Merge "Control privileged permissions for priv-apps"
diff --git a/core/java/com/android/internal/os/RoSystemProperties.java b/core/java/com/android/internal/os/RoSystemProperties.java
index 80c55fb..7591488 100644
--- a/core/java/com/android/internal/os/RoSystemProperties.java
+++ b/core/java/com/android/internal/os/RoSystemProperties.java
@@ -27,6 +27,8 @@
SystemProperties.getInt("ro.debuggable", 0) == 1;
public static final int FACTORYTEST =
SystemProperties.getInt("ro.factorytest", 0);
+ public static final boolean CONTROL_PRIVAPP_PERMISSIONS =
+ SystemProperties.getBoolean("ro.control_privapp_permissions", false);
// ------ ro.config.* -------- //
public static final boolean CONFIG_LOW_RAM =
diff --git a/core/java/com/android/server/SystemConfig.java b/core/java/com/android/server/SystemConfig.java
index 429131b..168da5f 100644
--- a/core/java/com/android/server/SystemConfig.java
+++ b/core/java/com/android/server/SystemConfig.java
@@ -25,6 +25,7 @@
import android.os.Environment;
import android.os.Process;
import android.os.storage.StorageManager;
+import android.text.TextUtils;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.Slog;
@@ -129,6 +130,9 @@
final ArrayMap<String, List<String>> mDisabledUntilUsedPreinstalledCarrierAssociatedApps =
new ArrayMap<>();
+
+ final ArrayMap<String, ArraySet<String>> mPrivAppPermissions = new ArrayMap<>();
+
public static SystemConfig getInstance() {
synchronized (SystemConfig.class) {
if (sInstance == null) {
@@ -194,6 +198,10 @@
return mDisabledUntilUsedPreinstalledCarrierAssociatedApps;
}
+ public ArraySet<String> getPrivAppPermissions(String packageName) {
+ return mPrivAppPermissions.get(packageName);
+ }
+
SystemConfig() {
// Read configuration from system
readPermissions(Environment.buildPath(
@@ -507,6 +515,8 @@
associatedPkgs.add(pkgname);
}
XmlUtils.skipCurrentTag(parser);
+ } else if ("privapp-permissions".equals(name) && allowAppConfigs) {
+ readPrivAppPermissions(parser);
} else {
XmlUtils.skipCurrentTag(parser);
continue;
@@ -584,4 +594,32 @@
XmlUtils.skipCurrentTag(parser);
}
}
+
+ void readPrivAppPermissions(XmlPullParser parser) throws IOException, XmlPullParserException {
+ String packageName = parser.getAttributeValue(null, "package");
+ if (TextUtils.isEmpty(packageName)) {
+ Slog.w(TAG, "package is required for <privapp-permissions> in "
+ + parser.getPositionDescription());
+ return;
+ }
+
+ ArraySet<String> permissions = mPrivAppPermissions.get(packageName);
+ if (permissions == null) {
+ permissions = new ArraySet<>();
+ }
+ int depth = parser.getDepth();
+ while (XmlUtils.nextElementWithin(parser, depth)) {
+ String name = parser.getName();
+ if ("permission".equals(name)) {
+ String permName = parser.getAttributeValue(null, "name");
+ if (TextUtils.isEmpty(permName)) {
+ Slog.w(TAG, "name is required for <permission> in "
+ + parser.getPositionDescription());
+ continue;
+ }
+ permissions.add(permName);
+ }
+ }
+ mPrivAppPermissions.put(packageName, permissions);
+ }
}
diff --git a/data/etc/Android.mk b/data/etc/Android.mk
index 134ac0c..6718259 100644
--- a/data/etc/Android.mk
+++ b/data/etc/Android.mk
@@ -18,30 +18,17 @@
########################
include $(CLEAR_VARS)
-
LOCAL_MODULE := platform.xml
-
LOCAL_MODULE_CLASS := ETC
-
-# This will install the file in /system/etc/permissions
-#
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions
-
LOCAL_SRC_FILES := $(LOCAL_MODULE)
-
include $(BUILD_PREBUILT)
########################
-#include $(CLEAR_VARS)
+include $(CLEAR_VARS)
+LOCAL_MODULE := privapp-permissions-platform.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+include $(BUILD_PREBUILT)
-#LOCAL_MODULE := required_hardware.xml
-
-#LOCAL_MODULE_CLASS := ETC
-
-# This will install the file in /system/etc/permissions
-#
-#LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/permissions
-
-#LOCAL_SRC_FILES := $(LOCAL_MODULE)
-
-#include $(BUILD_PREBUILT)
diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
new file mode 100644
index 0000000..3fc7914
--- /dev/null
+++ b/data/etc/privapp-permissions-platform.xml
@@ -0,0 +1,324 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License
+ -->
+
+<!--
+This XML file declares which signature|privileged permissions should be granted to privileged
+applications that come with the platform
+-->
+<permissions>
+ <privapp-permissions package="com.android.backupconfirm">
+ <permission name="android.permission.BACKUP"/>
+ <permission name="android.permission.CRYPT_KEEPER"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.cellbroadcastreceiver">
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
+ <permission name="android.permission.RECEIVE_EMERGENCY_BROADCAST"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.contacts">
+ <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
+ <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.defcontainer">
+ <permission name="android.permission.ACCESS_CACHE_FILESYSTEM"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.dialer">
+ <permission name="android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK"/>
+ <permission name="android.permission.CONTROL_INCALL_EXPERIENCE"/>
+ <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ <permission name="android.permission.STOP_APP_SWITCHES"/>
+ <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/>
+ <permission name="com.android.voicemail.permission.WRITE_VOICEMAIL"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.emergency">
+ <permission name="android.permission.MANAGE_USERS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.externalstorage">
+ <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
+ <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.launcher">
+ <permission name="android.permission.BIND_APPWIDGET"/>
+ <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.location.fused">
+ <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.managedprovisioning">
+ <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
+ <permission name="android.permission.CHANGE_CONFIGURATION"/>
+ <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
+ <permission name="android.permission.CRYPT_KEEPER"/>
+ <permission name="android.permission.DELETE_PACKAGES"/>
+ <permission name="android.permission.INSTALL_PACKAGES"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_DEVICE_ADMINS"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.MASTER_CLEAR"/>
+ <permission name="android.permission.PERFORM_CDMA_PROVISIONING"/>
+ <permission name="android.permission.SET_TIME"/>
+ <permission name="android.permission.SET_TIME_ZONE"/>
+ <permission name="android.permission.SHUTDOWN"/>
+ <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.mms.service">
+ <permission name="android.permission.BIND_CARRIER_MESSAGING_SERVICE"/>
+ <permission name="android.permission.BIND_CARRIER_SERVICES"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.mtp">
+ <permission name="android.permission.MANAGE_USB"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.musicfx">
+ <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.packageinstaller">
+ <permission name="android.permission.CLEAR_APP_CACHE"/>
+ <permission name="android.permission.DELETE_PACKAGES"/>
+ <permission name="android.permission.INSTALL_PACKAGES"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.phone">
+ <permission name="android.permission.ACCESS_IMS_CALL_SERVICE"/>
+ <permission name="android.permission.BIND_CARRIER_MESSAGING_SERVICE"/>
+ <permission name="android.permission.BIND_CARRIER_SERVICES"/>
+ <permission name="android.permission.CALL_PRIVILEGED"/>
+ <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
+ <permission name="android.permission.CHANGE_CONFIGURATION"/>
+ <permission name="android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST"/>
+ <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
+ <permission name="android.permission.DUMP"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.LOCAL_MAC_ADDRESS"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ <permission name="android.permission.PERFORM_CDMA_PROVISIONING"/>
+ <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
+ <permission name="android.permission.READ_SEARCH_INDEXABLES"/>
+ <permission name="android.permission.REBOOT"/>
+ <permission name="android.permission.REGISTER_CALL_PROVIDER"/>
+ <permission name="android.permission.REGISTER_SIM_SUBSCRIPTION"/>
+ <permission name="android.permission.SEND_RESPOND_VIA_MESSAGE"/>
+ <permission name="android.permission.SET_TIME"/>
+ <permission name="android.permission.SET_TIME_ZONE"/>
+ <permission name="android.permission.SHUTDOWN"/>
+ <permission name="android.permission.STATUS_BAR"/>
+ <permission name="android.permission.STOP_APP_SWITCHES"/>
+ <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
+ <permission name="android.permission.UPDATE_DEVICE_STATS"/>
+ <permission name="android.permission.UPDATE_LOCK"/>
+ <permission name="android.permission.WRITE_APN_SETTINGS"/>
+ <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+ <permission name="com.android.voicemail.permission.READ_VOICEMAIL"/>
+ <permission name="com.android.voicemail.permission.WRITE_VOICEMAIL"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.providers.calendar">
+ <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
+ <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.providers.contacts">
+ <permission name="android.permission.BIND_DIRECTORY_SEARCH"/>
+ <permission name="android.permission.GET_ACCOUNTS_PRIVILEGED"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.providers.downloads">
+ <permission name="android.permission.ACCESS_CACHE_FILESYSTEM"/>
+ <permission name="android.permission.CLEAR_APP_CACHE"/>
+ <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
+ <permission name="android.permission.MODIFY_NETWORK_ACCOUNTING"/>
+ <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
+ <permission name="android.permission.UPDATE_DEVICE_STATS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.providers.media">
+ <permission name="android.permission.ACCESS_MTP"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.providers.telephony">
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.provision">
+ <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.server.telecom">
+ <permission name="android.permission.BIND_CONNECTION_SERVICE"/>
+ <permission name="android.permission.BIND_INCALL_SERVICE"/>
+ <permission name="android.permission.CALL_PRIVILEGED"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ <permission name="android.permission.STOP_APP_SWITCHES"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.settings">
+ <permission name="android.permission.ACCESS_CHECKIN_PROPERTIES"/>
+ <permission name="android.permission.ACCESS_NOTIFICATIONS"/>
+ <permission name="android.permission.BACKUP"/>
+ <permission name="android.permission.BATTERY_STATS"/>
+ <permission name="android.permission.BLUETOOTH_PRIVILEGED"/>
+ <permission name="android.permission.CHANGE_CONFIGURATION"/>
+ <permission name="android.permission.DELETE_PACKAGES"/>
+ <permission name="android.permission.FORCE_STOP_PACKAGES"/>
+ <permission name="android.permission.MANAGE_DEVICE_ADMINS"/>
+ <permission name="android.permission.MANAGE_FINGERPRINT"/>
+ <permission name="android.permission.MANAGE_USB"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.MASTER_CLEAR"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
+ <permission name="android.permission.MOVE_PACKAGE"/>
+ <permission name="android.permission.OVERRIDE_WIFI_CONFIG"/>
+ <permission name="android.permission.PACKAGE_USAGE_STATS"/>
+ <permission name="android.permission.READ_SEARCH_INDEXABLES"/>
+ <permission name="android.permission.REBOOT"/>
+ <permission name="android.permission.SET_TIME"/>
+ <permission name="android.permission.STATUS_BAR"/>
+ <permission name="android.permission.TETHER_PRIVILEGED"/>
+ <permission name="android.permission.USER_ACTIVITY"/>
+ <permission name="android.permission.WRITE_APN_SETTINGS"/>
+ <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
+ <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.sharedstoragebackup">
+ <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.shell">
+ <permission name="android.permission.BACKUP"/>
+ <permission name="android.permission.BATTERY_STATS"/>
+ <permission name="android.permission.BIND_APPWIDGET"/>
+ <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
+ <permission name="android.permission.CHANGE_CONFIGURATION"/>
+ <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
+ <permission name="android.permission.DELETE_CACHE_FILES"/>
+ <permission name="android.permission.DELETE_PACKAGES"/>
+ <permission name="android.permission.DUMP"/>
+ <permission name="android.permission.FORCE_STOP_PACKAGES"/>
+ <permission name="android.permission.GET_APP_OPS_STATS"/>
+ <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
+ <permission name="android.permission.INSTALL_PACKAGES"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_ACTIVITY_STACKS"/>
+ <permission name="android.permission.MANAGE_DEVICE_ADMINS"/>
+ <permission name="android.permission.MODIFY_APPWIDGET_BIND_PERMISSIONS"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ <permission name="android.permission.MOUNT_FORMAT_FILESYSTEMS"/>
+ <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
+ <permission name="android.permission.MOVE_PACKAGE"/>
+ <permission name="android.permission.READ_FRAME_BUFFER"/>
+ <permission name="android.permission.REAL_GET_TASKS"/>
+ <permission name="android.permission.REGISTER_CALL_PROVIDER"/>
+ <permission name="android.permission.REGISTER_CONNECTION_MANAGER"/>
+ <permission name="android.permission.REGISTER_SIM_SUBSCRIPTION"/>
+ <permission name="android.permission.RETRIEVE_WINDOW_CONTENT"/>
+ <permission name="android.permission.SET_ALWAYS_FINISH"/>
+ <permission name="android.permission.SET_ANIMATION_SCALE"/>
+ <permission name="android.permission.SET_DEBUG_APP"/>
+ <permission name="android.permission.SET_PROCESS_LIMIT"/>
+ <permission name="android.permission.SIGNAL_PERSISTENT_PROCESSES"/>
+ <permission name="android.permission.STOP_APP_SWITCHES"/>
+ <permission name="android.permission.SUBSTITUTE_NOTIFICATION_APP_NAME"/>
+ <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
+ <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
+ <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.statementservice">
+ <permission name="android.permission.INTENT_FILTER_VERIFICATION_AGENT"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.storagemanager">
+ <permission name="android.permission.DELETE_PACKAGES"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.PACKAGE_USAGE_STATS"/>
+ <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.systemui">
+ <permission name="android.permission.BATTERY_STATS"/>
+ <permission name="android.permission.BIND_APPWIDGET"/>
+ <permission name="android.permission.BLUETOOTH_PRIVILEGED"/>
+ <permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
+ <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
+ <permission name="android.permission.CONTROL_VPN"/>
+ <permission name="android.permission.DUMP"/>
+ <permission name="android.permission.GET_APP_OPS_STATS"/>
+ <permission name="android.permission.INTERACT_ACROSS_USERS"/>
+ <permission name="android.permission.MANAGE_ACTIVITY_STACKS"/>
+ <permission name="android.permission.MANAGE_USB"/>
+ <permission name="android.permission.MANAGE_USERS"/>
+ <permission name="android.permission.MASTER_CLEAR"/>
+ <permission name="android.permission.MEDIA_CONTENT_CONTROL"/>
+ <permission name="android.permission.MODIFY_PHONE_STATE"/>
+ <permission name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
+ <permission name="android.permission.OVERRIDE_WIFI_CONFIG"/>
+ <permission name="android.permission.READ_DREAM_STATE"/>
+ <permission name="android.permission.READ_FRAME_BUFFER"/>
+ <permission name="android.permission.READ_NETWORK_USAGE_HISTORY"/>
+ <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
+ <permission name="android.permission.REAL_GET_TASKS"/>
+ <permission name="android.permission.RECEIVE_MEDIA_RESOURCE_USAGE"/>
+ <permission name="android.permission.START_TASKS_FROM_RECENTS"/>
+ <permission name="android.permission.STATUS_BAR"/>
+ <permission name="android.permission.STOP_APP_SWITCHES"/>
+ <permission name="android.permission.SUBSTITUTE_NOTIFICATION_APP_NAME"/>
+ <permission name="android.permission.TETHER_PRIVILEGED"/>
+ <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
+ <permission name="android.permission.WRITE_DREAM_STATE"/>
+ <permission name="android.permission.WRITE_MEDIA_STORAGE"/>
+ <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
+ </privapp-permissions>
+
+ <privapp-permissions package="com.android.vpndialogs">
+ <permission name="android.permission.CONNECTIVITY_INTERNAL"/>
+ <permission name="android.permission.CONTROL_VPN"/>
+ </privapp-permissions>
+
+</permissions>
\ No newline at end of file
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index a9d10dd..d9e7019 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -233,6 +233,7 @@
import com.android.internal.logging.MetricsLogger;
import com.android.internal.os.IParcelFileDescriptorFactory;
import com.android.internal.os.InstallerConnection.InstallerException;
+import com.android.internal.os.RoSystemProperties;
import com.android.internal.os.SomeArgs;
import com.android.internal.os.Zygote;
import com.android.internal.telephony.CarrierAppUtils;
@@ -10394,14 +10395,28 @@
private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
BasePermission bp, PermissionsState origPermissions) {
- boolean allowed;
- allowed = (compareSignatures(
+ boolean privilegedPermission = (bp.protectionLevel
+ & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0;
+ boolean controlPrivappPermissions = RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS;
+ boolean platformPermission = PLATFORM_PACKAGE_NAME.equals(bp.sourcePackage);
+ boolean platformPackage = PLATFORM_PACKAGE_NAME.equals(pkg.packageName);
+ if (controlPrivappPermissions && privilegedPermission && pkg.isPrivilegedApp()
+ && !platformPackage && platformPermission) {
+ ArraySet<String> wlPermissions = SystemConfig.getInstance()
+ .getPrivAppPermissions(pkg.packageName);
+ boolean whitelisted = wlPermissions != null && wlPermissions.contains(perm);
+ if (!whitelisted) {
+ Slog.e(TAG, "Not granting privileged permission " + perm + " for package "
+ + pkg.packageName + " - not in privapp-permissions whitelist");
+ return false;
+ }
+ }
+ boolean allowed = (compareSignatures(
bp.packageSetting.signatures.mSignatures, pkg.mSignatures)
== PackageManager.SIGNATURE_MATCH)
|| (compareSignatures(mPlatformPackage.mSignatures, pkg.mSignatures)
== PackageManager.SIGNATURE_MATCH);
- if (!allowed && (bp.protectionLevel
- & PermissionInfo.PROTECTION_FLAG_PRIVILEGED) != 0) {
+ if (!allowed && privilegedPermission) {
if (isSystemApp(pkg)) {
// For updated system applications, a system permission
// is granted only if it had been defined by the original application.