1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.pm.permission; 18 19 import static android.os.Process.FIRST_APPLICATION_UID; 20 21 import android.Manifest; 22 import android.annotation.NonNull; 23 import android.annotation.Nullable; 24 import android.annotation.UserIdInt; 25 import android.app.ActivityManager; 26 import android.app.DownloadManager; 27 import android.app.SearchManager; 28 import android.app.admin.DevicePolicyManager; 29 import android.companion.CompanionDeviceManager; 30 import android.content.Context; 31 import android.content.Intent; 32 import android.content.pm.ApplicationInfo; 33 import android.content.pm.PackageInfo; 34 import android.content.pm.PackageManager; 35 import android.content.pm.PackageManager.NameNotFoundException; 36 import android.content.pm.PackageManagerInternal; 37 import android.content.pm.PermissionInfo; 38 import android.content.pm.ProviderInfo; 39 import android.content.pm.ResolveInfo; 40 import android.media.RingtoneManager; 41 import android.media.midi.MidiManager; 42 import android.net.Uri; 43 import android.os.Build; 44 import android.os.Environment; 45 import android.os.Handler; 46 import android.os.HandlerThread; 47 import android.os.Message; 48 import android.os.Process; 49 import android.os.UserHandle; 50 import android.os.storage.StorageManager; 51 import android.permission.PermissionManager; 52 import android.print.PrintManager; 53 import android.provider.CalendarContract; 54 import android.provider.ContactsContract; 55 import android.provider.MediaStore; 56 import android.provider.Telephony.Sms.Intents; 57 import android.security.Credentials; 58 import android.speech.RecognitionService; 59 import android.telephony.TelephonyManager; 60 import android.util.ArrayMap; 61 import android.util.ArraySet; 62 import android.util.Log; 63 import android.util.Slog; 64 import android.util.SparseArray; 65 import android.util.Xml; 66 67 import com.android.internal.R; 68 import com.android.internal.util.ArrayUtils; 69 import com.android.internal.util.XmlUtils; 70 import com.android.modules.utils.TypedXmlPullParser; 71 import com.android.server.LocalServices; 72 import com.android.server.ServiceThread; 73 import com.android.server.pm.KnownPackages; 74 import com.android.server.pm.permission.LegacyPermissionManagerInternal.PackagesProvider; 75 import com.android.server.pm.permission.LegacyPermissionManagerInternal.SyncAdapterPackagesProvider; 76 77 import org.xmlpull.v1.XmlPullParser; 78 import org.xmlpull.v1.XmlPullParserException; 79 80 import java.io.File; 81 import java.io.FileInputStream; 82 import java.io.IOException; 83 import java.io.InputStream; 84 import java.util.ArrayList; 85 import java.util.Arrays; 86 import java.util.Collections; 87 import java.util.List; 88 import java.util.Map; 89 import java.util.Objects; 90 import java.util.Set; 91 92 /** 93 * This class is the policy for granting runtime permissions to 94 * platform components and default handlers in the system such 95 * that the device is usable out-of-the-box. For example, the 96 * shell UID is a part of the system and the Phone app should 97 * have phone related permission by default. 98 * <p> 99 * NOTE: This class is at the wrong abstraction level. It is a part of the package manager 100 * service but knows about lots of higher level subsystems. The correct way to do this is 101 * to have an interface defined in the package manager but have the impl next to other 102 * policy stuff like PhoneWindowManager 103 */ 104 final class DefaultPermissionGrantPolicy { 105 private static final String TAG = "DefaultPermGrantPolicy"; // must be <= 23 chars 106 private static final boolean DEBUG = false; 107 108 @PackageManager.ResolveInfoFlagsBits 109 private static final int DEFAULT_INTENT_QUERY_FLAGS = 110 PackageManager.MATCH_DIRECT_BOOT_AWARE | PackageManager.MATCH_DIRECT_BOOT_UNAWARE 111 | PackageManager.MATCH_UNINSTALLED_PACKAGES; 112 113 @PackageManager.PackageInfoFlagsBits 114 private static final int DEFAULT_PACKAGE_INFO_QUERY_FLAGS = 115 PackageManager.MATCH_UNINSTALLED_PACKAGES 116 | PackageManager.MATCH_DISABLED_UNTIL_USED_COMPONENTS 117 | PackageManager.MATCH_HIDDEN_UNTIL_INSTALLED_COMPONENTS 118 | PackageManager.GET_PERMISSIONS; 119 120 private static final String AUDIO_MIME_TYPE = "audio/mpeg"; 121 122 private static final String TAG_EXCEPTIONS = "exceptions"; 123 private static final String TAG_EXCEPTION = "exception"; 124 private static final String TAG_PERMISSION = "permission"; 125 private static final String ATTR_PACKAGE = "package"; 126 private static final String ATTR_NAME = "name"; 127 private static final String ATTR_FIXED = "fixed"; 128 private static final String ATTR_WHITELISTED = "whitelisted"; 129 130 private static final Set<String> PHONE_PERMISSIONS = new ArraySet<>(); 131 132 133 static { 134 PHONE_PERMISSIONS.add(Manifest.permission.READ_PHONE_STATE); 135 PHONE_PERMISSIONS.add(Manifest.permission.CALL_PHONE); 136 PHONE_PERMISSIONS.add(Manifest.permission.READ_CALL_LOG); 137 PHONE_PERMISSIONS.add(Manifest.permission.WRITE_CALL_LOG); 138 PHONE_PERMISSIONS.add(Manifest.permission.ADD_VOICEMAIL); 139 PHONE_PERMISSIONS.add(Manifest.permission.USE_SIP); 140 PHONE_PERMISSIONS.add(Manifest.permission.PROCESS_OUTGOING_CALLS); 141 } 142 143 private static final Set<String> CONTACTS_PERMISSIONS = new ArraySet<>(); 144 static { 145 CONTACTS_PERMISSIONS.add(Manifest.permission.READ_CONTACTS); 146 CONTACTS_PERMISSIONS.add(Manifest.permission.WRITE_CONTACTS); 147 CONTACTS_PERMISSIONS.add(Manifest.permission.GET_ACCOUNTS); 148 } 149 150 private static final Set<String> ALWAYS_LOCATION_PERMISSIONS = new ArraySet<>(); 151 static { 152 ALWAYS_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_FINE_LOCATION); 153 ALWAYS_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_COARSE_LOCATION); 154 ALWAYS_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_BACKGROUND_LOCATION); 155 } 156 157 private static final Set<String> FOREGROUND_LOCATION_PERMISSIONS = new ArraySet<>(); 158 static { 159 FOREGROUND_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_FINE_LOCATION); 160 FOREGROUND_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_COARSE_LOCATION); 161 } 162 163 private static final Set<String> COARSE_BACKGROUND_LOCATION_PERMISSIONS = new ArraySet<>(); 164 static { 165 COARSE_BACKGROUND_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_COARSE_LOCATION); 166 COARSE_BACKGROUND_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_BACKGROUND_LOCATION); 167 } 168 169 private static final Set<String> FINE_LOCATION_PERMISSIONS = new ArraySet<>(); 170 static { 171 FINE_LOCATION_PERMISSIONS.add(Manifest.permission.ACCESS_FINE_LOCATION); 172 } 173 174 private static final Set<String> ACTIVITY_RECOGNITION_PERMISSIONS = new ArraySet<>(); 175 static { 176 ACTIVITY_RECOGNITION_PERMISSIONS.add(Manifest.permission.ACTIVITY_RECOGNITION); 177 } 178 179 private static final Set<String> CALENDAR_PERMISSIONS = new ArraySet<>(); 180 static { 181 CALENDAR_PERMISSIONS.add(Manifest.permission.READ_CALENDAR); 182 CALENDAR_PERMISSIONS.add(Manifest.permission.WRITE_CALENDAR); 183 } 184 185 private static final Set<String> SMS_PERMISSIONS = new ArraySet<>(); 186 static { 187 SMS_PERMISSIONS.add(Manifest.permission.SEND_SMS); 188 SMS_PERMISSIONS.add(Manifest.permission.RECEIVE_SMS); 189 SMS_PERMISSIONS.add(Manifest.permission.READ_SMS); 190 SMS_PERMISSIONS.add(Manifest.permission.RECEIVE_WAP_PUSH); 191 SMS_PERMISSIONS.add(Manifest.permission.RECEIVE_MMS); 192 SMS_PERMISSIONS.add(Manifest.permission.READ_CELL_BROADCASTS); 193 } 194 195 private static final Set<String> MICROPHONE_PERMISSIONS = new ArraySet<>(); 196 static { 197 MICROPHONE_PERMISSIONS.add(Manifest.permission.RECORD_AUDIO); 198 } 199 200 private static final Set<String> CAMERA_PERMISSIONS = new ArraySet<>(); 201 static { 202 CAMERA_PERMISSIONS.add(Manifest.permission.CAMERA); 203 } 204 205 private static final Set<String> SENSORS_PERMISSIONS = new ArraySet<>(); 206 static { 207 SENSORS_PERMISSIONS.add(Manifest.permission.BODY_SENSORS); 208 SENSORS_PERMISSIONS.add(Manifest.permission.BODY_SENSORS_BACKGROUND); 209 } 210 211 private static final Set<String> STORAGE_PERMISSIONS = new ArraySet<>(); 212 static { 213 STORAGE_PERMISSIONS.add(Manifest.permission.READ_EXTERNAL_STORAGE); 214 STORAGE_PERMISSIONS.add(Manifest.permission.WRITE_EXTERNAL_STORAGE); 215 STORAGE_PERMISSIONS.add(Manifest.permission.ACCESS_MEDIA_LOCATION); 216 STORAGE_PERMISSIONS.add(Manifest.permission.READ_MEDIA_AUDIO); 217 STORAGE_PERMISSIONS.add(Manifest.permission.READ_MEDIA_VIDEO); 218 STORAGE_PERMISSIONS.add(Manifest.permission.READ_MEDIA_IMAGES); 219 STORAGE_PERMISSIONS.add(Manifest.permission.READ_MEDIA_VISUAL_USER_SELECTED); 220 } 221 222 private static final Set<String> NEARBY_DEVICES_PERMISSIONS = new ArraySet<>(); 223 static { 224 NEARBY_DEVICES_PERMISSIONS.add(Manifest.permission.BLUETOOTH_ADVERTISE); 225 NEARBY_DEVICES_PERMISSIONS.add(Manifest.permission.BLUETOOTH_CONNECT); 226 NEARBY_DEVICES_PERMISSIONS.add(Manifest.permission.BLUETOOTH_SCAN); 227 NEARBY_DEVICES_PERMISSIONS.add(Manifest.permission.UWB_RANGING); 228 NEARBY_DEVICES_PERMISSIONS.add(Manifest.permission.NEARBY_WIFI_DEVICES); 229 } 230 231 private static final Set<String> NOTIFICATION_PERMISSIONS = new ArraySet<>(); 232 static { 233 NOTIFICATION_PERMISSIONS.add(Manifest.permission.POST_NOTIFICATIONS); 234 } 235 236 private static final int MSG_READ_DEFAULT_PERMISSION_EXCEPTIONS = 1; 237 238 private static final String ACTION_TRACK = "com.android.fitness.TRACK"; 239 240 private final Handler mHandler; 241 242 private PackagesProvider mLocationPackagesProvider; 243 private PackagesProvider mLocationExtraPackagesProvider; 244 private PackagesProvider mVoiceInteractionPackagesProvider; 245 private PackagesProvider mSmsAppPackagesProvider; 246 private PackagesProvider mDialerAppPackagesProvider; 247 private PackagesProvider mSimCallManagerPackagesProvider; 248 private PackagesProvider mUseOpenWifiAppPackagesProvider; 249 private SyncAdapterPackagesProvider mSyncAdapterPackagesProvider; 250 251 private ArrayMap<String, List<DefaultPermissionGrant>> mGrantExceptions; 252 private final Context mContext; 253 private final Object mLock = new Object(); 254 private final PackageManagerInternal mServiceInternal; 255 256 /** Directly interact with the PackageManger */ 257 private final PackageManagerWrapper NO_PM_CACHE = new PackageManagerWrapper() { 258 @Override 259 public int getPermissionFlags(@NonNull String permission, @NonNull PackageInfo pkg, 260 @NonNull UserHandle user) { 261 return mContext.getPackageManager().getPermissionFlags(permission, pkg.packageName, 262 user); 263 } 264 265 @Override 266 public void updatePermissionFlags(@NonNull String permission, @NonNull PackageInfo pkg, 267 int flagMask, int flagValues, @NonNull UserHandle user) { 268 mContext.getPackageManager().updatePermissionFlags(permission, pkg.packageName, 269 flagMask, flagValues, user); 270 } 271 272 @Override 273 public void grantPermission(@NonNull String permission, @NonNull PackageInfo pkg, 274 @NonNull UserHandle user) { 275 mContext.getPackageManager().grantRuntimePermission(pkg.packageName, permission, 276 user); 277 } 278 279 @Override 280 public void revokePermission(@NonNull String permission, @NonNull PackageInfo pkg, 281 @NonNull UserHandle user) { 282 mContext.getPackageManager().revokeRuntimePermission(pkg.packageName, permission, 283 user); 284 } 285 286 @Override 287 public boolean isGranted(@NonNull String permission, @NonNull PackageInfo pkg, 288 @NonNull UserHandle user) { 289 return mContext.createContextAsUser(user, 0).getPackageManager().checkPermission( 290 permission, pkg.packageName) == PackageManager.PERMISSION_GRANTED; 291 } 292 293 @Override 294 public @Nullable PermissionInfo getPermissionInfo(@NonNull String permissionName) { 295 if (permissionName == null) { 296 return null; 297 } 298 299 try { 300 return mContext.getPackageManager().getPermissionInfo(permissionName, 0); 301 } catch (NameNotFoundException e) { 302 Slog.w(TAG, "Permission not found: " + permissionName); 303 return null; 304 } 305 } 306 307 @Override 308 public @Nullable PackageInfo getPackageInfo(@NonNull String pkg) { 309 if (pkg == null) { 310 return null; 311 } 312 313 try { 314 return mContext.getPackageManager().getPackageInfo(pkg, 315 DEFAULT_PACKAGE_INFO_QUERY_FLAGS); 316 } catch (NameNotFoundException e) { 317 Slog.e(TAG, "Package not found: " + pkg); 318 return null; 319 } 320 } 321 }; 322 DefaultPermissionGrantPolicy(@onNull Context context)323 DefaultPermissionGrantPolicy(@NonNull Context context) { 324 mContext = context; 325 HandlerThread handlerThread = new ServiceThread(TAG, 326 Process.THREAD_PRIORITY_BACKGROUND, true /*allowIo*/); 327 handlerThread.start(); 328 mHandler = new Handler(handlerThread.getLooper()) { 329 @Override 330 public void handleMessage(Message msg) { 331 if (msg.what == MSG_READ_DEFAULT_PERMISSION_EXCEPTIONS) { 332 synchronized (mLock) { 333 if (mGrantExceptions == null) { 334 mGrantExceptions = readDefaultPermissionExceptionsLocked(NO_PM_CACHE); 335 } 336 } 337 } 338 } 339 }; 340 mServiceInternal = LocalServices.getService(PackageManagerInternal.class); 341 } 342 setLocationPackagesProvider(PackagesProvider provider)343 public void setLocationPackagesProvider(PackagesProvider provider) { 344 synchronized (mLock) { 345 mLocationPackagesProvider = provider; 346 } 347 } 348 349 /** Sets the provider for loction extra packages. */ setLocationExtraPackagesProvider(PackagesProvider provider)350 public void setLocationExtraPackagesProvider(PackagesProvider provider) { 351 synchronized (mLock) { 352 mLocationExtraPackagesProvider = provider; 353 } 354 } 355 setVoiceInteractionPackagesProvider(PackagesProvider provider)356 public void setVoiceInteractionPackagesProvider(PackagesProvider provider) { 357 synchronized (mLock) { 358 mVoiceInteractionPackagesProvider = provider; 359 } 360 } 361 setSmsAppPackagesProvider(PackagesProvider provider)362 public void setSmsAppPackagesProvider(PackagesProvider provider) { 363 synchronized (mLock) { 364 mSmsAppPackagesProvider = provider; 365 } 366 } 367 setDialerAppPackagesProvider(PackagesProvider provider)368 public void setDialerAppPackagesProvider(PackagesProvider provider) { 369 synchronized (mLock) { 370 mDialerAppPackagesProvider = provider; 371 } 372 } 373 setSimCallManagerPackagesProvider(PackagesProvider provider)374 public void setSimCallManagerPackagesProvider(PackagesProvider provider) { 375 synchronized (mLock) { 376 mSimCallManagerPackagesProvider = provider; 377 } 378 } 379 setUseOpenWifiAppPackagesProvider(PackagesProvider provider)380 public void setUseOpenWifiAppPackagesProvider(PackagesProvider provider) { 381 synchronized (mLock) { 382 mUseOpenWifiAppPackagesProvider = provider; 383 } 384 } 385 setSyncAdapterPackagesProvider(SyncAdapterPackagesProvider provider)386 public void setSyncAdapterPackagesProvider(SyncAdapterPackagesProvider provider) { 387 synchronized (mLock) { 388 mSyncAdapterPackagesProvider = provider; 389 } 390 } 391 grantDefaultPermissions(int userId)392 public void grantDefaultPermissions(int userId) { 393 DelayingPackageManagerCache pm = new DelayingPackageManagerCache(); 394 395 grantPermissionsToSysComponentsAndPrivApps(pm, userId); 396 grantDefaultSystemHandlerPermissions(pm, userId); 397 grantSignatureAppsNotificationPermissions(pm, userId); 398 grantDefaultPermissionExceptions(pm, userId); 399 400 // Apply delayed state 401 pm.apply(); 402 } 403 grantSignatureAppsNotificationPermissions(PackageManagerWrapper pm, int userId)404 private void grantSignatureAppsNotificationPermissions(PackageManagerWrapper pm, int userId) { 405 Log.i(TAG, "Granting Notification permissions to platform signature apps for user " 406 + userId); 407 List<PackageInfo> packages = mContext.getPackageManager().getInstalledPackagesAsUser( 408 DEFAULT_PACKAGE_INFO_QUERY_FLAGS, UserHandle.USER_SYSTEM); 409 for (PackageInfo pkg : packages) { 410 if (pkg == null || !pkg.applicationInfo.isSystemApp() 411 || !pkg.applicationInfo.isSignedWithPlatformKey()) { 412 continue; 413 } 414 grantRuntimePermissionsForSystemPackage(pm, userId, pkg, NOTIFICATION_PERMISSIONS); 415 } 416 417 } 418 grantRuntimePermissionsForSystemPackage(PackageManagerWrapper pm, int userId, PackageInfo pkg)419 private void grantRuntimePermissionsForSystemPackage(PackageManagerWrapper pm, 420 int userId, PackageInfo pkg) { 421 grantRuntimePermissionsForSystemPackage(pm, userId, pkg, null); 422 } 423 grantRuntimePermissionsForSystemPackage(PackageManagerWrapper pm, int userId, PackageInfo pkg, Set<String> filterPermissions)424 private void grantRuntimePermissionsForSystemPackage(PackageManagerWrapper pm, 425 int userId, PackageInfo pkg, Set<String> filterPermissions) { 426 if (ArrayUtils.isEmpty(pkg.requestedPermissions)) { 427 return; 428 } 429 Set<String> permissions = new ArraySet<>(); 430 for (String permission : pkg.requestedPermissions) { 431 final PermissionInfo perm = pm.getPermissionInfo(permission); 432 if (perm == null 433 || (filterPermissions != null && !filterPermissions.contains(permission))) { 434 continue; 435 } 436 if (perm.isRuntime()) { 437 permissions.add(permission); 438 } 439 } 440 if (!permissions.isEmpty()) { 441 grantRuntimePermissions(pm, pkg, permissions, true /*systemFixed*/, userId); 442 } 443 } 444 scheduleReadDefaultPermissionExceptions()445 public void scheduleReadDefaultPermissionExceptions() { 446 mHandler.sendEmptyMessage(MSG_READ_DEFAULT_PERMISSION_EXCEPTIONS); 447 } 448 grantPermissionsToSysComponentsAndPrivApps(DelayingPackageManagerCache pm, int userId)449 private void grantPermissionsToSysComponentsAndPrivApps(DelayingPackageManagerCache pm, 450 int userId) { 451 Log.i(TAG, "Granting permissions to platform components for user " + userId); 452 List<PackageInfo> packages = mContext.getPackageManager().getInstalledPackagesAsUser( 453 DEFAULT_PACKAGE_INFO_QUERY_FLAGS, UserHandle.USER_SYSTEM); 454 for (PackageInfo pkg : packages) { 455 if (pkg == null) { 456 continue; 457 } 458 459 // Package info is already loaded, cache it 460 pm.addPackageInfo(pkg.packageName, pkg); 461 462 if (!pm.isSysComponentOrPersistentPlatformSignedPrivApp(pkg) 463 || !doesPackageSupportRuntimePermissions(pkg) 464 || ArrayUtils.isEmpty(pkg.requestedPermissions)) { 465 continue; 466 } 467 grantRuntimePermissionsForSystemPackage(pm, userId, pkg); 468 } 469 470 // Re-grant READ_PHONE_STATE as non-fixed to all system apps that have 471 // READ_PRIVILEGED_PHONE_STATE and READ_PHONE_STATE granted -- this is to undo the fixed 472 // grant from R. 473 for (PackageInfo pkg : packages) { 474 if (pkg == null 475 || !doesPackageSupportRuntimePermissions(pkg) 476 || ArrayUtils.isEmpty(pkg.requestedPermissions) 477 || !pm.isGranted(Manifest.permission.READ_PRIVILEGED_PHONE_STATE, 478 pkg, UserHandle.of(userId)) 479 || !pm.isGranted(Manifest.permission.READ_PHONE_STATE, pkg, 480 UserHandle.of(userId)) 481 || pm.isSysComponentOrPersistentPlatformSignedPrivApp(pkg)) { 482 continue; 483 } 484 485 pm.updatePermissionFlags(Manifest.permission.READ_PHONE_STATE, pkg, 486 PackageManager.FLAG_PERMISSION_SYSTEM_FIXED, 487 0, 488 UserHandle.of(userId)); 489 } 490 491 } 492 493 @SafeVarargs grantIgnoringSystemPackage(PackageManagerWrapper pm, String packageName, int userId, Set<String>... permissionGroups)494 private final void grantIgnoringSystemPackage(PackageManagerWrapper pm, String packageName, 495 int userId, Set<String>... permissionGroups) { 496 grantPermissionsToPackage(pm, packageName, userId, true /* ignoreSystemPackage */, 497 true /*whitelistRestrictedPermissions*/, permissionGroups); 498 } 499 500 @SafeVarargs grantSystemFixedPermissionsToSystemPackage(PackageManagerWrapper pm, String packageName, int userId, Set<String>... permissionGroups)501 private final void grantSystemFixedPermissionsToSystemPackage(PackageManagerWrapper pm, 502 String packageName, int userId, Set<String>... permissionGroups) { 503 grantPermissionsToSystemPackage(pm, packageName, userId, true /* systemFixed */, 504 permissionGroups); 505 } 506 507 @SafeVarargs grantPermissionsToSystemPackage(PackageManagerWrapper pm, String packageName, int userId, Set<String>... permissionGroups)508 private final void grantPermissionsToSystemPackage(PackageManagerWrapper pm, 509 String packageName, int userId, Set<String>... permissionGroups) { 510 grantPermissionsToSystemPackage(pm, packageName, userId, false /* systemFixed */, 511 permissionGroups); 512 } 513 514 @SafeVarargs grantPermissionsToSystemPackage(PackageManagerWrapper pm, String packageName, int userId, boolean systemFixed, Set<String>... permissionGroups)515 private final void grantPermissionsToSystemPackage(PackageManagerWrapper pm, String packageName, 516 int userId, boolean systemFixed, Set<String>... permissionGroups) { 517 if (!pm.isSystemPackage(packageName)) { 518 return; 519 } 520 grantPermissionsToPackage(pm, pm.getSystemPackageInfo(packageName), 521 userId, systemFixed, false /* ignoreSystemPackage */, 522 true /*whitelistRestrictedPermissions*/, permissionGroups); 523 } 524 525 @SafeVarargs grantPermissionsToPackage(PackageManagerWrapper pm, String packageName, int userId, boolean ignoreSystemPackage, boolean whitelistRestrictedPermissions, Set<String>... permissionGroups)526 private final void grantPermissionsToPackage(PackageManagerWrapper pm, String packageName, 527 int userId, boolean ignoreSystemPackage, boolean whitelistRestrictedPermissions, 528 Set<String>... permissionGroups) { 529 grantPermissionsToPackage(pm, pm.getPackageInfo(packageName), 530 userId, false /* systemFixed */, ignoreSystemPackage, 531 whitelistRestrictedPermissions, permissionGroups); 532 } 533 534 @SafeVarargs grantPermissionsToPackage(PackageManagerWrapper pm, PackageInfo packageInfo, int userId, boolean systemFixed, boolean ignoreSystemPackage, boolean whitelistRestrictedPermissions, Set<String>... permissionGroups)535 private final void grantPermissionsToPackage(PackageManagerWrapper pm, PackageInfo packageInfo, 536 int userId, boolean systemFixed, boolean ignoreSystemPackage, 537 boolean whitelistRestrictedPermissions, Set<String>... permissionGroups) { 538 if (packageInfo == null) { 539 return; 540 } 541 if (doesPackageSupportRuntimePermissions(packageInfo)) { 542 for (Set<String> permissionGroup : permissionGroups) { 543 grantRuntimePermissions(pm, packageInfo, permissionGroup, systemFixed, 544 ignoreSystemPackage, whitelistRestrictedPermissions, userId); 545 } 546 } 547 } 548 grantDefaultSystemHandlerPermissions(PackageManagerWrapper pm, int userId)549 private void grantDefaultSystemHandlerPermissions(PackageManagerWrapper pm, int userId) { 550 Log.i(TAG, "Granting permissions to default platform handlers for user " + userId); 551 552 final PackagesProvider locationPackagesProvider; 553 final PackagesProvider locationExtraPackagesProvider; 554 final PackagesProvider voiceInteractionPackagesProvider; 555 final PackagesProvider smsAppPackagesProvider; 556 final PackagesProvider dialerAppPackagesProvider; 557 final PackagesProvider simCallManagerPackagesProvider; 558 final PackagesProvider useOpenWifiAppPackagesProvider; 559 final SyncAdapterPackagesProvider syncAdapterPackagesProvider; 560 561 synchronized (mLock) { 562 locationPackagesProvider = mLocationPackagesProvider; 563 locationExtraPackagesProvider = mLocationExtraPackagesProvider; 564 voiceInteractionPackagesProvider = mVoiceInteractionPackagesProvider; 565 smsAppPackagesProvider = mSmsAppPackagesProvider; 566 dialerAppPackagesProvider = mDialerAppPackagesProvider; 567 simCallManagerPackagesProvider = mSimCallManagerPackagesProvider; 568 useOpenWifiAppPackagesProvider = mUseOpenWifiAppPackagesProvider; 569 syncAdapterPackagesProvider = mSyncAdapterPackagesProvider; 570 } 571 572 String[] voiceInteractPackageNames = (voiceInteractionPackagesProvider != null) 573 ? voiceInteractionPackagesProvider.getPackages(userId) : null; 574 String[] locationPackageNames = (locationPackagesProvider != null) 575 ? locationPackagesProvider.getPackages(userId) : null; 576 String[] locationExtraPackageNames = (locationExtraPackagesProvider != null) 577 ? locationExtraPackagesProvider.getPackages(userId) : null; 578 String[] smsAppPackageNames = (smsAppPackagesProvider != null) 579 ? smsAppPackagesProvider.getPackages(userId) : null; 580 String[] dialerAppPackageNames = (dialerAppPackagesProvider != null) 581 ? dialerAppPackagesProvider.getPackages(userId) : null; 582 String[] simCallManagerPackageNames = (simCallManagerPackagesProvider != null) 583 ? simCallManagerPackagesProvider.getPackages(userId) : null; 584 String[] useOpenWifiAppPackageNames = (useOpenWifiAppPackagesProvider != null) 585 ? useOpenWifiAppPackagesProvider.getPackages(userId) : null; 586 String[] contactsSyncAdapterPackages = (syncAdapterPackagesProvider != null) ? 587 syncAdapterPackagesProvider.getPackages(ContactsContract.AUTHORITY, userId) : null; 588 String[] calendarSyncAdapterPackages = (syncAdapterPackagesProvider != null) ? 589 syncAdapterPackagesProvider.getPackages(CalendarContract.AUTHORITY, userId) : null; 590 591 // PermissionController 592 grantSystemFixedPermissionsToSystemPackage(pm, 593 mContext.getPackageManager().getPermissionControllerPackageName(), userId, 594 NOTIFICATION_PERMISSIONS); 595 596 // Installer 597 grantSystemFixedPermissionsToSystemPackage(pm, 598 ArrayUtils.firstOrNull(getKnownPackages( 599 KnownPackages.PACKAGE_INSTALLER, userId)), 600 userId, STORAGE_PERMISSIONS, NOTIFICATION_PERMISSIONS); 601 602 // Verifier 603 final String verifier = ArrayUtils.firstOrNull(getKnownPackages( 604 KnownPackages.PACKAGE_VERIFIER, userId)); 605 grantSystemFixedPermissionsToSystemPackage(pm, verifier, userId, STORAGE_PERMISSIONS); 606 grantPermissionsToSystemPackage(pm, verifier, userId, PHONE_PERMISSIONS, SMS_PERMISSIONS, 607 NOTIFICATION_PERMISSIONS); 608 609 // SetupWizard 610 final String setupWizardPackage = ArrayUtils.firstOrNull(getKnownPackages( 611 KnownPackages.PACKAGE_SETUP_WIZARD, userId)); 612 grantPermissionsToSystemPackage(pm, setupWizardPackage, userId, PHONE_PERMISSIONS, 613 CONTACTS_PERMISSIONS, ALWAYS_LOCATION_PERMISSIONS, CAMERA_PERMISSIONS, 614 NEARBY_DEVICES_PERMISSIONS); 615 grantSystemFixedPermissionsToSystemPackage(pm, setupWizardPackage, userId, 616 NOTIFICATION_PERMISSIONS); 617 618 // SearchSelector 619 grantPermissionsToSystemPackage(pm, getDefaultSearchSelectorPackage(), userId, 620 NOTIFICATION_PERMISSIONS); 621 622 // Captive Portal Login 623 grantPermissionsToSystemPackage(pm, getDefaultCaptivePortalLoginPackage(), userId, 624 NOTIFICATION_PERMISSIONS); 625 626 // Dock Manager 627 grantPermissionsToSystemPackage(pm, getDefaultDockManagerPackage(), userId, 628 NOTIFICATION_PERMISSIONS); 629 630 // Camera 631 grantPermissionsToSystemPackage(pm, 632 getDefaultSystemHandlerActivityPackage(pm, MediaStore.ACTION_IMAGE_CAPTURE, userId), 633 userId, CAMERA_PERMISSIONS, MICROPHONE_PERMISSIONS, STORAGE_PERMISSIONS); 634 635 // Sound recorder 636 grantPermissionsToSystemPackage(pm, 637 getDefaultSystemHandlerActivityPackage(pm, 638 MediaStore.Audio.Media.RECORD_SOUND_ACTION, userId), 639 userId, MICROPHONE_PERMISSIONS); 640 641 // Media provider 642 grantSystemFixedPermissionsToSystemPackage(pm, 643 getDefaultProviderAuthorityPackage(MediaStore.AUTHORITY, userId), userId, 644 STORAGE_PERMISSIONS, NOTIFICATION_PERMISSIONS); 645 646 // Downloads provider 647 grantSystemFixedPermissionsToSystemPackage(pm, 648 getDefaultProviderAuthorityPackage("downloads", userId), userId, 649 STORAGE_PERMISSIONS, NOTIFICATION_PERMISSIONS); 650 651 // Downloads UI 652 grantSystemFixedPermissionsToSystemPackage(pm, 653 getDefaultSystemHandlerActivityPackage(pm, 654 DownloadManager.ACTION_VIEW_DOWNLOADS, userId), 655 userId, STORAGE_PERMISSIONS); 656 657 // Storage provider 658 grantSystemFixedPermissionsToSystemPackage(pm, 659 getDefaultProviderAuthorityPackage("com.android.externalstorage.documents", userId), 660 userId, STORAGE_PERMISSIONS); 661 662 // CertInstaller 663 grantSystemFixedPermissionsToSystemPackage(pm, 664 getDefaultSystemHandlerActivityPackage(pm, Credentials.INSTALL_ACTION, userId), 665 userId, STORAGE_PERMISSIONS); 666 667 // Dialer 668 if (dialerAppPackageNames == null) { 669 String dialerPackage = 670 getDefaultSystemHandlerActivityPackage(pm, Intent.ACTION_DIAL, userId); 671 grantDefaultPermissionsToDefaultSystemDialerApp(pm, dialerPackage, userId); 672 } else { 673 for (String dialerAppPackageName : dialerAppPackageNames) { 674 grantDefaultPermissionsToDefaultSystemDialerApp(pm, dialerAppPackageName, userId); 675 } 676 } 677 678 // Sim call manager 679 if (simCallManagerPackageNames != null) { 680 for (String simCallManagerPackageName : simCallManagerPackageNames) { 681 grantDefaultPermissionsToDefaultSystemSimCallManager(pm, 682 simCallManagerPackageName, userId); 683 } 684 } 685 686 // Use Open Wifi 687 if (useOpenWifiAppPackageNames != null) { 688 for (String useOpenWifiPackageName : useOpenWifiAppPackageNames) { 689 grantDefaultPermissionsToDefaultSystemUseOpenWifiApp(pm, 690 useOpenWifiPackageName, userId); 691 } 692 } 693 694 // SMS 695 if (smsAppPackageNames == null) { 696 String smsPackage = getDefaultSystemHandlerActivityPackageForCategory(pm, 697 Intent.CATEGORY_APP_MESSAGING, userId); 698 grantDefaultPermissionsToDefaultSystemSmsApp(pm, smsPackage, userId); 699 } else { 700 for (String smsPackage : smsAppPackageNames) { 701 grantDefaultPermissionsToDefaultSystemSmsApp(pm, smsPackage, userId); 702 } 703 } 704 705 // Cell Broadcast Receiver 706 grantSystemFixedPermissionsToSystemPackage(pm, 707 getDefaultSystemHandlerActivityPackage(pm, Intents.SMS_CB_RECEIVED_ACTION, userId), 708 userId, SMS_PERMISSIONS, NEARBY_DEVICES_PERMISSIONS, NOTIFICATION_PERMISSIONS); 709 710 // Carrier Provisioning Service 711 grantPermissionsToSystemPackage(pm, 712 getDefaultSystemHandlerServicePackage(pm, Intents.SMS_CARRIER_PROVISION_ACTION, 713 userId), 714 userId, SMS_PERMISSIONS); 715 716 // Calendar 717 grantPermissionsToSystemPackage(pm, 718 getDefaultSystemHandlerActivityPackageForCategory(pm, 719 Intent.CATEGORY_APP_CALENDAR, userId), 720 userId, CALENDAR_PERMISSIONS, CONTACTS_PERMISSIONS, NOTIFICATION_PERMISSIONS); 721 722 // Calendar provider 723 String calendarProvider = 724 getDefaultProviderAuthorityPackage(CalendarContract.AUTHORITY, userId); 725 grantPermissionsToSystemPackage(pm, calendarProvider, userId, 726 CONTACTS_PERMISSIONS, STORAGE_PERMISSIONS); 727 grantSystemFixedPermissionsToSystemPackage(pm, calendarProvider, userId, 728 CALENDAR_PERMISSIONS); 729 730 // Calendar provider sync adapters 731 if (calendarSyncAdapterPackages != null) { 732 grantPermissionToEachSystemPackage(pm, 733 getHeadlessSyncAdapterPackages(pm, calendarSyncAdapterPackages, userId), 734 userId, CALENDAR_PERMISSIONS); 735 } 736 737 // Contacts 738 grantPermissionsToSystemPackage(pm, 739 getDefaultSystemHandlerActivityPackageForCategory(pm, 740 Intent.CATEGORY_APP_CONTACTS, userId), 741 userId, CONTACTS_PERMISSIONS, PHONE_PERMISSIONS); 742 743 // Contacts provider sync adapters 744 if (contactsSyncAdapterPackages != null) { 745 grantPermissionToEachSystemPackage(pm, 746 getHeadlessSyncAdapterPackages(pm, contactsSyncAdapterPackages, userId), 747 userId, CONTACTS_PERMISSIONS); 748 } 749 750 // Contacts provider 751 String contactsProviderPackage = 752 getDefaultProviderAuthorityPackage(ContactsContract.AUTHORITY, userId); 753 grantSystemFixedPermissionsToSystemPackage(pm, contactsProviderPackage, userId, 754 CONTACTS_PERMISSIONS, PHONE_PERMISSIONS); 755 grantPermissionsToSystemPackage(pm, contactsProviderPackage, userId, STORAGE_PERMISSIONS); 756 757 // Device provisioning 758 grantPermissionsToSystemPackage(pm, 759 getDefaultSystemHandlerActivityPackage(pm, 760 DevicePolicyManager.ACTION_PROVISION_MANAGED_DEVICE, userId), 761 userId, CONTACTS_PERMISSIONS, NOTIFICATION_PERMISSIONS); 762 763 // Maps 764 if (mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE, 0)) { 765 grantPermissionsToSystemPackage(pm, 766 getDefaultSystemHandlerActivityPackageForCategory(pm, 767 Intent.CATEGORY_APP_MAPS, userId), 768 userId, FOREGROUND_LOCATION_PERMISSIONS); 769 } 770 771 // Email 772 grantPermissionsToSystemPackage(pm, 773 getDefaultSystemHandlerActivityPackageForCategory(pm, 774 Intent.CATEGORY_APP_EMAIL, userId), 775 userId, CONTACTS_PERMISSIONS, CALENDAR_PERMISSIONS); 776 777 // Browser 778 String browserPackage = ArrayUtils.firstOrNull(getKnownPackages( 779 KnownPackages.PACKAGE_BROWSER, userId)); 780 if (browserPackage == null) { 781 browserPackage = getDefaultSystemHandlerActivityPackageForCategory(pm, 782 Intent.CATEGORY_APP_BROWSER, userId); 783 if (!pm.isSystemPackage(browserPackage)) { 784 browserPackage = null; 785 } 786 } 787 grantPermissionsToPackage(pm, browserPackage, userId, false /* ignoreSystemPackage */, 788 true /*whitelistRestrictedPermissions*/, FOREGROUND_LOCATION_PERMISSIONS); 789 790 // Voice interaction 791 if (voiceInteractPackageNames != null) { 792 for (String voiceInteractPackageName : voiceInteractPackageNames) { 793 grantPermissionsToSystemPackage(pm, voiceInteractPackageName, userId, 794 CONTACTS_PERMISSIONS, CALENDAR_PERMISSIONS, MICROPHONE_PERMISSIONS, 795 PHONE_PERMISSIONS, SMS_PERMISSIONS, COARSE_BACKGROUND_LOCATION_PERMISSIONS, 796 NEARBY_DEVICES_PERMISSIONS, NOTIFICATION_PERMISSIONS); 797 revokeRuntimePermissions(pm, voiceInteractPackageName, FINE_LOCATION_PERMISSIONS, 798 false, userId); 799 } 800 } 801 802 if (ActivityManager.isLowRamDeviceStatic()) { 803 // Allow voice search on low-ram devices 804 grantPermissionsToSystemPackage(pm, 805 getDefaultSystemHandlerActivityPackage(pm, 806 SearchManager.INTENT_ACTION_GLOBAL_SEARCH, userId), 807 userId, MICROPHONE_PERMISSIONS, ALWAYS_LOCATION_PERMISSIONS, 808 NOTIFICATION_PERMISSIONS); 809 } 810 811 // Voice recognition 812 Intent voiceRecoIntent = new Intent(RecognitionService.SERVICE_INTERFACE) 813 .addCategory(Intent.CATEGORY_DEFAULT); 814 grantPermissionsToSystemPackage(pm, 815 getDefaultSystemHandlerServicePackage(pm, voiceRecoIntent, userId), userId, 816 MICROPHONE_PERMISSIONS); 817 818 // Location 819 if (locationPackageNames != null) { 820 for (String packageName : locationPackageNames) { 821 grantPermissionsToSystemPackage(pm, packageName, userId, 822 CONTACTS_PERMISSIONS, CALENDAR_PERMISSIONS, MICROPHONE_PERMISSIONS, 823 PHONE_PERMISSIONS, SMS_PERMISSIONS, CAMERA_PERMISSIONS, 824 SENSORS_PERMISSIONS, STORAGE_PERMISSIONS, NEARBY_DEVICES_PERMISSIONS, 825 NOTIFICATION_PERMISSIONS); 826 grantSystemFixedPermissionsToSystemPackage(pm, packageName, userId, 827 ALWAYS_LOCATION_PERMISSIONS, ACTIVITY_RECOGNITION_PERMISSIONS); 828 } 829 } 830 if (locationExtraPackageNames != null) { 831 // Also grant location and activity recognition permission to location extra packages. 832 for (String packageName : locationExtraPackageNames) { 833 grantPermissionsToSystemPackage(pm, packageName, userId, 834 ALWAYS_LOCATION_PERMISSIONS, NEARBY_DEVICES_PERMISSIONS); 835 grantSystemFixedPermissionsToSystemPackage(pm, packageName, userId, 836 ACTIVITY_RECOGNITION_PERMISSIONS); 837 } 838 } 839 840 // Music 841 Intent musicIntent = new Intent(Intent.ACTION_VIEW) 842 .addCategory(Intent.CATEGORY_DEFAULT) 843 .setDataAndType(Uri.fromFile(new File("foo.mp3")), AUDIO_MIME_TYPE); 844 grantPermissionsToSystemPackage(pm, 845 getDefaultSystemHandlerActivityPackage(pm, musicIntent, userId), userId, 846 STORAGE_PERMISSIONS); 847 848 // Home 849 Intent homeIntent = new Intent(Intent.ACTION_MAIN) 850 .addCategory(Intent.CATEGORY_HOME) 851 .addCategory(Intent.CATEGORY_LAUNCHER_APP); 852 grantPermissionsToSystemPackage(pm, 853 getDefaultSystemHandlerActivityPackage(pm, homeIntent, userId), userId, 854 ALWAYS_LOCATION_PERMISSIONS, NOTIFICATION_PERMISSIONS); 855 856 // Watches 857 if (mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH, 0)) { 858 // Home application on watches 859 860 String wearPackage = getDefaultSystemHandlerActivityPackageForCategory(pm, 861 Intent.CATEGORY_HOME_MAIN, userId); 862 grantPermissionsToSystemPackage(pm, wearPackage, userId, 863 CONTACTS_PERMISSIONS, MICROPHONE_PERMISSIONS, ALWAYS_LOCATION_PERMISSIONS); 864 grantSystemFixedPermissionsToSystemPackage(pm, wearPackage, userId, PHONE_PERMISSIONS, 865 ACTIVITY_RECOGNITION_PERMISSIONS); 866 867 // Fitness tracking on watches 868 if (mContext.getResources().getBoolean(R.bool.config_trackerAppNeedsPermissions)) { 869 Log.d(TAG, "Wear: Skipping permission grant for Default fitness tracker app : " 870 + wearPackage); 871 } else { 872 grantPermissionsToSystemPackage(pm, 873 getDefaultSystemHandlerActivityPackage(pm, ACTION_TRACK, userId), userId, 874 SENSORS_PERMISSIONS); 875 } 876 } 877 878 // Print Spooler 879 grantSystemFixedPermissionsToSystemPackage(pm, PrintManager.PRINT_SPOOLER_PACKAGE_NAME, 880 userId, ALWAYS_LOCATION_PERMISSIONS, NOTIFICATION_PERMISSIONS); 881 882 // EmergencyInfo 883 grantSystemFixedPermissionsToSystemPackage(pm, 884 getDefaultSystemHandlerActivityPackage(pm, 885 TelephonyManager.ACTION_EMERGENCY_ASSISTANCE, userId), 886 userId, CONTACTS_PERMISSIONS, PHONE_PERMISSIONS); 887 888 // NFC Tag viewer 889 Intent nfcTagIntent = new Intent(Intent.ACTION_VIEW) 890 .setType("vnd.android.cursor.item/ndef_msg"); 891 grantPermissionsToSystemPackage(pm, 892 getDefaultSystemHandlerActivityPackage(pm, nfcTagIntent, userId), userId, 893 CONTACTS_PERMISSIONS, PHONE_PERMISSIONS); 894 895 // Storage Manager 896 grantSystemFixedPermissionsToSystemPackage(pm, 897 getDefaultSystemHandlerActivityPackage(pm, 898 StorageManager.ACTION_MANAGE_STORAGE, userId), 899 userId, STORAGE_PERMISSIONS); 900 901 // Companion devices 902 grantSystemFixedPermissionsToSystemPackage(pm, 903 CompanionDeviceManager.COMPANION_DEVICE_DISCOVERY_PACKAGE_NAME, userId, 904 ALWAYS_LOCATION_PERMISSIONS, NEARBY_DEVICES_PERMISSIONS); 905 906 // Ringtone Picker 907 grantSystemFixedPermissionsToSystemPackage(pm, 908 getDefaultSystemHandlerActivityPackage(pm, 909 RingtoneManager.ACTION_RINGTONE_PICKER, userId), 910 userId, STORAGE_PERMISSIONS); 911 912 // TextClassifier Service 913 for (String textClassifierPackage : 914 getKnownPackages(KnownPackages.PACKAGE_SYSTEM_TEXT_CLASSIFIER, userId)) { 915 grantPermissionsToSystemPackage(pm, textClassifierPackage, userId, 916 COARSE_BACKGROUND_LOCATION_PERMISSIONS, CONTACTS_PERMISSIONS); 917 } 918 919 // There is no real "marker" interface to identify the shared storage backup, it is 920 // hardcoded in BackupManagerService.SHARED_BACKUP_AGENT_PACKAGE. 921 grantSystemFixedPermissionsToSystemPackage(pm, "com.android.sharedstoragebackup", userId, 922 STORAGE_PERMISSIONS); 923 924 // Bluetooth MIDI Service 925 grantSystemFixedPermissionsToSystemPackage(pm, 926 MidiManager.BLUETOOTH_MIDI_SERVICE_PACKAGE, userId, 927 NEARBY_DEVICES_PERMISSIONS); 928 929 // Ad Service 930 String commonServiceAction = "android.adservices.AD_SERVICES_COMMON_SERVICE"; 931 grantPermissionsToSystemPackage(pm, getDefaultSystemHandlerServicePackage(pm, 932 commonServiceAction, userId), userId, NOTIFICATION_PERMISSIONS); 933 } 934 getDefaultSystemHandlerActivityPackageForCategory(PackageManagerWrapper pm, String category, int userId)935 private String getDefaultSystemHandlerActivityPackageForCategory(PackageManagerWrapper pm, 936 String category, int userId) { 937 return getDefaultSystemHandlerActivityPackage(pm, 938 new Intent(Intent.ACTION_MAIN).addCategory(category), userId); 939 } 940 getDefaultSearchSelectorPackage()941 private String getDefaultSearchSelectorPackage() { 942 return mContext.getString(R.string.config_defaultSearchSelectorPackageName); 943 } 944 getDefaultCaptivePortalLoginPackage()945 private String getDefaultCaptivePortalLoginPackage() { 946 return mContext.getString(R.string.config_defaultCaptivePortalLoginPackageName); 947 } 948 getDefaultDockManagerPackage()949 private String getDefaultDockManagerPackage() { 950 return mContext.getString(R.string.config_defaultDockManagerPackageName); 951 } 952 953 @SafeVarargs grantPermissionToEachSystemPackage(PackageManagerWrapper pm, ArrayList<String> packages, int userId, Set<String>... permissions)954 private final void grantPermissionToEachSystemPackage(PackageManagerWrapper pm, 955 ArrayList<String> packages, int userId, Set<String>... permissions) { 956 if (packages == null) return; 957 final int count = packages.size(); 958 for (int i = 0; i < count; i++) { 959 grantPermissionsToSystemPackage(pm, packages.get(i), userId, permissions); 960 } 961 } 962 getKnownPackages(int knownPkgId, int userId)963 private @NonNull String[] getKnownPackages(int knownPkgId, int userId) { 964 return mServiceInternal.getKnownPackageNames(knownPkgId, userId); 965 } 966 grantDefaultPermissionsToDefaultSystemDialerApp(PackageManagerWrapper pm, String dialerPackage, int userId)967 private void grantDefaultPermissionsToDefaultSystemDialerApp(PackageManagerWrapper pm, 968 String dialerPackage, int userId) { 969 if (dialerPackage == null) { 970 return; 971 } 972 boolean isPhonePermFixed = 973 mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH, 0); 974 if (isPhonePermFixed) { 975 grantSystemFixedPermissionsToSystemPackage(pm, dialerPackage, userId, 976 PHONE_PERMISSIONS, NOTIFICATION_PERMISSIONS); 977 } else { 978 grantPermissionsToSystemPackage(pm, dialerPackage, userId, PHONE_PERMISSIONS); 979 } 980 grantPermissionsToSystemPackage(pm, dialerPackage, userId, 981 CONTACTS_PERMISSIONS, SMS_PERMISSIONS, MICROPHONE_PERMISSIONS, CAMERA_PERMISSIONS, 982 NOTIFICATION_PERMISSIONS); 983 boolean isAndroidAutomotive = 984 mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE, 0); 985 if (isAndroidAutomotive) { 986 grantPermissionsToSystemPackage(pm, dialerPackage, userId, NEARBY_DEVICES_PERMISSIONS); 987 } 988 } 989 grantDefaultPermissionsToDefaultSystemSmsApp(PackageManagerWrapper pm, String smsPackage, int userId)990 private void grantDefaultPermissionsToDefaultSystemSmsApp(PackageManagerWrapper pm, 991 String smsPackage, int userId) { 992 grantPermissionsToSystemPackage(pm, smsPackage, userId, 993 PHONE_PERMISSIONS, CONTACTS_PERMISSIONS, SMS_PERMISSIONS, 994 STORAGE_PERMISSIONS, MICROPHONE_PERMISSIONS, CAMERA_PERMISSIONS, 995 NOTIFICATION_PERMISSIONS); 996 } 997 grantDefaultPermissionsToDefaultSystemUseOpenWifiApp(PackageManagerWrapper pm, String useOpenWifiPackage, int userId)998 private void grantDefaultPermissionsToDefaultSystemUseOpenWifiApp(PackageManagerWrapper pm, 999 String useOpenWifiPackage, int userId) { 1000 grantPermissionsToSystemPackage(pm, useOpenWifiPackage, userId, 1001 ALWAYS_LOCATION_PERMISSIONS); 1002 } 1003 grantDefaultPermissionsToDefaultUseOpenWifiApp(String packageName, int userId)1004 public void grantDefaultPermissionsToDefaultUseOpenWifiApp(String packageName, int userId) { 1005 Log.i(TAG, "Granting permissions to default Use Open WiFi app for user:" + userId); 1006 grantIgnoringSystemPackage(NO_PM_CACHE, packageName, userId, ALWAYS_LOCATION_PERMISSIONS); 1007 } 1008 grantDefaultPermissionsToDefaultSimCallManager(String packageName, int userId)1009 public void grantDefaultPermissionsToDefaultSimCallManager(String packageName, int userId) { 1010 grantDefaultPermissionsToDefaultSimCallManager(NO_PM_CACHE, packageName, userId); 1011 } 1012 grantDefaultPermissionsToDefaultSimCallManager(PackageManagerWrapper pm, String packageName, int userId)1013 private void grantDefaultPermissionsToDefaultSimCallManager(PackageManagerWrapper pm, 1014 String packageName, int userId) { 1015 if (packageName == null) { 1016 return; 1017 } 1018 Log.i(TAG, "Granting permissions to sim call manager for user:" + userId); 1019 grantPermissionsToPackage(pm, packageName, userId, false /* ignoreSystemPackage */, 1020 true /*whitelistRestrictedPermissions*/, PHONE_PERMISSIONS, MICROPHONE_PERMISSIONS); 1021 } 1022 grantDefaultPermissionsToDefaultSystemSimCallManager(PackageManagerWrapper pm, String packageName, int userId)1023 private void grantDefaultPermissionsToDefaultSystemSimCallManager(PackageManagerWrapper pm, 1024 String packageName, int userId) { 1025 if (pm.isSystemPackage(packageName)) { 1026 grantDefaultPermissionsToDefaultSimCallManager(pm, packageName, userId); 1027 } 1028 } 1029 grantDefaultPermissionsToEnabledCarrierApps(String[] packageNames, int userId)1030 public void grantDefaultPermissionsToEnabledCarrierApps(String[] packageNames, int userId) { 1031 Log.i(TAG, "Granting permissions to enabled carrier apps for user:" + userId); 1032 if (packageNames == null) { 1033 return; 1034 } 1035 for (String packageName : packageNames) { 1036 grantPermissionsToSystemPackage(NO_PM_CACHE, packageName, userId, 1037 PHONE_PERMISSIONS, ALWAYS_LOCATION_PERMISSIONS, SMS_PERMISSIONS); 1038 } 1039 } 1040 grantDefaultPermissionsToEnabledImsServices(String[] packageNames, int userId)1041 public void grantDefaultPermissionsToEnabledImsServices(String[] packageNames, int userId) { 1042 Log.i(TAG, "Granting permissions to enabled ImsServices for user:" + userId); 1043 if (packageNames == null) { 1044 return; 1045 } 1046 for (String packageName : packageNames) { 1047 grantPermissionsToSystemPackage(NO_PM_CACHE, packageName, userId, 1048 PHONE_PERMISSIONS, MICROPHONE_PERMISSIONS, ALWAYS_LOCATION_PERMISSIONS, 1049 CAMERA_PERMISSIONS, CONTACTS_PERMISSIONS); 1050 } 1051 } 1052 grantDefaultPermissionsToEnabledTelephonyDataServices( String[] packageNames, int userId)1053 public void grantDefaultPermissionsToEnabledTelephonyDataServices( 1054 String[] packageNames, int userId) { 1055 Log.i(TAG, "Granting permissions to enabled data services for user:" + userId); 1056 if (packageNames == null) { 1057 return; 1058 } 1059 for (String packageName : packageNames) { 1060 // Grant these permissions as system-fixed, so that nobody can accidentally 1061 // break cellular data. 1062 grantSystemFixedPermissionsToSystemPackage(NO_PM_CACHE, packageName, userId, 1063 PHONE_PERMISSIONS, ALWAYS_LOCATION_PERMISSIONS); 1064 } 1065 } 1066 revokeDefaultPermissionsFromDisabledTelephonyDataServices( String[] packageNames, int userId)1067 public void revokeDefaultPermissionsFromDisabledTelephonyDataServices( 1068 String[] packageNames, int userId) { 1069 Log.i(TAG, "Revoking permissions from disabled data services for user:" + userId); 1070 if (packageNames == null) { 1071 return; 1072 } 1073 for (String packageName : packageNames) { 1074 PackageInfo pkg = NO_PM_CACHE.getSystemPackageInfo(packageName); 1075 if (NO_PM_CACHE.isSystemPackage(pkg) && doesPackageSupportRuntimePermissions(pkg)) { 1076 revokeRuntimePermissions(NO_PM_CACHE, packageName, PHONE_PERMISSIONS, true, 1077 userId); 1078 revokeRuntimePermissions(NO_PM_CACHE, packageName, ALWAYS_LOCATION_PERMISSIONS, 1079 true, userId); 1080 } 1081 } 1082 } 1083 grantDefaultPermissionsToActiveLuiApp(String packageName, int userId)1084 public void grantDefaultPermissionsToActiveLuiApp(String packageName, int userId) { 1085 Log.i(TAG, "Granting permissions to active LUI app for user:" + userId); 1086 grantSystemFixedPermissionsToSystemPackage(NO_PM_CACHE, packageName, userId, 1087 CAMERA_PERMISSIONS, NOTIFICATION_PERMISSIONS); 1088 } 1089 revokeDefaultPermissionsFromLuiApps(String[] packageNames, int userId)1090 public void revokeDefaultPermissionsFromLuiApps(String[] packageNames, int userId) { 1091 Log.i(TAG, "Revoke permissions from LUI apps for user:" + userId); 1092 if (packageNames == null) { 1093 return; 1094 } 1095 for (String packageName : packageNames) { 1096 PackageInfo pkg = NO_PM_CACHE.getSystemPackageInfo(packageName); 1097 if (NO_PM_CACHE.isSystemPackage(pkg) && doesPackageSupportRuntimePermissions(pkg)) { 1098 revokeRuntimePermissions(NO_PM_CACHE, packageName, CAMERA_PERMISSIONS, true, 1099 userId); 1100 } 1101 } 1102 } 1103 grantDefaultPermissionsToCarrierServiceApp(@onNull String packageName, @UserIdInt int userId)1104 public void grantDefaultPermissionsToCarrierServiceApp(@NonNull String packageName, 1105 @UserIdInt int userId) { 1106 Log.i(TAG, "Grant permissions to Carrier Service app " + packageName + " for user:" 1107 + userId); 1108 grantPermissionsToPackage(NO_PM_CACHE, packageName, userId, /* ignoreSystemPackage */ false, 1109 /* whitelistRestricted */ true, NOTIFICATION_PERMISSIONS); 1110 } 1111 getDefaultSystemHandlerActivityPackage(PackageManagerWrapper pm, String intentAction, int userId)1112 private String getDefaultSystemHandlerActivityPackage(PackageManagerWrapper pm, 1113 String intentAction, int userId) { 1114 return getDefaultSystemHandlerActivityPackage(pm, new Intent(intentAction), userId); 1115 } 1116 getDefaultSystemHandlerActivityPackage(PackageManagerWrapper pm, Intent intent, int userId)1117 private String getDefaultSystemHandlerActivityPackage(PackageManagerWrapper pm, Intent intent, 1118 int userId) { 1119 ResolveInfo handler = mContext.getPackageManager().resolveActivityAsUser( 1120 intent, DEFAULT_INTENT_QUERY_FLAGS, userId); 1121 if (handler == null || handler.activityInfo == null) { 1122 return null; 1123 } 1124 if (mServiceInternal.isResolveActivityComponent(handler.activityInfo)) { 1125 return null; 1126 } 1127 String packageName = handler.activityInfo.packageName; 1128 return pm.isSystemPackage(packageName) ? packageName : null; 1129 } 1130 getDefaultSystemHandlerServicePackage(PackageManagerWrapper pm, String intentAction, int userId)1131 private String getDefaultSystemHandlerServicePackage(PackageManagerWrapper pm, 1132 String intentAction, int userId) { 1133 return getDefaultSystemHandlerServicePackage(pm, new Intent(intentAction), userId); 1134 } 1135 getDefaultSystemHandlerServicePackage(PackageManagerWrapper pm, Intent intent, int userId)1136 private String getDefaultSystemHandlerServicePackage(PackageManagerWrapper pm, 1137 Intent intent, int userId) { 1138 List<ResolveInfo> handlers = mContext.getPackageManager().queryIntentServicesAsUser( 1139 intent, DEFAULT_INTENT_QUERY_FLAGS, userId); 1140 if (handlers == null) { 1141 return null; 1142 } 1143 final int handlerCount = handlers.size(); 1144 for (int i = 0; i < handlerCount; i++) { 1145 ResolveInfo handler = handlers.get(i); 1146 String handlerPackage = handler.serviceInfo.packageName; 1147 if (pm.isSystemPackage(handlerPackage)) { 1148 return handlerPackage; 1149 } 1150 } 1151 return null; 1152 } 1153 getHeadlessSyncAdapterPackages(PackageManagerWrapper pm, String[] syncAdapterPackageNames, int userId)1154 private ArrayList<String> getHeadlessSyncAdapterPackages(PackageManagerWrapper pm, 1155 String[] syncAdapterPackageNames, int userId) { 1156 ArrayList<String> syncAdapterPackages = new ArrayList<>(); 1157 1158 Intent homeIntent = new Intent(Intent.ACTION_MAIN).addCategory(Intent.CATEGORY_LAUNCHER); 1159 1160 for (String syncAdapterPackageName : syncAdapterPackageNames) { 1161 homeIntent.setPackage(syncAdapterPackageName); 1162 1163 ResolveInfo homeActivity = mContext.getPackageManager().resolveActivityAsUser( 1164 homeIntent, DEFAULT_INTENT_QUERY_FLAGS, userId); 1165 if (homeActivity != null) { 1166 continue; 1167 } 1168 1169 if (pm.isSystemPackage(syncAdapterPackageName)) { 1170 syncAdapterPackages.add(syncAdapterPackageName); 1171 } 1172 } 1173 1174 return syncAdapterPackages; 1175 } 1176 getDefaultProviderAuthorityPackage(String authority, int userId)1177 private String getDefaultProviderAuthorityPackage(String authority, int userId) { 1178 ProviderInfo provider = mContext.getPackageManager().resolveContentProviderAsUser( 1179 authority, DEFAULT_INTENT_QUERY_FLAGS, userId); 1180 if (provider != null) { 1181 return provider.packageName; 1182 } 1183 return null; 1184 } 1185 grantRuntimePermissions(PackageManagerWrapper pm, PackageInfo pkg, Set<String> permissions, boolean systemFixed, int userId)1186 private void grantRuntimePermissions(PackageManagerWrapper pm, PackageInfo pkg, 1187 Set<String> permissions, boolean systemFixed, int userId) { 1188 grantRuntimePermissions(pm, pkg, permissions, systemFixed, false, 1189 true /*whitelistRestrictedPermissions*/, userId); 1190 } 1191 revokeRuntimePermissions(PackageManagerWrapper pm, String packageName, Set<String> permissions, boolean systemFixed, int userId)1192 private void revokeRuntimePermissions(PackageManagerWrapper pm, String packageName, 1193 Set<String> permissions, boolean systemFixed, int userId) { 1194 PackageInfo pkg = pm.getSystemPackageInfo(packageName); 1195 if (pkg == null || ArrayUtils.isEmpty(pkg.requestedPermissions)) { 1196 return; 1197 } 1198 Set<String> revokablePermissions = new ArraySet<>(Arrays.asList(pkg.requestedPermissions)); 1199 1200 for (String permission : permissions) { 1201 // We can't revoke what wasn't requested. 1202 if (!revokablePermissions.contains(permission)) { 1203 continue; 1204 } 1205 1206 UserHandle user = UserHandle.of(userId); 1207 final int flags = pm.getPermissionFlags(permission, pm.getPackageInfo(packageName), 1208 user); 1209 1210 // We didn't get this through the default grant policy. Move along. 1211 if ((flags & PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT) == 0) { 1212 continue; 1213 } 1214 // We aren't going to clobber device policy with a DefaultGrant. 1215 if ((flags & PackageManager.FLAG_PERMISSION_POLICY_FIXED) != 0) { 1216 continue; 1217 } 1218 // Do not revoke system fixed permissions unless caller set them that way; 1219 // there is no refcount for the number of sources of this, so there 1220 // should be at most one grantor doing SYSTEM_FIXED for any given package. 1221 if ((flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0 && !systemFixed) { 1222 continue; 1223 } 1224 pm.revokePermission(permission, pkg, user); 1225 1226 if (DEBUG) { 1227 Log.i(TAG, "revoked " + (systemFixed ? "fixed " : "not fixed ") 1228 + permission + " to " + packageName); 1229 } 1230 1231 // Remove the GRANTED_BY_DEFAULT flag without touching the others. 1232 // Note that we do not revoke FLAG_PERMISSION_SYSTEM_FIXED. That bit remains 1233 // sticky once set. 1234 pm.updatePermissionFlags(permission, pkg, 1235 PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT, 0, user); 1236 } 1237 } 1238 1239 /** 1240 * Check if a permission is already fixed or is set by the user. 1241 * 1242 * <p>A permission should not be set by the default policy if the user or other policies already 1243 * set the permission. 1244 * 1245 * @param flags The flags of the permission 1246 * 1247 * @return {@code true} iff the permission can be set without violating a policy of the users 1248 * intention 1249 */ isFixedOrUserSet(int flags)1250 private boolean isFixedOrUserSet(int flags) { 1251 return (flags & (PackageManager.FLAG_PERMISSION_USER_SET 1252 | PackageManager.FLAG_PERMISSION_USER_FIXED 1253 | PackageManager.FLAG_PERMISSION_POLICY_FIXED 1254 | PackageManager.FLAG_PERMISSION_SYSTEM_FIXED)) != 0; 1255 } 1256 grantRuntimePermissions(PackageManagerWrapper pm, PackageInfo pkg, Set<String> permissionsWithoutSplits, boolean systemFixed, boolean ignoreSystemPackage, boolean whitelistRestrictedPermissions, int userId)1257 private void grantRuntimePermissions(PackageManagerWrapper pm, PackageInfo pkg, 1258 Set<String> permissionsWithoutSplits, boolean systemFixed, boolean ignoreSystemPackage, 1259 boolean whitelistRestrictedPermissions, int userId) { 1260 UserHandle user = UserHandle.of(userId); 1261 if (pkg == null) { 1262 return; 1263 } 1264 1265 String[] requestedPermissions = pkg.requestedPermissions; 1266 if (ArrayUtils.isEmpty(requestedPermissions)) { 1267 return; 1268 } 1269 1270 // Intersect the requestedPermissions for a factory image with that of its current update 1271 // in case the latter one removed a <uses-permission> 1272 String[] requestedByNonSystemPackage = pm.getPackageInfo(pkg.packageName) 1273 .requestedPermissions; 1274 int size = requestedPermissions.length; 1275 for (int i = 0; i < size; i++) { 1276 if (!ArrayUtils.contains(requestedByNonSystemPackage, requestedPermissions[i])) { 1277 requestedPermissions[i] = null; 1278 } 1279 } 1280 requestedPermissions = ArrayUtils.filterNotNull(requestedPermissions, String[]::new); 1281 1282 final ArraySet<String> permissions = new ArraySet<>(permissionsWithoutSplits); 1283 ApplicationInfo applicationInfo = pkg.applicationInfo; 1284 1285 int newFlags = PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT; 1286 if (systemFixed) { 1287 newFlags |= PackageManager.FLAG_PERMISSION_SYSTEM_FIXED; 1288 } 1289 1290 // Automatically attempt to grant split permissions to older APKs 1291 final List<PermissionManager.SplitPermissionInfo> splitPermissions = 1292 mContext.getSystemService(PermissionManager.class).getSplitPermissions(); 1293 final int numSplitPerms = splitPermissions.size(); 1294 for (int splitPermNum = 0; splitPermNum < numSplitPerms; splitPermNum++) { 1295 final PermissionManager.SplitPermissionInfo splitPerm = 1296 splitPermissions.get(splitPermNum); 1297 1298 if (applicationInfo != null 1299 && applicationInfo.targetSdkVersion < splitPerm.getTargetSdk() 1300 && permissionsWithoutSplits.contains(splitPerm.getSplitPermission())) { 1301 permissions.addAll(splitPerm.getNewPermissions()); 1302 } 1303 } 1304 1305 Set<String> grantablePermissions = null; 1306 1307 // In some cases, like for the Phone or SMS app, we grant permissions regardless 1308 // of if the version on the system image declares the permission as used since 1309 // selecting the app as the default for that function the user makes a deliberate 1310 // choice to grant this app the permissions needed to function. For all other 1311 // apps, (default grants on first boot and user creation) we don't grant default 1312 // permissions if the version on the system image does not declare them. 1313 if (!ignoreSystemPackage 1314 && applicationInfo != null 1315 && applicationInfo.isUpdatedSystemApp()) { 1316 final PackageInfo disabledPkg = pm.getSystemPackageInfo( 1317 mServiceInternal.getDisabledSystemPackageName(pkg.packageName)); 1318 if (disabledPkg != null) { 1319 if (ArrayUtils.isEmpty(disabledPkg.requestedPermissions)) { 1320 return; 1321 } 1322 if (!Arrays.equals(requestedPermissions, disabledPkg.requestedPermissions)) { 1323 grantablePermissions = new ArraySet<>(Arrays.asList(requestedPermissions)); 1324 requestedPermissions = disabledPkg.requestedPermissions; 1325 } 1326 } 1327 } 1328 1329 final int numRequestedPermissions = requestedPermissions.length; 1330 1331 // Sort requested permissions so that all permissions that are a foreground permission (i.e. 1332 // permissions that have a background permission) are before their background permissions. 1333 final String[] sortedRequestedPermissions = new String[numRequestedPermissions]; 1334 int numForeground = 0; 1335 int numOther = 0; 1336 for (int i = 0; i < numRequestedPermissions; i++) { 1337 String permission = requestedPermissions[i]; 1338 if (pm.getBackgroundPermission(permission) != null) { 1339 sortedRequestedPermissions[numForeground] = permission; 1340 numForeground++; 1341 } else { 1342 sortedRequestedPermissions[numRequestedPermissions - 1 - numOther] = 1343 permission; 1344 numOther++; 1345 } 1346 } 1347 1348 for (int requestedPermissionNum = 0; requestedPermissionNum < numRequestedPermissions; 1349 requestedPermissionNum++) { 1350 String permission = requestedPermissions[requestedPermissionNum]; 1351 1352 // If there is a disabled system app it may request a permission the updated 1353 // version ot the data partition doesn't, In this case skip the permission. 1354 if (grantablePermissions != null && !grantablePermissions.contains(permission)) { 1355 continue; 1356 } 1357 1358 if (permissions.contains(permission)) { 1359 final int flags = pm.getPermissionFlags(permission, pkg, user); 1360 1361 // If we are trying to grant as system fixed and already system fixed 1362 // then the system can change the system fixed grant state. 1363 final boolean changingGrantForSystemFixed = systemFixed 1364 && (flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0; 1365 1366 // Certain flags imply that the permission's current state by the system or 1367 // device/profile owner or the user. In these cases we do not want to clobber the 1368 // current state. 1369 // 1370 // Unless the caller wants to override user choices. The override is 1371 // to make sure we can grant the needed permission to the default 1372 // sms and phone apps after the user chooses this in the UI. 1373 if (!isFixedOrUserSet(flags) || ignoreSystemPackage 1374 || changingGrantForSystemFixed) { 1375 // Never clobber policy fixed permissions. 1376 // We must allow the grant of a system-fixed permission because 1377 // system-fixed is sticky, but the permission itself may be revoked. 1378 if ((flags & PackageManager.FLAG_PERMISSION_POLICY_FIXED) != 0) { 1379 continue; 1380 } 1381 1382 // Preserve allowlisting flags. 1383 newFlags |= (flags & PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT); 1384 1385 // If we are allowlisting the permission, update the exempt flag before grant. 1386 if (whitelistRestrictedPermissions && pm.isPermissionRestricted(permission)) { 1387 pm.updatePermissionFlags(permission, pkg, 1388 PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT, 1389 PackageManager.FLAG_PERMISSION_RESTRICTION_SYSTEM_EXEMPT, user); 1390 } 1391 1392 // If the system tries to change a system fixed permission from one fixed 1393 // state to another we need to drop the fixed flag to allow the grant. 1394 if (changingGrantForSystemFixed) { 1395 pm.updatePermissionFlags(permission, pkg, flags, 1396 flags & ~PackageManager.FLAG_PERMISSION_SYSTEM_FIXED, user); 1397 } 1398 1399 if (!pm.isGranted(permission, pkg, user)) { 1400 pm.grantPermission(permission, pkg, user); 1401 } 1402 1403 // clear the REVIEW_REQUIRED flag, if set 1404 int flagMask = newFlags | PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED; 1405 pm.updatePermissionFlags(permission, pkg, flagMask, newFlags, user); 1406 } 1407 1408 // If a component gets a permission for being the default handler A 1409 // and also default handler B, we grant the weaker grant form. 1410 if ((flags & PackageManager.FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0 1411 && (flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0 1412 && !systemFixed) { 1413 if (DEBUG) { 1414 Log.i(TAG, "Granted not fixed " + permission + " to default handler " 1415 + pkg); 1416 } 1417 pm.updatePermissionFlags(permission, pkg, 1418 PackageManager.FLAG_PERMISSION_SYSTEM_FIXED, 0, user); 1419 } 1420 } 1421 } 1422 } 1423 grantDefaultPermissionExceptions(PackageManagerWrapper pm, int userId)1424 private void grantDefaultPermissionExceptions(PackageManagerWrapper pm, int userId) { 1425 mHandler.removeMessages(MSG_READ_DEFAULT_PERMISSION_EXCEPTIONS); 1426 1427 synchronized (mLock) { 1428 // mGrantExceptions is null only before the first read and then 1429 // it serves as a cache of the default grants that should be 1430 // performed for every user. If there is an entry then the app 1431 // is on the system image and supports runtime permissions. 1432 if (mGrantExceptions == null) { 1433 mGrantExceptions = readDefaultPermissionExceptionsLocked(pm); 1434 } 1435 } 1436 1437 Set<String> permissions = null; 1438 final int exceptionCount = mGrantExceptions.size(); 1439 for (int i = 0; i < exceptionCount; i++) { 1440 String packageName = mGrantExceptions.keyAt(i); 1441 PackageInfo pkg = pm.getSystemPackageInfo(packageName); 1442 List<DefaultPermissionGrant> permissionGrants = mGrantExceptions.valueAt(i); 1443 final int permissionGrantCount = permissionGrants.size(); 1444 for (int j = 0; j < permissionGrantCount; j++) { 1445 DefaultPermissionGrant permissionGrant = permissionGrants.get(j); 1446 if (!pm.isPermissionDangerous(permissionGrant.name)) { 1447 Log.w(TAG, "Ignoring permission " + permissionGrant.name 1448 + " which isn't dangerous"); 1449 continue; 1450 } 1451 if (permissions == null) { 1452 permissions = new ArraySet<>(); 1453 } else { 1454 permissions.clear(); 1455 } 1456 permissions.add(permissionGrant.name); 1457 1458 1459 grantRuntimePermissions(pm, pkg, permissions, permissionGrant.fixed, 1460 permissionGrant.whitelisted, true /*whitelistRestrictedPermissions*/, 1461 userId); 1462 } 1463 } 1464 } 1465 getDefaultPermissionFiles()1466 private File[] getDefaultPermissionFiles() { 1467 ArrayList<File> ret = new ArrayList<File>(); 1468 File dir = new File(Environment.getRootDirectory(), "etc/default-permissions"); 1469 if (dir.isDirectory() && dir.canRead()) { 1470 Collections.addAll(ret, dir.listFiles()); 1471 } 1472 dir = new File(Environment.getVendorDirectory(), "etc/default-permissions"); 1473 if (dir.isDirectory() && dir.canRead()) { 1474 Collections.addAll(ret, dir.listFiles()); 1475 } 1476 dir = new File(Environment.getOdmDirectory(), "etc/default-permissions"); 1477 if (dir.isDirectory() && dir.canRead()) { 1478 Collections.addAll(ret, dir.listFiles()); 1479 } 1480 dir = new File(Environment.getProductDirectory(), "etc/default-permissions"); 1481 if (dir.isDirectory() && dir.canRead()) { 1482 Collections.addAll(ret, dir.listFiles()); 1483 } 1484 dir = new File(Environment.getSystemExtDirectory(), "etc/default-permissions"); 1485 if (dir.isDirectory() && dir.canRead()) { 1486 Collections.addAll(ret, dir.listFiles()); 1487 } 1488 // For IoT devices, we check the oem partition for default permissions for each app. 1489 if (mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_EMBEDDED, 0)) { 1490 dir = new File(Environment.getOemDirectory(), "etc/default-permissions"); 1491 if (dir.isDirectory() && dir.canRead()) { 1492 Collections.addAll(ret, dir.listFiles()); 1493 } 1494 } 1495 return ret.isEmpty() ? null : ret.toArray(new File[0]); 1496 } 1497 1498 private @NonNull ArrayMap<String, List<DefaultPermissionGrant>> readDefaultPermissionExceptionsLocked(PackageManagerWrapper pm)1499 readDefaultPermissionExceptionsLocked(PackageManagerWrapper pm) { 1500 File[] files = getDefaultPermissionFiles(); 1501 if (files == null) { 1502 return new ArrayMap<>(0); 1503 } 1504 1505 ArrayMap<String, List<DefaultPermissionGrant>> grantExceptions = new ArrayMap<>(); 1506 1507 // Iterate over the files in the directory and scan .xml files 1508 for (File file : files) { 1509 if (!file.getPath().endsWith(".xml")) { 1510 Slog.i(TAG, "Non-xml file " + file 1511 + " in " + file.getParent() + " directory, ignoring"); 1512 continue; 1513 } 1514 if (!file.canRead()) { 1515 Slog.w(TAG, "Default permissions file " + file + " cannot be read"); 1516 continue; 1517 } 1518 try (InputStream str = new FileInputStream(file)) { 1519 TypedXmlPullParser parser = Xml.resolvePullParser(str); 1520 parse(pm, parser, grantExceptions); 1521 } catch (XmlPullParserException | IOException e) { 1522 Slog.w(TAG, "Error reading default permissions file " + file, e); 1523 } 1524 } 1525 1526 return grantExceptions; 1527 } 1528 parse(PackageManagerWrapper pm, TypedXmlPullParser parser, Map<String, List<DefaultPermissionGrant>> outGrantExceptions)1529 private void parse(PackageManagerWrapper pm, TypedXmlPullParser parser, 1530 Map<String, List<DefaultPermissionGrant>> outGrantExceptions) 1531 throws IOException, XmlPullParserException { 1532 final int outerDepth = parser.getDepth(); 1533 int type; 1534 while ((type = parser.next()) != XmlPullParser.END_DOCUMENT 1535 && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) { 1536 if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) { 1537 continue; 1538 } 1539 if (TAG_EXCEPTIONS.equals(parser.getName())) { 1540 parseExceptions(pm, parser, outGrantExceptions); 1541 } else { 1542 Log.e(TAG, "Unknown tag " + parser.getName()); 1543 } 1544 } 1545 } 1546 parseExceptions(PackageManagerWrapper pm, TypedXmlPullParser parser, Map<String, List<DefaultPermissionGrant>> outGrantExceptions)1547 private void parseExceptions(PackageManagerWrapper pm, TypedXmlPullParser parser, 1548 Map<String, List<DefaultPermissionGrant>> outGrantExceptions) 1549 throws IOException, XmlPullParserException { 1550 final int outerDepth = parser.getDepth(); 1551 int type; 1552 while ((type = parser.next()) != XmlPullParser.END_DOCUMENT 1553 && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) { 1554 if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) { 1555 continue; 1556 } 1557 if (TAG_EXCEPTION.equals(parser.getName())) { 1558 String packageName = parser.getAttributeValue(null, ATTR_PACKAGE); 1559 1560 List<DefaultPermissionGrant> packageExceptions = 1561 outGrantExceptions.get(packageName); 1562 if (packageExceptions == null) { 1563 // The package must be on the system image 1564 PackageInfo packageInfo = pm.getSystemPackageInfo(packageName); 1565 1566 if (packageInfo == null) { 1567 Log.w(TAG, "No such package:" + packageName); 1568 XmlUtils.skipCurrentTag(parser); 1569 continue; 1570 } 1571 1572 if (!pm.isSystemPackage(packageInfo)) { 1573 Log.w(TAG, "Unknown system package:" + packageName); 1574 XmlUtils.skipCurrentTag(parser); 1575 continue; 1576 } 1577 1578 // The package must support runtime permissions 1579 if (!doesPackageSupportRuntimePermissions(packageInfo)) { 1580 Log.w(TAG, "Skipping non supporting runtime permissions package:" 1581 + packageName); 1582 XmlUtils.skipCurrentTag(parser); 1583 continue; 1584 } 1585 packageExceptions = new ArrayList<>(); 1586 outGrantExceptions.put(packageName, packageExceptions); 1587 } 1588 1589 parsePermission(parser, packageExceptions); 1590 } else { 1591 Log.e(TAG, "Unknown tag " + parser.getName() + "under <exceptions>"); 1592 } 1593 } 1594 } 1595 parsePermission(TypedXmlPullParser parser, List<DefaultPermissionGrant> outPackageExceptions)1596 private void parsePermission(TypedXmlPullParser parser, List<DefaultPermissionGrant> 1597 outPackageExceptions) throws IOException, XmlPullParserException { 1598 final int outerDepth = parser.getDepth(); 1599 int type; 1600 while ((type = parser.next()) != XmlPullParser.END_DOCUMENT 1601 && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) { 1602 if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) { 1603 continue; 1604 } 1605 1606 if (TAG_PERMISSION.contains(parser.getName())) { 1607 String name = parser.getAttributeValue(null, ATTR_NAME); 1608 if (name == null) { 1609 Log.w(TAG, "Mandatory name attribute missing for permission tag"); 1610 XmlUtils.skipCurrentTag(parser); 1611 continue; 1612 } 1613 1614 final boolean fixed = 1615 parser.getAttributeBoolean(null, ATTR_FIXED, false); 1616 final boolean whitelisted = 1617 parser.getAttributeBoolean(null, ATTR_WHITELISTED, false); 1618 1619 DefaultPermissionGrant exception = new DefaultPermissionGrant( 1620 name, fixed, whitelisted); 1621 outPackageExceptions.add(exception); 1622 } else { 1623 Log.e(TAG, "Unknown tag " + parser.getName() + "under <exception>"); 1624 } 1625 } 1626 } 1627 doesPackageSupportRuntimePermissions(PackageInfo pkg)1628 private static boolean doesPackageSupportRuntimePermissions(PackageInfo pkg) { 1629 return pkg.applicationInfo != null 1630 && pkg.applicationInfo.targetSdkVersion > Build.VERSION_CODES.LOLLIPOP_MR1; 1631 } 1632 1633 /** 1634 * A wrapper for package manager calls done by this class 1635 */ 1636 private abstract class PackageManagerWrapper { getPermissionFlags(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1637 abstract int getPermissionFlags(@NonNull String permission, @NonNull PackageInfo pkg, 1638 @NonNull UserHandle user); 1639 updatePermissionFlags(@onNull String permission, @NonNull PackageInfo pkg, int flagMask, int flagValues, @NonNull UserHandle user)1640 abstract void updatePermissionFlags(@NonNull String permission, @NonNull PackageInfo pkg, 1641 int flagMask, int flagValues, @NonNull UserHandle user); 1642 grantPermission(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1643 abstract void grantPermission(@NonNull String permission, @NonNull PackageInfo pkg, 1644 @NonNull UserHandle user); 1645 revokePermission(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1646 abstract void revokePermission(@NonNull String permission, @NonNull PackageInfo pkg, 1647 @NonNull UserHandle user); 1648 isGranted(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1649 abstract boolean isGranted(@NonNull String permission, @NonNull PackageInfo pkg, 1650 @NonNull UserHandle user); 1651 getPermissionInfo(@onNull String permissionName)1652 abstract @Nullable PermissionInfo getPermissionInfo(@NonNull String permissionName); 1653 getPackageInfo(@onNull String pkg)1654 abstract @Nullable PackageInfo getPackageInfo(@NonNull String pkg); 1655 getSystemPackageInfo(@onNull String pkg)1656 @Nullable PackageInfo getSystemPackageInfo(@NonNull String pkg) { 1657 PackageInfo pi = getPackageInfo(pkg); 1658 if (pi == null || !pi.applicationInfo.isSystemApp()) { 1659 return null; 1660 } 1661 return pi; 1662 } 1663 isPermissionRestricted(@onNull String name)1664 boolean isPermissionRestricted(@NonNull String name) { 1665 PermissionInfo pi = getPermissionInfo(name); 1666 if (pi == null) { 1667 return false; 1668 } 1669 1670 return pi.isRestricted(); 1671 } 1672 isPermissionDangerous(@onNull String name)1673 boolean isPermissionDangerous(@NonNull String name) { 1674 PermissionInfo pi = getPermissionInfo(name); 1675 if (pi == null) { 1676 return false; 1677 } 1678 1679 return pi.getProtection() == PermissionInfo.PROTECTION_DANGEROUS; 1680 } 1681 1682 /** 1683 * Return the background permission for a permission. 1684 * 1685 * @param permission The name of the foreground permission 1686 * 1687 * @return The name of the background permission or {@code null} if the permission has no 1688 * background permission 1689 */ getBackgroundPermission(@onNull String permission)1690 @Nullable String getBackgroundPermission(@NonNull String permission) { 1691 PermissionInfo pi = getPermissionInfo(permission); 1692 if (pi == null) { 1693 return null; 1694 } 1695 1696 return pi.backgroundPermission; 1697 } 1698 isSystemPackage(@ullable String packageName)1699 boolean isSystemPackage(@Nullable String packageName) { 1700 return isSystemPackage(getPackageInfo(packageName)); 1701 } 1702 isSystemPackage(@ullable PackageInfo pkg)1703 boolean isSystemPackage(@Nullable PackageInfo pkg) { 1704 if (pkg == null) { 1705 return false; 1706 } 1707 return pkg.applicationInfo.isSystemApp() 1708 && !isSysComponentOrPersistentPlatformSignedPrivApp(pkg); 1709 } 1710 isSysComponentOrPersistentPlatformSignedPrivApp(@onNull PackageInfo pkg)1711 boolean isSysComponentOrPersistentPlatformSignedPrivApp(@NonNull PackageInfo pkg) { 1712 if (UserHandle.getAppId(pkg.applicationInfo.uid) < FIRST_APPLICATION_UID) { 1713 return true; 1714 } 1715 if (!pkg.applicationInfo.isPrivilegedApp()) { 1716 return false; 1717 } 1718 final PackageInfo disabledPkg = getSystemPackageInfo( 1719 mServiceInternal.getDisabledSystemPackageName(pkg.applicationInfo.packageName)); 1720 if (disabledPkg != null) { 1721 ApplicationInfo disabledPackageAppInfo = disabledPkg.applicationInfo; 1722 if (disabledPackageAppInfo != null 1723 && (disabledPackageAppInfo.flags & ApplicationInfo.FLAG_PERSISTENT) == 0) { 1724 return false; 1725 } 1726 } else if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_PERSISTENT) == 0) { 1727 return false; 1728 } 1729 return mServiceInternal.isPlatformSigned(pkg.packageName); 1730 } 1731 } 1732 1733 /** 1734 * Do package manager calls but cache state and delay any change until {@link #apply()} is 1735 * called 1736 */ 1737 private class DelayingPackageManagerCache extends PackageManagerWrapper { 1738 /** uid -> permission -> isGranted, flags */ 1739 private SparseArray<ArrayMap<String, PermissionState>> mDelayedPermissionState = 1740 new SparseArray<>(); 1741 /** userId -> context */ 1742 private SparseArray<Context> mUserContexts = new SparseArray<>(); 1743 /** Permission name -> info */ 1744 private ArrayMap<String, PermissionInfo> mPermissionInfos = new ArrayMap<>(); 1745 /** Package name -> info */ 1746 private ArrayMap<String, PackageInfo> mPackageInfos = new ArrayMap<>(); 1747 1748 /** 1749 * Apply the cached state 1750 */ apply()1751 void apply() { 1752 PackageManager.corkPackageInfoCache(); 1753 for (int uidIdx = 0; uidIdx < mDelayedPermissionState.size(); uidIdx++) { 1754 for (int permIdx = 0; permIdx < mDelayedPermissionState.valueAt(uidIdx).size(); 1755 permIdx++) { 1756 try { 1757 mDelayedPermissionState.valueAt(uidIdx).valueAt(permIdx).apply(); 1758 } catch (IllegalArgumentException e) { 1759 Slog.w(TAG, "Cannot set permission " + mDelayedPermissionState.valueAt( 1760 uidIdx).keyAt(permIdx) + " of uid " + mDelayedPermissionState.keyAt( 1761 uidIdx), e); 1762 } 1763 } 1764 } 1765 PackageManager.uncorkPackageInfoCache(); 1766 } 1767 addPackageInfo(@onNull String packageName, @NonNull PackageInfo pkg)1768 void addPackageInfo(@NonNull String packageName, @NonNull PackageInfo pkg) { 1769 mPackageInfos.put(packageName, pkg); 1770 } 1771 createContextAsUser(@onNull UserHandle user)1772 private @NonNull Context createContextAsUser(@NonNull UserHandle user) { 1773 int index = mUserContexts.indexOfKey(user.getIdentifier()); 1774 if (index >= 0) { 1775 return mUserContexts.valueAt(index); 1776 } 1777 1778 Context uc = mContext.createContextAsUser(user, 0); 1779 1780 mUserContexts.put(user.getIdentifier(), uc); 1781 1782 return uc; 1783 } 1784 getPermissionState(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1785 private @NonNull PermissionState getPermissionState(@NonNull String permission, 1786 @NonNull PackageInfo pkg, @NonNull UserHandle user) { 1787 int uid = UserHandle.getUid(user.getIdentifier(), 1788 UserHandle.getAppId(pkg.applicationInfo.uid)); 1789 int uidIdx = mDelayedPermissionState.indexOfKey(uid); 1790 1791 ArrayMap<String, PermissionState> uidState; 1792 if (uidIdx >= 0) { 1793 uidState = mDelayedPermissionState.valueAt(uidIdx); 1794 } else { 1795 uidState = new ArrayMap<>(); 1796 mDelayedPermissionState.put(uid, uidState); 1797 } 1798 1799 int permIdx = uidState.indexOfKey(permission); 1800 1801 PermissionState permState; 1802 if (permIdx >= 0) { 1803 permState = uidState.valueAt(permIdx); 1804 // Quick and dirty fix for shared UID packages - we should grant permission with the 1805 // correct package even if a previous checkPermission() used a package that isn't 1806 // requesting the permission. Ideally we should use package manager snapshot and get 1807 // rid of this entire inner class. 1808 if (!ArrayUtils.contains(permState.mPkgRequestingPerm.requestedPermissions, 1809 permission) && ArrayUtils.contains(pkg.requestedPermissions, 1810 permission)) { 1811 permState.mPkgRequestingPerm = pkg; 1812 } 1813 } else { 1814 permState = new PermissionState(permission, pkg, user); 1815 uidState.put(permission, permState); 1816 } 1817 1818 return permState; 1819 } 1820 1821 @Override getPermissionFlags(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1822 public int getPermissionFlags(@NonNull String permission, @NonNull PackageInfo pkg, 1823 @NonNull UserHandle user) { 1824 PermissionState state = getPermissionState(permission, pkg, user); 1825 state.initFlags(); 1826 return state.newFlags; 1827 } 1828 1829 @Override updatePermissionFlags(@onNull String permission, @NonNull PackageInfo pkg, int flagMask, int flagValues, @NonNull UserHandle user)1830 public void updatePermissionFlags(@NonNull String permission, @NonNull PackageInfo pkg, 1831 int flagMask, int flagValues, @NonNull UserHandle user) { 1832 PermissionState state = getPermissionState(permission, pkg, user); 1833 state.initFlags(); 1834 state.newFlags = (state.newFlags & ~flagMask) | (flagValues & flagMask); 1835 } 1836 1837 @Override grantPermission(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1838 public void grantPermission(@NonNull String permission, @NonNull PackageInfo pkg, 1839 @NonNull UserHandle user) { 1840 if (PermissionManager.DEBUG_TRACE_GRANTS 1841 && PermissionManager.shouldTraceGrant( 1842 pkg.packageName, permission, user.getIdentifier())) { 1843 Log.i(PermissionManager.LOG_TAG_TRACE_GRANTS, 1844 "PregrantPolicy is granting " + pkg.packageName + " " 1845 + permission + " for user " + user.getIdentifier(), 1846 new RuntimeException()); 1847 } 1848 PermissionState state = getPermissionState(permission, pkg, user); 1849 state.initGranted(); 1850 state.newGranted = true; 1851 } 1852 1853 @Override revokePermission(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1854 public void revokePermission(@NonNull String permission, @NonNull PackageInfo pkg, 1855 @NonNull UserHandle user) { 1856 PermissionState state = getPermissionState(permission, pkg, user); 1857 state.initGranted(); 1858 state.newGranted = false; 1859 } 1860 1861 @Override isGranted(@onNull String permission, @NonNull PackageInfo pkg, @NonNull UserHandle user)1862 public boolean isGranted(@NonNull String permission, @NonNull PackageInfo pkg, 1863 @NonNull UserHandle user) { 1864 PermissionState state = getPermissionState(permission, pkg, user); 1865 state.initGranted(); 1866 return state.newGranted; 1867 } 1868 1869 @Override getPermissionInfo(@onNull String permissionName)1870 public @Nullable PermissionInfo getPermissionInfo(@NonNull String permissionName) { 1871 int index = mPermissionInfos.indexOfKey(permissionName); 1872 if (index >= 0) { 1873 return mPermissionInfos.valueAt(index); 1874 } 1875 1876 PermissionInfo pi = NO_PM_CACHE.getPermissionInfo(permissionName); 1877 mPermissionInfos.put(permissionName, pi); 1878 1879 return pi; 1880 } 1881 1882 @Override getPackageInfo(@onNull String pkg)1883 public @Nullable PackageInfo getPackageInfo(@NonNull String pkg) { 1884 int index = mPackageInfos.indexOfKey(pkg); 1885 if (index >= 0) { 1886 return mPackageInfos.valueAt(index); 1887 } 1888 1889 PackageInfo pi = NO_PM_CACHE.getPackageInfo(pkg); 1890 mPackageInfos.put(pkg, pi); 1891 1892 return pi; 1893 } 1894 1895 /** 1896 * State of a single permission belonging to a single uid 1897 */ 1898 private class PermissionState { 1899 private final @NonNull String mPermission; 1900 private @NonNull PackageInfo mPkgRequestingPerm; 1901 private final @NonNull UserHandle mUser; 1902 1903 /** Permission flags when the state was created */ 1904 private @Nullable Integer mOriginalFlags; 1905 /** Altered permission flags or {@code null} if no change was requested */ 1906 @Nullable Integer newFlags; 1907 1908 /** Grant state when the state was created */ 1909 private @Nullable Boolean mOriginalGranted; 1910 /** Altered grant state or {@code null} if no change was requested */ 1911 @Nullable Boolean newGranted; 1912 PermissionState(@onNull String permission, @NonNull PackageInfo pkgRequestingPerm, @NonNull UserHandle user)1913 private PermissionState(@NonNull String permission, 1914 @NonNull PackageInfo pkgRequestingPerm, @NonNull UserHandle user) { 1915 mPermission = permission; 1916 mPkgRequestingPerm = pkgRequestingPerm; 1917 mUser = user; 1918 } 1919 1920 /** 1921 * Apply the changes to the permission to the system 1922 */ apply()1923 void apply() { 1924 if (DEBUG) { 1925 Slog.i(TAG, "Granting " + mPermission + " to user " + mUser.getIdentifier() 1926 + " pkg=" + mPkgRequestingPerm.packageName + " granted=" + newGranted 1927 + " flags=" + Integer.toBinaryString(newFlags)); 1928 } 1929 1930 int flagsToAdd = 0; 1931 int flagsToRemove = 0; 1932 if (newFlags != null) { 1933 flagsToAdd = newFlags & ~mOriginalFlags; 1934 flagsToRemove = mOriginalFlags & ~newFlags; 1935 } 1936 1937 // Need to remove e.g. SYSTEM_FIXED flags first as otherwise permission cannot be 1938 // changed 1939 if (flagsToRemove != 0) { 1940 NO_PM_CACHE.updatePermissionFlags(mPermission, mPkgRequestingPerm, 1941 flagsToRemove, 0, mUser); 1942 } 1943 1944 // Need to unrestrict first as otherwise permission grants might fail 1945 if ((flagsToAdd & PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) != 0) { 1946 int newRestrictionExcemptFlags = 1947 flagsToAdd & PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT; 1948 1949 NO_PM_CACHE.updatePermissionFlags(mPermission, 1950 mPkgRequestingPerm, newRestrictionExcemptFlags, -1, mUser); 1951 } 1952 1953 if (newGranted != null && !Objects.equals(newGranted, mOriginalGranted)) { 1954 if (newGranted) { 1955 NO_PM_CACHE.grantPermission(mPermission, mPkgRequestingPerm, mUser); 1956 } else { 1957 NO_PM_CACHE.revokePermission(mPermission, mPkgRequestingPerm, mUser); 1958 } 1959 } 1960 1961 if ((flagsToAdd & ~PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT) != 0) { 1962 int newFlags = 1963 flagsToAdd & ~PackageManager.FLAGS_PERMISSION_RESTRICTION_ANY_EXEMPT; 1964 1965 NO_PM_CACHE.updatePermissionFlags(mPermission, mPkgRequestingPerm, newFlags, 1966 -1, mUser); 1967 } 1968 } 1969 1970 /** 1971 * Load the state of the flags before first use 1972 */ initFlags()1973 void initFlags() { 1974 if (newFlags == null) { 1975 mOriginalFlags = NO_PM_CACHE.getPermissionFlags(mPermission, mPkgRequestingPerm, 1976 mUser); 1977 newFlags = mOriginalFlags; 1978 } 1979 } 1980 1981 /** 1982 * Load the grant state before first use 1983 */ initGranted()1984 void initGranted() { 1985 if (newGranted == null) { 1986 // Don't call NO_PM_CACHE here so that contexts are reused 1987 mOriginalGranted = createContextAsUser(mUser).getPackageManager() 1988 .checkPermission(mPermission, mPkgRequestingPerm.packageName) 1989 == PackageManager.PERMISSION_GRANTED; 1990 newGranted = mOriginalGranted; 1991 } 1992 } 1993 } 1994 } 1995 1996 private static final class DefaultPermissionGrant { 1997 final String name; 1998 final boolean fixed; 1999 final boolean whitelisted; 2000 DefaultPermissionGrant(String name, boolean fixed, boolean whitelisted)2001 public DefaultPermissionGrant(String name, boolean fixed, 2002 boolean whitelisted) { 2003 this.name = name; 2004 this.fixed = fixed; 2005 this.whitelisted = whitelisted; 2006 } 2007 } 2008 } 2009