-rw-r--r--services/core/java/com/android/server/pm/PackageManagerService.java23
1 files changed, 19 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 32fe61656e2f..61e39bfa1bea 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -13025,6 +13025,23 @@ public class PackageManagerService extends IPackageManager.Stub
return allowed;
}
+ /**
+ * Determines whether a package is whitelisted for a particular privapp permission.
+ *
+ * <p>Does NOT check whether the package is a privapp, just whether it's whitelisted.
+ *
+ * <p>This handles parent/child apps.
+ */
+ private boolean hasPrivappWhitelistEntry(String perm, PackageParser.Package pkg) {
+ ArraySet<String> wlPermissions = SystemConfig.getInstance()
+ .getPrivAppPermissions(pkg.packageName);
+ // Let's check if this package is whitelisted...
+ boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm);
+ // If it's not, we'll also tail-recurse to the parent.
+ return whitelisted ||
+ pkg.parentPackage != null && hasPrivappWhitelistEntry(perm, pkg.parentPackage);
+ }
+
private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
BasePermission bp, PermissionsState origPermissions) {
boolean privilegedPermission = (bp.protectionLevel
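Review bot: The Javadoc on `hasPrivappWhitelistEntry` should state the security consequence of the parent lookup: a child package counts as whitelisted for every permission its parent is whitelisted for, so one privapp-permissions entry now covers the parent and all of its children. The caller in the next hunk evaluates `pkg.isPrivilegedApp()` on the package itself and only the whitelist lookup walks to `pkg.parentPackage`, so I would add `<p>A child package inherits its parent's whitelist entries; callers must check privilege separately.` The return expression relies on `&&` binding tighter than `||`; writing it as `return whitelisted || (pkg.parentPackage != null && hasPrivappWhitelistEntry(perm, pkg.parentPackage));` makes that explicit. The inline comment says "tail-recurse", but Java does not eliminate tail calls, so "recurse to the parent" is the accurate wording.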
@@ -13035,10 +13052,7 @@ public class PackageManagerService extends IPackageManager.Stub
boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName);
if (!privappPermissionsDisable && privilegedPermission && pkg.isPrivilegedApp()
&& !platformPackage && platformPermission) {
- ArraySet<String> wlPermissions = SystemConfig.getInstance()
- .getPrivAppPermissions(pkg.packageName);
- boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm);
- if (!whitelisted) {
+ if (!hasPrivappWhitelistEntry(perm, pkg)) {
Slog.w(TAG, "Privileged permission " + perm + " for package "
+ pkg.packageName + " - not in privapp-permissions whitelist");
// Only report violations for apps on system image
@@ -13080,6 +13094,7 @@ public class PackageManagerService extends IPackageManager.Stub
// now get the new permission if the ancestral apk is
// privileged to get it.
if (sysPs != null && sysPs.pkg != null && sysPs.isPrivileged()) {
+ // TODO(gboyer): This is the same as isPackageRequestingPermission().
for (int j = 0; j < sysPs.pkg.requestedPermissions.size(); j++) {
if (perm.equals(sysPs.pkg.requestedPermissions.get(j))) {
allowed = true;