Replace unnecessary noteOp calls with checkOps

Use checkOp calls instead of noteOp in scenarios where - * No data is delivered after checking permissions for the given uid * The record of permission check is not required This is done to improve permission checks performance and decrease the load on AppOpsManager since noteOp calls take significantly more time than checkOps. BUG: 323574186 Test: build MP Flag: EXEMPT bugfix Change-Id: Ie954e71e98dec28e4b7cb2dcacb6af7540b397aa
author: Garvita Jain <garvitajain@google.com> 2025-03-06 07:28:28 +0000
committer: Garvita Jain <garvitajain@google.com> 2025-03-09 23:37:21 -0700
commit: 5d0faf116a4bea965d68c10cef44b79fb2867c9d (patch)
tree: e0a21223792f5a5cb492ba11e0a27c858fa179d2 /src
parent: b8adbe55ecc57942497bda3d1e45f1317f5b4869 (diff)
3 files changed, 16 insertions, 15 deletions
diff --git a/src/com/android/providers/media/LocalCallingIdentity.java b/src/com/android/providers/media/LocalCallingIdentity.java
index ef98544ec..b85cdc881 100644
--- a/src/com/android/providers/media/LocalCallingIdentity.java
+++ b/src/com/android/providers/media/LocalCallingIdentity.java
@@ -430,7 +430,7 @@ public class LocalCallingIdentity {
                         context, pid, uid, getPackageName(), attributionTag, forDataDelivery);
             case PERMISSION_IS_SYSTEM_GALLERY:
                 return checkWriteImagesOrVideoAppOps(
-                        context, uid, getPackageName(), attributionTag);
+                        context, uid, getPackageName(), attributionTag, forDataDelivery);
             case PERMISSION_INSTALL_PACKAGES:
                 return checkPermissionInstallPackages(
                         context, pid, uid, getPackageName(), attributionTag);
@@ -475,8 +475,7 @@ public class LocalCallingIdentity {
         // To address b/338519249, we will check for sdk version V+
         boolean targetSdkIsAtLeastV =
                 getTargetSdkVersion() >= Build.VERSION_CODES.VANILLA_ICE_CREAM;
-        return checkIsLegacyStorageGranted(context, uid, getPackageName(), attributionTag,
-                targetSdkIsAtLeastV);
+        return checkIsLegacyStorageGranted(context, uid, getPackageName(), targetSdkIsAtLeastV);
     }
 
     private volatile boolean shouldBypass;
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
index 399826d6c..8d9e886d5 100644
--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java
@@ -7783,7 +7783,8 @@ public class MediaProvider extends ContentProvider {
             String packageName = arg;
             int uid = extras.getInt(MediaStore.EXTRA_IS_SYSTEM_GALLERY_UID);
             boolean isSystemGallery = PermissionUtils.checkWriteImagesOrVideoAppOps(
-                    getContext(), uid, packageName, getContext().getAttributionTag());
+                    getContext(), uid, packageName, getContext().getAttributionTag(),
+                    /*forDataDelivery*/ false);
             Bundle res = new Bundle();
             res.putBoolean(MediaStore.EXTRA_IS_SYSTEM_GALLERY_RESPONSE, isSystemGallery);
             return res;
diff --git a/src/com/android/providers/media/util/PermissionUtils.java b/src/com/android/providers/media/util/PermissionUtils.java
index 3dcdc1150..97f14aebb 100644
--- a/src/com/android/providers/media/util/PermissionUtils.java
+++ b/src/com/android/providers/media/util/PermissionUtils.java
@@ -209,13 +209,13 @@ public class PermissionUtils {
     }
 
     public static boolean checkIsLegacyStorageGranted(@NonNull Context context, int uid,
-            String packageName, @Nullable String attributionTag, boolean isTargetSdkAtLeastV) {
+            String packageName, boolean isTargetSdkAtLeastV) {
         if (!isTargetSdkAtLeastV && context.getSystemService(AppOpsManager.class)
                 .unsafeCheckOp(OPSTR_LEGACY_STORAGE, uid, packageName) == MODE_ALLOWED) {
             return true;
         }
         // Check OPSTR_NO_ISOLATED_STORAGE app op.
-        return checkNoIsolatedStorageGranted(context, uid, packageName, attributionTag);
+        return checkNoIsolatedStorageGranted(context, uid, packageName);
     }
 
     public static boolean checkPermissionReadAudio(
@@ -385,13 +385,13 @@ public class PermissionUtils {
      * indicates the package is a system gallery.
      */
     public static boolean checkWriteImagesOrVideoAppOps(@NonNull Context context, int uid,
-            @NonNull String packageName, @Nullable String attributionTag) {
+            @NonNull String packageName, @Nullable String attributionTag, boolean forDataDelivery) {
         return checkAppOp(
                 context, OPSTR_WRITE_MEDIA_IMAGES, uid, packageName, attributionTag,
-                generateAppOpMessage(packageName, sOpDescription.get()))
+                generateAppOpMessage(packageName, sOpDescription.get()), forDataDelivery)
                 || checkAppOp(
                         context, OPSTR_WRITE_MEDIA_VIDEO, uid, packageName, attributionTag,
-                generateAppOpMessage(packageName, sOpDescription.get()));
+                generateAppOpMessage(packageName, sOpDescription.get()), forDataDelivery);
     }
 
     /**
@@ -401,7 +401,8 @@ public class PermissionUtils {
             int uid, @NonNull String[] sharedPackageNames, @Nullable String attributionTag) {
         for (String packageName : sharedPackageNames) {
             if (checkAppOp(context, OPSTR_REQUEST_INSTALL_PACKAGES, uid, packageName,
-                    attributionTag, generateAppOpMessage(packageName, sOpDescription.get()))) {
+                    attributionTag, generateAppOpMessage(packageName, sOpDescription.get()),
+                    /*forDataDelivery*/ false)) {
                 return true;
             }
         }
@@ -426,10 +427,9 @@ public class PermissionUtils {
 
     @VisibleForTesting
     static boolean checkNoIsolatedStorageGranted(@NonNull Context context, int uid,
-            @NonNull String packageName, @Nullable String attributionTag) {
+            @NonNull String packageName) {
         final AppOpsManager appOps = context.getSystemService(AppOpsManager.class);
-        int ret = appOps.noteOpNoThrow(OPSTR_NO_ISOLATED_STORAGE, uid, packageName, attributionTag,
-                generateAppOpMessage(packageName, "am instrument --no-isolated-storage"));
+        int ret = appOps.unsafeCheckOpNoThrow(OPSTR_NO_ISOLATED_STORAGE, uid, packageName);
         return ret == AppOpsManager.MODE_ALLOWED;
     }
 
@@ -466,9 +466,10 @@ public class PermissionUtils {
      */
     private static boolean checkAppOp(@NonNull Context context,
             @NonNull String op, int uid, @NonNull String packageName,
-            @Nullable String attributionTag, @Nullable String opMessage) {
+            @Nullable String attributionTag, @Nullable String opMessage, boolean forDataDelivery) {
         final AppOpsManager appOps = context.getSystemService(AppOpsManager.class);
-        final int mode = appOps.noteOpNoThrow(op, uid, packageName, attributionTag, opMessage);
+        final int mode = forDataDelivery ? appOps.noteOpNoThrow(op, uid, packageName,
+                attributionTag, opMessage) : appOps.unsafeCheckOpNoThrow(op, uid, packageName);
         switch (mode) {
             case AppOpsManager.MODE_ALLOWED:
                 return true;
author	Garvita Jain <garvitajain@google.com>	2025-03-06 07:28:28 +0000
committer	Garvita Jain <garvitajain@google.com>	2025-03-09 23:37:21 -0700
commit	5d0faf116a4bea965d68c10cef44b79fb2867c9d (patch)
tree	e0a21223792f5a5cb492ba11e0a27c858fa179d2 /src
parent	b8adbe55ecc57942497bda3d1e45f1317f5b4869 (diff)