diff options
10 files changed, 32 insertions, 262 deletions
diff --git a/core/java/android/app/ActivityManager.java b/core/java/android/app/ActivityManager.java index a36b167004f8..17368b789645 100644 --- a/core/java/android/app/ActivityManager.java +++ b/core/java/android/app/ActivityManager.java @@ -64,7 +64,6 @@ import android.os.ServiceManager; import android.os.SystemProperties; import android.os.UserHandle; import android.os.WorkSource; -import android.permission.PermissionManager; import android.util.ArrayMap; import android.util.DisplayMetrics; import android.util.Singleton; @@ -3739,7 +3738,6 @@ public class ActivityManager { } // Isolated processes don't get any permissions. if (UserHandle.isIsolated(uid)) { - PermissionManager.addPermissionDenialHint("uid " + uid + " is isolated"); return PackageManager.PERMISSION_DENIED; } // If there is a uid that owns whatever is being accessed, it has @@ -3755,26 +3753,24 @@ public class ActivityManager { Slog.w(TAG, "Permission denied: checkComponentPermission() owningUid=" + owningUid, here); */ - PermissionManager.addPermissionDenialHint( - "Target is not exported. owningUid=" + owningUid); return PackageManager.PERMISSION_DENIED; } if (permission == null) { return PackageManager.PERMISSION_GRANTED; } - return checkUidPermission(permission, uid); + try { + return AppGlobals.getPackageManager() + .checkUidPermission(permission, uid); + } catch (RemoteException e) { + throw e.rethrowFromSystemServer(); + } } /** @hide */ public static int checkUidPermission(String permission, int uid) { try { - List<String> hints = PermissionManager.getPermissionDenialHints(); - if (hints == null) { - return AppGlobals.getPackageManager().checkUidPermission(permission, uid); - } else { - return AppGlobals.getPackageManager() - .checkUidPermissionWithDenialHintForwarding(permission, uid, hints); - } + return AppGlobals.getPackageManager() + .checkUidPermission(permission, uid); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } diff --git a/core/java/android/app/ContextImpl.java b/core/java/android/app/ContextImpl.java index 931e3553c2b6..41a4fba0434c 100644 --- a/core/java/android/app/ContextImpl.java +++ b/core/java/android/app/ContextImpl.java @@ -68,7 +68,6 @@ import android.os.Trace; import android.os.UserHandle; import android.os.UserManager; import android.os.storage.StorageManager; -import android.permission.PermissionManager; import android.system.ErrnoException; import android.system.Os; import android.system.OsConstants; @@ -99,7 +98,6 @@ import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.nio.ByteOrder; import java.util.ArrayList; -import java.util.List; import java.util.Objects; import java.util.concurrent.Executor; @@ -1830,17 +1828,11 @@ class ContextImpl extends Context { } Slog.w(TAG, "Missing ActivityManager; assuming " + uid + " does not hold " + permission); - PermissionManager.addPermissionDenialHint("Missing ActivityManager"); return PackageManager.PERMISSION_DENIED; } try { - List<String> hints = PermissionManager.getPermissionDenialHints(); - if (hints == null) { - return am.checkPermission(permission, pid, uid); - } else { - return am.checkPermissionWithDenialHintForwarding(permission, pid, uid, hints); - } + return am.checkPermission(permission, pid, uid); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -1897,61 +1889,43 @@ class ContextImpl extends Context { String permission, int resultOfCheck, boolean selfToo, int uid, String message) { if (resultOfCheck != PackageManager.PERMISSION_GRANTED) { - List<String> hints = PermissionManager.getPermissionDenialHints(); throw new SecurityException( (message != null ? (message + ": ") : "") + (selfToo ? "Neither user " + uid + " nor current process has " - : "uid " + uid + " does not have ") - + permission + "." - + (hints == null ? "" : " Hints: " + hints)); + : "uid " + uid + " does not have ") + + permission + + "."); } } @Override public void enforcePermission( String permission, int pid, int uid, String message) { - List<String> prev = PermissionManager.collectPermissionDenialHints(this, uid); - try { - enforce(permission, - checkPermission(permission, pid, uid), - false, - uid, - message); - } finally { - PermissionManager.resetPermissionDenialHints(prev); - } + enforce(permission, + checkPermission(permission, pid, uid), + false, + uid, + message); } @Override public void enforceCallingPermission(String permission, String message) { - List<String> prev = PermissionManager.collectPermissionDenialHints(this, - Binder.getCallingUid()); - try { - enforce(permission, - checkCallingPermission(permission), - false, - Binder.getCallingUid(), - message); - } finally { - PermissionManager.resetPermissionDenialHints(prev); - } + enforce(permission, + checkCallingPermission(permission), + false, + Binder.getCallingUid(), + message); } @Override public void enforceCallingOrSelfPermission( String permission, String message) { - List<String> prev = PermissionManager.collectPermissionDenialHints(this, - Binder.getCallingUid()); - try { - enforce(permission, - checkCallingOrSelfPermission(permission), - true, - Binder.getCallingUid(), - message); - } finally { - PermissionManager.resetPermissionDenialHints(prev); - } + enforce(permission, + checkCallingOrSelfPermission(permission), + true, + Binder.getCallingUid(), + message); } @Override diff --git a/core/java/android/app/IActivityManager.aidl b/core/java/android/app/IActivityManager.aidl index f82536f65ddb..48ca71690a1b 100644 --- a/core/java/android/app/IActivityManager.aidl +++ b/core/java/android/app/IActivityManager.aidl @@ -194,7 +194,6 @@ interface IActivityManager { int getProcessLimit(); @UnsupportedAppUsage int checkPermission(in String permission, int pid, int uid); - int checkPermissionWithDenialHintForwarding(in String permission, int pid, int uid, inout List<String> permissionDenialHints); int checkUriPermission(in Uri uri, int pid, int uid, int mode, int userId, in IBinder callerToken); void grantUriPermission(in IApplicationThread caller, in String targetPkg, in Uri uri, diff --git a/core/java/android/content/pm/IPackageManager.aidl b/core/java/android/content/pm/IPackageManager.aidl index 225eec13d6eb..6ab4657d727d 100644 --- a/core/java/android/content/pm/IPackageManager.aidl +++ b/core/java/android/content/pm/IPackageManager.aidl @@ -108,7 +108,6 @@ interface IPackageManager { @UnsupportedAppUsage int checkPermission(String permName, String pkgName, int userId); - int checkUidPermissionWithDenialHintForwarding(String permName, int uid, inout List<String> permissionDenialHints); int checkUidPermission(String permName, int uid); @UnsupportedAppUsage diff --git a/core/java/android/permission/PermissionManager.java b/core/java/android/permission/PermissionManager.java index 55bb3fe1817c..2a41c2065c46 100644 --- a/core/java/android/permission/PermissionManager.java +++ b/core/java/android/permission/PermissionManager.java @@ -19,22 +19,15 @@ package android.permission; import android.Manifest; import android.annotation.IntRange; import android.annotation.NonNull; -import android.annotation.Nullable; import android.annotation.RequiresPermission; import android.annotation.SystemApi; import android.annotation.SystemService; import android.annotation.TestApi; -import android.content.ContentResolver; import android.content.Context; import android.content.pm.IPackageManager; -import android.content.pm.PackageManager; -import android.os.Build; import android.os.RemoteException; -import android.provider.Settings; -import android.util.Log; import com.android.internal.annotations.Immutable; -import com.android.internal.util.ArrayUtils; import com.android.server.SystemConfig; import java.util.ArrayList; @@ -49,8 +42,6 @@ import java.util.Objects; @SystemApi @SystemService(Context.PERMISSION_SERVICE) public final class PermissionManager { - private static final String LOG_TAG = PermissionManager.class.getSimpleName(); - /** * {@link android.content.pm.PackageParser} needs access without having a {@link Context}. * @@ -63,119 +54,6 @@ public final class PermissionManager { private final IPackageManager mPackageManager; - /** Permission denials added via {@link addPermissionDenial} */ - private static final ThreadLocal<List<String>> sPermissionDenialHints = new ThreadLocal<>(); - - /** - * Report a hint that might explain why a permission check returned - * {@link PackageManager#PERMISSION_DENIED}. - * - * <p>Hints are only collected if enabled via {@link collectPermissionDenialHints} or - * when a non-null value was passed to {@link resetPermissionDenialHints} - * - * @param hint A description of the reason - * - * @hide - */ - public static void addPermissionDenialHint(@NonNull String hint) { - List<String> hints = sPermissionDenialHints.get(); - if (hints == null) { - return; - } - - hints.add(hint); - } - - /** - * @return hints added via {@link #addPermissionDenialHint(String)} on this thread before. - * - * @hide - */ - public static @Nullable List<String> getPermissionDenialHints() { - if (Build.IS_USER) { - return null; - } - - return sPermissionDenialHints.get(); - } - - /** - * Reset the permission denial hints for this thread. - * - * @param initial The initial values. If not null, enabled collection on this thread. - * - * @return the previously collected hints - * - * @hide - */ - public static @Nullable List<String> resetPermissionDenialHints( - @Nullable List<String> initial) { - List<String> prev = getPermissionDenialHints(); - if (initial == null) { - sPermissionDenialHints.remove(); - } else { - sPermissionDenialHints.set(initial); - } - return prev; - } - - /** - * Enable permission denial hint collection if package is in - * {@link Settings.Secure.DEBUG_PACKAGE_PERMISSION_CHECK} - * - * @param context A context to use - * @param uid The uid the permission check is for. - * - * @return the previously collected hints - * - * @hide - */ - public static @Nullable List<String> collectPermissionDenialHints(@NonNull Context context, - int uid) { - List<String> prev = getPermissionDenialHints(); - - if (Build.IS_USER) { - return prev; - } - - ContentResolver cr = context.getContentResolver(); - if (cr == null) { - return prev; - } - - String debugSetting; - try { - debugSetting = Settings.Secure.getString(cr, - Settings.Secure.DEBUG_PACKAGE_PERMISSION_CHECK); - } catch (IllegalStateException e) { - Log.e(LOG_TAG, "Cannot access settings", e); - return prev; - } - if (debugSetting == null) { - return prev; - } - String[] debugPkgs = debugSetting.split(","); - - PackageManager pm = context.getPackageManager(); - if (pm == null) { - return prev; - } - - String[] packages = pm.getPackagesForUid(uid); - if (packages == null) { - return prev; - } - - for (String pkg : packages) { - if (ArrayUtils.contains(debugPkgs, pkg)) { - sPermissionDenialHints.set(new ArrayList<>(0)); - break; - } - } - - return prev; - } - /** * Creates a new instance. * diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java index dbc62f4a12fa..7c5a1fb5f787 100644 --- a/core/java/android/provider/Settings.java +++ b/core/java/android/provider/Settings.java @@ -5786,16 +5786,6 @@ public final class Settings { public static final String ANDROID_ID = "android_id"; /** - * Comma separated list packages to enable collection of permission denial hints for. - * - * @hide - * - * @see android.permission.PermissionManager#collectPermissionDenialHints(Context, int) - */ - public static final String DEBUG_PACKAGE_PERMISSION_CHECK = - "debug_package_permission_check"; - - /** * @deprecated Use {@link android.provider.Settings.Global#BLUETOOTH_ON} instead */ @Deprecated diff --git a/core/tests/coretests/src/android/provider/SettingsBackupTest.java b/core/tests/coretests/src/android/provider/SettingsBackupTest.java index a71460270252..e76754582fe9 100644 --- a/core/tests/coretests/src/android/provider/SettingsBackupTest.java +++ b/core/tests/coretests/src/android/provider/SettingsBackupTest.java @@ -622,7 +622,6 @@ public class SettingsBackupTest { Settings.Secure.COMPLETED_CATEGORY_PREFIX, Settings.Secure.CONNECTIVITY_RELEASE_PENDING_INTENT_DELAY_MS, Settings.Secure.CONTENT_CAPTURE_ENABLED, - Settings.Secure.DEBUG_PACKAGE_PERMISSION_CHECK, Settings.Secure.DEFAULT_INPUT_METHOD, Settings.Secure.DEVICE_PAIRED, Settings.Secure.DIALER_DEFAULT_APPLICATION, diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java index 46c8ce77d7cf..4d0d3d2dc578 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java @@ -272,7 +272,6 @@ import android.os.UserManager; import android.os.WorkSource; import android.os.storage.IStorageManager; import android.os.storage.StorageManager; -import android.permission.PermissionManager; import android.provider.DeviceConfig; import android.provider.Settings; import android.sysprop.VoldProperties; @@ -5737,17 +5736,6 @@ public class ActivityManagerService extends IActivityManager.Stub owningUid, exported); } - @Override - public int checkPermissionWithDenialHintForwarding(String permission, int pid, int uid, - List<String> permissionDenialHints) { - List<String> prev = PermissionManager.resetPermissionDenialHints(permissionDenialHints); - try { - return checkPermission(permission, pid, uid); - } finally { - PermissionManager.resetPermissionDenialHints(prev); - } - } - /** * As the only public entry point for permissions checking, this method * can enforce the semantic that requesting a check on a null global @@ -5760,7 +5748,6 @@ public class ActivityManagerService extends IActivityManager.Stub @Override public int checkPermission(String permission, int pid, int uid) { if (permission == null) { - PermissionManager.addPermissionDenialHint("Permission is null"); return PackageManager.PERMISSION_DENIED; } return checkComponentPermission(permission, pid, uid, -1, true); diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index 648522a61dbc..e935771aea63 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -240,7 +240,6 @@ import android.os.storage.StorageManager; import android.os.storage.StorageManagerInternal; import android.os.storage.VolumeInfo; import android.os.storage.VolumeRecord; -import android.permission.PermissionManager; import android.provider.DeviceConfig; import android.provider.MediaStore; import android.provider.Settings.Global; @@ -4331,19 +4330,13 @@ public class PackageManagerService extends IPackageManager.Stub @Nullable ComponentName component, @ComponentType int componentType, int userId) { // if we're in an isolated process, get the real calling UID if (Process.isIsolated(callingUid)) { - int newCallingUid = mIsolatedOwners.get(callingUid); - PermissionManager.addPermissionDenialHint( - "callingUid=" + callingUid + " is changed to " + newCallingUid - + " as process is isolated"); - callingUid = newCallingUid; + callingUid = mIsolatedOwners.get(callingUid); } final String instantAppPkgName = getInstantAppPackageName(callingUid); final boolean callerIsInstantApp = instantAppPkgName != null; if (ps == null) { if (callerIsInstantApp) { // pretend the application exists, but, needs to be filtered - PermissionManager.addPermissionDenialHint( - "No package setting but caller is instant app"); return true; } return false; @@ -4355,7 +4348,6 @@ public class PackageManagerService extends IPackageManager.Stub if (callerIsInstantApp) { // both caller and target are both instant, but, different applications, filter if (ps.getInstantApp(userId)) { - PermissionManager.addPermissionDenialHint("Apps are different instant apps"); return true; } // request for a specific component; if it hasn't been explicitly exposed through @@ -4367,23 +4359,10 @@ public class PackageManagerService extends IPackageManager.Stub && isCallerSameApp(instrumentation.info.targetPackage, callingUid)) { return false; } - if (!isComponentVisibleToInstantApp(component, componentType)) { - PermissionManager.addPermissionDenialHint( - "Component is not visible to instant app: " - + component.flattenToShortString()); - return true; - } else { - return false; - } + return !isComponentVisibleToInstantApp(component, componentType); } // request for application; if no components have been explicitly exposed, filter - if (!ps.pkg.visibleToInstantApps) { - PermissionManager.addPermissionDenialHint( - "Package is not visible to instant app: " + ps.pkg.packageName); - return true; - } else { - return false; - } + return !ps.pkg.visibleToInstantApps; } if (ps.getInstantApp(userId)) { // caller can see all components of all instant applications, don't filter @@ -4392,19 +4371,11 @@ public class PackageManagerService extends IPackageManager.Stub } // request for a specific instant application component, filter if (component != null) { - PermissionManager.addPermissionDenialHint( - "Component is not null: " + component.flattenToShortString()); return true; } // request for an instant application; if the caller hasn't been granted access, filter - if (!mInstantAppRegistry.isInstantAccessGranted( - userId, UserHandle.getAppId(callingUid), ps.appId)) { - PermissionManager.addPermissionDenialHint( - "Instant access is not granted: " + ps.appId); - return true; - } else { - return false; - } + return !mInstantAppRegistry.isInstantAccessGranted( + userId, UserHandle.getAppId(callingUid), ps.appId); } return false; } @@ -5649,17 +5620,6 @@ public class PackageManagerService extends IPackageManager.Stub } @Override - public int checkUidPermissionWithDenialHintForwarding(String permName, int uid, - List<String> permissionDenialHints) { - List<String> prev = PermissionManager.resetPermissionDenialHints(permissionDenialHints); - try { - return checkUidPermission(permName, uid); - } finally { - PermissionManager.resetPermissionDenialHints(prev); - } - } - - @Override public int checkUidPermission(String permName, int uid) { final CheckPermissionDelegate checkPermissionDelegate; synchronized (mPackages) { diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java index 448e595014bc..d45a8ef4e0ae 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java @@ -333,22 +333,15 @@ public class PermissionManagerService { mPackageManagerInt.getInstantAppPackageName(uid) != null; final int userId = UserHandle.getUserId(uid); if (!mUserManagerInt.exists(userId)) { - PermissionManager.addPermissionDenialHint("User does not exist. userId=" + userId); return PackageManager.PERMISSION_DENIED; } if (pkg != null) { if (pkg.mSharedUserId != null) { if (isCallerInstantApp) { - PermissionManager.addPermissionDenialHint( - "Caller is instant app. Pkg is shared. callingUid=" + callingUid - + " pkg=" + pkg.packageName); return PackageManager.PERMISSION_DENIED; } } else if (mPackageManagerInt.filterAppAccess(pkg, callingUid, callingUserId)) { - PermissionManager.addPermissionDenialHint( - "Access is filtered. pkg=" + pkg + " callingUid=" + callingUid - + " callingUserId=" + callingUserId); return PackageManager.PERMISSION_DENIED; } final PermissionsState permissionsState = @@ -358,8 +351,6 @@ public class PermissionManagerService { if (mSettings.isPermissionInstant(permName)) { return PackageManager.PERMISSION_GRANTED; } - PermissionManager.addPermissionDenialHint( - "Caller instant app, but perm is not instant"); } else { return PackageManager.PERMISSION_GRANTED; } @@ -367,7 +358,6 @@ public class PermissionManagerService { if (isImpliedPermissionGranted(permissionsState, permName, userId)) { return PackageManager.PERMISSION_GRANTED; } - PermissionManager.addPermissionDenialHint("Does not have permission " + permName); } else { ArraySet<String> perms = mSystemPermissions.get(uid); if (perms != null) { @@ -379,8 +369,6 @@ public class PermissionManagerService { return PackageManager.PERMISSION_GRANTED; } } - PermissionManager.addPermissionDenialHint( - "System permissions do not contain " + permName); } return PackageManager.PERMISSION_DENIED; } |