From de7b0f6dd071617724e4ac3a1c1451d05054008f Mon Sep 17 00:00:00 2001 From: Evan Severson Date: Mon, 11 Jul 2022 13:28:39 -0700 Subject: DO NOT MERGE: Revert "Make CheckOp return allowed if any attr tag for a package is excluded" This reverts commit 25f1b6a1ac5c71ebafe4b9235829aa3a79d1dd21. Revert "Allow system server uid to bypass location restriction" This reverts commit 1dddfe1f703cab6e159fafad45f51e8bad207dba. Revert "Disallow privileged apps to bypass location restriction" This reverts commit 807f4cfc80728313d04f95343e5aea14691aceb0. Ice55cbe9524e6d3526210861ad9c431df7255d99 isn't ready in sc Bug: 231496105 Change-Id: I2a0bd4f2ae75ef300eaf77953baad4ebdae6e189 --- core/java/android/app/AppOpsManager.java | 23 +++++++----------- .../com/android/server/appop/AppOpsService.java | 28 +++++++--------------- 2 files changed, 18 insertions(+), 33 deletions(-) diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java index fc89e1395073..d932a29beca6 100644 --- a/core/java/android/app/AppOpsManager.java +++ b/core/java/android/app/AppOpsManager.java @@ -2463,8 +2463,8 @@ public class AppOpsManager { * restriction} for a certain app-op. */ private static RestrictionBypass[] sOpAllowSystemRestrictionBypass = new RestrictionBypass[] { - new RestrictionBypass(true, false, false), //COARSE_LOCATION - new RestrictionBypass(true, false, false), //FINE_LOCATION + new RestrictionBypass(true, false), //COARSE_LOCATION + new RestrictionBypass(true, false), //FINE_LOCATION null, //GPS null, //VIBRATE null, //READ_CONTACTS @@ -2473,7 +2473,7 @@ public class AppOpsManager { null, //WRITE_CALL_LOG null, //READ_CALENDAR null, //WRITE_CALENDAR - new RestrictionBypass(false, true, false), //WIFI_SCAN + new RestrictionBypass(true, false), //WIFI_SCAN null, //POST_NOTIFICATION null, //NEIGHBORING_CELLS null, //CALL_PHONE 
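Review bot: In the two-argument constructor the first boolean is `isPrivileged`, so `new RestrictionBypass(true, false)` on the COARSE_LOCATION and FINE_LOCATION rows lets any privileged package bypass a user restriction on location, where the removed three-argument rows granted that only to the system UID. The new literals look almost identical to the old ones, so the wider bypass is easy to miss when reading the table. The commit message suggests the stricter behaviour is only deferred (Bug: 231496105), so I would mark both rows, e.g. `// isPrivileged=true: privileged apps bypass location restrictions until 807f4cfc is relanded`. The WIFI_SCAN row here and the SYSTEM_ALERT_WINDOW, TOAST_WINDOW and BLUETOOTH_SCAN rows in the later table hunks keep `isPrivileged` set on both sides and need no such note.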
@@ -2487,10 +2487,10 @@ public class AppOpsManager { null, //READ_ICC_SMS null, //WRITE_ICC_SMS null, //WRITE_SETTINGS - new RestrictionBypass(false, true, false), //SYSTEM_ALERT_WINDOW + new RestrictionBypass(true, false), //SYSTEM_ALERT_WINDOW null, //ACCESS_NOTIFICATIONS null, //CAMERA - new RestrictionBypass(false, false, true), //RECORD_AUDIO + new RestrictionBypass(false, true), //RECORD_AUDIO null, //PLAY_AUDIO null, //READ_CLIPBOARD null, //WRITE_CLIPBOARD @@ -2508,7 +2508,7 @@ public class AppOpsManager { null, //MONITOR_HIGH_POWER_LOCATION null, //GET_USAGE_STATS null, //MUTE_MICROPHONE - new RestrictionBypass(false, true, false), //TOAST_WINDOW + new RestrictionBypass(true, false), //TOAST_WINDOW null, //PROJECT_MEDIA null, //ACTIVATE_VPN null, //WALLPAPER @@ -2540,7 +2540,7 @@ public class AppOpsManager { null, // ACCEPT_HANDOVER null, // MANAGE_IPSEC_HANDOVERS null, // START_FOREGROUND - new RestrictionBypass(false, true, false), // BLUETOOTH_SCAN + new RestrictionBypass(true, false), // BLUETOOTH_SCAN null, // USE_BIOMETRIC null, // ACTIVITY_RECOGNITION null, // SMS_FINANCIAL_TRANSACTIONS @@ -3105,9 +3105,6 @@ public class AppOpsManager { * @hide */ public static class RestrictionBypass { - /** Does the app need to be system uid to bypass the restriction */ - public boolean isSystemUid; - /** Does the app need to be privileged to bypass the restriction */ public boolean isPrivileged; 
@@ -3117,14 +3114,12 @@ public class AppOpsManager { */ public boolean isRecordAudioRestrictionExcept; - public RestrictionBypass(boolean isSystemUid, boolean isPrivileged, - boolean isRecordAudioRestrictionExcept) { - this.isSystemUid = isSystemUid; + public RestrictionBypass(boolean isPrivileged, boolean isRecordAudioRestrictionExcept) { this.isPrivileged = isPrivileged; this.isRecordAudioRestrictionExcept = isRecordAudioRestrictionExcept; } - public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(false, true, true); + public static RestrictionBypass UNRESTRICTED = new RestrictionBypass(true, true); } /** diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java index 3808e0c93a38..6d29c379d1b1 100644 --- a/services/core/java/com/android/server/appop/AppOpsService.java +++ b/services/core/java/com/android/server/appop/AppOpsService.java @@ -3242,7 +3242,7 @@ public class AppOpsService extends IAppOpsService.Stub { return AppOpsManager.MODE_IGNORED; } synchronized (this) { - if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, true)) { + if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) { return AppOpsManager.MODE_IGNORED; } code = AppOpsManager.opToSwitch(code); @@ -3459,7 +3459,7 @@ public class AppOpsService extends IAppOpsService.Stub { final int switchCode = AppOpsManager.opToSwitch(code); final UidState uidState = ops.uidState; - if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, false)) { + if (isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass)) { attributedOp.rejected(uidState.state, flags); scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags, AppOpsManager.MODE_IGNORED); 
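Review bot: `UNRESTRICTED` on the last added line of the `RestrictionBypass` hunk is `public static` but not `final`, and the `isPrivileged` and `isRecordAudioRestrictionExcept` fields the constructor assigns are public and non-final as far as this hunk and the previous one show. The shared bypass-everything instance can therefore be reassigned or altered by any code that can reach the class. For a value that decides whether a user restriction is skipped, I would declare it `public static final RestrictionBypass UNRESTRICTED = new RestrictionBypass(true, true);` and make the two fields `final`. The class body starts in the previous hunk, so writers of these fields may exist outside the visible lines.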
@@ -3973,8 +3973,7 @@ public class AppOpsService extends IAppOpsService.Stub { final Op op = getOpLocked(ops, code, uid, true); final AttributedOp attributedOp = op.getOrCreateAttribution(op, attributionTag); final UidState uidState = ops.uidState; - isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass, - false); + isRestricted = isOpRestrictedLocked(uid, code, packageName, attributionTag, pvr.bypass); final int switchCode = AppOpsManager.opToSwitch(code); // If there is a non-default per UID policy (we set UID op mode only if // non-default) it takes over, otherwise use the per package policy. @@ -4503,9 +4502,8 @@ public class AppOpsService extends IAppOpsService.Stub { * @return The restriction matching the package */ private RestrictionBypass getBypassforPackage(@NonNull AndroidPackage pkg) { - return new RestrictionBypass(pkg.getUid() == Process.SYSTEM_UID, pkg.isPrivileged(), - mContext.checkPermission(android.Manifest.permission - .EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid()) + return new RestrictionBypass(pkg.isPrivileged(), mContext.checkPermission( + android.Manifest.permission.EXEMPT_FROM_AUDIO_RECORD_RESTRICTIONS, -1, pkg.getUid()) == PackageManager.PERMISSION_GRANTED); } @@ -4765,7 +4763,7 @@ public class AppOpsService extends IAppOpsService.Stub { } private boolean isOpRestrictedLocked(int uid, int code, String packageName, - String attributionTag, @Nullable RestrictionBypass appBypass, boolean isCheckOp) { + String attributionTag, @Nullable RestrictionBypass appBypass) { int restrictionSetCount = mOpGlobalRestrictions.size(); for (int i = 0; i < restrictionSetCount; i++) { 
@@ -4782,15 +4780,11 @@ public class AppOpsService extends IAppOpsService.Stub { // For each client, check that the given op is not restricted, or that the given // package is exempt from the restriction. ClientUserRestrictionState restrictionState = mOpUserRestrictions.valueAt(i); - if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle, - isCheckOp)) { + if (restrictionState.hasRestriction(code, packageName, attributionTag, userHandle)) { RestrictionBypass opBypass = opAllowSystemBypassRestriction(code); if (opBypass != null) { // If we are the system, bypass user restrictions for certain codes synchronized (this) { - if (opBypass.isSystemUid && appBypass != null && appBypass.isSystemUid) { - return false; - } if (opBypass.isPrivileged && appBypass != null && appBypass.isPrivileged) { return false; } @@ -7143,7 +7137,7 @@ public class AppOpsService extends IAppOpsService.Stub { } public boolean hasRestriction(int restriction, String packageName, String attributionTag, - int userId, boolean isCheckOp) { + int userId) { if (perUserRestrictions == null) { return false; } @@ -7162,9 +7156,6 @@ public class AppOpsService extends IAppOpsService.Stub { return true; } - if (isCheckOp) { - return !perUserExclusions.includes(packageName); - } return !perUserExclusions.contains(packageName, attributionTag); } @@ -7331,8 +7322,7 @@ public class AppOpsService extends IAppOpsService.Stub { int numRestrictions = mOpUserRestrictions.size(); for (int i = 0; i < numRestrictions; i++) { if (mOpUserRestrictions.valueAt(i) - .hasRestriction(code, pkg, attributionTag, user.getIdentifier(), - false)) { + .hasRestriction(code, pkg, attributionTag, user.getIdentifier())) { number++; } } -- cgit v1.2.3-59-g8ed1b
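Review bot: The context comment `// If we are the system, bypass user restrictions for certain codes` no longer matches the code once the `isSystemUid` branch is removed. The first remaining test returns `false` for any package with `appBypass.isPrivileged`, not only for the system. I would reword it to `// Privileged packages bypass user restrictions for ops that allow it`. The `synchronized (this)` block continues past the end of the hunk, so further bypass conditions may follow that the comment should also cover.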
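Review bot: With the `isCheckOp` branch gone, `hasRestriction` decides exclusions only through `perUserExclusions.contains(packageName, attributionTag)`, so every caller now matches on the exact attribution tag. A check made with a tag other than the excluded one would then presumably report the op as restricted even though the package has an exclusion; that is inferred from the removed `includes(packageName)` line and the reverted commit's title. A short comment above the return would record it, e.g. `// Exclusions match on (package, attributionTag); a different tag counts as restricted`. The method starts in the preceding hunk and only its tail is visible here.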