diff options
21 files changed, 570 insertions, 258 deletions
diff --git a/core/api/system-current.txt b/core/api/system-current.txt index cb699dd4176c..f30c8cf15dc1 100644 --- a/core/api/system-current.txt +++ b/core/api/system-current.txt @@ -11300,6 +11300,7 @@ package android.permission { public final class PermissionManager { method public int checkDeviceIdentifierAccess(@Nullable String, @Nullable String, @Nullable String, int, int); + method @FlaggedApi("android.permission.flags.device_aware_permission_apis_enabled") public static int checkPermission(@NonNull String, @NonNull String, @NonNull String, int); method @RequiresPermission(value=android.Manifest.permission.UPDATE_APP_OPS_STATS, conditional=true) public int checkPermissionForDataDelivery(@NonNull String, @NonNull android.content.AttributionSource, @Nullable String); method @RequiresPermission(value=android.Manifest.permission.UPDATE_APP_OPS_STATS, conditional=true) public int checkPermissionForDataDeliveryFromDataSource(@NonNull String, @NonNull android.content.AttributionSource, @Nullable String); method public int checkPermissionForPreflight(@NonNull String, @NonNull android.content.AttributionSource); @@ -11307,12 +11308,16 @@ package android.permission { method public void finishDataDelivery(@NonNull String, @NonNull android.content.AttributionSource); method @NonNull @RequiresPermission(android.Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY) public java.util.Set<java.lang.String> getAutoRevokeExemptionGrantedPackages(); method @NonNull @RequiresPermission(android.Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY) public java.util.Set<java.lang.String> getAutoRevokeExemptionRequestedPackages(); + method @FlaggedApi("android.permission.flags.device_aware_permission_apis_enabled") @RequiresPermission(anyOf={android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS, android.Manifest.permission.REVOKE_RUNTIME_PERMISSIONS, android.Manifest.permission.GET_RUNTIME_PERMISSIONS}) public int getPermissionFlags(@NonNull String, @NonNull String, @NonNull String); method @IntRange(from=0) @RequiresPermission(anyOf={android.Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY, android.Manifest.permission.UPGRADE_RUNTIME_PERMISSIONS}) public int getRuntimePermissionsVersion(); method @NonNull public java.util.List<android.permission.PermissionManager.SplitPermissionInfo> getSplitPermissions(); + method @FlaggedApi("android.permission.flags.device_aware_permission_apis_enabled") @RequiresPermission(android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS) public void grantRuntimePermission(@NonNull String, @NonNull String, @NonNull String); + method @FlaggedApi("android.permission.flags.device_aware_permission_apis_enabled") @RequiresPermission(android.Manifest.permission.REVOKE_RUNTIME_PERMISSIONS) public void revokeRuntimePermission(@NonNull String, @NonNull String, @NonNull String, @Nullable String); method @RequiresPermission(anyOf={android.Manifest.permission.ADJUST_RUNTIME_PERMISSIONS_POLICY, android.Manifest.permission.UPGRADE_RUNTIME_PERMISSIONS}) public void setRuntimePermissionsVersion(@IntRange(from=0) int); method @Deprecated @RequiresPermission(android.Manifest.permission.MANAGE_ONE_TIME_PERMISSION_SESSIONS) public void startOneTimePermissionSession(@NonNull String, long, int, int); method @RequiresPermission(android.Manifest.permission.MANAGE_ONE_TIME_PERMISSION_SESSIONS) public void startOneTimePermissionSession(@NonNull String, long, long, int, int); method @RequiresPermission(android.Manifest.permission.MANAGE_ONE_TIME_PERMISSION_SESSIONS) public void stopOneTimePermissionSession(@NonNull String); + method @FlaggedApi("android.permission.flags.device_aware_permission_apis_enabled") @RequiresPermission(anyOf={android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS, android.Manifest.permission.REVOKE_RUNTIME_PERMISSIONS}) public void updatePermissionFlags(@NonNull String, @NonNull String, @NonNull String, int, int); field @RequiresPermission(android.Manifest.permission.START_REVIEW_PERMISSION_DECISIONS) public static final String ACTION_REVIEW_PERMISSION_DECISIONS = "android.permission.action.REVIEW_PERMISSION_DECISIONS"; field public static final String EXTRA_PERMISSION_USAGES = "android.permission.extra.PERMISSION_USAGES"; field public static final int PERMISSION_GRANTED = 0; // 0x0 diff --git a/core/java/android/app/ApplicationPackageManager.java b/core/java/android/app/ApplicationPackageManager.java index d8aded40df7b..3ec39b5145a7 100644 --- a/core/java/android/app/ApplicationPackageManager.java +++ b/core/java/android/app/ApplicationPackageManager.java @@ -836,7 +836,7 @@ public class ApplicationPackageManager extends PackageManager { @Override public int checkPermission(String permName, String pkgName) { - return PermissionManager.checkPackageNamePermission(permName, pkgName, + return getPermissionManager().checkPackageNamePermission(permName, pkgName, mContext.getDeviceId(), getUserId()); } diff --git a/core/java/android/app/UiAutomationConnection.java b/core/java/android/app/UiAutomationConnection.java index ce1d43d10c34..33e260f352aa 100644 --- a/core/java/android/app/UiAutomationConnection.java +++ b/core/java/android/app/UiAutomationConnection.java @@ -23,6 +23,7 @@ import android.accessibilityservice.IAccessibilityServiceClient; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.UserIdInt; +import android.companion.virtual.VirtualDeviceManager; import android.compat.annotation.UnsupportedAppUsage; import android.content.Context; import android.graphics.Rect; @@ -363,7 +364,7 @@ public final class UiAutomationConnection extends IUiAutomationConnection.Stub { final long identity = Binder.clearCallingIdentity(); try { mPermissionManager.grantRuntimePermission(packageName, permission, - Context.DEVICE_ID_DEFAULT, userId); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); } finally { Binder.restoreCallingIdentity(identity); } @@ -383,7 +384,7 @@ public final class UiAutomationConnection extends IUiAutomationConnection.Stub { final long identity = Binder.clearCallingIdentity(); try { mPermissionManager.revokeRuntimePermission(packageName, permission, - Context.DEVICE_ID_DEFAULT, userId, null); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId, null); } finally { Binder.restoreCallingIdentity(identity); } diff --git a/core/java/android/permission/IPermissionManager.aidl b/core/java/android/permission/IPermissionManager.aidl index 471f95bb21f3..380962cbc766 100644 --- a/core/java/android/permission/IPermissionManager.aidl +++ b/core/java/android/permission/IPermissionManager.aidl @@ -42,10 +42,12 @@ interface IPermissionManager { void removePermission(String permissionName); - int getPermissionFlags(String packageName, String permissionName, int deviceId, int userId); + int getPermissionFlags(String packageName, String permissionName, String persistentDeviceId, + int userId); void updatePermissionFlags(String packageName, String permissionName, int flagMask, - int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, int userId); + int flagValues, boolean checkAdjustPolicyFlagPermission, String persistentDeviceId, + int userId); void updatePermissionFlagsForAllApps(int flagMask, int flagValues, int userId); @@ -62,10 +64,11 @@ interface IPermissionManager { boolean removeAllowlistedRestrictedPermission(String packageName, String permissionName, int flags, int userId); - void grantRuntimePermission(String packageName, String permissionName, int deviceId, int userId); + void grantRuntimePermission(String packageName, String permissionName, + String persistentDeviceId, int userId); - void revokeRuntimePermission(String packageName, String permissionName, int deviceId, - int userId, String reason); + void revokeRuntimePermission(String packageName, String permissionName, + String persistentDeviceId, int userId, String reason); void revokePostNotificationPermissionWithoutKillForTest(String packageName, int userId); @@ -96,7 +99,8 @@ interface IPermissionManager { boolean isRegisteredAttributionSource(in AttributionSourceState source); - int checkPermission(String packageName, String permissionName, int deviceId, int userId); + int checkPermission(String packageName, String permissionName, String persistentDeviceId, + int userId); int checkUidPermission(int uid, String permissionName, int deviceId); } diff --git a/core/java/android/permission/PermissionManager.java b/core/java/android/permission/PermissionManager.java index 4af6e3a9f8d4..d6e8ce701b39 100644 --- a/core/java/android/permission/PermissionManager.java +++ b/core/java/android/permission/PermissionManager.java @@ -28,6 +28,7 @@ import static android.permission.flags.Flags.serverSideAttributionRegistration; import android.Manifest; import android.annotation.CheckResult; import android.annotation.DurationMillisLong; +import android.annotation.FlaggedApi; import android.annotation.IntDef; import android.annotation.IntRange; import android.annotation.NonNull; @@ -45,6 +46,8 @@ import android.app.AppGlobals; import android.app.AppOpsManager; import android.app.IActivityManager; import android.app.PropertyInvalidatedCache; +import android.companion.virtual.VirtualDevice; +import android.companion.virtual.VirtualDeviceManager; import android.compat.annotation.ChangeId; import android.compat.annotation.EnabledAfter; import android.content.AttributionSource; @@ -68,6 +71,7 @@ import android.os.RemoteException; import android.os.ServiceManager; import android.os.SystemClock; import android.os.UserHandle; +import android.permission.flags.Flags; import android.text.TextUtils; import android.util.ArrayMap; import android.util.ArraySet; @@ -240,6 +244,8 @@ public final class PermissionManager { private final LegacyPermissionManager mLegacyPermissionManager; + private final VirtualDeviceManager mVirtualDeviceManager; + private final ArrayMap<PackageManager.OnPermissionsChangedListener, IOnPermissionsChangeListener> mPermissionListeners = new ArrayMap<>(); private PermissionUsageHelper mUsageHelper; @@ -260,6 +266,7 @@ public final class PermissionManager { mPermissionManager = IPermissionManager.Stub.asInterface(ServiceManager.getServiceOrThrow( "permissionmgr")); mLegacyPermissionManager = context.getSystemService(LegacyPermissionManager.class); + mVirtualDeviceManager = context.getSystemService(VirtualDeviceManager.class); } /** @@ -616,15 +623,50 @@ public final class PermissionManager { //@SystemApi public void grantRuntimePermission(@NonNull String packageName, @NonNull String permissionName, @NonNull UserHandle user) { + String persistentDeviceId = getPersistentDeviceId(mContext.getDeviceId()); + if (persistentDeviceId == null) { + return; + } + + grantRuntimePermissionInternal(packageName, permissionName, persistentDeviceId, user); + } + + /** + * Grant a runtime permission to an application which the application does not already have. The + * permission must have been requested by the application. If the application is not allowed to + * hold the permission, a {@link java.lang.SecurityException} is thrown. If the package or + * permission is invalid, a {@link java.lang.IllegalArgumentException} is thrown. + * + * @param packageName the package to which to grant the permission + * @param permissionName the permission name to grant + * @param persistentDeviceId the device Id to which to grant the permission + * + * @see #revokeRuntimePermission(String, String, String, String) + * + * @hide + */ + @RequiresPermission(android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS) + @SystemApi + @FlaggedApi(Flags.FLAG_DEVICE_AWARE_PERMISSION_APIS_ENABLED) + public void grantRuntimePermission(@NonNull String packageName, + @NonNull String permissionName, @NonNull String persistentDeviceId) { + grantRuntimePermissionInternal(packageName, permissionName, persistentDeviceId, + mContext.getUser()); + } + + private void grantRuntimePermissionInternal(@NonNull String packageName, + @NonNull String permissionName, @NonNull String persistentDeviceId, + @NonNull UserHandle user) { if (DEBUG_TRACE_GRANTS && shouldTraceGrant(packageName, permissionName, user.getIdentifier())) { Log.i(LOG_TAG_TRACE_GRANTS, "App " + mContext.getPackageName() + " is granting " + packageName + " " - + permissionName + " for user " + user.getIdentifier(), new RuntimeException()); + + permissionName + " for user " + user.getIdentifier() + + " for persistent device " + persistentDeviceId, new RuntimeException()); } try { mPermissionManager.grantRuntimePermission(packageName, permissionName, - mContext.getDeviceId(), user.getIdentifier()); + persistentDeviceId, user.getIdentifier()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -642,7 +684,7 @@ public final class PermissionManager { * user {@code android.permission.INTERACT_ACROSS_USERS_FULL}. * * @param packageName the package from which to revoke the permission - * @param permName the permission name to revoke + * @param permissionName the permission name to revoke * @param user the user for which to revoke the permission * @param reason the reason for the revoke, or {@code null} for unspecified * @@ -653,16 +695,56 @@ public final class PermissionManager { @RequiresPermission(android.Manifest.permission.REVOKE_RUNTIME_PERMISSIONS) //@SystemApi public void revokeRuntimePermission(@NonNull String packageName, - @NonNull String permName, @NonNull UserHandle user, @Nullable String reason) { + @NonNull String permissionName, @NonNull UserHandle user, @Nullable String reason) { + String persistentDeviceId = getPersistentDeviceId(mContext.getDeviceId()); + if (persistentDeviceId == null) { + return; + } + + revokeRuntimePermissionInternal(packageName, permissionName, persistentDeviceId, user, + reason); + } + + /** + * Revoke a runtime permission that was previously granted by + * {@link #grantRuntimePermission(String, String, String)}. The permission must + * have been requested by and granted to the application. If the application is not allowed to + * hold the permission, a {@link java.lang.SecurityException} is thrown. If the package or + * permission is invalid, a {@link java.lang.IllegalArgumentException} is thrown. + * + * @param packageName the package from which to revoke the permission + * @param permissionName the permission name to revoke + * @param persistentDeviceId the persistent device id for which to revoke the permission + * @param reason the reason for the revoke, or {@code null} for unspecified + * + * @see #grantRuntimePermission(String, String, String) + * + * @hide + */ + @RequiresPermission(android.Manifest.permission.REVOKE_RUNTIME_PERMISSIONS) + @SystemApi + @FlaggedApi(Flags.FLAG_DEVICE_AWARE_PERMISSION_APIS_ENABLED) + public void revokeRuntimePermission(@NonNull String packageName, + @NonNull String permissionName, @NonNull String persistentDeviceId, + @Nullable String reason) { + revokeRuntimePermissionInternal(packageName, permissionName, persistentDeviceId, + mContext.getUser(), reason); + } + + private void revokeRuntimePermissionInternal(@NonNull String packageName, + @NonNull String permissionName, @NonNull String persistentDeviceId, + @NonNull UserHandle user, @Nullable String reason) { if (DEBUG_TRACE_PERMISSION_UPDATES - && shouldTraceGrant(packageName, permName, user.getIdentifier())) { + && shouldTraceGrant(packageName, permissionName, user.getIdentifier())) { Log.i(LOG_TAG, "App " + mContext.getPackageName() + " is revoking " + packageName + " " - + permName + " for user " + user.getIdentifier() + " with reason " + + permissionName + " for user " + user.getIdentifier() + + " for persistent device " + + persistentDeviceId + " with reason " + reason, new RuntimeException()); } try { - mPermissionManager.revokeRuntimePermission(packageName, permName, - mContext.getDeviceId(), user.getIdentifier(), reason); + mPermissionManager.revokeRuntimePermission(packageName, permissionName, + persistentDeviceId, user.getIdentifier(), reason); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -687,9 +769,44 @@ public final class PermissionManager { //@SystemApi public int getPermissionFlags(@NonNull String packageName, @NonNull String permissionName, @NonNull UserHandle user) { + String persistentDeviceId = getPersistentDeviceId(mContext.getDeviceId()); + if (persistentDeviceId == null) { + return 0; + } + + return getPermissionFlagsInternal(packageName, permissionName, persistentDeviceId, user); + } + + /** + * Gets the state flags associated with a permission. + * + * @param packageName the package name for which to get the flags + * @param permissionName the permission for which to get the flags + * @param persistentDeviceId the persistent device Id for which to get permission flags + * @return the permission flags + * + * @hide + */ + @PackageManager.PermissionFlags + @RequiresPermission(anyOf = { + android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS, + android.Manifest.permission.REVOKE_RUNTIME_PERMISSIONS, + android.Manifest.permission.GET_RUNTIME_PERMISSIONS + }) + @SystemApi + @FlaggedApi(Flags.FLAG_DEVICE_AWARE_PERMISSION_APIS_ENABLED) + public int getPermissionFlags(@NonNull String packageName, @NonNull String permissionName, + @NonNull String persistentDeviceId) { + return getPermissionFlagsInternal(packageName, permissionName, persistentDeviceId, + mContext.getUser()); + } + + private int getPermissionFlagsInternal(@NonNull String packageName, + @NonNull String permissionName, @NonNull String persistentDeviceId, + @NonNull UserHandle user) { try { return mPermissionManager.getPermissionFlags(packageName, permissionName, - mContext.getDeviceId(), user.getIdentifier()); + persistentDeviceId, user.getIdentifier()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -715,21 +832,63 @@ public final class PermissionManager { public void updatePermissionFlags(@NonNull String packageName, @NonNull String permissionName, @PackageManager.PermissionFlags int flagMask, @PackageManager.PermissionFlags int flagValues, @NonNull UserHandle user) { + String persistentDeviceId = getPersistentDeviceId(mContext.getDeviceId()); + if (persistentDeviceId == null) { + return; + } + + updatePermissionFlagsInternal(packageName, permissionName, flagMask, flagValues, + persistentDeviceId, user); + } + + /** + * Updates the flags associated with a permission by replacing the flags in the specified mask + * with the provided flag values. + * + * @param packageName The package name for which to update the flags + * @param permissionName The permission for which to update the flags + * @param persistentDeviceId The persistent device for which to update the permission flags + * @param flagMask The flags which to replace + * @param flagValues The flags with which to replace + * + * @hide + */ + @RequiresPermission(anyOf = { + android.Manifest.permission.GRANT_RUNTIME_PERMISSIONS, + android.Manifest.permission.REVOKE_RUNTIME_PERMISSIONS + }) + @SystemApi + @FlaggedApi(Flags.FLAG_DEVICE_AWARE_PERMISSION_APIS_ENABLED) + public void updatePermissionFlags(@NonNull String packageName, @NonNull String permissionName, + @NonNull String persistentDeviceId, + @PackageManager.PermissionFlags int flagMask, + @PackageManager.PermissionFlags int flagValues + ) { + updatePermissionFlagsInternal(packageName, permissionName, flagMask, flagValues, + persistentDeviceId, mContext.getUser()); + } + + private void updatePermissionFlagsInternal(@NonNull String packageName, + @NonNull String permissionName, + @PackageManager.PermissionFlags int flagMask, + @PackageManager.PermissionFlags int flagValues, @NonNull String persistentDeviceId, + @NonNull UserHandle user + ) { if (DEBUG_TRACE_PERMISSION_UPDATES && shouldTraceGrant(packageName, permissionName, user.getIdentifier())) { Log.i(LOG_TAG, "App " + mContext.getPackageName() + " is updating flags for " + packageName + " " + permissionName + " for user " - + user.getIdentifier() + ": " + DebugUtils.flagsToString( - PackageManager.class, "FLAG_PERMISSION_", flagMask) + " := " - + DebugUtils.flagsToString(PackageManager.class, "FLAG_PERMISSION_", - flagValues), new RuntimeException()); + + user.getIdentifier() + " for persistentDeviceId " + persistentDeviceId + ": " + + DebugUtils.flagsToString(PackageManager.class, "FLAG_PERMISSION_", flagMask) + + " := " + DebugUtils.flagsToString(PackageManager.class, "FLAG_PERMISSION_", + flagValues), new RuntimeException()); } try { final boolean checkAdjustPolicyFlagPermission = mContext.getApplicationInfo().targetSdkVersion >= Build.VERSION_CODES.Q; mPermissionManager.updatePermissionFlags(packageName, permissionName, flagMask, flagValues, checkAdjustPolicyFlagPermission, - mContext.getDeviceId(), user.getIdentifier()); + persistentDeviceId, user.getIdentifier()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -1642,15 +1801,15 @@ public final class PermissionManager { private static final class PackageNamePermissionQuery { final String permName; final String pkgName; - final int deviceId; + final String persistentDeviceId; @UserIdInt final int userId; PackageNamePermissionQuery(@Nullable String permName, @Nullable String pkgName, - int deviceId, @UserIdInt int userId) { + @Nullable String persistentDeviceId, @UserIdInt int userId) { this.permName = permName; this.pkgName = pkgName; - this.deviceId = deviceId; + this.persistentDeviceId = persistentDeviceId; this.userId = userId; } @@ -1658,13 +1817,13 @@ public final class PermissionManager { public String toString() { return TextUtils.formatSimple( "PackageNamePermissionQuery(pkgName=\"%s\", permName=\"%s\", " - + "deviceId=%s, userId=%s\")", - pkgName, permName, deviceId, userId); + + "persistentDeviceId=%s, userId=%s\")", + pkgName, permName, persistentDeviceId, userId); } @Override public int hashCode() { - return Objects.hash(permName, pkgName, deviceId, userId); + return Objects.hash(permName, pkgName, persistentDeviceId, userId); } @Override @@ -1680,17 +1839,17 @@ public final class PermissionManager { } return Objects.equals(permName, other.permName) && Objects.equals(pkgName, other.pkgName) - && deviceId == other.deviceId + && Objects.equals(persistentDeviceId, other.persistentDeviceId) && userId == other.userId; } } /* @hide */ private static int checkPackageNamePermissionUncached( - String permName, String pkgName, int deviceId, @UserIdInt int userId) { + String permName, String pkgName, String persistentDeviceId, @UserIdInt int userId) { try { return ActivityThread.getPermissionManager().checkPermission( - pkgName, permName, deviceId, userId); + pkgName, permName, persistentDeviceId, userId); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -1704,7 +1863,7 @@ public final class PermissionManager { @Override public Integer recompute(PackageNamePermissionQuery query) { return checkPackageNamePermissionUncached( - query.permName, query.pkgName, query.deviceId, query.userId); + query.permName, query.pkgName, query.persistentDeviceId, query.userId); } @Override public boolean bypass(PackageNamePermissionQuery query) { @@ -1717,10 +1876,65 @@ public final class PermissionManager { * * @hide */ - public static int checkPackageNamePermission(String permName, String pkgName, int deviceId, - @UserIdInt int userId) { + public int checkPackageNamePermission(String permName, String pkgName, + int deviceId, @UserIdInt int userId) { + String persistentDeviceId = getPersistentDeviceId(deviceId); + return sPackageNamePermissionCache.query( + new PackageNamePermissionQuery(permName, pkgName, persistentDeviceId, userId)); + } + + @Nullable + private String getPersistentDeviceId(int deviceId) { + String persistentDeviceId = null; + + if (deviceId == Context.DEVICE_ID_DEFAULT) { + persistentDeviceId = VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT; + } else if (android.companion.virtual.flags.Flags.vdmPublicApis()) { + VirtualDevice virtualDevice = mVirtualDeviceManager.getVirtualDevice(deviceId); + if (virtualDevice == null) { + Slog.e(LOG_TAG, "Virtual device is not found with device Id " + deviceId); + return null; + } + persistentDeviceId = virtualDevice.getPersistentDeviceId(); + if (persistentDeviceId == null) { + Slog.e(LOG_TAG, "Cannot find persistent device Id for " + deviceId); + } + } else { + Slog.e(LOG_TAG, "vdmPublicApis flag is not enabled when device Id " + deviceId + + "is not default."); + } + return persistentDeviceId; + } + + /** + * Check whether a package has been granted a permission on a given device. + * <p> + * <strong>Note: </strong>This API returns the underlying permission state + * as-is and is mostly intended for permission managing system apps. To + * perform an access check for a certain app, please use the + * {@link Context#checkPermission} APIs instead. + * + * @param permissionName The name of the permission you are checking for. + * @param packageName The name of the package you are checking against. + * @param persistentDeviceId The persistent device id you are checking against. + * @param userId The user Id associated with context. + * + * @return If the package has the permission on the device, PERMISSION_GRANTED is + * returned. If it does not have the permission on the device, PERMISSION_DENIED + * is returned. + * + * @see PackageManager#PERMISSION_GRANTED + * @see PackageManager#PERMISSION_DENIED + * + * @hide + */ + @SystemApi + @FlaggedApi(Flags.FLAG_DEVICE_AWARE_PERMISSION_APIS_ENABLED) + public static int checkPermission(@NonNull String permissionName, @NonNull String packageName, + @NonNull String persistentDeviceId, @UserIdInt int userId) { return sPackageNamePermissionCache.query( - new PackageNamePermissionQuery(permName, pkgName, deviceId, userId)); + new PackageNamePermissionQuery(permissionName, packageName, persistentDeviceId, + userId)); } /** diff --git a/services/core/java/com/android/server/notification/PermissionHelper.java b/services/core/java/com/android/server/notification/PermissionHelper.java index e14f7c09770f..b6f48890c528 100644 --- a/services/core/java/com/android/server/notification/PermissionHelper.java +++ b/services/core/java/com/android/server/notification/PermissionHelper.java @@ -24,6 +24,7 @@ import static android.content.pm.PackageManager.PERMISSION_GRANTED; import android.Manifest; import android.annotation.NonNull; import android.annotation.UserIdInt; +import android.companion.virtual.VirtualDeviceManager; import android.content.Context; import android.content.pm.IPackageManager; import android.content.pm.PackageInfo; @@ -196,18 +197,20 @@ public final class PermissionHelper { boolean currentlyGranted = hasPermission(uid); if (grant && !currentlyGranted) { mPermManager.grantRuntimePermission(packageName, NOTIFICATION_PERMISSION, - Context.DEVICE_ID_DEFAULT, userId); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); } else if (!grant && currentlyGranted) { mPermManager.revokeRuntimePermission(packageName, NOTIFICATION_PERMISSION, - Context.DEVICE_ID_DEFAULT, userId, TAG); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId, TAG); } int flagMask = FLAG_PERMISSION_USER_SET | FLAG_PERMISSION_USER_FIXED; if (userSet) { mPermManager.updatePermissionFlags(packageName, NOTIFICATION_PERMISSION, flagMask, - FLAG_PERMISSION_USER_SET, true, Context.DEVICE_ID_DEFAULT, userId); + FLAG_PERMISSION_USER_SET, true, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); } else { mPermManager.updatePermissionFlags(packageName, NOTIFICATION_PERMISSION, - flagMask, 0, true, Context.DEVICE_ID_DEFAULT, userId); + flagMask, 0, true, VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, + userId); } } catch (RemoteException e) { Slog.e(TAG, "Could not reach system server", e); @@ -235,7 +238,7 @@ public final class PermissionHelper { try { try { int flags = mPermManager.getPermissionFlags(packageName, NOTIFICATION_PERMISSION, - Context.DEVICE_ID_DEFAULT, userId); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); return (flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0 || (flags & PackageManager.FLAG_PERMISSION_POLICY_FIXED) != 0; } catch (RemoteException e) { @@ -252,7 +255,7 @@ public final class PermissionHelper { try { try { int flags = mPermManager.getPermissionFlags(packageName, NOTIFICATION_PERMISSION, - Context.DEVICE_ID_DEFAULT, userId); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); return (flags & (PackageManager.FLAG_PERMISSION_USER_SET | PackageManager.FLAG_PERMISSION_USER_FIXED)) != 0; } catch (RemoteException e) { @@ -269,7 +272,7 @@ public final class PermissionHelper { try { try { int flags = mPermManager.getPermissionFlags(packageName, NOTIFICATION_PERMISSION, - Context.DEVICE_ID_DEFAULT, userId); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); return (flags & (PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT | PackageManager.FLAG_PERMISSION_GRANTED_BY_ROLE)) != 0; } catch (RemoteException e) { diff --git a/services/core/java/com/android/server/pm/BackgroundInstallControlService.java b/services/core/java/com/android/server/pm/BackgroundInstallControlService.java index 3468081088a3..524bad58ce07 100644 --- a/services/core/java/com/android/server/pm/BackgroundInstallControlService.java +++ b/services/core/java/com/android/server/pm/BackgroundInstallControlService.java @@ -24,6 +24,7 @@ import android.annotation.RequiresPermission; import android.app.Flags; import android.app.usage.UsageEvents; import android.app.usage.UsageStatsManagerInternal; +import android.companion.virtual.VirtualDeviceManager; import android.content.Context; import android.content.pm.ApplicationInfo; import android.content.pm.IBackgroundInstallControlService; @@ -271,7 +272,7 @@ public class BackgroundInstallControlService extends SystemService { if (mPermissionManager.checkPermission( installerPackageName, android.Manifest.permission.INSTALL_PACKAGES, - Context.DEVICE_ID_DEFAULT, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId) != PERMISSION_GRANTED) { return; @@ -479,7 +480,7 @@ public class BackgroundInstallControlService extends SystemService { return mPermissionManager.checkPermission( pkgName, android.Manifest.permission.INSTALL_PACKAGES, - Context.DEVICE_ID_DEFAULT, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId) == PERMISSION_GRANTED; } diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java index ac89feccef7e..9afdde53643c 100644 --- a/services/core/java/com/android/server/pm/ComputerEngine.java +++ b/services/core/java/com/android/server/pm/ComputerEngine.java @@ -69,6 +69,7 @@ import android.annotation.Nullable; import android.annotation.UserIdInt; import android.app.ActivityManager; import android.app.admin.DevicePolicyManagerInternal; +import android.companion.virtual.VirtualDeviceManager; import android.content.ComponentName; import android.content.Context; import android.content.Intent; @@ -4615,7 +4616,8 @@ public class ComputerEngine implements Computer { for (int i=0; i<permissions.length; i++) { final String permission = permissions[i]; if (mPermissionManager.checkPermission(ps.getPackageName(), permission, - Context.DEVICE_ID_DEFAULT, userId) == PERMISSION_GRANTED) { + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId) + == PERMISSION_GRANTED) { tmp[i] = true; numMatch++; } else { diff --git a/services/core/java/com/android/server/pm/DumpHelper.java b/services/core/java/com/android/server/pm/DumpHelper.java index 2a00a442542d..104e8bee50c8 100644 --- a/services/core/java/com/android/server/pm/DumpHelper.java +++ b/services/core/java/com/android/server/pm/DumpHelper.java @@ -22,8 +22,8 @@ import static com.android.server.pm.KnownPackages.LAST_KNOWN_PACKAGE; import static com.android.server.pm.PackageManagerServiceUtils.dumpCriticalInfo; import android.annotation.NonNull; +import android.companion.virtual.VirtualDeviceManager; import android.content.ComponentName; -import android.content.Context; import android.content.pm.FeatureInfo; import android.content.pm.PackageManager; import android.os.Binder; @@ -162,7 +162,7 @@ final class DumpHelper { PackageManager.VERSION_CODE_HIGHEST); pw.println(mPermissionManager.checkPermission( - pkg, perm, Context.DEVICE_ID_DEFAULT, user)); + pkg, perm, VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, user)); return; } else if ("l".equals(cmd) || "libraries".equals(cmd)) { dumpState.setDump(DumpState.DUMP_LIBS); diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index afd4fb17dff5..dadafd7f9438 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -65,6 +65,7 @@ import android.app.admin.IDevicePolicyManager; import android.app.admin.SecurityLog; import android.app.backup.IBackupManager; import android.app.role.RoleManager; +import android.companion.virtual.VirtualDeviceManager; import android.compat.annotation.ChangeId; import android.compat.annotation.EnabledAfter; import android.content.BroadcastReceiver; @@ -2994,8 +2995,8 @@ public class PackageManagerService implements PackageSender, TestUtilityService // NOTE: Can't remove due to unsupported app usage public int checkPermission(String permName, String pkgName, int userId) { - return mPermissionManager.checkPermission(pkgName, permName, Context.DEVICE_ID_DEFAULT, - userId); + return mPermissionManager.checkPermission(pkgName, permName, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); } public String getSdkSandboxPackageName() { diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java index 40f226435194..f1dca77fcc7a 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java @@ -217,7 +217,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { @Override @PackageManager.PermissionResult - public int checkPermission(String packageName, String permissionName, int deviceId, + public int checkPermission(String packageName, String permissionName, String persistentDeviceId, @UserIdInt int userId) { // Not using Objects.requireNonNull() here for compatibility reasons. if (packageName == null || permissionName == null) { @@ -231,10 +231,10 @@ public class PermissionManagerService extends IPermissionManager.Stub { if (checkPermissionDelegate == null) { return mPermissionManagerServiceImpl.checkPermission(packageName, permissionName, - deviceId, userId); + persistentDeviceId, userId); } return checkPermissionDelegate.checkPermission(packageName, permissionName, - deviceId, userId, mPermissionManagerServiceImpl::checkPermission); + persistentDeviceId, userId, mPermissionManagerServiceImpl::checkPermission); } @Override @@ -527,17 +527,18 @@ public class PermissionManagerService extends IPermissionManager.Stub { } @Override - public int getPermissionFlags(String packageName, String permissionName, int deviceId, - int userId) { + public int getPermissionFlags(String packageName, String permissionName, + String persistentDeviceId, int userId) { return mPermissionManagerServiceImpl - .getPermissionFlags(packageName, permissionName, deviceId, userId); + .getPermissionFlags(packageName, permissionName, persistentDeviceId, userId); } @Override public void updatePermissionFlags(String packageName, String permissionName, int flagMask, - int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, int userId) { + int flagValues, boolean checkAdjustPolicyFlagPermission, String persistentDeviceId, + int userId) { mPermissionManagerServiceImpl.updatePermissionFlags(packageName, permissionName, flagMask, - flagValues, checkAdjustPolicyFlagPermission, deviceId, userId); + flagValues, checkAdjustPolicyFlagPermission, persistentDeviceId, userId); } @Override @@ -577,17 +578,17 @@ public class PermissionManagerService extends IPermissionManager.Stub { } @Override - public void grantRuntimePermission(String packageName, String permissionName, int deviceId, - int userId) { + public void grantRuntimePermission(String packageName, String permissionName, + String persistentDeviceId, int userId) { mPermissionManagerServiceImpl.grantRuntimePermission(packageName, permissionName, - deviceId, userId); + persistentDeviceId, userId); } @Override - public void revokeRuntimePermission(String packageName, String permissionName, int deviceId, - int userId, String reason) { + public void revokeRuntimePermission(String packageName, String permissionName, + String persistentDeviceId, int userId, String reason) { mPermissionManagerServiceImpl.revokeRuntimePermission(packageName, permissionName, - deviceId, userId, reason); + persistentDeviceId, userId, reason); } @Override @@ -620,9 +621,9 @@ public class PermissionManagerService extends IPermissionManager.Stub { private class PermissionManagerServiceInternalImpl implements PermissionManagerServiceInternal { @Override public int checkPermission(@NonNull String packageName, @NonNull String permissionName, - int deviceId, @UserIdInt int userId) { + @NonNull String persistentDeviceId, @UserIdInt int userId) { return PermissionManagerService.this.checkPermission(packageName, permissionName, - deviceId, userId); + persistentDeviceId, userId); } @Override @@ -888,7 +889,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { * * @param packageName the name of the package to be checked * @param permissionName the name of the permission to be checked - * @param deviceId The device ID + * @param persistentDeviceId The persistent device ID * @param userId the user ID * @param superImpl the original implementation that can be delegated to * @return {@link android.content.pm.PackageManager#PERMISSION_GRANTED} if the package has @@ -897,8 +898,8 @@ public class PermissionManagerService extends IPermissionManager.Stub { * @see android.content.pm.PackageManager#checkPermission(String, String) */ int checkPermission(@NonNull String packageName, @NonNull String permissionName, - int deviceId, @UserIdInt int userId, - @NonNull QuadFunction<String, String, Integer, Integer, Integer> superImpl); + String persistentDeviceId, @UserIdInt int userId, + @NonNull QuadFunction<String, String, String, Integer, Integer> superImpl); /** * Check whether the given UID has been granted the specified permission. @@ -940,18 +941,19 @@ public class PermissionManagerService extends IPermissionManager.Stub { @Override public int checkPermission(@NonNull String packageName, @NonNull String permissionName, - int deviceId, int userId, - @NonNull QuadFunction<String, String, Integer, Integer, Integer> superImpl) { + String persistentDeviceId, int userId, + @NonNull QuadFunction<String, String, String, Integer, Integer> superImpl) { if (mDelegatedPackageName.equals(packageName) && isDelegatedPermission(permissionName)) { final long identity = Binder.clearCallingIdentity(); try { - return superImpl.apply("com.android.shell", permissionName, deviceId, userId); + return superImpl.apply("com.android.shell", permissionName, persistentDeviceId, + userId); } finally { Binder.restoreCallingIdentity(identity); } } - return superImpl.apply(packageName, permissionName, deviceId, userId); + return superImpl.apply(packageName, permissionName, persistentDeviceId, userId); } @Override diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java index 6a5736269e51..9afd36f8f0de 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java @@ -682,7 +682,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt } @Override - public int getPermissionFlags(String packageName, String permName, int deviceId, int userId) { + public int getPermissionFlags(String packageName, String permName, String persistentDeviceId, + int userId) { final int callingUid = Binder.getCallingUid(); return getPermissionFlagsInternal(packageName, permName, callingUid, userId); } @@ -725,7 +726,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt @Override public void updatePermissionFlags(String packageName, String permName, int flagMask, - int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, int userId) { + int flagValues, boolean checkAdjustPolicyFlagPermission, String persistentDeviceId, + int userId) { final int callingUid = Binder.getCallingUid(); boolean overridePolicy = false; @@ -910,11 +912,13 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt } private int checkPermission(String pkgName, String permName, int userId) { - return checkPermission(pkgName, permName, Context.DEVICE_ID_DEFAULT, userId); + return checkPermission(pkgName, permName, VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, + userId); } @Override - public int checkPermission(String pkgName, String permName, int deviceId, int userId) { + public int checkPermission(String pkgName, String permName, String persistentDeviceId, + int userId) { if (!mUserManagerInt.exists(userId)) { return PackageManager.PERMISSION_DENIED; } @@ -1304,8 +1308,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt } @Override - public void grantRuntimePermission(String packageName, String permName, int deviceId, - int userId) { + public void grantRuntimePermission(String packageName, String permName, + String persistentDeviceId, int userId) { final int callingUid = Binder.getCallingUid(); final boolean overridePolicy = checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY) @@ -1478,12 +1482,12 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt } @Override - public void revokeRuntimePermission(String packageName, String permName, int deviceId, - int userId, String reason) { + public void revokeRuntimePermission(String packageName, String permName, + String persistentDeviceId, int userId, String reason) { final int callingUid = Binder.getCallingUid(); final boolean overridePolicy = - checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY, deviceId) - == PackageManager.PERMISSION_GRANTED; + checkUidPermission(callingUid, ADJUST_RUNTIME_PERMISSIONS_POLICY, + Context.DEVICE_ID_DEFAULT) == PackageManager.PERMISSION_GRANTED; revokeRuntimePermissionInternal(packageName, permName, overridePolicy, callingUid, userId, reason, mDefaultPermissionCallback); @@ -2070,8 +2074,8 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt continue; } boolean isSystemOrPolicyFixed = (getPermissionFlags(newPackage.getPackageName(), - permInfo.name, Context.DEVICE_ID_DEFAULT, userId) & ( - FLAG_PERMISSION_SYSTEM_FIXED | FLAG_PERMISSION_POLICY_FIXED)) != 0; + permInfo.name, VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId) + & (FLAG_PERMISSION_SYSTEM_FIXED | FLAG_PERMISSION_POLICY_FIXED)) != 0; if (isSystemOrPolicyFixed) { continue; } @@ -2238,7 +2242,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt final int permissionState = checkPermission(packageName, permName, userId); final int flags = getPermissionFlags(packageName, permName, - Context.DEVICE_ID_DEFAULT, userId); + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId); final int flagMask = FLAG_PERMISSION_SYSTEM_FIXED | FLAG_PERMISSION_POLICY_FIXED | FLAG_PERMISSION_GRANTED_BY_DEFAULT diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInterface.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInterface.java index 2d824aa1ba13..b12d8acc11b4 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInterface.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInterface.java @@ -140,11 +140,11 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte * * @param packageName the package name for which to get the flags * @param permName the permission for which to get the flags - * @param deviceId The device for which to get the flags + * @param persistentDeviceId The device for which to get the flags * @param userId the user for which to get permission flags * @return the permission flags */ - int getPermissionFlags(String packageName, String permName, int deviceId, + int getPermissionFlags(String packageName, String permName, String persistentDeviceId, @UserIdInt int userId); /** @@ -155,11 +155,12 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte * @param permName The permission for which to update the flags * @param flagMask The flags which to replace * @param flagValues The flags with which to replace - * @param deviceId The device for which to update the permission flags + * @param persistentDeviceId The device for which to update the permission flags * @param userId The user for which to update the permission flags */ void updatePermissionFlags(String packageName, String permName, int flagMask, int flagValues, - boolean checkAdjustPolicyFlagPermission, int deviceId, @UserIdInt int userId); + boolean checkAdjustPolicyFlagPermission, String persistentDeviceId, + @UserIdInt int userId); /** * Update the permission flags for all packages and runtime permissions of a user in order @@ -293,17 +294,17 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte * * @param packageName the package to which to grant the permission * @param permName the permission name to grant - * @param deviceId the device for which to grant the permission + * @param persistentDeviceId the device for which to grant the permission * @param userId the user for which to grant the permission * - * @see #revokeRuntimePermission(String, String, int, int, String) + * @see #revokeRuntimePermission(String, String, String, int, String) */ - void grantRuntimePermission(String packageName, String permName, int deviceId, + void grantRuntimePermission(String packageName, String permName, String persistentDeviceId, @UserIdInt int userId); /** * Revoke a runtime permission that was previously granted by - * {@link #grantRuntimePermission(String, String, android.os.UserHandle)}. The permission must + * {@link #grantRuntimePermission(String, String, String, int)}. The permission must * have been requested by and granted to the application. If the application is not allowed to * hold the permission, a {@link java.lang.SecurityException} is thrown. If the package or * permission is invalid, a {@link java.lang.IllegalArgumentException} is thrown. @@ -314,13 +315,13 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte * * @param packageName the package from which to revoke the permission * @param permName the permission name to revoke - * @param deviceId the device for which to revoke the permission + * @param persistentDeviceId the device for which to revoke the permission * @param userId the user for which to revoke the permission * @param reason the reason for the revoke, or {@code null} for unspecified * - * @see #grantRuntimePermission(String, String, int, int) + * @see #grantRuntimePermission(String, String, String, int) */ - void revokeRuntimePermission(String packageName, String permName, int deviceId, + void revokeRuntimePermission(String packageName, String permName, String persistentDeviceId, @UserIdInt int userId, String reason); /** @@ -387,11 +388,12 @@ public interface PermissionManagerServiceInterface extends PermissionManagerInte * * @param pkgName package name * @param permName permission name - * @param deviceId device ID + * @param persistentDeviceId persistent device ID * @param userId user ID * @return permission result {@link PackageManager.PermissionResult} */ - int checkPermission(String pkgName, String permName, int deviceId, @UserIdInt int userId); + int checkPermission(String pkgName, String permName, String persistentDeviceId, + @UserIdInt int userId); /** * Check whether a permission is granted or not to an UID. diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java index 98adeb66388e..132cdcee8f8e 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java @@ -46,14 +46,14 @@ public interface PermissionManagerServiceInternal extends PermissionManagerInter * * @param packageName the name of the package you are checking against * @param permissionName the name of the permission you are checking for - * @param deviceId the device ID + * @param persistentDeviceId the persistent device ID to check permission for * @param userId the user ID * @return {@code PERMISSION_GRANTED} if the permission is granted, or {@code PERMISSION_DENIED} * otherwise */ //@SystemApi(client = SystemApi.Client.SYSTEM_SERVER) - int checkPermission(@NonNull String packageName, @NonNull String permissionName, int deviceId, - @UserIdInt int userId); + int checkPermission(@NonNull String packageName, @NonNull String permissionName, + @NonNull String persistentDeviceId, @UserIdInt int userId); /** * Check whether a particular UID has been granted a particular permission. diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceLoggingDecorator.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceLoggingDecorator.java index dacb8c6890a0..835ddcbfc2ba 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceLoggingDecorator.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceLoggingDecorator.java @@ -120,21 +120,24 @@ public class PermissionManagerServiceLoggingDecorator implements PermissionManag } @Override - public int getPermissionFlags(String packageName, String permName, int deviceId, int userId) { + public int getPermissionFlags(String packageName, String permName, String persistentDeviceId, + int userId) { Log.i(LOG_TAG, "getPermissionFlags(packageName = " + packageName + ", permName = " - + permName + ", deviceId = " + deviceId + ", userId = " + userId + ")"); - return mService.getPermissionFlags(packageName, permName, deviceId, userId); + + permName + ", persistentDeviceId = " + persistentDeviceId + ", userId = " + userId + + ")"); + return mService.getPermissionFlags(packageName, permName, persistentDeviceId, userId); } @Override public void updatePermissionFlags(String packageName, String permName, int flagMask, - int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, int userId) { + int flagValues, boolean checkAdjustPolicyFlagPermission, String persistentDeviceId, + int userId) { Log.i(LOG_TAG, "updatePermissionFlags(packageName = " + packageName + ", permName = " + permName + ", flagMask = " + flagMask + ", flagValues = " + flagValues + ", checkAdjustPolicyFlagPermission = " + checkAdjustPolicyFlagPermission - + ", deviceId = " + deviceId + ", userId = " + userId + ")"); + + ", persistentDeviceId = " + persistentDeviceId + ", userId = " + userId + ")"); mService.updatePermissionFlags(packageName, permName, flagMask, flagValues, - checkAdjustPolicyFlagPermission, deviceId, userId); + checkAdjustPolicyFlagPermission, persistentDeviceId, userId); } @Override @@ -182,20 +185,21 @@ public class PermissionManagerServiceLoggingDecorator implements PermissionManag } @Override - public void grantRuntimePermission(String packageName, String permName, int deviceId, - int userId) { + public void grantRuntimePermission(String packageName, String permName, + String persistentDeviceId, int userId) { Log.i(LOG_TAG, "grantRuntimePermission(packageName = " + packageName + ", permName = " - + permName + ", deviceId = " + deviceId + ", userId = " + userId + ")"); - mService.grantRuntimePermission(packageName, permName, deviceId, userId); + + permName + ", persistentDeviceId = " + persistentDeviceId + ", userId = " + userId + + ")"); + mService.grantRuntimePermission(packageName, permName, persistentDeviceId, userId); } @Override - public void revokeRuntimePermission(String packageName, String permName, int deviceId, - int userId, String reason) { + public void revokeRuntimePermission(String packageName, String permName, + String persistentDeviceId, int userId, String reason) { Log.i(LOG_TAG, "revokeRuntimePermission(packageName = " + packageName + ", permName = " - + permName + ", deviceId = " + deviceId + ", userId = " + userId + + permName + ", persistentDeviceId = " + persistentDeviceId + ", userId = " + userId + ", reason = " + reason + ")"); - mService.revokeRuntimePermission(packageName, permName, deviceId, userId, reason); + mService.revokeRuntimePermission(packageName, permName, persistentDeviceId, userId, reason); } @Override @@ -230,10 +234,11 @@ public class PermissionManagerServiceLoggingDecorator implements PermissionManag } @Override - public int checkPermission(String pkgName, String permName, int deviceId, int userId) { + public int checkPermission(String pkgName, String permName, String persistentDeviceId, + int userId) { Log.i(LOG_TAG, "checkPermission(pkgName = " + pkgName + ", permName = " + permName - + ", deviceId = " + deviceId + ", userId = " + userId + ")"); - return mService.checkPermission(pkgName, permName, deviceId, userId); + + ", persistentDeviceId = " + persistentDeviceId + ", userId = " + userId + ")"); + return mService.checkPermission(pkgName, permName, persistentDeviceId, userId); } @Override diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTestingShim.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTestingShim.java index 35d165b9b54a..66a6f3cf39dc 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTestingShim.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTestingShim.java @@ -153,10 +153,12 @@ public class PermissionManagerServiceTestingShim implements PermissionManagerSer } @Override - public int getPermissionFlags(String packageName, String permName, int deviceId, + public int getPermissionFlags(String packageName, String permName, String persistentDeviceId, @UserIdInt int userId) { - int oldVal = mOldImplementation.getPermissionFlags(packageName, permName, deviceId, userId); - int newVal = mNewImplementation.getPermissionFlags(packageName, permName, deviceId, userId); + int oldVal = mOldImplementation.getPermissionFlags(packageName, permName, + persistentDeviceId, userId); + int newVal = mNewImplementation.getPermissionFlags(packageName, permName, + persistentDeviceId, userId); if (!Objects.equals(oldVal, newVal)) { signalImplDifference("getPermissionFlags"); @@ -166,12 +168,12 @@ public class PermissionManagerServiceTestingShim implements PermissionManagerSer @Override public void updatePermissionFlags(String packageName, String permName, int flagMask, - int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, + int flagValues, boolean checkAdjustPolicyFlagPermission, String persistentDeviceId, @UserIdInt int userId) { mOldImplementation.updatePermissionFlags(packageName, permName, flagMask, flagValues, - checkAdjustPolicyFlagPermission, deviceId, userId); + checkAdjustPolicyFlagPermission, persistentDeviceId, userId); mNewImplementation.updatePermissionFlags(packageName, permName, flagMask, flagValues, - checkAdjustPolicyFlagPermission, deviceId, userId); + checkAdjustPolicyFlagPermission, persistentDeviceId, userId); } @Override @@ -236,17 +238,21 @@ public class PermissionManagerServiceTestingShim implements PermissionManagerSer } @Override - public void grantRuntimePermission(String packageName, String permName, int deviceId, - @UserIdInt int userId) { - mOldImplementation.grantRuntimePermission(packageName, permName, deviceId, userId); - mNewImplementation.grantRuntimePermission(packageName, permName, deviceId, userId); + public void grantRuntimePermission(String packageName, String permName, + String persistentDeviceId, @UserIdInt int userId) { + mOldImplementation.grantRuntimePermission(packageName, permName, persistentDeviceId, + userId); + mNewImplementation.grantRuntimePermission(packageName, permName, persistentDeviceId, + userId); } @Override - public void revokeRuntimePermission(String packageName, String permName, int deviceId, - @UserIdInt int userId, String reason) { - mOldImplementation.revokeRuntimePermission(packageName, permName, deviceId, userId, reason); - mNewImplementation.revokeRuntimePermission(packageName, permName, deviceId, userId, reason); + public void revokeRuntimePermission(String packageName, String permName, + String persistentDeviceId, @UserIdInt int userId, String reason) { + mOldImplementation.revokeRuntimePermission(packageName, permName, persistentDeviceId, + userId, reason); + mNewImplementation.revokeRuntimePermission(packageName, permName, persistentDeviceId, + userId, reason); } @Override @@ -296,9 +302,12 @@ public class PermissionManagerServiceTestingShim implements PermissionManagerSer } @Override - public int checkPermission(String pkgName, String permName, int deviceId, int userId) { - int oldVal = mOldImplementation.checkPermission(pkgName, permName, deviceId, userId); - int newVal = mNewImplementation.checkPermission(pkgName, permName, deviceId, userId); + public int checkPermission(String pkgName, String permName, String persistentDeviceId, + int userId) { + int oldVal = mOldImplementation.checkPermission(pkgName, permName, persistentDeviceId, + userId); + int newVal = mNewImplementation.checkPermission(pkgName, permName, persistentDeviceId, + userId); if (!Objects.equals(oldVal, newVal)) { signalImplDifference("checkPermission"); diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTracingDecorator.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTracingDecorator.java index cbeede0f425c..f21993ca97cf 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTracingDecorator.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceTracingDecorator.java @@ -158,10 +158,11 @@ public class PermissionManagerServiceTracingDecorator implements PermissionManag } @Override - public int getPermissionFlags(String packageName, String permName, int deviceId, int userId) { + public int getPermissionFlags(String packageName, String permName, String persistentDeviceId, + int userId) { Trace.traceBegin(TRACE_TAG, "TaggedTracingPermissionManagerServiceImpl#getPermissionFlags"); try { - return mService.getPermissionFlags(packageName, permName, deviceId, userId); + return mService.getPermissionFlags(packageName, permName, persistentDeviceId, userId); } finally { Trace.traceEnd(TRACE_TAG); } @@ -169,12 +170,13 @@ public class PermissionManagerServiceTracingDecorator implements PermissionManag @Override public void updatePermissionFlags(String packageName, String permName, int flagMask, - int flagValues, boolean checkAdjustPolicyFlagPermission, int deviceId, int userId) { + int flagValues, boolean checkAdjustPolicyFlagPermission, String persistentDeviceId, + int userId) { Trace.traceBegin(TRACE_TAG, "TaggedTracingPermissionManagerServiceImpl#updatePermissionFlags"); try { mService.updatePermissionFlags(packageName, permName, flagMask, flagValues, - checkAdjustPolicyFlagPermission, deviceId, userId); + checkAdjustPolicyFlagPermission, persistentDeviceId, userId); } finally { Trace.traceEnd(TRACE_TAG); } @@ -253,24 +255,25 @@ public class PermissionManagerServiceTracingDecorator implements PermissionManag } @Override - public void grantRuntimePermission(String packageName, String permName, int deviceId, - int userId) { + public void grantRuntimePermission(String packageName, String permName, + String persistentDeviceId, int userId) { Trace.traceBegin(TRACE_TAG, "TaggedTracingPermissionManagerServiceImpl#grantRuntimePermission"); try { - mService.grantRuntimePermission(packageName, permName, deviceId, userId); + mService.grantRuntimePermission(packageName, permName, persistentDeviceId, userId); } finally { Trace.traceEnd(TRACE_TAG); } } @Override - public void revokeRuntimePermission(String packageName, String permName, int deviceId, - int userId, String reason) { + public void revokeRuntimePermission(String packageName, String permName, + String persistentDeviceId, int userId, String reason) { Trace.traceBegin(TRACE_TAG, "TaggedTracingPermissionManagerServiceImpl#revokeRuntimePermission"); try { - mService.revokeRuntimePermission(packageName, permName, deviceId, userId, reason); + mService.revokeRuntimePermission(packageName, permName, persistentDeviceId, userId, + reason); } finally { Trace.traceEnd(TRACE_TAG); } @@ -324,10 +327,11 @@ public class PermissionManagerServiceTracingDecorator implements PermissionManag } @Override - public int checkPermission(String pkgName, String permName, int deviceId, int userId) { + public int checkPermission(String pkgName, String permName, String persistentDeviceId, + int userId) { Trace.traceBegin(TRACE_TAG, "TaggedTracingPermissionManagerServiceImpl#checkPermission"); try { - return mService.checkPermission(pkgName, permName, deviceId, userId); + return mService.checkPermission(pkgName, permName, persistentDeviceId, userId); } finally { Trace.traceEnd(TRACE_TAG); } diff --git a/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt b/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt index 097d73a9a05b..1241ce60af12 100644 --- a/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt +++ b/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt @@ -423,6 +423,7 @@ class PermissionService(private val service: AccessCheckingService) : with(policy) { removePermission(permission) } } } + private fun GetStateScope.getAndEnforcePermissionTree(permissionName: String): Permission { val callingUid = Binder.getCallingUid() val permissionTree = with(policy) { findPermissionTree(permissionName) } @@ -486,9 +487,16 @@ class PermissionService(private val service: AccessCheckingService) : ) return PackageManager.PERMISSION_DENIED } + + val persistentDeviceId = getPersistentDeviceId(deviceId) + if (persistentDeviceId == null) { + Slog.e(LOG_TAG, "Cannot find persistent device id for $deviceId.") + return PackageManager.PERMISSION_DENIED + } + val isPermissionGranted = service.getState { - isPermissionGranted(packageState, userId, permissionName, deviceId) + isPermissionGranted(packageState, userId, permissionName, persistentDeviceId) } return if (isPermissionGranted) { PackageManager.PERMISSION_GRANTED @@ -522,7 +530,7 @@ class PermissionService(private val service: AccessCheckingService) : override fun checkPermission( packageName: String, permissionName: String, - deviceId: Int, + persistentDeviceId: String, userId: Int ): Int { if (!userManagerInternal.exists(userId)) { @@ -536,7 +544,9 @@ class PermissionService(private val service: AccessCheckingService) : ?: return PackageManager.PERMISSION_DENIED val isPermissionGranted = - service.getState { isPermissionGranted(packageState, userId, permissionName, deviceId) } + service.getState { + isPermissionGranted(packageState, userId, permissionName, persistentDeviceId) + } return if (isPermissionGranted) { PackageManager.PERMISSION_GRANTED } else { @@ -554,13 +564,21 @@ class PermissionService(private val service: AccessCheckingService) : packageState: PackageState, userId: Int, permissionName: String, - deviceId: Int + persistentDeviceId: String ): Boolean { val appId = packageState.appId // Note that instant apps can't have shared UIDs, so we only need to check the current // package state. val isInstantApp = packageState.getUserStateOrDefault(userId).isInstantApp - if (isSinglePermissionGranted(appId, userId, isInstantApp, permissionName, deviceId)) { + if ( + isSinglePermissionGranted( + appId, + userId, + isInstantApp, + permissionName, + persistentDeviceId + ) + ) { return true } @@ -572,7 +590,7 @@ class PermissionService(private val service: AccessCheckingService) : userId, isInstantApp, fullerPermissionName, - deviceId + persistentDeviceId ) ) { return true @@ -587,9 +605,9 @@ class PermissionService(private val service: AccessCheckingService) : userId: Int, isInstantApp: Boolean, permissionName: String, - deviceId: Int, + persistentDeviceId: String, ): Boolean { - val flags = getPermissionFlagsWithPolicy(appId, userId, permissionName, deviceId) + val flags = getPermissionFlagsWithPolicy(appId, userId, permissionName, persistentDeviceId) if (!PermissionFlags.isPermissionGranted(flags)) { return false } @@ -626,7 +644,7 @@ class PermissionService(private val service: AccessCheckingService) : packageState, userId, permissionName, - Context.DEVICE_ID_DEFAULT + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT ) ) { permissionName @@ -670,16 +688,22 @@ class PermissionService(private val service: AccessCheckingService) : override fun grantRuntimePermission( packageName: String, permissionName: String, - deviceId: Int, + persistentDeviceId: String, userId: Int ) { - setRuntimePermissionGranted(packageName, userId, permissionName, deviceId, isGranted = true) + setRuntimePermissionGranted( + packageName, + userId, + permissionName, + persistentDeviceId, + isGranted = true + ) } override fun revokeRuntimePermission( packageName: String, permissionName: String, - deviceId: Int, + persistentDeviceId: String, userId: Int, reason: String? ) { @@ -687,7 +711,7 @@ class PermissionService(private val service: AccessCheckingService) : packageName, userId, permissionName, - deviceId, + persistentDeviceId, isGranted = false, revokeReason = reason ) @@ -701,7 +725,7 @@ class PermissionService(private val service: AccessCheckingService) : packageName, userId, Manifest.permission.POST_NOTIFICATIONS, - Context.DEVICE_ID_DEFAULT, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, isGranted = false, skipKillUid = true ) @@ -715,7 +739,7 @@ class PermissionService(private val service: AccessCheckingService) : packageName: String, userId: Int, permissionName: String, - deviceId: Int, + persistentDeviceId: String, isGranted: Boolean, skipKillUid: Boolean = false, revokeReason: String? = null @@ -739,7 +763,8 @@ class PermissionService(private val service: AccessCheckingService) : " permissionName = $permissionName" + (if (isGranted) "" else "skipKillUid = $skipKillUid, reason = $revokeReason") + ", userId = $userId," + - " callingUid = $callingUidName ($callingUid))", + " callingUid = $callingUidName ($callingUid))," + + " persistentDeviceId = $persistentDeviceId", RuntimeException() ) } @@ -809,7 +834,7 @@ class PermissionService(private val service: AccessCheckingService) : packageState, userId, permissionName, - deviceId, + persistentDeviceId, isGranted, canManageRolePermission, overridePolicyFixed, @@ -853,7 +878,7 @@ class PermissionService(private val service: AccessCheckingService) : packageState, userId, permissionName, - Context.DEVICE_ID_DEFAULT, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, isGranted = true, canManageRolePermission = false, overridePolicyFixed = false, @@ -864,7 +889,7 @@ class PermissionService(private val service: AccessCheckingService) : packageState.appId, userId, permissionName, - Context.DEVICE_ID_DEFAULT, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED or PackageManager.FLAG_PERMISSION_REVOKED_COMPAT, 0, @@ -897,7 +922,7 @@ class PermissionService(private val service: AccessCheckingService) : packageState: PackageState, userId: Int, permissionName: String, - deviceId: Int, + persistentDeviceId: String, isGranted: Boolean, canManageRolePermission: Boolean, overridePolicyFixed: Boolean, @@ -956,12 +981,14 @@ class PermissionService(private val service: AccessCheckingService) : } val appId = packageState.appId - val oldFlags = getPermissionFlagsWithPolicy(appId, userId, permissionName, deviceId) + val oldFlags = + getPermissionFlagsWithPolicy(appId, userId, permissionName, persistentDeviceId) if (permissionName !in androidPackage.requestedPermissions && oldFlags == 0) { if (reportError) { Slog.e( - LOG_TAG, "Permission $permissionName isn't requested by package $packageName" + LOG_TAG, + "Permission $permissionName isn't requested by package $packageName" ) } return @@ -1027,7 +1054,7 @@ class PermissionService(private val service: AccessCheckingService) : return } - setPermissionFlagsWithPolicy(appId, userId, permissionName, deviceId, newFlags) + setPermissionFlagsWithPolicy(appId, userId, permissionName, persistentDeviceId, newFlags) if (permission.isRuntime) { val action = @@ -1061,7 +1088,7 @@ class PermissionService(private val service: AccessCheckingService) : override fun getPermissionFlags( packageName: String, permissionName: String, - deviceId: Int, + persistentDeviceId: String, userId: Int, ): Int { if (!userManagerInternal.exists(userId)) { @@ -1097,7 +1124,12 @@ class PermissionService(private val service: AccessCheckingService) : } val flags = - getPermissionFlagsWithPolicy(packageState.appId, userId, permissionName, deviceId) + getPermissionFlagsWithPolicy( + packageState.appId, + userId, + permissionName, + persistentDeviceId + ) return PermissionFlags.toApiFlags(flags) } @@ -1127,13 +1159,24 @@ class PermissionService(private val service: AccessCheckingService) : } ?: return false + val persistentDeviceId = getPersistentDeviceId(deviceId) + if (persistentDeviceId == null) { + Slog.w(LOG_TAG, "Cannot find persistent device Id for $deviceId") + return false + } + service.getState { - if (isPermissionGranted(packageState, userId, permissionName, deviceId)) { + if (isPermissionGranted(packageState, userId, permissionName, persistentDeviceId)) { return false } val flags = - getPermissionFlagsWithPolicy(packageState.appId, userId, permissionName, deviceId) + getPermissionFlagsWithPolicy( + packageState.appId, + userId, + permissionName, + persistentDeviceId + ) return flags.hasBits(PermissionFlags.POLICY_FIXED) } @@ -1183,13 +1226,19 @@ class PermissionService(private val service: AccessCheckingService) : return false } + val persistentDeviceId = getPersistentDeviceId(deviceId) + if (persistentDeviceId == null) { + Slog.w(LOG_TAG, "Cannot find persistent device Id for $deviceId") + return false + } + val flags: Int service.getState { - if (isPermissionGranted(packageState, userId, permissionName, deviceId)) { + if (isPermissionGranted(packageState, userId, permissionName, persistentDeviceId)) { return false } - flags = getPermissionFlagsWithPolicy(appId, userId, permissionName, deviceId) + flags = getPermissionFlagsWithPolicy(appId, userId, permissionName, persistentDeviceId) } if (flags.hasAnyBit(UNREQUESTABLE_MASK)) { return false @@ -1228,7 +1277,7 @@ class PermissionService(private val service: AccessCheckingService) : flagMask: Int, flagValues: Int, enforceAdjustPolicyPermission: Boolean, - deviceId: Int, + persistentDeviceId: String, userId: Int ) { val callingUid = Binder.getCallingUid() @@ -1254,6 +1303,7 @@ class PermissionService(private val service: AccessCheckingService) : "updatePermissionFlags(packageName = $packageName," + " permissionName = $permissionName, flagMask = $flagMaskString," + " flagValues = $flagValuesString, userId = $userId," + + " persistentDeviceId = $persistentDeviceId," + " callingUid = $callingUidName ($callingUid))", RuntimeException() ) @@ -1343,7 +1393,7 @@ class PermissionService(private val service: AccessCheckingService) : appId, userId, permissionName, - deviceId, + persistentDeviceId, flagMask, flagValues, canUpdateSystemFlags, @@ -1410,7 +1460,7 @@ class PermissionService(private val service: AccessCheckingService) : packageState.appId, userId, permissionName, - Context.DEVICE_ID_DEFAULT, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, flagMask, flagValues, canUpdateSystemFlags, @@ -1429,7 +1479,7 @@ class PermissionService(private val service: AccessCheckingService) : appId: Int, userId: Int, permissionName: String, - deviceId: Int, + persistentDeviceId: String, flagMask: Int, flagValues: Int, canUpdateSystemFlags: Boolean, @@ -1463,7 +1513,8 @@ class PermissionService(private val service: AccessCheckingService) : return } - val oldFlags = getPermissionFlagsWithPolicy(appId, userId, permissionName, deviceId) + val oldFlags = + getPermissionFlagsWithPolicy(appId, userId, permissionName, persistentDeviceId) if (!isPermissionRequested && oldFlags == 0) { Slog.w( LOG_TAG, @@ -1474,7 +1525,7 @@ class PermissionService(private val service: AccessCheckingService) : } val newFlags = PermissionFlags.updateFlags(permission, oldFlags, flagMask, flagValues) - setPermissionFlagsWithPolicy(appId, userId, permissionName, deviceId, newFlags) + setPermissionFlagsWithPolicy(appId, userId, permissionName, persistentDeviceId, newFlags) } override fun getAllowlistedRestrictedPermissions( @@ -1549,10 +1600,12 @@ class PermissionService(private val service: AccessCheckingService) : appId: Int, userId: Int, permissionName: String, - deviceId: Int, + persistentDeviceId: String, ): Int { - return if (!Flags.deviceAwarePermissionApisEnabled() || - deviceId == Context.DEVICE_ID_DEFAULT) { + return if ( + !Flags.deviceAwarePermissionApisEnabled() || + persistentDeviceId == VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT + ) { with(policy) { getPermissionFlags(appId, userId, permissionName) } } else { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { @@ -1563,19 +1616,8 @@ class PermissionService(private val service: AccessCheckingService) : ) return with(policy) { getPermissionFlags(appId, userId, permissionName) } } - val virtualDeviceManagerInternal = virtualDeviceManagerInternal - if (virtualDeviceManagerInternal == null) { - Slog.e(LOG_TAG, "Virtual device manager service is not available.") - return 0 - } - val persistentDeviceId = virtualDeviceManagerInternal.getPersistentIdForDevice(deviceId) - if (persistentDeviceId != null) { - with(devicePolicy) { - getPermissionFlags(appId, persistentDeviceId, userId, permissionName) - } - } else { - Slog.e(LOG_TAG, "Invalid device ID $deviceId.") - 0 + with(devicePolicy) { + getPermissionFlags(appId, persistentDeviceId, userId, permissionName) } } } @@ -1584,11 +1626,13 @@ class PermissionService(private val service: AccessCheckingService) : appId: Int, userId: Int, permissionName: String, - deviceId: Int, + persistentDeviceId: String, flags: Int ): Boolean { - return if (!Flags.deviceAwarePermissionApisEnabled() || - deviceId == Context.DEVICE_ID_DEFAULT) { + return if ( + !Flags.deviceAwarePermissionApisEnabled() || + persistentDeviceId == VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT + ) { with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } } else { if (permissionName !in DEVICE_AWARE_PERMISSIONS) { @@ -1600,23 +1644,24 @@ class PermissionService(private val service: AccessCheckingService) : return with(policy) { setPermissionFlags(appId, userId, permissionName, flags) } } - val virtualDeviceManagerInternal = virtualDeviceManagerInternal - if (virtualDeviceManagerInternal == null) { - Slog.e(LOG_TAG, "Virtual device manager service is not available.") - return false - } - val persistentDeviceId = virtualDeviceManagerInternal.getPersistentIdForDevice(deviceId) - if (persistentDeviceId != null) { - with(devicePolicy) { - setPermissionFlags(appId, persistentDeviceId, userId, permissionName, flags) - } - } else { - Slog.e(LOG_TAG, "Invalid device ID $deviceId.") - false + with(devicePolicy) { + setPermissionFlags(appId, persistentDeviceId, userId, permissionName, flags) } } } + private fun getPersistentDeviceId(deviceId: Int): String? { + if (deviceId == Context.DEVICE_ID_DEFAULT) { + return VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT + } + + if (virtualDeviceManagerInternal == null) { + virtualDeviceManagerInternal = + LocalServices.getService(VirtualDeviceManagerInternal::class.java) + } + return virtualDeviceManagerInternal?.getPersistentIdForDevice(deviceId) + } + /** * This method does not enforce checks on the caller, should only be called after required * checks. diff --git a/services/tests/mockingservicestests/src/com/android/server/am/BackgroundRestrictionTest.java b/services/tests/mockingservicestests/src/com/android/server/am/BackgroundRestrictionTest.java index bb91939c430e..067dd3bf1f7d 100644 --- a/services/tests/mockingservicestests/src/com/android/server/am/BackgroundRestrictionTest.java +++ b/services/tests/mockingservicestests/src/com/android/server/am/BackgroundRestrictionTest.java @@ -113,6 +113,7 @@ import android.app.Notification; import android.app.NotificationManager; import android.app.role.RoleManager; import android.app.usage.AppStandbyInfo; +import android.companion.virtual.VirtualDeviceManager; import android.content.Context; import android.content.Intent; import android.content.pm.PackageManager; @@ -2439,7 +2440,8 @@ public final class BackgroundRestrictionTest { doReturn(granted ? PERMISSION_GRANTED : PERMISSION_DENIED) .when(mPermissionManagerServiceInternal) .checkPermission( - packageName, perm, Context.DEVICE_ID_DEFAULT, UserHandle.getUserId(uid)); + packageName, perm, VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, + UserHandle.getUserId(uid)); try { doReturn(granted ? PERMISSION_GRANTED : PERMISSION_DENIED) .when(mIActivityManager) diff --git a/services/tests/servicestests/src/com/android/server/pm/BackgroundInstallControlServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/BackgroundInstallControlServiceTest.java index bf87e3ac1f7e..1ae6e63c3ff1 100644 --- a/services/tests/servicestests/src/com/android/server/pm/BackgroundInstallControlServiceTest.java +++ b/services/tests/servicestests/src/com/android/server/pm/BackgroundInstallControlServiceTest.java @@ -407,7 +407,7 @@ public final class BackgroundInstallControlServiceTest { 0, mBackgroundInstallControlService.getInstallerForegroundTimeFrames().numMaps()); doReturn(PackageManager.PERMISSION_DENIED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent(UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, INSTALLER_NAME_1, 0); mTestLooper.dispatchAll(); assertEquals( @@ -420,7 +420,7 @@ public final class BackgroundInstallControlServiceTest { 0, mBackgroundInstallControlService.getInstallerForegroundTimeFrames().numMaps()); doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent(UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, INSTALLER_NAME_1, 0); mTestLooper.dispatchAll(); assertEquals( @@ -433,7 +433,7 @@ public final class BackgroundInstallControlServiceTest { 0, mBackgroundInstallControlService.getInstallerForegroundTimeFrames().numMaps()); doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent(UsageEvents.Event.USER_INTERACTION, USER_ID_1, INSTALLER_NAME_1, 0); mTestLooper.dispatchAll(); assertEquals( @@ -446,7 +446,7 @@ public final class BackgroundInstallControlServiceTest { 0, mBackgroundInstallControlService.getInstallerForegroundTimeFrames().numMaps()); doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, @@ -473,7 +473,7 @@ public final class BackgroundInstallControlServiceTest { 0, mBackgroundInstallControlService.getInstallerForegroundTimeFrames().numMaps()); doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, @@ -502,7 +502,7 @@ public final class BackgroundInstallControlServiceTest { 0, mBackgroundInstallControlService.getInstallerForegroundTimeFrames().numMaps()); doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, @@ -540,7 +540,7 @@ public final class BackgroundInstallControlServiceTest { 0, mBackgroundInstallControlService.getInstallerForegroundTimeFrames().numMaps()); doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( Event.ACTIVITY_STOPPED, USER_ID_1, INSTALLER_NAME_1, USAGE_EVENT_TIMESTAMP_1); mTestLooper.dispatchAll(); @@ -624,7 +624,7 @@ public final class BackgroundInstallControlServiceTest { // mBackgroundInstallControlService.getBackgroundInstalledPackages() doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, @@ -673,7 +673,7 @@ public final class BackgroundInstallControlServiceTest { // mBackgroundInstallControlService.getBackgroundInstalledPackages() doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, @@ -727,7 +727,7 @@ public final class BackgroundInstallControlServiceTest { // mBackgroundInstallControlService.getBackgroundInstalledPackages() doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_2, @@ -782,7 +782,7 @@ public final class BackgroundInstallControlServiceTest { // install getBackgroundInstalledPackages() is expected to return null doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, @@ -835,7 +835,7 @@ public final class BackgroundInstallControlServiceTest { // install getBackgroundInstalledPackages() is expected to return null doReturn(PERMISSION_GRANTED) .when(mPermissionManager) - .checkPermission(anyString(), anyString(), anyInt(), anyInt()); + .checkPermission(anyString(), anyString(), anyString(), anyInt()); generateUsageEvent( UsageEvents.Event.ACTIVITY_RESUMED, USER_ID_1, diff --git a/services/tests/uiservicestests/src/com/android/server/notification/PermissionHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/PermissionHelperTest.java index 3034942953a1..2f52d5c48b6b 100644 --- a/services/tests/uiservicestests/src/com/android/server/notification/PermissionHelperTest.java +++ b/services/tests/uiservicestests/src/com/android/server/notification/PermissionHelperTest.java @@ -36,6 +36,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import android.Manifest; +import android.companion.virtual.VirtualDeviceManager; import android.content.Context; import android.content.pm.ApplicationInfo; import android.content.pm.IPackageManager; @@ -246,9 +247,11 @@ public class PermissionHelperTest extends UiServiceTestCase { mPermissionHelper.setNotificationPermission("pkg", 10, true, true); verify(mPermManager).grantRuntimePermission( - "pkg", Manifest.permission.POST_NOTIFICATIONS, Context.DEVICE_ID_DEFAULT, 10); + "pkg", Manifest.permission.POST_NOTIFICATIONS, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); verify(mPermManager).updatePermissionFlags("pkg", Manifest.permission.POST_NOTIFICATIONS, - USER_FLAG_MASK, FLAG_PERMISSION_USER_SET, true, Context.DEVICE_ID_DEFAULT, 10); + USER_FLAG_MASK, FLAG_PERMISSION_USER_SET, true, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); } @Test @@ -258,15 +261,17 @@ public class PermissionHelperTest extends UiServiceTestCase { .thenReturn(PERMISSION_DENIED); when(mPermManager.getPermissionFlags(anyString(), eq(Manifest.permission.POST_NOTIFICATIONS), - anyInt(), anyInt())).thenReturn(FLAG_PERMISSION_GRANTED_BY_DEFAULT); + anyString(), anyInt())).thenReturn(FLAG_PERMISSION_GRANTED_BY_DEFAULT); PermissionHelper.PackagePermission pkgPerm = new PermissionHelper.PackagePermission( "pkg", 10, true, false); mPermissionHelper.setNotificationPermission(pkgPerm); verify(mPermManager).grantRuntimePermission( - "pkg", Manifest.permission.POST_NOTIFICATIONS, Context.DEVICE_ID_DEFAULT, 10); + "pkg", Manifest.permission.POST_NOTIFICATIONS, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); verify(mPermManager).updatePermissionFlags("pkg", Manifest.permission.POST_NOTIFICATIONS, - USER_FLAG_MASK, FLAG_PERMISSION_USER_SET, true, Context.DEVICE_ID_DEFAULT, 10); + USER_FLAG_MASK, FLAG_PERMISSION_USER_SET, true, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); } @Test @@ -278,9 +283,10 @@ public class PermissionHelperTest extends UiServiceTestCase { verify(mPermManager).revokeRuntimePermission( eq("pkg"), eq(Manifest.permission.POST_NOTIFICATIONS), - eq(Context.DEVICE_ID_DEFAULT), eq(10), anyString()); + eq(VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT), eq(10), anyString()); verify(mPermManager).updatePermissionFlags("pkg", Manifest.permission.POST_NOTIFICATIONS, - USER_FLAG_MASK, FLAG_PERMISSION_USER_SET, true, Context.DEVICE_ID_DEFAULT, 10); + USER_FLAG_MASK, FLAG_PERMISSION_USER_SET, true, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); } @Test @@ -291,9 +297,10 @@ public class PermissionHelperTest extends UiServiceTestCase { mPermissionHelper.setNotificationPermission("pkg", 10, true, false); verify(mPermManager).grantRuntimePermission( - "pkg", Manifest.permission.POST_NOTIFICATIONS, Context.DEVICE_ID_DEFAULT, 10); + "pkg", Manifest.permission.POST_NOTIFICATIONS, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); verify(mPermManager).updatePermissionFlags("pkg", Manifest.permission.POST_NOTIFICATIONS, - USER_FLAG_MASK, 0, true, Context.DEVICE_ID_DEFAULT, 10); + USER_FLAG_MASK, 0, true, VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); } @Test @@ -305,35 +312,35 @@ public class PermissionHelperTest extends UiServiceTestCase { verify(mPermManager).revokeRuntimePermission( eq("pkg"), eq(Manifest.permission.POST_NOTIFICATIONS), - eq(Context.DEVICE_ID_DEFAULT), eq(10), anyString()); + eq(VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT), eq(10), anyString()); verify(mPermManager).updatePermissionFlags("pkg", Manifest.permission.POST_NOTIFICATIONS, - USER_FLAG_MASK, 0, true, Context.DEVICE_ID_DEFAULT, 10); + USER_FLAG_MASK, 0, true, VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); } @Test public void testSetNotificationPermission_SystemFixedPermNotSet() throws Exception { when(mPermManager.getPermissionFlags(anyString(), eq(Manifest.permission.POST_NOTIFICATIONS), - anyInt(), anyInt())).thenReturn(FLAG_PERMISSION_SYSTEM_FIXED); + anyString(), anyInt())).thenReturn(FLAG_PERMISSION_SYSTEM_FIXED); mPermissionHelper.setNotificationPermission("pkg", 10, false, true); verify(mPermManager, never()).revokeRuntimePermission( - anyString(), anyString(), anyInt(), anyInt(), anyString()); + anyString(), anyString(), anyString(), anyInt(), anyString()); verify(mPermManager, never()).updatePermissionFlags( - anyString(), anyString(), anyInt(), anyInt(), anyBoolean(), anyInt(), anyInt()); + anyString(), anyString(), anyInt(), anyInt(), anyBoolean(), anyString(), anyInt()); } @Test public void testSetNotificationPermission_PolicyFixedPermNotSet() throws Exception { when(mPermManager.getPermissionFlags(anyString(), eq(Manifest.permission.POST_NOTIFICATIONS), - anyInt(), anyInt())).thenReturn(FLAG_PERMISSION_POLICY_FIXED); + anyString(), anyInt())).thenReturn(FLAG_PERMISSION_POLICY_FIXED); mPermissionHelper.setNotificationPermission("pkg", 10, false, true); verify(mPermManager, never()).revokeRuntimePermission( - anyString(), anyString(), anyInt(), anyInt(), anyString()); + anyString(), anyString(), anyString(), anyInt(), anyString()); verify(mPermManager, never()).updatePermissionFlags( - anyString(), anyString(), anyInt(), anyInt(), anyBoolean(), anyInt(), anyInt()); + anyString(), anyString(), anyInt(), anyInt(), anyBoolean(), anyString(), anyInt()); } @Test @@ -343,7 +350,8 @@ public class PermissionHelperTest extends UiServiceTestCase { mPermissionHelper.setNotificationPermission("pkg", 10, true, false); verify(mPermManager, never()).grantRuntimePermission( - "pkg", Manifest.permission.POST_NOTIFICATIONS, Context.DEVICE_ID_DEFAULT, 10); + "pkg", Manifest.permission.POST_NOTIFICATIONS, + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, 10); } @Test @@ -354,7 +362,7 @@ public class PermissionHelperTest extends UiServiceTestCase { verify(mPermManager, never()).revokeRuntimePermission( eq("pkg"), eq(Manifest.permission.POST_NOTIFICATIONS), - eq(Context.DEVICE_ID_DEFAULT), eq(10), anyString()); + eq(VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT), eq(10), anyString()); } @Test @@ -365,7 +373,7 @@ public class PermissionHelperTest extends UiServiceTestCase { when(mPackageManager.getPackageUid(anyString(), anyInt(), anyInt())) .thenReturn(testUid); PackageInfo testPkgInfo = new PackageInfo(); - testPkgInfo.requestedPermissions = new String[]{ Manifest.permission.RECORD_AUDIO }; + testPkgInfo.requestedPermissions = new String[]{Manifest.permission.RECORD_AUDIO}; when(mPackageManager.getPackageInfo(anyString(), anyLong(), anyInt())) .thenReturn(testPkgInfo); mPermissionHelper.setNotificationPermission("pkg", 10, false, false); @@ -374,26 +382,26 @@ public class PermissionHelperTest extends UiServiceTestCase { eq(Manifest.permission.POST_NOTIFICATIONS), eq(-1), eq(testUid)); verify(mPermManager, never()).revokeRuntimePermission( eq("pkg"), eq(Manifest.permission.POST_NOTIFICATIONS), - eq(Context.DEVICE_ID_DEFAULT), eq(10), anyString()); + eq(VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT), eq(10), anyString()); } @Test public void testIsPermissionFixed() throws Exception { when(mPermManager.getPermissionFlags(anyString(), eq(Manifest.permission.POST_NOTIFICATIONS), - anyInt(), anyInt())).thenReturn(FLAG_PERMISSION_USER_SET); + anyString(), anyInt())).thenReturn(FLAG_PERMISSION_USER_SET); assertThat(mPermissionHelper.isPermissionFixed("pkg", 0)).isFalse(); when(mPermManager.getPermissionFlags(anyString(), - eq(Manifest.permission.POST_NOTIFICATIONS), anyInt(), - anyInt())).thenReturn(FLAG_PERMISSION_USER_SET|FLAG_PERMISSION_POLICY_FIXED); + eq(Manifest.permission.POST_NOTIFICATIONS), anyString(), + anyInt())).thenReturn(FLAG_PERMISSION_USER_SET | FLAG_PERMISSION_POLICY_FIXED); assertThat(mPermissionHelper.isPermissionFixed("pkg", 0)).isTrue(); when(mPermManager.getPermissionFlags(anyString(), eq(Manifest.permission.POST_NOTIFICATIONS), - anyInt(), anyInt())).thenReturn(FLAG_PERMISSION_SYSTEM_FIXED); + anyString(), anyInt())).thenReturn(FLAG_PERMISSION_SYSTEM_FIXED); assertThat(mPermissionHelper.isPermissionFixed("pkg", 0)).isTrue(); } @@ -435,19 +443,19 @@ public class PermissionHelperTest extends UiServiceTestCase { // 2 and 3 are user-set permissions when(mPermManager.getPermissionFlags("first", Manifest.permission.POST_NOTIFICATIONS, - Context.DEVICE_ID_DEFAULT, userId)) + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId)) .thenReturn(0); when(mPermManager.getPermissionFlags("second", Manifest.permission.POST_NOTIFICATIONS, - Context.DEVICE_ID_DEFAULT, userId)) + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId)) .thenReturn(FLAG_PERMISSION_USER_SET); when(mPermManager.getPermissionFlags("third", Manifest.permission.POST_NOTIFICATIONS, - Context.DEVICE_ID_DEFAULT, userId)) + VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT, userId)) .thenReturn(FLAG_PERMISSION_USER_SET); Map<Pair<Integer, String>, Pair<Boolean, Boolean>> expected = ImmutableMap.of(new Pair(1, "first"), new Pair(true, false), - new Pair(2, "second"), new Pair(true, true), - new Pair(3, "third"), new Pair(false, true)); + new Pair(2, "second"), new Pair(true, true), + new Pair(3, "third"), new Pair(false, true)); Map<Pair<Integer, String>, Pair<Boolean, Boolean>> actual = mPermissionHelper.getNotificationPermissionValues(userId); |