrictionBypass opBypass = opAllowSystemBypassRestriction(code);
if (opBypass != null) {
// If we are the system, bypass user restrictions for certain codes
synchronized (this) {
+ if (opBypass.isSystemUid && appBypass != null && appBypass.isSystemUid) {
+ return false;
+ }
if (opBypass.isPrivileged && appBypass != null && appBypass.isPrivileged) {
return false;
}
@@ -7137,7 +7143,7 @@ public class AppOpsService extends IAppOpsService.Stub {
}
public boolean hasRestriction(int restriction, String packageName, String attributionTag,
- int userId) {
+ int userId, boolean isCheckOp) {
if (perUserRestrictions == null) {
return false;
}
@@ -7156,6 +7162,9 @@ public class AppOpsService extends IAppOpsService.Stub {
return true;
}
+ if (isCheckOp) {
+ return !perUserExclusions.includes(packageName);
+ }
return !perUserExclusions.contains(packageName, attributionTag);
}
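Review bot: With isCheckOp true the attribution tag is ignored, so the check path reports a package as unrestricted when any of its tags is excluded, while the note and start paths (which pass `false`) still match the exact tag. A caller that gates on the check result alone can therefore see the op as allowed for a tag that a later note would reject. The branch needs a why-comment such as `// Check path ignores the tag: a package with any excluded tag counts as excluded; note/start still match the exact tag.` The isCheckOp parameter also deserves a line in the Javadoc of both hasRestriction and isOpRestrictedLocked. The start of hasRestriction is in the previous hunk, and the lines between the two hunks are not shown, so whether perUserExclusions is null-checked before this branch cannot be confirmed from here.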
@@ -7322,7 +7331,8 @@ public class AppOpsService extends IAppOpsService.Stub {
int numRestrictions = mOpUserRestrictions.size();
for (int i = 0; i < numRestrictions; i++) {
if (mOpUserRestrictions.valueAt(i)
- .hasRestriction(code, pkg, attributionTag, user.getIdentifier())) {
+ .hasRestriction(code, pkg, attributionTag, user.getIdentifier(),
+ false)) {
number++;
}
}