-rw-r--r--services/permission/java/com/android/server/permission/access/AccessCheckingService.kt102
-rw-r--r--services/permission/java/com/android/server/permission/access/AccessPolicy.kt13
-rw-r--r--services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt30
3 files changed, 43 insertions, 102 deletions
diff --git a/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt b/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
index 93530cf5b0a9..acaec211440d 100644
--- a/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
@@ -16,7 +16,6 @@
package com.android.server.permission.access
-import android.app.admin.DevicePolicyManagerInternal
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.PackageManagerInternal
@@ -75,7 +74,7 @@ class AccessCheckingService(context: Context) : SystemService(context) {
val userIds = MutableIntSet(userManagerService.userIdsIncludingPreCreated)
val (packageStates, disabledSystemPackageStates) = packageManagerLocal.allPackageStates
- val knownPackages = packageManagerInternal.getKnownPackages(packageStates)
+ val knownPackages = packageManagerInternal.knownPackages
val isLeanback = systemConfig.isLeanback
val configPermissions = systemConfig.permissions
val privilegedPermissionAllowlistPackages =
@@ -152,7 +151,7 @@ class AccessCheckingService(context: Context) : SystemService(context) {
isSystemUpdated: Boolean
) {
val (packageStates, disabledSystemPackageStates) = packageManagerLocal.allPackageStates
- val knownPackages = packageManagerInternal.getKnownPackages(packageStates)
+ val knownPackages = packageManagerInternal.knownPackages
mutateState {
with(policy) {
onStorageVolumeMounted(
@@ -169,7 +168,7 @@ class AccessCheckingService(context: Context) : SystemService(context) {
internal fun onPackageAdded(packageName: String) {
val (packageStates, disabledSystemPackageStates) = packageManagerLocal.allPackageStates
- val knownPackages = packageManagerInternal.getKnownPackages(packageStates)
+ val knownPackages = packageManagerInternal.knownPackages
mutateState {
with(policy) {
onPackageAdded(
@@ -184,7 +183,7 @@ class AccessCheckingService(context: Context) : SystemService(context) {
internal fun onPackageRemoved(packageName: String, appId: Int) {
val (packageStates, disabledSystemPackageStates) = packageManagerLocal.allPackageStates
- val knownPackages = packageManagerInternal.getKnownPackages(packageStates)
+ val knownPackages = packageManagerInternal.knownPackages
mutateState {
with(policy) {
onPackageRemoved(
@@ -200,7 +199,7 @@ class AccessCheckingService(context: Context) : SystemService(context) {
internal fun onPackageInstalled(packageName: String, userId: Int) {
val (packageStates, disabledSystemPackageStates) = packageManagerLocal.allPackageStates
- val knownPackages = packageManagerInternal.getKnownPackages(packageStates)
+ val knownPackages = packageManagerInternal.knownPackages
mutateState {
with(policy) {
onPackageInstalled(
@@ -216,7 +215,7 @@ class AccessCheckingService(context: Context) : SystemService(context) {
internal fun onPackageUninstalled(packageName: String, appId: Int, userId: Int) {
val (packageStates, disabledSystemPackageStates) = packageManagerLocal.allPackageStates
- val knownPackages = packageManagerInternal.getKnownPackages(packageStates)
+ val knownPackages = packageManagerInternal.knownPackages
mutateState {
with(policy) {
onPackageUninstalled(
@@ -232,69 +231,50 @@ class AccessCheckingService(context: Context) : SystemService(context) {
}
internal fun onSystemReady() {
- val (packageStates, disabledSystemPackageStates) = packageManagerLocal.allPackageStates
- val knownPackages = packageManagerInternal.getKnownPackages(packageStates)
- mutateState {
- with(policy) {
- onSystemReady(packageStates, disabledSystemPackageStates, knownPackages)
- }
- }
+ mutateState { with(policy) { onSystemReady() } }
}
private val PackageManagerLocal.allPackageStates:
Pair<Map<String, PackageState>, Map<String, PackageState>>
get() = withUnfilteredSnapshot().use { it.packageStates to it.disabledSystemPackageStates }
- private fun PackageManagerInternal.getKnownPackages(
- packageStates: Map<String, PackageState>
- ): IntMap<Array<String>> =
- MutableIntMap<Array<String>>().apply {
- this[KnownPackages.PACKAGE_INSTALLER] =
- getKnownPackageNames(KnownPackages.PACKAGE_INSTALLER, UserHandle.USER_SYSTEM)
- this[KnownPackages.PACKAGE_PERMISSION_CONTROLLER] =
- getKnownPackageNames(
- KnownPackages.PACKAGE_PERMISSION_CONTROLLER,
- UserHandle.USER_SYSTEM
+ private val PackageManagerInternal.knownPackages: IntMap<Array<String>>
+ get() =
+ MutableIntMap<Array<String>>().apply {
+ this[KnownPackages.PACKAGE_INSTALLER] = getKnownPackageNames(
+ KnownPackages.PACKAGE_INSTALLER, UserHandle.USER_SYSTEM
)
- this[KnownPackages.PACKAGE_VERIFIER] =
- getKnownPackageNames(KnownPackages.PACKAGE_VERIFIER, UserHandle.USER_SYSTEM)
- this[KnownPackages.PACKAGE_SETUP_WIZARD] =
- getKnownPackageNames(KnownPackages.PACKAGE_SETUP_WIZARD, UserHandle.USER_SYSTEM)
- this[KnownPackages.PACKAGE_SYSTEM_TEXT_CLASSIFIER] =
- getKnownPackageNames(
- KnownPackages.PACKAGE_SYSTEM_TEXT_CLASSIFIER,
- UserHandle.USER_SYSTEM
+ this[KnownPackages.PACKAGE_PERMISSION_CONTROLLER] = getKnownPackageNames(
+ KnownPackages.PACKAGE_PERMISSION_CONTROLLER, UserHandle.USER_SYSTEM
)
- this[KnownPackages.PACKAGE_CONFIGURATOR] =
- getKnownPackageNames(KnownPackages.PACKAGE_CONFIGURATOR, UserHandle.USER_SYSTEM)
- this[KnownPackages.PACKAGE_INCIDENT_REPORT_APPROVER] =
- getKnownPackageNames(
- KnownPackages.PACKAGE_INCIDENT_REPORT_APPROVER,
- UserHandle.USER_SYSTEM
+ this[KnownPackages.PACKAGE_VERIFIER] = getKnownPackageNames(
+ KnownPackages.PACKAGE_VERIFIER, UserHandle.USER_SYSTEM
)
- this[KnownPackages.PACKAGE_APP_PREDICTOR] =
- getKnownPackageNames(KnownPackages.PACKAGE_APP_PREDICTOR, UserHandle.USER_SYSTEM)
- this[KnownPackages.PACKAGE_COMPANION] =
- getKnownPackageNames(KnownPackages.PACKAGE_COMPANION, UserHandle.USER_SYSTEM)
- this[KnownPackages.PACKAGE_RETAIL_DEMO] =
- getKnownPackageNames(KnownPackages.PACKAGE_RETAIL_DEMO, UserHandle.USER_SYSTEM)
- .filter { isProfileOwner(it, packageStates) }
- .toTypedArray()
- this[KnownPackages.PACKAGE_RECENTS] =
- getKnownPackageNames(KnownPackages.PACKAGE_RECENTS, UserHandle.USER_SYSTEM)
- }
-
- private fun isProfileOwner(
- packageName: String,
- packageStates: Map<String, PackageState>
- ): Boolean {
- val appId = packageStates[packageName]?.appId ?: return false
- val devicePolicyManagerInternal =
- LocalServices.getService(DevicePolicyManagerInternal::class.java) ?: return false
- // TODO(b/169395065): Figure out if this flow makes sense in Device Owner mode.
- return devicePolicyManagerInternal.isActiveProfileOwner(appId) ||
- devicePolicyManagerInternal.isActiveDeviceOwner(appId)
- }
+ this[KnownPackages.PACKAGE_SETUP_WIZARD] = getKnownPackageNames(
+ KnownPackages.PACKAGE_SETUP_WIZARD, UserHandle.USER_SYSTEM
+ )
+ this[KnownPackages.PACKAGE_SYSTEM_TEXT_CLASSIFIER] = getKnownPackageNames(
+ KnownPackages.PACKAGE_SYSTEM_TEXT_CLASSIFIER, UserHandle.USER_SYSTEM
+ )
+ this[KnownPackages.PACKAGE_CONFIGURATOR] = getKnownPackageNames(
+ KnownPackages.PACKAGE_CONFIGURATOR, UserHandle.USER_SYSTEM
+ )
+ this[KnownPackages.PACKAGE_INCIDENT_REPORT_APPROVER] = getKnownPackageNames(
+ KnownPackages.PACKAGE_INCIDENT_REPORT_APPROVER, UserHandle.USER_SYSTEM
+ )
+ this[KnownPackages.PACKAGE_APP_PREDICTOR] = getKnownPackageNames(
+ KnownPackages.PACKAGE_APP_PREDICTOR, UserHandle.USER_SYSTEM
+ )
+ this[KnownPackages.PACKAGE_COMPANION] = getKnownPackageNames(
+ KnownPackages.PACKAGE_COMPANION, UserHandle.USER_SYSTEM
+ )
+ this[KnownPackages.PACKAGE_RETAIL_DEMO] = getKnownPackageNames(
+ KnownPackages.PACKAGE_RETAIL_DEMO, UserHandle.USER_SYSTEM
+ )
+ this[KnownPackages.PACKAGE_RECENTS] = getKnownPackageNames(
+ KnownPackages.PACKAGE_RECENTS, UserHandle.USER_SYSTEM
+ )
+ }
@OptIn(ExperimentalContracts::class)
internal inline fun <T> getState(action: GetStateScope.() -> T): T {
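Review bot: The `KnownPackages.PACKAGE_RETAIL_DEMO` entry in the new `knownPackages` getter is filled directly from `getKnownPackageNames(...)`, so it no longer carries the active profile-owner/device-owner restriction that the removed `isProfileOwner` filter applied. The same commit deletes the `permission.isRetailDemo` branch in AppIdPermissionPolicy.kt, so this entry may have no reader left; if that is the case, drop the assignment from the map. If something still reads it, add a comment above it such as `// Not filtered by profile/device owner; membership alone must not be used to grant a permission.` so a later check does not treat presence in this list as proof of ownership. The enclosing class begins before this hunk and `getState` continues past its last line.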
diff --git a/services/permission/java/com/android/server/permission/access/AccessPolicy.kt b/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
index 754f77ec38f9..29fe95c1e252 100644
--- a/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
@@ -262,17 +262,8 @@ private constructor(
forEachSchemePolicy { with(it) { onPackageUninstalled(packageName, appId, userId) } }
}
- fun MutateStateScope.onSystemReady(
- packageStates: Map<String, PackageState>,
- disabledSystemPackageStates: Map<String, PackageState>,
- knownPackages: IntMap<Array<String>>
- ) {
- newState.mutateExternalState().apply {
- setPackageStates(packageStates)
- setDisabledSystemPackageStates(disabledSystemPackageStates)
- setKnownPackages(knownPackages)
- setSystemReady(true)
- }
+ fun MutateStateScope.onSystemReady() {
+ newState.mutateExternalState().setSystemReady(true)
forEachSchemePolicy { with(it) { onSystemReady() } }
}
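Review bot: `MutateStateScope.onSystemReady()` now sets only the system-ready flag and no longer writes `packageStates`, `disabledSystemPackageStates` or `knownPackages` into the external state, and nothing in the new code documents that contract. Scheme policies that run in `forEachSchemePolicy { ... onSystemReady() }` will therefore see whatever snapshot an earlier callback stored, which is presumably intended but is not visible from this hunk. A short KDoc would make that explicit, for example `/** Marks external state as system-ready; package and known-package snapshots are left as set by earlier callbacks. */`. The enclosing class starts outside the hunk.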
diff --git a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
index 08ba75397a09..010604f9aaaa 100644
--- a/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/AppIdPermissionPolicy.kt
@@ -1448,15 +1448,6 @@ class AppIdPermissionPolicy : SchemePolicy() {
// Special permissions for the system companion device manager.
return true
}
- if (
- permission.isRetailDemo &&
- packageName in knownPackages[KnownPackages.PACKAGE_RETAIL_DEMO]!!
- ) {
- // Special permission granted only to the OEM specified retail demo app.
- // Note that the original code was passing app ID as UID, so this behavior is kept
- // unchanged.
- return true
- }
if (permission.isRecents && packageName in knownPackages[KnownPackages.PACKAGE_RECENTS]!!) {
// Special permission for the recents app.
return true
@@ -1511,27 +1502,6 @@ class AppIdPermissionPolicy : SchemePolicy() {
}
override fun MutateStateScope.onSystemReady() {
- // HACK: PACKAGE_USAGE_STATS is the only permission with the retailDemo protection flag,
- // and we have to wait until DevicePolicyManagerService is started to know whether the
- // retail demo package is a profile owner so that it can have the permission.
- // Since there's no simple callback for profile owner change, and we are deprecating and
- // removing the retailDemo protection flag in favor of a proper role soon, we can just
- // re-evaluate the permission here, which is also how the old implementation has been
- // working.
- // TODO: Partially revert ag/22690114 once we can remove support for the retailDemo
- // protection flag.
- val externalState = newState.externalState
- for (packageName in externalState.knownPackages[KnownPackages.PACKAGE_RETAIL_DEMO]!!) {
- val appId = externalState.packageStates[packageName]?.appId ?: continue
- newState.userStates.forEachIndexed { _, userId, _ ->
- evaluatePermissionState(
- appId,
- userId,
- Manifest.permission.PACKAGE_USAGE_STATS,
- null
- )
- }
- }
if (!privilegedPermissionAllowlistViolations.isEmpty()) {
throw IllegalStateException(
"Signature|privileged permissions not in privileged" +