Merge "Add onlyGrantWhenAdded for role." into main

3 files changed, 34 insertions, 13 deletions

diff --git a/PermissionController/role-controller/java/com/android/role/controller/model/Role.java b/PermissionController/role-controller/java/com/android/role/controller/model/Role.java
index 31216f72d..fe062ef53 100644
--- a/PermissionController/role-controller/java/com/android/role/controller/model/Role.java
+++ b/PermissionController/role-controller/java/com/android/role/controller/model/Role.java
@@ -128,6 +128,11 @@ public class Role {
     private final int mMinSdkVersion;
 
     /**
+     * Whether this role should only grant privileges when a role holder is actively added.
+     */
+    private final boolean mOnlyGrantWhenAdded;
+
+    /**
      * Whether this role should override user's choice about privileges when granting.
      */
     private final boolean mOverrideUserWhenGranting;
@@ -224,11 +229,11 @@ public class Role {
             @Nullable RoleBehavior behavior, @Nullable String defaultHoldersResourceName,
             @StringRes int descriptionResource, boolean exclusive, boolean fallBackToDefaultHolder,
             @StringRes int labelResource, int maxSdkVersion, int minSdkVersion,
-            boolean overrideUserWhenGranting, @StringRes int requestDescriptionResource,
-            @StringRes int requestTitleResource, boolean requestable,
-            @StringRes int searchKeywordsResource, @StringRes int shortLabelResource,
-            boolean showNone, boolean statik, boolean systemOnly, boolean visible,
-            @NonNull List<RequiredComponent> requiredComponents,
+            boolean onlyGrantWhenAdded, boolean overrideUserWhenGranting,
+            @StringRes int requestDescriptionResource, @StringRes int requestTitleResource,
+            boolean requestable, @StringRes int searchKeywordsResource,
+            @StringRes int shortLabelResource, boolean showNone, boolean statik, boolean systemOnly,
+            boolean visible, @NonNull List<RequiredComponent> requiredComponents,
             @NonNull List<Permission> permissions, @NonNull List<Permission> appOpPermissions,
             @NonNull List<AppOp> appOps, @NonNull List<PreferredActivity> preferredActivities,
             @Nullable String uiBehaviorName) {
@@ -242,6 +247,7 @@ public class Role {
         mLabelResource = labelResource;
         mMaxSdkVersion = maxSdkVersion;
         mMinSdkVersion = minSdkVersion;
+        mOnlyGrantWhenAdded = onlyGrantWhenAdded;
         mOverrideUserWhenGranting = overrideUserWhenGranting;
         mRequestDescriptionResource = requestDescriptionResource;
         mRequestTitleResource = requestTitleResource;
@@ -309,6 +315,13 @@ public class Role {
     }
 
     /**
+     * @see #mOnlyGrantWhenAdded
+     */
+    public boolean shouldOnlyGrantWhenAdded() {
+        return mOnlyGrantWhenAdded;
+    }
+
+    /**
      * @see #mOverrideUserWhenGranting
      */
     public boolean shouldOverrideUserWhenGranting() {
@@ -1000,6 +1013,7 @@ public class Role {
                 + ", mLabelResource=" + mLabelResource
                 + ", mMaxSdkVersion=" + mMaxSdkVersion
                 + ", mMinSdkVersion=" + mMinSdkVersion
+                + ", mOnlyGrantWhenAdded=" + mOnlyGrantWhenAdded
                 + ", mOverrideUserWhenGranting=" + mOverrideUserWhenGranting
                 + ", mRequestDescriptionResource=" + mRequestDescriptionResource
                 + ", mRequestTitleResource=" + mRequestTitleResource
diff --git a/PermissionController/role-controller/java/com/android/role/controller/model/RoleParser.java b/PermissionController/role-controller/java/com/android/role/controller/model/RoleParser.java
index cc2d102c8..bd530d09d 100644
--- a/PermissionController/role-controller/java/com/android/role/controller/model/RoleParser.java
+++ b/PermissionController/role-controller/java/com/android/role/controller/model/RoleParser.java
@@ -92,6 +92,7 @@ public class RoleParser {
     private static final String ATTRIBUTE_LABEL = "label";
     private static final String ATTRIBUTE_MAX_SDK_VERSION = "maxSdkVersion";
     private static final String ATTRIBUTE_MIN_SDK_VERSION = "minSdkVersion";
+    private static final String ATTRIBUTE_ONLY_GRANT_WHEN_ADDED = "onlyGrantWhenAdded";
     private static final String ATTRIBUTE_OVERRIDE_USER_WHEN_GRANTING = "overrideUserWhenGranting";
     private static final String ATTRIBUTE_QUERY_FLAGS = "queryFlags";
     private static final String ATTRIBUTE_REQUEST_TITLE = "requestTitle";
@@ -396,6 +397,9 @@ public class RoleParser {
             return null;
         }
 
+        boolean onlyGrantWhenAdded = getAttributeBooleanValue(parser,
+                ATTRIBUTE_ONLY_GRANT_WHEN_ADDED, false);
+
         boolean overrideUserWhenGranting = getAttributeBooleanValue(parser,
                 ATTRIBUTE_OVERRIDE_USER_WHEN_GRANTING, false);
 
@@ -523,10 +527,11 @@ public class RoleParser {
         }
         return new Role(name, allowBypassingQualification, behavior, defaultHoldersResourceName,
                 descriptionResource, exclusive, fallBackToDefaultHolder, labelResource,
-                maxSdkVersion, minSdkVersion, overrideUserWhenGranting, requestDescriptionResource,
-                requestTitleResource, requestable, searchKeywordsResource, shortLabelResource,
-                showNone, statik, systemOnly, visible, requiredComponents, permissions,
-                appOpPermissions, appOps, preferredActivities, uiBehaviorName);
+                maxSdkVersion, minSdkVersion, onlyGrantWhenAdded, overrideUserWhenGranting,
+                requestDescriptionResource, requestTitleResource, requestable,
+                searchKeywordsResource, shortLabelResource, showNone, statik, systemOnly, visible,
+                requiredComponents, permissions, appOpPermissions, appOps, preferredActivities,
+                uiBehaviorName);
     }
 
     @NonNull
diff --git a/PermissionController/role-controller/java/com/android/role/controller/service/RoleControllerServiceImpl.java b/PermissionController/role-controller/java/com/android/role/controller/service/RoleControllerServiceImpl.java
index 2a6010c4d..bc7562c11 100644
--- a/PermissionController/role-controller/java/com/android/role/controller/service/RoleControllerServiceImpl.java
+++ b/PermissionController/role-controller/java/com/android/role/controller/service/RoleControllerServiceImpl.java
@@ -131,10 +131,12 @@ public class RoleControllerServiceImpl extends RoleControllerService {
                 String packageName = currentPackageNames.get(currentPackageNamesIndex);
 
                 if (role.isPackageQualifiedAsUser(packageName, mUser, mContext)) {
-                    // We should not override user set or fixed permissions because we are only
-                    // redoing the grant here. Otherwise, user won't be able to revoke permissions
-                    // granted by role.
-                    addRoleHolderInternal(role, packageName, false, false, true);
+                    if (!role.shouldOnlyGrantWhenAdded()) {
+                        // We should not override user set or fixed permissions because we are only
+                        // redoing the grant here. Otherwise, user won't be able to revoke
+                        // permissions granted by role.
+                        addRoleHolderInternal(role, packageName, false, false, true);
+                    }
                 } else {
                     Log.i(LOG_TAG, "Removing package that no longer qualifies for the role,"
                             + " package: " + packageName + ", role: " + roleName);