Snap for 9170954 from 8ab73389b49de44517d3700e8959f768baefcad7 to qt-aml-tzdata-releaseq_tzdata_aml_297100400q_tzdata_aml_297100300q_tzdata_aml_297100000q_tzdata_aml_296200000q_tzdata_aml_295600118q_tzdata_aml_295600110q_tzdata_aml_295500002q_tzdata_aml_295500001q_tzdata_aml_297100000android10-mainline-tzdata-releaseandroid10-android13-mainline-tzdata-release

Change-Id: I9ad9399fed3c39037ab0be10d321efa51b46cee7

3 files changed, 60 insertions, 2 deletions

diff --git a/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java b/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
index d846ce092..c6d5cd021 100644
--- a/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
+++ b/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
@@ -35,6 +35,7 @@ import android.content.pm.PackageInfo;
 import android.content.pm.PackageManager;
 import android.os.AsyncTask;
 import android.os.UserHandle;
+import android.os.UserManager;
 import android.permission.PermissionControllerService;
 import android.permission.PermissionManager;
 import android.permission.RuntimePermissionPresentationInfo;
@@ -49,6 +50,7 @@ import androidx.annotation.Nullable;
 import com.android.packageinstaller.permission.model.AppPermissionGroup;
 import com.android.packageinstaller.permission.model.AppPermissions;
 import com.android.packageinstaller.permission.model.Permission;
+import com.android.packageinstaller.permission.utils.AdminRestrictedPermissionsUtils;
 import com.android.packageinstaller.permission.utils.Utils;
 
 import org.xmlpull.v1.XmlPullParser;
@@ -528,6 +530,8 @@ public final class PermissionControllerServiceImpl extends PermissionControllerS
 
         AppPermissions app = new AppPermissions(this, pkgInfo, false, true, null);
 
+        final boolean isManagedProfile = getSystemService(UserManager.class).isManagedProfile();
+
         int numPerms = expandedPermissions.size();
         for (int i = 0; i < numPerms; i++) {
             String permName = expandedPermissions.get(i);
@@ -543,8 +547,14 @@ public final class PermissionControllerServiceImpl extends PermissionControllerS
 
             switch (grantState) {
                 case PERMISSION_GRANT_STATE_GRANTED:
-                    perm.setPolicyFixed(true);
-                    group.grantRuntimePermissions(false, new String[]{permName});
+                    if (AdminRestrictedPermissionsUtils.mayAdminGrantPermission(perm.getName(),
+                            isManagedProfile)) {
+                        perm.setPolicyFixed(true);
+                        group.grantRuntimePermissions(false, new String[]{permName});
+                    } else {
+                        // similar to PERMISSION_GRANT_STATE_DEFAULT
+                        perm.setPolicyFixed(false);
+                    }
                     break;
                 case PERMISSION_GRANT_STATE_DENIED:
                     perm.setPolicyFixed(true);
diff --git a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
index c21bb169c..1483d4df5 100644
--- a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
+++ b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
@@ -21,6 +21,7 @@ import android.content.pm.PackageInfo;
 import android.content.pm.PackageManager;
 import android.os.Bundle;
 import android.text.TextUtils;
+import android.view.WindowManager;
 
 import androidx.fragment.app.Fragment;
 import androidx.fragment.app.FragmentActivity;
@@ -39,6 +40,9 @@ public final class ReviewPermissionsActivity extends FragmentActivity
     protected void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
 
+        getWindow().addSystemFlags(
+                WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+
         PackageInfo packageInfo = getTargetPackageInfo();
         if (packageInfo == null) {
             finish();
diff --git a/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java b/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
new file mode 100644
index 000000000..337983076
--- /dev/null
+++ b/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package com.android.packageinstaller.permission.utils;
+
+import android.Manifest;
+import android.util.ArraySet;
+
+/**
+ * A class for dealing with permissions that the admin may not grant in certain configurations.
+ */
+public final class AdminRestrictedPermissionsUtils {
+
+    /**
+     * A set of permissions that the managed Profile Owner cannot grant.
+     */
+    private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
+            new ArraySet<>();
+
+    static {
+        MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.add(Manifest.permission.READ_SMS);
+    }
+
+    /**
+     * Returns true if the admin may grant this permission, false otherwise.
+     */
+    public static boolean mayAdminGrantPermission(String permission, boolean isManagedProfile) {
+        return !isManagedProfile
+                || !MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
+    }
+}
\ No newline at end of file