From 262a70a0088e062822a424898ef4d8f3264b3bc4 Mon Sep 17 00:00:00 2001 From: "Philip P. Moltmann" Date: Tue, 25 Jun 2019 08:50:41 -0700 Subject: Whitelist all permission in apks on /system As these apps never get installed, there is no entity white-listing these permissions. Hence the system needs to do that. Test: Added permission to an app during OTA and made sure that it is white-listed Bug: 135950886 Change-Id: I882c033f995c684a4eb0460c7adce0bb870a16c8 --- .../RuntimePermissionsUpgradeController.java | 48 ++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java b/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java index bac015a6..cac2ef2c 100644 --- a/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java +++ b/src/com/android/packageinstaller/permission/service/RuntimePermissionsUpgradeController.java @@ -22,6 +22,7 @@ import android.Manifest; import android.content.Context; import android.content.pm.PackageInfo; import android.content.pm.PackageManager; +import android.content.pm.PermissionInfo; import android.permission.PermissionManager; import android.text.TextUtils; import android.util.Log; @@ -54,6 +55,8 @@ class RuntimePermissionsUpgradeController { PermissionManager.class); final int currentVersion = permissionManager.getRuntimePermissionsVersion(); + whitelistAllSystemAppPermissions(context); + final int upgradedVersion = onUpgradeLocked(context, currentVersion); if (upgradedVersion != LATEST_VERSION) { @@ -69,6 +72,51 @@ class RuntimePermissionsUpgradeController { } } + /** + * Whitelist permissions of system-apps. + * + *
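Review bot: `whitelistAllSystemAppPermissions(context)` in the second hunk is called ahead of `onUpgradeLocked` and is not tied to `currentVersion` in the lines shown, so the package scan and the whitelist writes appear to repeat on every run of this upgrade path, not only after an OTA. If that is intended, a comment at the call site would record it, e.g. `// Deliberately not gated on currentVersion: an OTA can add restricted permissions to /system apps without a version bump.` An exception thrown from the helper would also skip the version upgrade that follows, which is worth deciding on explicitly. The enclosing method starts and ends outside the hunk, so an outer guard may exist that is not visible here.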

Apps that are updated via OTAs are never installed. Hence their permission are never + * whitelisted. This code replaces that by always whitelisting them. + * + * @param context A context to talk to the platform + */ + private static void whitelistAllSystemAppPermissions(@NonNull Context context) { + // Only whitelist permissions that are in the OTA. For non-OTA updates the installer should + // do the white-listing + final List apps = context.getPackageManager() + .getInstalledPackages(PackageManager.GET_PERMISSIONS + | PackageManager.MATCH_UNINSTALLED_PACKAGES + | PackageManager.MATCH_FACTORY_ONLY); + + final int appCount = apps.size(); + for (int i = 0; i < appCount; i++) { + final PackageInfo app = apps.get(i); + + if (app.requestedPermissions == null) { + continue; + } + + for (String requestedPermission : app.requestedPermissions) { + final PermissionInfo permInfo; + try { + permInfo = context.getPackageManager().getPermissionInfo( + requestedPermission, 0); + } catch (PackageManager.NameNotFoundException e) { + continue; + } + + if ((permInfo.flags & (PermissionInfo.FLAG_HARD_RESTRICTED + | PermissionInfo.FLAG_SOFT_RESTRICTED)) == 0) { + continue; + } + + context.getPackageManager().addWhitelistedRestrictedPermission( + app.packageName, requestedPermission, + PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE); + } + } + } + /** * You must perform all necessary mutations to bring the runtime permissions * database from the old to the new version. When you add a new upgrade step -- cgit v1.2.3
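Review bot: The boolean returned by `addWhitelistedRestrictedPermission` is dropped and the `NameNotFoundException` branch just continues, so this loop changes restricted-permission whitelists for system packages without recording what was whitelisted or what failed. Logging the failure keeps the change auditable, e.g. `if (!pm.addWhitelistedRestrictedPermission(app.packageName, requestedPermission, PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE)) { Log.w(LOG_TAG, "Could not whitelist " + requestedPermission + " for " + app.packageName); }`, where `pm` is a local holding `context.getPackageManager()` and `LOG_TAG` stands for whatever tag this class already uses (not visible in the hunk). The comment above the query should also say that `MATCH_FACTORY_ONLY` is what limits the whitelist to permissions declared by the /system copy of each app, so that a later edit does not drop the flag and start whitelisting permissions requested only by an updated copy.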