mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-21 21:01:13 -05:00
122 lines
5.7 KiB
Diff
122 lines
5.7 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Alex Johnston <acjohnston@google.com>
|
||
|
Date: Wed, 14 Sep 2022 08:02:27 +0000
|
||
|
Subject: [PATCH] DO NOT MERGE Stop managed profile owner granting READ_SMS
|
||
|
|
||
|
Reason: There is only one telephony stack shared
|
||
|
between the personal and work profile.
|
||
|
|
||
|
This change is a partial cherry-pick of ag/15371816.
|
||
|
DPM.canAdminGrantSensorsPermissions did not exist pre-S. Pre-S,
|
||
|
the admin was always able to grant permissions incl sensor permissions. The change here will continue to allow granting of permissions unless the admin is on a managed profile and the permission is READ_SMS.
|
||
|
|
||
|
Bug: 194382185
|
||
|
Bug: 189942529
|
||
|
Test: manual testing with TestDPC
|
||
|
Change-Id: Icc1e59a18c4786635cbc651aefc2561fbbddfdb1
|
||
|
(cherry picked from commit 7cd8e7f00cf2d921a2d9b2999cfc85a148c781b9)
|
||
|
Merged-In: Icc1e59a18c4786635cbc651aefc2561fbbddfdb1
|
||
|
(cherry picked from commit fead6f2d7549e57baa120c15a797e41712b85cf5)
|
||
|
---
|
||
|
.../PermissionControllerServiceImpl.java | 14 +++++-
|
||
|
.../AdminRestrictedPermissionsUtils.java | 44 +++++++++++++++++++
|
||
|
2 files changed, 56 insertions(+), 2 deletions(-)
|
||
|
create mode 100644 src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
|
||
|
|
||
|
diff --git a/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java b/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
|
||
|
index 57f399275..2121d6e5d 100644
|
||
|
--- a/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
|
||
|
+++ b/src/com/android/packageinstaller/permission/service/PermissionControllerServiceImpl.java
|
||
|
@@ -35,6 +35,7 @@ import android.content.pm.PackageInfo;
|
||
|
import android.content.pm.PackageManager;
|
||
|
import android.os.AsyncTask;
|
||
|
import android.os.UserHandle;
|
||
|
+import android.os.UserManager;
|
||
|
import android.permission.PermissionControllerService;
|
||
|
import android.permission.PermissionManager;
|
||
|
import android.permission.RuntimePermissionPresentationInfo;
|
||
|
@@ -52,6 +53,7 @@ import com.android.packageinstaller.permission.model.AppPermissionUsage.GroupUsa
|
||
|
import com.android.packageinstaller.permission.model.AppPermissions;
|
||
|
import com.android.packageinstaller.permission.model.Permission;
|
||
|
import com.android.packageinstaller.permission.model.PermissionUsages;
|
||
|
+import com.android.packageinstaller.permission.utils.AdminRestrictedPermissionsUtils;
|
||
|
import com.android.packageinstaller.permission.utils.Utils;
|
||
|
|
||
|
import org.xmlpull.v1.XmlPullParser;
|
||
|
@@ -576,6 +578,8 @@ public final class PermissionControllerServiceImpl extends PermissionControllerS
|
||
|
|
||
|
AppPermissions app = new AppPermissions(this, pkgInfo, false, true, null);
|
||
|
|
||
|
+ final boolean isManagedProfile = getSystemService(UserManager.class).isManagedProfile();
|
||
|
+
|
||
|
int numPerms = expandedPermissions.size();
|
||
|
for (int i = 0; i < numPerms; i++) {
|
||
|
String permName = expandedPermissions.get(i);
|
||
|
@@ -591,8 +595,14 @@ public final class PermissionControllerServiceImpl extends PermissionControllerS
|
||
|
|
||
|
switch (grantState) {
|
||
|
case PERMISSION_GRANT_STATE_GRANTED:
|
||
|
- perm.setPolicyFixed(true);
|
||
|
- group.grantRuntimePermissions(false, new String[]{permName});
|
||
|
+ if (AdminRestrictedPermissionsUtils.mayAdminGrantPermission(perm.getName(),
|
||
|
+ isManagedProfile)) {
|
||
|
+ perm.setPolicyFixed(true);
|
||
|
+ group.grantRuntimePermissions(false, new String[]{permName});
|
||
|
+ } else {
|
||
|
+ // similar to PERMISSION_GRANT_STATE_DEFAULT
|
||
|
+ perm.setPolicyFixed(false);
|
||
|
+ }
|
||
|
break;
|
||
|
case PERMISSION_GRANT_STATE_DENIED:
|
||
|
perm.setPolicyFixed(true);
|
||
|
diff --git a/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java b/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
|
||
|
new file mode 100644
|
||
|
index 000000000..5bbb37837
|
||
|
--- /dev/null
|
||
|
+++ b/src/com/android/packageinstaller/permission/utils/AdminRestrictedPermissionsUtils.java
|
||
|
@@ -0,0 +1,44 @@
|
||
|
+/*
|
||
|
+ * Copyright (C) 2022 The Android Open Source Project
|
||
|
+ *
|
||
|
+ * Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
+ * you may not use this file except in compliance with the License.
|
||
|
+ * You may obtain a copy of the License at
|
||
|
+ *
|
||
|
+ * http://www.apache.org/licenses/LICENSE-2.0
|
||
|
+ *
|
||
|
+ * Unless required by applicable law or agreed to in writing, software
|
||
|
+ * distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
+ * See the License for the specific language governing permissions and
|
||
|
+ * limitations under the License.
|
||
|
+ */
|
||
|
+
|
||
|
+package com.android.packageinstaller.permission.utils;
|
||
|
+
|
||
|
+import android.Manifest;
|
||
|
+import android.util.ArraySet;
|
||
|
+
|
||
|
+/**
|
||
|
+ * A class for dealing with permissions that the admin may not grant in certain configurations.
|
||
|
+ */
|
||
|
+public final class AdminRestrictedPermissionsUtils {
|
||
|
+
|
||
|
+ /**
|
||
|
+ * A set of permissions that the managed Profile Owner cannot grant.
|
||
|
+ */
|
||
|
+ private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
|
||
|
+ new ArraySet<>();
|
||
|
+
|
||
|
+ static {
|
||
|
+ MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.add(Manifest.permission.READ_SMS);
|
||
|
+ }
|
||
|
+
|
||
|
+ /**
|
||
|
+ * Returns true if the admin may grant this permission, false otherwise.
|
||
|
+ */
|
||
|
+ public static boolean mayAdminGrantPermission(String permission, boolean isManagedProfile) {
|
||
|
+ return !isManagedProfile
|
||
|
+ || !MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
|
||
|
+ }
|
||
|
+}
|