author | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-01-03 23:50:06 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2023-01-03 23:50:06 +0000 |
commit | 6b97e190fa2196d1c2ebb655027651d310ccee3a (patch) | |
tree | 5c62f3284cd3838a5cbe506f3605dfbe846185e8 | |
parent | cbcf269102907ce099a0466808116227cce9bf5f (diff) | |
parent | 246f03ead77b4d61daa8c24c74e926a29a19f39f (diff) | |
Merge "Merge cherrypicks of [19946225] into rvc-platform-release. am: 25cdbfb251" into android11-gsiandroid11-gsi
2 files changed, 57 insertions, 3 deletions
diff --git a/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java b/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java index b4a79b41c..8d082c08b 100644 --- a/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java +++ b/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java @@ -36,6 +36,7 @@ import android.os.Handler; import android.os.Looper; import android.os.Process; import android.os.UserHandle; +import android.os.UserManager; import android.permission.PermissionManager; import android.permission.RuntimePermissionPresentationInfo; import android.permission.RuntimePermissionUsageInfo; @@ -56,6 +57,7 @@ import com.android.permissioncontroller.permission.model.livedatatypes.AppPermGr import com.android.permissioncontroller.permission.model.livedatatypes.AppPermGroupUiInfo.PermGrantState; import com.android.permissioncontroller.permission.ui.AutoGrantPermissionsNotifier; import com.android.permissioncontroller.permission.utils.ArrayUtils; +import com.android.permissioncontroller.permission.utils.AdminRestrictedPermissionsUtils; import com.android.permissioncontroller.permission.utils.KotlinUtils; import com.android.permissioncontroller.permission.utils.UserSensitiveFlagsUtils; import com.android.permissioncontroller.permission.utils.Utils; @@ -518,6 +520,8 @@ public final class PermissionControllerServiceImpl extends PermissionControllerL AutoGrantPermissionsNotifier autoGrantPermissionsNotifier = new AutoGrantPermissionsNotifier(this, pkgInfo); + final boolean isManagedProfile = getSystemService(UserManager.class).isManagedProfile(); + int numPerms = expandedPermissions.size(); for (int i = 0; i < numPerms; i++) { String permName = expandedPermissions.get(i); 
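Review bot: In the `@@ -518,6 +520,8 @@` hunk, `getSystemService(UserManager.class).isManagedProfile()` answers for the user this service instance runs as, and the new admin-grant restriction depends entirely on that value, so the assumption that this is the user whose package is being changed deserves a comment. Something like `// This service runs as the target user, so this reflects the profile the admin manages.` would do, if the caller does guarantee that. The enclosing method begins outside the hunk, so this cannot be confirmed from the visible lines.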
@@ -533,9 +537,15 @@ public final class PermissionControllerServiceImpl extends PermissionControllerL switch (grantState) { case PERMISSION_GRANT_STATE_GRANTED: - perm.setPolicyFixed(true); - group.grantRuntimePermissions(false, false, new String[]{permName}); - autoGrantPermissionsNotifier.onPermissionAutoGranted(permName); + if (AdminRestrictedPermissionsUtils.mayAdminGrantPermission(perm.getName(), + isManagedProfile)) { + perm.setPolicyFixed(true); + group.grantRuntimePermissions(false, false, new String[]{permName}); + autoGrantPermissionsNotifier.onPermissionAutoGranted(permName); + } else { + // similar to PERMISSION_GRANT_STATE_DEFAULT + perm.setPolicyFixed(false); + } break; case PERMISSION_GRANT_STATE_DENIED: perm.setPolicyFixed(true); diff --git a/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java b/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java new file mode 100644 index 000000000..917c6336a --- /dev/null +++ b/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java 
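Review bot: In the new `else` branch under `case PERMISSION_GRANT_STATE_GRANTED`, an admin grant that `mayAdminGrantPermission` rejects is dropped without a log line or any other signal, so within the visible lines a refused grant is indistinguishable from an applied one. A `Log.w` naming `permName` and the managed-profile reason would make the refusal auditable. The comment `// similar to PERMISSION_GRANT_STATE_DEFAULT` could state the intent directly: `// Profile owner may not grant this permission: clear policy-fixed and leave the grant state to the user.` Since `setPolicyFixed(false)` does not revoke, a grant applied before this check existed presumably stays in place, which is worth stating if intended. The enclosing method starts and ends outside the hunk, so what it reports back to the admin caller is not visible here.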
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.permissioncontroller.permission.utils;
+
+import android.Manifest;
+import android.util.ArraySet;
+
+/**
+ * A class for dealing with permissions that the admin may not grant in certain configurations.
+ */
+public final class AdminRestrictedPermissionsUtils {
+
+ /**
+ * A set of permissions that the managed Profile Owner cannot grant.
+ */
+ private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
+ new ArraySet<>();
+
+ static {
+ MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.add(Manifest.permission.READ_SMS);
+ }
+
+ /**
+ * Returns true if the admin may grant this permission, false otherwise.
+ */
+ public static boolean mayAdminGrantPermission(String permission, boolean isManagedProfile) {
+ return !isManagedProfile
+ || !MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
+ }
+} |
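Review bot: The Javadoc on `MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS` says what the set is but not why `READ_SMS` is in it or how a permission qualifies, so a maintainer cannot tell whether related names such as `RECEIVE_SMS` were considered and left out on purpose. I would extend it to state the criterion, for example `Permissions a profile owner of a managed profile may not grant by policy; the user can still grant them.` (wording for the author to confirm). `mayAdminGrantPermission` matches on the exact string, so its Javadoc should also say that callers must pass the individual permission name and that a `false` result means the grant has to be skipped. As style points, the all-static class would normally get `private AdminRestrictedPermissionsUtils() {}`, and the set is never changed after the static block, so it could be exposed internally as an unmodifiable set.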