-rw-r--r--core/java/android/permission/flags.aconfig15
-rw-r--r--services/core/java/com/android/server/SystemConfig.java8
-rw-r--r--services/core/java/com/android/server/pm/PackageManagerShellCommand.java5
-rw-r--r--services/core/java/com/android/server/pm/permission/PermissionAllowlist.java18
-rw-r--r--services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt9
5 files changed, 48 insertions, 7 deletions
diff --git a/core/java/android/permission/flags.aconfig b/core/java/android/permission/flags.aconfig
index 34fb963924ae..e029e520f1b1 100644
--- a/core/java/android/permission/flags.aconfig
+++ b/core/java/android/permission/flags.aconfig
@@ -193,7 +193,7 @@ flag {
namespace: "permissions"
description: "Enable getDeviceId API in OpEventProxyInfo"
bug: "337340961"
- }
+}
flag {
name: "device_aware_app_op_new_schema_enabled"
@@ -201,4 +201,15 @@ flag {
namespace: "permissions"
description: "Persist device attributed AppOp accesses on the disk"
bug: "308201969"
-} \ No newline at end of file
+}
+
+flag {
+ name: "apex_signature_permission_allowlist_enabled"
+ is_fixed_read_only: true
+ namespace: "permissions"
+ description: "Enable reading signature permission allowlist from APEXes"
+ bug: "308573169"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
diff --git a/services/core/java/com/android/server/SystemConfig.java b/services/core/java/com/android/server/SystemConfig.java
index 6285015d02dc..44aea15b2bde 100644
--- a/services/core/java/com/android/server/SystemConfig.java
+++ b/services/core/java/com/android/server/SystemConfig.java
@@ -720,6 +720,9 @@ public class SystemConfig {
}
// Read configuration of features, libs and priv-app permissions from apex module.
int apexPermissionFlag = ALLOW_LIBS | ALLOW_FEATURES | ALLOW_PRIVAPP_PERMISSIONS;
+ if (android.permission.flags.Flags.apexSignaturePermissionAllowlistEnabled()) {
+ apexPermissionFlag |= ALLOW_SIGNATURE_PERMISSIONS;
+ }
// TODO: Use a solid way to filter apex module folders?
for (File f: FileUtils.listFilesOrEmpty(Environment.getApexDirectory())) {
if (f.isFile() || f.getPath().contains("@")) {
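Review bot: The comment above `apexPermissionFlag` still names only features, libs and priv-app permissions, although the added block can now also set `ALLOW_SIGNATURE_PERMISSIONS`. Update it to something like `// Read features, libs, priv-app permissions and, when apex_signature_permission_allowlist_enabled is set, signature permission allowlists from apex modules.` The loop below still selects APEX directories with the `contains("@")` heuristic that the TODO flags as not solid, and that filter now also decides which directories may contribute signature permission entries, so the TODO deserves a tracking bug. The enclosing method starts and ends outside the hunk.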
@@ -1322,6 +1325,8 @@ public class SystemConfig {
Environment.getProductDirectory().toPath() + "/");
boolean systemExt = permFile.toPath().startsWith(
Environment.getSystemExtDirectory().toPath() + "/");
+ boolean apex = permFile.toPath().startsWith(
+ Environment.getApexDirectory().toPath() + "/");
if (vendor) {
readSignatureAppPermissions(parser,
mPermissionAllowlist.getVendorSignatureAppAllowlist());
@@ -1331,6 +1336,9 @@ public class SystemConfig {
} else if (systemExt) {
readSignatureAppPermissions(parser,
mPermissionAllowlist.getSystemExtSignatureAppAllowlist());
+ } else if (apex) {
+ readSignatureAppPermissions(parser,
+ mPermissionAllowlist.getApexSignatureAppAllowlist());
} else {
readSignatureAppPermissions(parser,
mPermissionAllowlist.getSignatureAppAllowlist());
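Review bot: Every file classified as `apex` feeds the single map returned by `getApexSignatureAppAllowlist()`, so as far as these hunks show, an allowlist file shipped in one APEX can carry entries for a package that belongs to a different APEX or partition. `readSignatureAppPermissions` is outside the hunk and may already constrain this; if it does not, consider recording which module supplied the file and checking it when the entry is consulted. At minimum the `else if (apex)` branch should state the assumption, e.g. `// Entries are not bound to the supplying APEX; every mounted APEX is trusted to allowlist any package.` The `apex` boolean is computed in the preceding hunk, and the enclosing method extends beyond both.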
diff --git a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
index 0410764e8594..a8766163297b 100644
--- a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
+++ b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
@@ -2946,6 +2946,9 @@ class PackageManagerShellCommand extends ShellCommand {
case "system-ext":
allowlist = permissionAllowlist.getSystemExtSignatureAppAllowlist();
break;
+ case "apex":
+ allowlist = permissionAllowlist.getApexSignatureAppAllowlist();
+ break;
default:
getErrPrintWriter().println("Error: unknown partition: " + partition);
return 1;
@@ -4923,7 +4926,7 @@ class PackageManagerShellCommand extends ShellCommand {
pw.println("");
pw.println(" get-signature-permission-allowlist PARTITION");
pw.println(" Prints the signature permission allowlist for a partition.");
- pw.println(" PARTITION is one of system, vendor, product and system-ext");
+ pw.println(" PARTITION is one of system, vendor, product, system-ext and apex");
pw.println("");
pw.println(" get-shared-uid-allowlist");
pw.println(" Prints the shared UID allowlist.");
diff --git a/services/core/java/com/android/server/pm/permission/PermissionAllowlist.java b/services/core/java/com/android/server/pm/permission/PermissionAllowlist.java
index d138606369b9..6b99cbb2cba9 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionAllowlist.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionAllowlist.java
@@ -55,6 +55,9 @@ public final class PermissionAllowlist {
@NonNull
private final ArrayMap<String, ArrayMap<String, Boolean>> mSystemExtSignatureAppAllowlist =
new ArrayMap<>();
+ @NonNull
+ private final ArrayMap<String, ArrayMap<String, Boolean>> mApexSignatureAppAllowlist =
+ new ArrayMap<>();
@NonNull
public ArrayMap<String, ArrayMap<String, Boolean>> getOemAppAllowlist() {
@@ -107,6 +110,11 @@ public final class PermissionAllowlist {
return mSystemExtSignatureAppAllowlist;
}
+ @NonNull
+ public ArrayMap<String, ArrayMap<String, Boolean>> getApexSignatureAppAllowlist() {
+ return mApexSignatureAppAllowlist;
+ }
+
@Nullable
public Boolean getOemAppAllowlistState(@NonNull String packageName,
@NonNull String permissionName) {
@@ -211,4 +219,14 @@ public final class PermissionAllowlist {
}
return permissions.get(permissionName);
}
+
+ @Nullable
+ public Boolean getApexSignatureAppAllowlistState(@NonNull String packageName,
+ @NonNull String permissionName) {
+ ArrayMap<String, Boolean> permissions = mApexSignatureAppAllowlist.get(packageName);
+ if (permissions == null) {
+ return null;
+ }
+ return permissions.get(permissionName);
+ }
}
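Review bot: `getApexSignatureAppAllowlistState` has no Javadoc, and its `null` result is ambiguous: it is returned both when the package has no APEX entry and when the package is listed without this permission. A short Javadoc should say that `null` means "no entry" and that a non-null `Boolean` is the state read from the allowlist file (presumably explicit allow or deny), because the Kotlin caller in this commit uses `?:` to fall through to other allowlists only on `null`. The getter `getApexSignatureAppAllowlist()` added earlier in this file should likewise document that it returns the backing map itself, not a copy.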
diff --git a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
index d3072000a56e..bb0838db97b5 100644
--- a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
@@ -1277,10 +1277,11 @@ class AppIdPermissionPolicy : SchemePolicy() {
permissionName
)
else ->
- permissionAllowlist.getProductSignatureAppAllowlistState(
- packageName,
- permissionName
- )
+ permissionAllowlist.getApexSignatureAppAllowlistState(packageName, permissionName)
+ ?: permissionAllowlist.getProductSignatureAppAllowlistState(
+ packageName,
+ permissionName
+ )
?: permissionAllowlist.getVendorSignatureAppAllowlistState(
packageName,
permissionName
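Review bot: In this `else` branch the APEX lookup now runs before the product and vendor lookups. Because the chain uses `?:`, any non-null APEX entry, including an explicit `false`, decides the result for a package that this branch would otherwise resolve from the product or vendor allowlist. The branch conditions start above the hunk, so it is not visible whether APEX-delivered packages can be told apart here; if they can, a dedicated branch would keep an APEX-supplied file from shadowing the partition allowlists. Otherwise add a comment above the chain stating the intended precedence, e.g. `// APEX entries take precedence over product/vendor; only a missing (null) entry falls through.`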