authorPhilip P. Moltmann <moltmann@google.com>2019-06-25 08:50:41 -0700
committerPhilip P. Moltmann <moltmann@google.com>2019-06-25 10:14:02 -0700
commit262a70a0088e062822a424898ef4d8f3264b3bc4 (patch)
tree1fe5fbd369a6964c79d2a0e325c6bcfcab714df9
parenta60eaef48b042f5c5ecfe69ff103ccd62a8d4024 (diff)
Whitelist all permission in apks on /system
As these apps never get installed, there is no entity white-listing these permissions. Hence the system needs to do that. Test: Added permission to an app during OTA and made sure that it is white-listed Bug: 135950886 Change-Id: I882c033f995c684a4eb0460c7adce0bb870a16c8
-rw-r--r--src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java48
1 files changed, 48 insertions, 0 deletions
diff --git a/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java b/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java
index bac015a6..cac2ef2c 100644
--- a/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java
+++ b/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java
@@ -22,6 +22,7 @@ import android.Manifest;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
+import android.content.pm.PermissionInfo;
import android.permission.PermissionManager;
import android.text.TextUtils;
import android.util.Log;
@@ -54,6 +55,8 @@ class RuntimePermissionsUpgradeController {
PermissionManager.class);
final int currentVersion = permissionManager.getRuntimePermissionsVersion();
+ whitelistAllSystemAppPermissions(context);
+
final int upgradedVersion = onUpgradeLocked(context, currentVersion);
if (upgradedVersion != LATEST_VERSION) {
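Review bot: The call to `whitelistAllSystemAppPermissions(context)` sits ahead of the `upgradedVersion != LATEST_VERSION` comparison, so it runs on every invocation of the enclosing method rather than only when the stored version is behind, and nothing at the call site says this is deliberate. The new method's Javadoc speaks of "always whitelisting", so it looks intended, but a short comment here would keep a later cleanup from moving it behind the version gate, for example `// Deliberately not version-gated: /system apps can gain restricted permissions in an OTA without a runtime-permissions version change.` (adjust if the reason is a different one). The enclosing method starts and ends outside this hunk, so whether a lock is held during the package enumeration cannot be checked from here; the `onUpgradeLocked` name suggests one is, which is worth confirming given the per-permission PackageManager calls the new method makes.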
@@ -70,6 +73,51 @@ class RuntimePermissionsUpgradeController {
}
/**
+ * Whitelist permissions of system-apps.
+ *
+ * <p>Apps that are updated via OTAs are never installed. Hence their permission are never
+ * whitelisted. This code replaces that by always whitelisting them.
+ *
+ * @param context A context to talk to the platform
+ */
+ private static void whitelistAllSystemAppPermissions(@NonNull Context context) {
+ // Only whitelist permissions that are in the OTA. For non-OTA updates the installer should
+ // do the white-listing
+ final List<PackageInfo> apps = context.getPackageManager()
+ .getInstalledPackages(PackageManager.GET_PERMISSIONS
+ | PackageManager.MATCH_UNINSTALLED_PACKAGES
+ | PackageManager.MATCH_FACTORY_ONLY);
+
+ final int appCount = apps.size();
+ for (int i = 0; i < appCount; i++) {
+ final PackageInfo app = apps.get(i);
+
+ if (app.requestedPermissions == null) {
+ continue;
+ }
+
+ for (String requestedPermission : app.requestedPermissions) {
+ final PermissionInfo permInfo;
+ try {
+ permInfo = context.getPackageManager().getPermissionInfo(
+ requestedPermission, 0);
+ } catch (PackageManager.NameNotFoundException e) {
+ continue;
+ }
+
+ if ((permInfo.flags & (PermissionInfo.FLAG_HARD_RESTRICTED
+ | PermissionInfo.FLAG_SOFT_RESTRICTED)) == 0) {
+ continue;
+ }
+
+ context.getPackageManager().addWhitelistedRestrictedPermission(
+ app.packageName, requestedPermission,
+ PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE);
+ }
+ }
+ }
+
+ /**
* You must perform all necessary mutations to bring the runtime permissions
* database from the old to the new version. When you add a new upgrade step
* you *must* update LATEST_VERSION.
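Review bot: The boolean result of `addWhitelistedRestrictedPermission(...)` is discarded and nothing is logged, so the loop leaves no record of which packages were exempted from hard- or soft-restricted permissions, nor of a call that did not take effect. This is a privilege-relevant change made with no installer in the loop, so I would check the return value and log the pair on failure: `if (!pm.addWhitelistedRestrictedPermission(app.packageName, requestedPermission, PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE)) { Log.w(<existing log tag>, "Could not whitelist " + requestedPermission + " for " + app.packageName); }`, with `pm` a local holding `context.getPackageManager()` instead of re-fetching it on each iteration. The Javadoc should also say that only permissions flagged `FLAG_HARD_RESTRICTED` or `FLAG_SOFT_RESTRICTED` are touched, and that the requested-permission list is read from the factory copy (`MATCH_FACTORY_ONLY`) while the whitelist entry is keyed by package name. If an updated copy of the package is the active one, the exemption presumably covers it as well, and that trust assumption deserves a sentence. The trailing context lines belong to the next method's Javadoc, which continues outside the hunk.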