Switch 16.0/17.1/18.1 to the more robust GrapheneOS sensors permission patchset

Like done for 19.1

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2022-04-10 20:24:01 -04:00
parent 0895190ffa
commit d50a3a043b
58 changed files with 1883 additions and 2714 deletions

View File

@ -92,12 +92,30 @@ nojit
12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/f1898802c8fd7474f723f9a44a316142d940dfed
12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/58c9f58bbde6789f944daf41d86acdc7b3e205f2
12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/2d14a42f7bc285e141377018285dc4e3fd8f8f86
11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/87837ab83af7ea8a9aa5e47c65e4361cd84479cf
11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/1aa3ca343e98d99d98fdc35fd3dd1d2e5a17fa7d
11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/a87929c2040dd4c36d72b52b211d281a74015dc2
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/8d68accb37299400bba65df9fce805fa5a98fc9a
10 https://github.com/GrapheneOS/platform_frameworks_base/commit/4d5d82f4e2fb9ff68158bf30f3944591bb74dd04
9 https://github.com/GrapheneOS/platform_frameworks_base/commit/09632b10185b9133949a431e27089f72b5cfeefa
[implemented] sensors permission
12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/452c474dfae9a312f6e01db5b28de308dbb14cc2
12 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/daed8c4e3ff8bf94a2a9aa319d32ec2ff5653c8f
12 https://github.com/GrapheneOS/platform_frameworks_native/commit/dcef490d7cab7bb9f96f8bfe19a8779ac140b26d
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/a949bd530bdbedf2078119a90a93d7c15bca6975
11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/d18b364558ca86fe3d9bbb643f7dc79d1a57aa5d
11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/cc9b673157996228e8096f83b993cce33a717e14
11 https://github.com/GrapheneOS/platform_frameworks_native/commit/6ff4e668467a79b610a003bd989bc0833ade0912
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/83e312089610419029b9e20272c3947edb7a9cc5
10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/a1204e6126189810018ff5540858536a1c58ac37
10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/fc8c816e07ce39583774db8fe668e0505b6aa504
10 https://github.com/GrapheneOS/platform_frameworks_native/commit/ff005a6b6a38baef95c4a01d7e1fc75aac651a58
10 https://github.com/GrapheneOS/platform_frameworks_base/commit/9ec9f7f521323552fa658b46862c8408f1a7b41b
9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/af08eeff533855ea164e80a42e18280f7002b4ea
9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/ae0f7cd347a92540b55175a44e3520c2f7145bc5
9 https://github.com/GrapheneOS/platform_frameworks_native/commit/3e92487c4b0b4ff7b114640f7dcede2fe61bc6df
9 https://github.com/GrapheneOS/platform_frameworks_base/commit/899441075ddbfc945cff97e433c9e1c9d6bde7af
[implemented] network permission
12 https://github.com/GrapheneOS/platform_frameworks_base/commit/947744f753638c82775186a3876f2b2ffd7c0244
@ -114,6 +132,22 @@ nojit
12 https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/dbf6ae4cd96450a21be0a4dd85fb5addeba67462
12 https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/34cded990ebd8da8c47cab88f0b1ef523a05d122
12 https://github.com/GrapheneOS/platform_libcore/commit/7110daa77503720bbd2f233df53be90b742ce85a
11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/d4b073b2c17f382a4bc922c3f12dc3673e3d8472
11 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/7396a2da80a06f1405b34370a9e2883dca57ba79
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/2071543704d726333d77f934f73596c53d8f0595
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/811d25733eb627d0b1a97e9fe86009763ed58a20
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/826a021126b2d2592452205e8c37e5b26543809f
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/ae1a600f3bb804df86a3652e3fae977107addaf3
11 https://github.com/GrapheneOS/platform_frameworks_base/commit/1f69f6d5c07d1d883328f91e40e8011ba386fdf8
10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/6c4f112dde47f21ce5a583f5bd8b217db6de5c02
10 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/a07271ed7e45239369f2ca33496d939d2e9cbd08
10 https://github.com/GrapheneOS/platform_frameworks_base/commit/246e5450929137c7c773c30fdc75268d30a1eea5
10 https://github.com/GrapheneOS/platform_frameworks_base/commit/b5c9f9407d5f5407686ea8c02fa67573ddc07824
10 https://github.com/GrapheneOS/platform_frameworks_base/commit/f412994d2c974b08941646acb61f0aee6cdfed05
9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/880011e7af233249e1b70177daa3cd786574bc85
9 https://github.com/GrapheneOS/platform_packages_modules_Permission/commit/c3c6a3206c1753cac7a8db72e2f05ddcf4c66d99
9 https://github.com/GrapheneOS/platform_frameworks_base/commit/2dd00723364fcf10e6c9e6c2e022e31524fda92d
9 https://github.com/GrapheneOS/platform_frameworks_base/commit/6ef61fd6f745b9709269d3612a3a4eea2250ebec
[implemented] protected fifo/regular
12 https://github.com/GrapheneOS/platform_system_core/commit/ddf48612c160b13552588af4d64bc7bb55571618

View File

@ -1,206 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Fri, 15 Mar 2019 22:05:36 +0100
Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [base]
Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: allow, strict)
- OP_OTHER_SENSORS (default: allow)
Change-Id: Id12b91720f1e02ea5ca606ecefb30121d19b92bb
---
core/java/android/app/AppOpsManager.java | 35 ++++++++++++++++++++++--
core/res/res/values-de/cm_strings.xml | 2 ++
core/res/res/values-fr/cm_strings.xml | 2 ++
core/res/res/values/cm_strings.xml | 2 ++
core/res/res/values/lineage_arrays.xml | 4 +++
5 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 5b763e50c38f..fef17859af8c 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -371,8 +371,12 @@ public class AppOpsManager {
public static final int OP_DATA_CONNECT_CHANGE = 81;
/** @hide SU access */
public static final int OP_SU = 82;
+ /** @hide Motion Sensors */
+ public static final int OP_MOTION_SENSORS = 83;
+ /** @hide Other Sensors */
+ public static final int OP_OTHER_SENSORS = 84;
/** @hide */
- public static final int _NUM_OP = 83;
+ public static final int _NUM_OP = 85;
/** Access to coarse location information. */
public static final String OPSTR_COARSE_LOCATION = "android:coarse_location";
@@ -628,6 +632,11 @@ public class AppOpsManager {
/** @hide */
public static final String OPSTR_SU = "android:su";
+ public static final String OPSTR_MOTION_SENSORS =
+ "android:motion_sensors";
+ public static final String OPSTR_OTHER_SENSORS =
+ "android:other_sensors";
+
// Warning: If an permission is added here it also has to be added to
// com.android.packageinstaller.permission.utils.EventLogger
private static final int[] RUNTIME_AND_APPOP_PERMISSIONS_OPS = {
@@ -676,7 +685,9 @@ public class AppOpsManager {
OP_WRITE_SETTINGS,
OP_REQUEST_INSTALL_PACKAGES,
OP_START_FOREGROUND,
- OP_SU
+ OP_SU,
+ OP_MOTION_SENSORS,
+ OP_OTHER_SENSORS
};
/**
@@ -771,6 +782,8 @@ public class AppOpsManager {
OP_NFC_CHANGE, // NFC_CHANGE
OP_DATA_CONNECT_CHANGE, // DATA_CONNECT_CHANGE
OP_SU, // SU
+ OP_MOTION_SENSORS, // MOTION_SENSORS
+ OP_OTHER_SENSORS // OTHER_SENSORS
};
/**
@@ -860,6 +873,8 @@ public class AppOpsManager {
OPSTR_NFC_CHANGE,
OPSTR_DATA_CONNECT_CHANGE,
OPSTR_SU,
+ OPSTR_MOTION_SENSORS,
+ OPSTR_OTHER_SENSORS,
};
/**
@@ -950,6 +965,8 @@ public class AppOpsManager {
"NFC_CHANGE",
"DATA_CONNECT_CHANGE",
"SU",
+ "MOTION_SENSORS",
+ "OTHER_SENSORS",
};
/**
@@ -1040,6 +1057,8 @@ public class AppOpsManager {
Manifest.permission.NFC,
null,
null, // no permission for OP_SU
+ null, // no permission for OP_MOTION_SENSORS
+ null, // no permission for OP_OTHER_SENSORS
};
/**
@@ -1131,6 +1150,8 @@ public class AppOpsManager {
null, // NFC_CHANGE
null, // DATA_CONNECT_CHANGE
UserManager.DISALLOW_SU, // SU TODO: this should really be investigated.
+ null, //MOTION_SENSORS
+ null, //OTHER_SENSORS
};
/**
@@ -1221,6 +1242,8 @@ public class AppOpsManager {
true, // NFC_CHANGE
true, // DATA_CONNECT_CHANGE
false, // SU
+ false, //MOTION_SENSORS
+ false, //OTHER_SENSORS
};
/**
@@ -1310,6 +1333,8 @@ public class AppOpsManager {
AppOpsManager.MODE_ALLOWED, // OP_NFC_CHANGE
AppOpsManager.MODE_ALLOWED, // OP_DATA_CONNECT_CHANGE
AppOpsManager.MODE_ASK, // OP_SU
+ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS
+ AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
};
/**
@@ -1400,6 +1425,8 @@ public class AppOpsManager {
AppOpsManager.MODE_ASK, // OP_NFC_CHANGE
AppOpsManager.MODE_ASK, // OP_DATA_CONNECT_CHANGE
AppOpsManager.MODE_ASK, // OP_SU
+ AppOpsManager.MODE_ALLOWED, // OP_MOTION_SENSORS
+ AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
};
/**
@@ -1489,6 +1516,8 @@ public class AppOpsManager {
true, // NFC_CHANGE
true, // DATA_CONNECT_CHANGE
true, // SU
+ true, // OP_MOTION_SENSORS
+ false, // OP_OTHER_SENSORS
};
/**
@@ -1582,6 +1611,8 @@ public class AppOpsManager {
false, // OP_NFC_CHANGE
false, // OP_DATA_CONNECT_CHANGE
false, // OP_SU
+ false, // OP_MOTION_SENSORS
+ false, // OP_OTHER_SENSORS
};
/**
diff --git a/core/res/res/values-de/cm_strings.xml b/core/res/res/values-de/cm_strings.xml
index 8248b4d50731..e0f1b79882f7 100644
--- a/core/res/res/values-de/cm_strings.xml
+++ b/core/res/res/values-de/cm_strings.xml
@@ -51,7 +51,9 @@
<string name="app_ops_modify_clipboard">die Zwischenablage zu ändern</string>
<string name="app_ops_modify_contacts">Kontakte zu ändern</string>
<string name="app_ops_modify_settings">Einstellungen zu ändern</string>
+ <string name="app_ops_motion_sensors">Bewegungssensoren zu nutzen</string>
<string name="app_ops_mute_unmute_microphone">das Mikrofon zu aktivieren/deaktivieren</string>
+ <string name="app_ops_other_sensors">sonstige Sensoren zu nutzen</string>
<string name="app_ops_phone_calls">Anrufe zu beantworten</string>
<string name="app_ops_picture_in_picture">Bild im Bild zu verwenden</string>
<string name="app_ops_play_audio">Audio wiederzugeben</string>
diff --git a/core/res/res/values-fr/cm_strings.xml b/core/res/res/values-fr/cm_strings.xml
index 38cfd54ec910..027f79c607c2 100644
--- a/core/res/res/values-fr/cm_strings.xml
+++ b/core/res/res/values-fr/cm_strings.xml
@@ -51,7 +51,9 @@
<string name="app_ops_modify_clipboard">modifier le presse-papiers</string>
<string name="app_ops_modify_contacts">mettre à jour vos contacts</string>
<string name="app_ops_modify_settings">mettre à jour les paramètres du système</string>
+ <string name="app_ops_motion_sensors">utiliser les capteurs de mouvement</string>
<string name="app_ops_mute_unmute_microphone">activer/désactiver le microphone</string>
+ <string name="app_ops_other_sensors">utiliser d\'autres capteurs</string>
<string name="app_ops_phone_calls">répondre aux appels téléphoniques</string>
<string name="app_ops_picture_in_picture">utiliser le mode Picture-in-Picture</string>
<string name="app_ops_play_audio">lecture audio</string>
diff --git a/core/res/res/values/cm_strings.xml b/core/res/res/values/cm_strings.xml
index 301131e2663d..5939cae77b8e 100644
--- a/core/res/res/values/cm_strings.xml
+++ b/core/res/res/values/cm_strings.xml
@@ -57,7 +57,9 @@
<string name="app_ops_modify_clipboard">modify the clipboard</string>
<string name="app_ops_modify_contacts">update your contacts</string>
<string name="app_ops_modify_settings">update system settings</string>
+ <string name="app_ops_motion_sensors">use the motion sensors</string>
<string name="app_ops_mute_unmute_microphone">mute/unmute the microphone</string>
+ <string name="app_ops_other_sensors">use other sensors</string>
<string name="app_ops_phone_calls">answer phone calls</string>
<string name="app_ops_picture_in_picture">use picture in picture</string>
<string name="app_ops_play_audio">play audio</string>
diff --git a/core/res/res/values/lineage_arrays.xml b/core/res/res/values/lineage_arrays.xml
index 58567d1c8bd1..11a7d99b8d48 100644
--- a/core/res/res/values/lineage_arrays.xml
+++ b/core/res/res/values/lineage_arrays.xml
@@ -184,6 +184,10 @@
<item>@string/app_ops_toggle_mobile_data</item>
<!-- OP_SU -->
<item>@string/app_ops_su</item>
+ <!-- OP_MOTION_SENSORS -->
+ <item>@string/app_ops_motion_sensors</item>
+ <!-- OP_OTHER_SENSORS -->
+ <item>@string/app_ops_other_sensors</item>
</string-array>
</resources>

View File

@ -1,116 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 21 Jul 2017 08:42:55 -0400
Subject: [PATCH] support new special runtime permissions
Date: Sun, 17 Mar 2019 11:59:15 -0400
Subject: [PATCH] make INTERNET into a special runtime permission
These are treated as a runtime permission even for legacy apps. They
need to be granted by default for all apps to maintain compatibility.
---
.../server/pm/PackageManagerService.java | 3 +-
.../permission/PermissionManagerService.java | 30 ++++++++++++++-----
2 files changed, 25 insertions(+), 8 deletions(-)
core/res/AndroidManifest.xml | 2 +-
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index dc44fe17722d..e9fd656478dc 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -19704,7 +19704,8 @@ public class PackageManagerService extends IPackageManager.Stub
}
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index af1a6fa9e3c5..873162098247 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1361,7 +1361,7 @@
<permission android:name="android.permission.INTERNET"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
- android:protectionLevel="normal|instant" />
+ android:protectionLevel="dangerous|instant" />
// If this permission was granted by default, make sure it is.
- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
if (permissionsState.grantRuntimePermission(bp, userId)
!= PERMISSION_OPERATION_FAILURE) {
writeRuntimePermissions = true;
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 79b2636481b3..9f1fe8a6414a 100644
index 9f1fe8a6414a..f16f671a51dd 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -730,6 +730,10 @@ public class PermissionManagerService {
}
@@ -731,7 +731,7 @@ public class PermissionManagerService {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return false;
+ return Manifest.permission.INTERNET.equals(permission);
}
+ public static boolean isSpecialRuntimePermission(final String permission) {
+ return false;
+ }
+
private void grantPermissions(PackageParser.Package pkg, boolean replace,
String packageOfInterest, PermissionCallback callback) {
// IMPORTANT: There are two types of permissions: install and runtime.
@@ -838,7 +842,8 @@ public class PermissionManagerService {
// their permissions as always granted runtime ones since we need
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
- if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) {
+ if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired &&
+ !isSpecialRuntimePermission(bp.getName())) {
// For legacy apps dangerous permissions are install time ones.
grant = GRANT_INSTALL;
} else if (origPermissions.hasInstallPermission(bp.getName())) {
@@ -948,7 +953,8 @@ public class PermissionManagerService {
updatedUserIds, userId);
}
} else if (mSettings.mPermissionReviewRequired
- && !appSupportsRuntimePermissions) {
+ && !appSupportsRuntimePermissions
+ && !isSpecialRuntimePermission(bp.getName())) {
// For legacy apps that need a permission review, every new
// runtime permission is granted but it is pending a review.
// We also need to review only platform defined runtime
@@ -969,7 +975,15 @@ public class PermissionManagerService {
updatedUserIds = ArrayUtils.appendInt(
updatedUserIds, userId);
}
- }
+ } else if (isSpecialRuntimePermission(bp.name) &&
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+ if (permissionsState.grantRuntimePermission(bp, userId)
+ != PermissionsState.PERMISSION_OPERATION_FAILURE) {
+ // We changed the permission, hence have to write.
+ updatedUserIds = ArrayUtils.appendInt(
+ updatedUserIds, userId);
+ }
+ }
// Propagate the permission flags.
permissionsState.updatePermissionFlags(bp, userId, flags, flags);
}
@@ -1421,7 +1435,7 @@ public class PermissionManagerService {
&& (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId);
- if (supportsRuntimePermissions) {
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
// Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) {
grantRuntimePermission(permission, pkg.packageName, false, callingUid,
@@ -1480,7 +1494,7 @@ public class PermissionManagerService {
// install permission's state is shared across all users.
if (mSettings.mPermissionReviewRequired
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
return;
}
@@ -1516,7 +1530,8 @@ public class PermissionManagerService {
+ permName + " for package " + packageName);
}
- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+ && !isSpecialRuntimePermission(permName)) {
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return;
}
@@ -1601,7 +1616,8 @@ public class PermissionManagerService {
// install permission's state is shared across all users.
if (mSettings.mPermissionReviewRequired
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime()
+ && !isSpecialRuntimePermission(permName)) {
return;
}

View File

@ -1,36 +1,51 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 17 Mar 2019 11:59:15 -0400
Subject: [PATCH] make INTERNET into a special runtime permission
Date: Fri, 21 Jul 2017 11:23:07 -0400
Subject: [PATCH] add a NETWORK permission group for INTERNET
---
core/res/AndroidManifest.xml | 2 +-
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
core/res/AndroidManifest.xml | 10 ++++++++++
core/res/res/values/strings.xml | 5 +++++
2 files changed, 15 insertions(+)
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index af1a6fa9e3c5..873162098247 100644
index 873162098247..8efe5474dfea 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1361,7 +1361,7 @@
@@ -1355,10 +1355,20 @@
<!-- ======================================= -->
<eat-comment />
+ <!-- Network access
+ @hide
+ -->
+ <permission-group android:name="android.permission-group.NETWORK"
+ android:icon="@drawable/perm_group_network"
+ android:label="@string/permgrouplab_network"
+ android:description="@string/permgroupdesc_network"
+ android:priority="900" />
+
<!-- Allows applications to open network sockets.
<p>Protection level: normal
-->
<permission android:name="android.permission.INTERNET"
+ android:permissionGroup="android.permission-group.NETWORK"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
- android:protectionLevel="normal|instant" />
+ android:protectionLevel="dangerous|instant" />
android:protectionLevel="dangerous|instant" />
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 29af7d71914f..fd30d719b996 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -747,6 +747,11 @@
<string name="permgrouprequest_sensors">Allow
&lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 9f1fe8a6414a..f16f671a51dd 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -731,7 +731,7 @@ public class PermissionManagerService {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return false;
+ return Manifest.permission.INTERNET.equals(permission);
}
private void grantPermissions(PackageParser.Package pkg, boolean replace,
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_network">Network</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_network">network access</string>
+
<!-- Title for the capability of an accessibility service to retrieve window content. -->
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
<!-- Description for the capability of an accessibility service to retrieve window content. -->

View File

@ -1,51 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 21 Jul 2017 11:23:07 -0400
Subject: [PATCH] add a NETWORK permission group for INTERNET
---
core/res/AndroidManifest.xml | 10 ++++++++++
core/res/res/values/strings.xml | 5 +++++
2 files changed, 15 insertions(+)
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 873162098247..8efe5474dfea 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1355,10 +1355,20 @@
<!-- ======================================= -->
<eat-comment />
+ <!-- Network access
+ @hide
+ -->
+ <permission-group android:name="android.permission-group.NETWORK"
+ android:icon="@drawable/perm_group_network"
+ android:label="@string/permgrouplab_network"
+ android:description="@string/permgroupdesc_network"
+ android:priority="900" />
+
<!-- Allows applications to open network sockets.
<p>Protection level: normal
-->
<permission android:name="android.permission.INTERNET"
+ android:permissionGroup="android.permission-group.NETWORK"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
android:protectionLevel="dangerous|instant" />
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 29af7d71914f..fd30d719b996 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -747,6 +747,11 @@
<string name="permgrouprequest_sensors">Allow
&lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_network">Network</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_network">network access</string>
+
<!-- Title for the capability of an accessibility service to retrieve window content. -->
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
<!-- Description for the capability of an accessibility service to retrieve window content. -->

View File

@ -0,0 +1,95 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:54:42 -0400
Subject: [PATCH] add special runtime permission for other sensors
This covers sensors not included in the existing runtime permission for
body sensors.
---
core/java/android/content/pm/PackageParser.java | 2 ++
core/res/AndroidManifest.xml | 14 ++++++++++++++
core/res/res/values/strings.xml | 12 ++++++++++++
.../pm/permission/PermissionManagerService.java | 2 +-
4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index e0c2d2dc6dde..b89c46132b26 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -280,6 +280,8 @@ public class PackageParser {
*/
public static final PackageParser.NewPermissionInfo NEW_PERMISSIONS[] =
new PackageParser.NewPermissionInfo[] {
+ new PackageParser.NewPermissionInfo(android.Manifest.permission.OTHER_SENSORS,
+ android.os.Build.VERSION_CODES.CUR_DEVELOPMENT + 1, 0),
new PackageParser.NewPermissionInfo(android.Manifest.permission.WRITE_EXTERNAL_STORAGE,
android.os.Build.VERSION_CODES.DONUT, 0),
new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE,
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 8efe5474dfea..69ddf1d37a7f 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1148,6 +1148,20 @@
android:description="@string/permdesc_useBiometric"
android:protectionLevel="normal" />
+ <!-- @hide -->
+ <permission-group android:name="android.permission-group.OTHER_SENSORS"
+ android:icon="@drawable/perm_group_location"
+ android:label="@string/permgrouplab_otherSensors"
+ android:description="@string/permgroupdesc_otherSensors"
+ android:priority="1000" />
+
+ <!-- @hide -->
+ <permission android:name="android.permission.OTHER_SENSORS"
+ android:permissionGroup="android.permission-group.OTHER_SENSORS"
+ android:label="@string/permlab_otherSensors"
+ android:description="@string/permdesc_otherSensors"
+ android:protectionLevel="dangerous" />
+
<!-- ====================================================================== -->
<!-- REMOVED PERMISSIONS -->
<!-- ====================================================================== -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index fd30d719b996..1a64ae235456 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -747,6 +747,11 @@
<string name="permgrouprequest_sensors">Allow
&lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_otherSensors">Sensors</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_otherSensors">access sensor data about orientation, movement, etc.</string>
+
<!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permgrouplab_network">Network</string>
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
@@ -1061,6 +1066,13 @@
<string name="permdesc_bodySensors" product="default">Allows the app to access data from sensors
that monitor your physical condition, such as your heart rate.</string>
+ <!-- Title of the sensors permission, listed so the user can decide whether to allow the application to access sensor data. [CHAR LIMIT=80] -->
+ <string name="permlab_otherSensors">access sensors (like the compass)
+ </string>
+ <!-- Description of the sensors permission, listed so the user can decide whether to allow the application to access data from sensors. [CHAR LIMIT=NONE] -->
+ <string name="permdesc_otherSensors" product="default">Allows the app to access data from sensors
+ monitoring orientation, movement, vibration (including low frequency sound) and environmental data</string>
+
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_readCalendar">Read calendar events and details</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index f16f671a51dd..4a60c12e9823 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -731,7 +731,7 @@ public class PermissionManagerService {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return Manifest.permission.INTERNET.equals(permission);
+ return Manifest.permission.INTERNET.equals(permission) || Manifest.permission.OTHER_SENSORS.equals(permission);
}
private void grantPermissions(PackageParser.Package pkg, boolean replace,

View File

@ -0,0 +1,116 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 21 Jul 2017 08:42:55 -0400
Subject: [PATCH] support new special runtime permissions
These are treated as a runtime permission even for legacy apps. They
need to be granted by default for all apps to maintain compatibility.
---
.../server/pm/PackageManagerService.java | 3 +-
.../permission/PermissionManagerService.java | 30 ++++++++++++++-----
2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index dc44fe17722d..e9fd656478dc 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -19704,7 +19704,8 @@ public class PackageManagerService extends IPackageManager.Stub
}
// If this permission was granted by default, make sure it is.
- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
if (permissionsState.grantRuntimePermission(bp, userId)
!= PERMISSION_OPERATION_FAILURE) {
writeRuntimePermissions = true;
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 79b2636481b3..9f1fe8a6414a 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -730,6 +730,10 @@ public class PermissionManagerService {
}
}
+ public static boolean isSpecialRuntimePermission(final String permission) {
+ return false;
+ }
+
private void grantPermissions(PackageParser.Package pkg, boolean replace,
String packageOfInterest, PermissionCallback callback) {
// IMPORTANT: There are two types of permissions: install and runtime.
@@ -838,7 +842,8 @@ public class PermissionManagerService {
// their permissions as always granted runtime ones since we need
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
- if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired) {
+ if (!appSupportsRuntimePermissions && !mSettings.mPermissionReviewRequired &&
+ !isSpecialRuntimePermission(bp.getName())) {
// For legacy apps dangerous permissions are install time ones.
grant = GRANT_INSTALL;
} else if (origPermissions.hasInstallPermission(bp.getName())) {
@@ -948,7 +953,8 @@ public class PermissionManagerService {
updatedUserIds, userId);
}
} else if (mSettings.mPermissionReviewRequired
- && !appSupportsRuntimePermissions) {
+ && !appSupportsRuntimePermissions
+ && !isSpecialRuntimePermission(bp.getName())) {
// For legacy apps that need a permission review, every new
// runtime permission is granted but it is pending a review.
// We also need to review only platform defined runtime
@@ -969,7 +975,15 @@ public class PermissionManagerService {
updatedUserIds = ArrayUtils.appendInt(
updatedUserIds, userId);
}
- }
+ } else if (isSpecialRuntimePermission(bp.name) &&
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+ if (permissionsState.grantRuntimePermission(bp, userId)
+ != PermissionsState.PERMISSION_OPERATION_FAILURE) {
+ // We changed the permission, hence have to write.
+ updatedUserIds = ArrayUtils.appendInt(
+ updatedUserIds, userId);
+ }
+ }
// Propagate the permission flags.
permissionsState.updatePermissionFlags(bp, userId, flags, flags);
}
@@ -1421,7 +1435,7 @@ public class PermissionManagerService {
&& (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId);
- if (supportsRuntimePermissions) {
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
// Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) {
grantRuntimePermission(permission, pkg.packageName, false, callingUid,
@@ -1480,7 +1494,7 @@ public class PermissionManagerService {
// install permission's state is shared across all users.
if (mSettings.mPermissionReviewRequired
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
return;
}
@@ -1516,7 +1530,8 @@ public class PermissionManagerService {
+ permName + " for package " + packageName);
}
- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+ && !isSpecialRuntimePermission(permName)) {
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return;
}
@@ -1601,7 +1616,8 @@ public class PermissionManagerService {
// install permission's state is shared across all users.
if (mSettings.mPermissionReviewRequired
&& pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime()
+ && !isSpecialRuntimePermission(permName)) {
return;
}

View File

@ -1,156 +1,21 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Fri, 15 Mar 2019 22:14:54 +0100
Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [native]
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 16:28:57 -0400
Subject: [PATCH] require OTHER_SENSORS permission for sensors
Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: allow, strict)
- OP_OTHER_SENSORS (default: allow)
This change updated the AppOPs binder for the newly defined Ops,
implements the logic for the sensors and adapts the logic for
checking the Ops, if an Op is not linked to a permission.
Change-Id: Ic56e7bd48acda8790d6ab917a07cd7b747d4de87
---
libs/binder/include/binder/AppOpsManager.h | 4 +++-
libs/sensor/Sensor.cpp | 10 +++++++++
services/sensorservice/SensorService.cpp | 25 ++++++++++++----------
3 files changed, 27 insertions(+), 12 deletions(-)
libs/sensor/Sensor.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/libs/binder/include/binder/AppOpsManager.h b/libs/binder/include/binder/AppOpsManager.h
index fb682ecde7..83887787c9 100644
--- a/libs/binder/include/binder/AppOpsManager.h
+++ b/libs/binder/include/binder/AppOpsManager.h
@@ -119,7 +119,9 @@ public:
OP_BOOT_COMPLETED = 79,
OP_NFC_CHANGE = 80,
OP_DATA_CONNECT_CHANGE = 81,
- OP_SU = 82
+ OP_SU = 82,
+ OP_MOTION_SENSORS = 83,
+ OP_OTHER_SENSORS = 84
};
AppOpsManager();
diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp
index 2383516c95..835794b1bd 100644
index 2383516c95..054596b83a 100644
--- a/libs/sensor/Sensor.cpp
+++ b/libs/sensor/Sensor.cpp
@@ -52,6 +52,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
mMinDelay = hwSensor.minDelay;
mFlags = 0;
mUuid = uuid;
+ mRequiredAppOp = AppOpsManager::OP_OTHER_SENSORS; //default, other values are explicitly set
+ mRequiredPermission = "android.permission.OTHER_SENSORS";
// Set fifo event count zero for older devices which do not support batching. Fused
// sensors also have their fifo counts set to zero.
@@ -86,6 +87,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
switch (mType) {
case SENSOR_TYPE_ACCELEROMETER:
mStringType = SENSOR_STRING_TYPE_ACCELEROMETER;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_CONTINUOUS_MODE;
break;
case SENSOR_TYPE_AMBIENT_TEMPERATURE:
@@ -106,10 +108,12 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
break;
case SENSOR_TYPE_GYROSCOPE:
mStringType = SENSOR_STRING_TYPE_GYROSCOPE;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_CONTINUOUS_MODE;
break;
case SENSOR_TYPE_GYROSCOPE_UNCALIBRATED:
mStringType = SENSOR_STRING_TYPE_GYROSCOPE_UNCALIBRATED;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_CONTINUOUS_MODE;
break;
case SENSOR_TYPE_HEART_RATE: {
@@ -125,6 +129,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
break;
case SENSOR_TYPE_LINEAR_ACCELERATION:
mStringType = SENSOR_STRING_TYPE_LINEAR_ACCELERATION;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_CONTINUOUS_MODE;
break;
case SENSOR_TYPE_MAGNETIC_FIELD:
@@ -160,6 +165,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
break;
case SENSOR_TYPE_SIGNIFICANT_MOTION:
mStringType = SENSOR_STRING_TYPE_SIGNIFICANT_MOTION;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_ONE_SHOT_MODE;
if (halVersion < SENSORS_DEVICE_API_VERSION_1_3) {
mFlags |= SENSOR_FLAG_WAKE_UP;
@@ -167,10 +173,12 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
break;
case SENSOR_TYPE_STEP_COUNTER:
mStringType = SENSOR_STRING_TYPE_STEP_COUNTER;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_ON_CHANGE_MODE;
break;
case SENSOR_TYPE_STEP_DETECTOR:
mStringType = SENSOR_STRING_TYPE_STEP_DETECTOR;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_SPECIAL_REPORTING_MODE;
break;
case SENSOR_TYPE_TEMPERATURE:
@@ -236,6 +244,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
break;
case SENSOR_TYPE_MOTION_DETECT:
mStringType = SENSOR_STRING_TYPE_MOTION_DETECT;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_ONE_SHOT_MODE;
if (halVersion < SENSORS_DEVICE_API_VERSION_1_3) {
mFlags |= SENSOR_FLAG_WAKE_UP;
@@ -251,6 +260,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
case SENSOR_TYPE_ACCELEROMETER_UNCALIBRATED:
mStringType = SENSOR_STRING_TYPE_ACCELEROMETER_UNCALIBRATED;
+ mRequiredAppOp = AppOpsManager::OP_MOTION_SENSORS;
mFlags |= SENSOR_FLAG_CONTINUOUS_MODE;
break;
default:
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 1c3e943543..142c5a274e 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -1545,6 +1545,20 @@ status_t SensorService::flushSensor(const sp<SensorEventConnection>& connection,
bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
const String16& opPackageName) {
+
+ // Due to the new SENSOR AppOps, which do not correspond to any permission,
+ // we need to check for the AppOp BEFORE checking any permission
+ const int32_t opCode = sensor.getRequiredAppOp();
+ if (opCode >= 0) {
+ AppOpsManager appOps;
+ if (appOps.noteOp(opCode, IPCThreadState::self()->getCallingUid(), opPackageName)
+ != AppOpsManager::MODE_ALLOWED) {
+ ALOGE("%s a sensor (%s) without enabled required app op: %d",
+ operation, sensor.getName().string(), opCode);
+ return false;
+ }
+ }
+
const String8& requiredPermission = sensor.getRequiredPermission();
if (requiredPermission.length() <= 0) {
@@ -1567,17 +1581,6 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
return false;
}
- const int32_t opCode = sensor.getRequiredAppOp();
- if (opCode >= 0) {
- AppOpsManager appOps;
- if (appOps.noteOp(opCode, IPCThreadState::self()->getCallingUid(), opPackageName)
- != AppOpsManager::MODE_ALLOWED) {
- ALOGE("%s a sensor (%s) without enabled required app op: %d",
- operation, sensor.getName().string(), opCode);
- return false;
- }
- }
-
return true;
}

View File

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:56:35 -0400
Subject: [PATCH] add OTHER_SENSORS permission group
---
src/com/android/packageinstaller/permission/utils/Utils.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java
index 423b319ee..d22a399bc 100644
--- a/src/com/android/packageinstaller/permission/utils/Utils.java
+++ b/src/com/android/packageinstaller/permission/utils/Utils.java
@@ -52,7 +52,8 @@ public final class Utils {
Manifest.permission_group.PHONE,
Manifest.permission_group.MICROPHONE,
Manifest.permission_group.STORAGE,
- Manifest.permission_group.NETWORK
+ Manifest.permission_group.NETWORK,
+ Manifest.permission_group.OTHER_SENSORS
};
private static final Intent LAUNCHER_INTENT = new Intent(Intent.ACTION_MAIN, null)

View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:55:58 -0400
Subject: [PATCH] always treat OTHER_SENSORS as a runtime permission
---
.../permission/model/AppPermissionGroup.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
index e6087de4c..617309963 100644
--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
@@ -339,7 +339,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
&& !ArrayUtils.contains(filterPermissions, permission.getName())) {
continue;
}
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
if (permission.isGranted()) {
return true;
}
@@ -372,7 +372,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
continue;
}
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
// Do not touch permissions fixed by the system.
if (permission.isSystemFixed()) {
return false;
@@ -474,7 +474,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
continue;
}
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
// Do not touch permissions fixed by the system.
if (permission.isSystemFixed()) {
return false;

View File

@ -1,200 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Fri, 15 Mar 2019 22:29:43 +0100
Subject: [PATCH] AppOps/PrivacyGuard: New Sensor checks [Settings]
Add two AppOps for sensor access:
- OP_MOTION_SENSORS (default: allow, strict)
- OP_OTHER_SENSORS (default: allow)
Add new Sensor template, relocate BODY_SENSORS into it
Change-Id: I9b51c47e27a330823ecb4472b9a7818718ef4209
---
res/values-de/cm_strings.xml | 5 +++++
res/values-fr/cm_strings.xml | 5 +++++
res/values/cm_strings.xml | 5 +++++
res/values/lineage_arrays.xml | 9 +++++++++
.../settings/applications/appops/AppOpsState.java | 13 ++++++++++---
5 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
index dee07db2b4..02cafb1b05 100644
--- a/res/values-de/cm_strings.xml
+++ b/res/values-de/cm_strings.xml
@@ -39,6 +39,7 @@
<string name="app_ops_categories_device">Gerät</string>
<string name="app_ops_categories_run_in_background">Im Hintergrund ausführen</string>
<string name="app_ops_categories_bootup">Systemstart</string>
+ <string name="app_ops_categories_sensors">Sensoren</string>
<string name="app_ops_categories_su">Root-Zugriff</string>
<string name="app_ops_categories_other">Andere</string>
<string name="app_ops_summaries_accept_handover">Anrufeübergabe aus einer anderen App anzunehmen</string>
@@ -76,8 +77,10 @@
<string name="app_ops_summaries_modify_settings">Einstellungen ändern</string>
<string name="app_ops_summaries_monitor_high_power_location">Standort mit hohem Stromverbrauch beobachten</string>
<string name="app_ops_summaries_monitor_location">Standort beobachten</string>
+ <string name="app_ops_summaries_motion_sensors">Nutzung Bewegungssensoren</string>
<string name="app_ops_summaries_mute_unmute_microphone">Mikrofon ein-/ausschalten</string>
<string name="app_ops_summaries_neighboring_cells">Benachbarte Netze</string>
+ <string name="app_ops_summaries_other_sensors">Sonstige Sensoren</string>
<string name="app_ops_summaries_phone_calls">Anrufe beantworten</string>
<string name="app_ops_summaries_picture_in_picture">Bild im Bild verwenden</string>
<string name="app_ops_summaries_play_audio">Audio wiedergeben</string>
@@ -162,8 +165,10 @@
<string name="app_ops_labels_modify_settings">Einstellungen ändern</string>
<string name="app_ops_labels_monitor_high_power_location">Standort mit hohem Stromverbrauch beobachten</string>
<string name="app_ops_labels_monitor_location">Standort beobachten</string>
+ <string name="app_ops_labels_motion_sensors">Bewegungssensoren</string>
<string name="app_ops_labels_mute_unmute_microphone">Mikrofon ein-/ausschalten</string>
<string name="app_ops_labels_neighboring_cells">Benachbarte Zellen</string>
+ <string name="app_ops_labels_other_sensors">sonstige Sensoren</string>
<string name="app_ops_labels_phone_calls">Anrufe beantworten</string>
<string name="app_ops_labels_picture_in_picture">Bild im Bild verwenden</string>
<string name="app_ops_labels_play_audio">Audio wiedergeben</string>
diff --git a/res/values-fr/cm_strings.xml b/res/values-fr/cm_strings.xml
index 523d87d673..3133e8d4bf 100644
--- a/res/values-fr/cm_strings.xml
+++ b/res/values-fr/cm_strings.xml
@@ -39,6 +39,7 @@
<string name="app_ops_categories_device">Appareil</string>
<string name="app_ops_categories_run_in_background">Exécuter en arrière plan</string>
<string name="app_ops_categories_bootup">Démarrage</string>
+ <string name="app_ops_categories_sensors">Capteurs</string>
<string name="app_ops_categories_su">Accès root</string>
<string name="app_ops_categories_other">Autre</string>
<string name="app_ops_summaries_accept_handover">transférer un appel d\'une autre application</string>
@@ -76,8 +77,10 @@
<string name="app_ops_summaries_modify_settings">modifier les paramètres</string>
<string name="app_ops_summaries_monitor_high_power_location">surveiller la position (à puissance élevée)</string>
<string name="app_ops_summaries_monitor_location">surveiller la position</string>
+ <string name="app_ops_summaries_motion_sensors">utiliser les capteurs de mouvement</string>
<string name="app_ops_summaries_mute_unmute_microphone">activer/désactiver le microphone</string>
<string name="app_ops_summaries_neighboring_cells">nœuds environnants</string>
+ <string name="app_ops_summaries_other_sensors">utiliser d\'autres capteurs</string>
<string name="app_ops_summaries_phone_calls">répondre aux appels téléphoniques</string>
<string name="app_ops_summaries_picture_in_picture">utiliser le mode Picture-in-Picture</string>
<string name="app_ops_summaries_play_audio">lecture audio</string>
@@ -162,8 +165,10 @@
<string name="app_ops_labels_modify_settings">Modifier les paramètres</string>
<string name="app_ops_labels_monitor_high_power_location">Surveiller la position (à puissance élevée)</string>
<string name="app_ops_labels_monitor_location">Surveiller la position</string>
+ <string name="app_ops_labels_motion_sensors">Capteur de mouvement</string>
<string name="app_ops_labels_mute_unmute_microphone">Activer/désactiver le microphone</string>
<string name="app_ops_labels_neighboring_cells">Noeuds environnants</string>
+ <string name="app_ops_labels_other_sensors">autres Capteurs</string>
<string name="app_ops_labels_phone_calls">Répondre aux appels téléphoniques</string>
<string name="app_ops_labels_picture_in_picture">Utiliser le mode Picture-in-Picture</string>
<string name="app_ops_labels_play_audio">Lecture audio</string>
diff --git a/res/values/cm_strings.xml b/res/values/cm_strings.xml
index c4a0aaa915..1150011970 100644
--- a/res/values/cm_strings.xml
+++ b/res/values/cm_strings.xml
@@ -50,6 +50,7 @@
<string name="app_ops_categories_device">Device</string>
<string name="app_ops_categories_run_in_background">Run in background</string>
<string name="app_ops_categories_bootup">Bootup</string>
+ <string name="app_ops_categories_sensors">Sensors</string>
<string name="app_ops_categories_su">Root access</string>
<string name="app_ops_categories_other">Other</string>
@@ -89,7 +90,9 @@
<string name="app_ops_summaries_modify_settings">modify settings</string>
<string name="app_ops_summaries_monitor_high_power_location">monitor high power location</string>
<string name="app_ops_summaries_monitor_location">monitor location</string>
+ <string name="app_ops_summaries_motion_sensors">Motion Sensor usage</string>
<string name="app_ops_summaries_mute_unmute_microphone">mute/unmute microphone</string>
+ <string name="app_ops_summaries_other_sensors">Other Sensor usage</string>
<string name="app_ops_summaries_neighboring_cells">neighboring cells</string>
<string name="app_ops_summaries_phone_calls">answer phone calls</string>
<string name="app_ops_summaries_picture_in_picture">use picture in picture</string>
@@ -177,8 +180,10 @@
<string name="app_ops_labels_modify_settings">Modify settings</string>
<string name="app_ops_labels_monitor_high_power_location">Monitor high power location</string>
<string name="app_ops_labels_monitor_location">Monitor location</string>
+ <string name="app_ops_labels_motion_sensors">Motion Sensors</string>
<string name="app_ops_labels_mute_unmute_microphone">Mute/unmute microphone</string>
<string name="app_ops_labels_neighboring_cells">Neighboring cells</string>
+ <string name="app_ops_labels_other_sensors">Other Sensors</string>
<string name="app_ops_labels_phone_calls">Answer phone calls</string>
<string name="app_ops_labels_picture_in_picture">Use picture in picture</string>
<string name="app_ops_labels_play_audio">Play audio</string>
diff --git a/res/values/lineage_arrays.xml b/res/values/lineage_arrays.xml
index 0145438148..40fea7be2d 100644
--- a/res/values/lineage_arrays.xml
+++ b/res/values/lineage_arrays.xml
@@ -51,6 +51,7 @@
<item>@string/app_ops_categories_run_in_background</item>
<item>@string/app_ops_categories_bootup</item>
<item>@string/app_ops_categories_su</item>
+ <item>@string/app_ops_categories_sensors</item>
<item>@string/app_ops_categories_other</item>
</string-array>
@@ -222,6 +223,10 @@
<item>@string/app_ops_summaries_toggle_mobile_data</item>
<!-- OP_SU -->
<item>@string/app_ops_summaries_su</item>
+ <!-- OP_MOTION_SENSORS -->
+ <item>@string/app_ops_summaries_motion_sensors</item>
+ <!-- OP_OTHER_SENSORS -->
+ <item>@string/app_ops_summaries_other_sensors</item>
</string-array>
<!-- User display names for app ops codes - extension of AOSP -->
@@ -392,6 +397,10 @@
<item>@string/app_ops_labels_toggle_mobile_data</item>
<!-- OP_SU -->
<item>@string/app_ops_labels_su</item>
+ <!-- OP_MOTION_SENSORS -->
+ <item>@string/app_ops_labels_motion_sensors</item>
+ <!-- OP_OTHER_SENSORS -->
+ <item>@string/app_ops_labels_other_sensors</item>
</string-array>
<!-- App ops permissions -->
diff --git a/src/com/android/settings/applications/appops/AppOpsState.java b/src/com/android/settings/applications/appops/AppOpsState.java
index eeb1b2d302..8c8d2283ba 100644
--- a/src/com/android/settings/applications/appops/AppOpsState.java
+++ b/src/com/android/settings/applications/appops/AppOpsState.java
@@ -236,6 +236,15 @@ public class AppOpsState {
new boolean[] { true }
);
+ public static final OpsTemplate SENSOR_TEMPLATE = new OpsTemplate(
+ new int[] { AppOpsManager.OP_BODY_SENSORS,
+ AppOpsManager.OP_MOTION_SENSORS,
+ AppOpsManager.OP_OTHER_SENSORS },
+ new boolean[] { true,
+ false,
+ false }
+ );
+
public static final OpsTemplate SU_TEMPLATE = new OpsTemplate(
new int[] { AppOpsManager.OP_SU },
new boolean[] { false }
@@ -252,7 +261,6 @@ public class AppOpsState {
AppOpsManager.OP_USE_SIP,
AppOpsManager.OP_PROCESS_OUTGOING_CALLS,
AppOpsManager.OP_USE_FINGERPRINT,
- AppOpsManager.OP_BODY_SENSORS,
AppOpsManager.OP_READ_CELL_BROADCASTS,
AppOpsManager.OP_MOCK_LOCATION,
AppOpsManager.OP_READ_EXTERNAL_STORAGE,
@@ -272,7 +280,6 @@ public class AppOpsState {
true,
true,
true,
- true,
true }
);
@@ -286,7 +293,7 @@ public class AppOpsState {
public static final OpsTemplate[] ALL_PERMS_TEMPLATES = new OpsTemplate[] {
LOCATION_TEMPLATE, PERSONAL_TEMPLATE, MESSAGING_TEMPLATE,
MEDIA_TEMPLATE, DEVICE_TEMPLATE, RUN_IN_BACKGROUND_TEMPLATE,
- BOOTUP_TEMPLATE, SU_TEMPLATE, REMAINING_TEMPLATE
+ BOOTUP_TEMPLATE, SU_TEMPLATE, SENSOR_TEMPLATE, REMAINING_TEMPLATE
};
/**

View File

@ -1,33 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Tue, 19 Mar 2019 22:35:38 +0100
Subject: [PATCH] AppOps details: Add permission icons for new Sensor AppOps
Change-Id: Ifc337517818dcc929a406ed455fb76e6533507ab
---
.../android/settings/applications/appops/AppOpsDetails.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/com/android/settings/applications/appops/AppOpsDetails.java b/src/com/android/settings/applications/appops/AppOpsDetails.java
index 2f210435e8..4f01ceabda 100644
--- a/src/com/android/settings/applications/appops/AppOpsDetails.java
+++ b/src/com/android/settings/applications/appops/AppOpsDetails.java
@@ -115,6 +115,7 @@ public class AppOpsDetails extends SettingsPreferenceFragment {
OP_ICONS.put(AppOpsManager.OP_GPS, R.drawable.ic_perm_location);
OP_ICONS.put(AppOpsManager.OP_MUTE_MICROPHONE, R.drawable.ic_perm_microphone);
OP_ICONS.put(AppOpsManager.OP_NFC_CHANGE, R.drawable.ic_perm_nfc);
+ OP_ICONS.put(AppOpsManager.OP_OTHER_SENSORS, R.drawable.ic_phone_info);
OP_ICONS.put(AppOpsManager.OP_POST_NOTIFICATION, R.drawable.ic_perm_notifications);
OP_ICONS.put(AppOpsManager.OP_READ_CLIPBOARD, R.drawable.ic_perm_clipboard);
OP_ICONS.put(AppOpsManager.OP_RUN_IN_BACKGROUND, R.drawable.ic_perm_background);
@@ -213,6 +214,10 @@ public class AppOpsDetails extends SettingsPreferenceFragment {
if (icon == null && op != -1 && OP_ICONS.containsKey(op)) {
icon = getActivity().getDrawable(OP_ICONS.get(op));
}
+ if (icon == null && op == AppOpsManager.OP_MOTION_SENSORS) {
+ icon = getIconByPermission(AppOpsManager.opToPermission(
+ AppOpsManager.OP_USE_FINGERPRINT));
+ }
if (icon == null) {
Log.e(TAG, "Failed to retrieve icon for permission: " + perm);
} else {

View File

@ -1,103 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Sat, 14 Nov 2020 13:04:05 +0100
Subject: [PATCH] AppOps: Add further Op for accessing Sensors
Change-Id: Id7d84d910b849cc4f781aac2a6c21278e08bdeec
---
core/java/android/app/AppOpsManager.java | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 77875354d732..af535f62c10b 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -836,10 +836,12 @@ public class AppOpsManager {
public static final int OP_READ_DEVICE_IDENTIFIERS = 89;
/** @hide Read location metadata from media */
public static final int OP_ACCESS_MEDIA_LOCATION = 90;
+ /** @hide Access other Sensors */
+ public static final int OP_OTHER_SENSORS = 91;
/** @hide */
@UnsupportedAppUsage
- public static final int _NUM_OP = 91;
+ public static final int _NUM_OP = 92;
/** Access to coarse location information. */
public static final String OPSTR_COARSE_LOCATION = "android:coarse_location";
@@ -1119,6 +1121,10 @@ public class AppOpsManager {
/** @hide Read device identifiers */
public static final String OPSTR_READ_DEVICE_IDENTIFIERS = "android:read_device_identifiers";
+ /** @hide Other Sensors */
+ public static final String OPSTR_OTHER_SENSORS = "android:other_sensors";
+
+
// Warning: If an permission is added here it also has to be added to
// com.android.packageinstaller.permission.utils.EventLogger
private static final int[] RUNTIME_AND_APPOP_PERMISSIONS_OPS = {
@@ -1281,6 +1287,7 @@ public class AppOpsManager {
OP_ACCESS_ACCESSIBILITY, // ACCESS_ACCESSIBILITY
OP_READ_DEVICE_IDENTIFIERS, // READ_DEVICE_IDENTIFIERS
OP_ACCESS_MEDIA_LOCATION, // ACCESS_MEDIA_LOCATION
+ OP_OTHER_SENSORS, // OTHER_SENSORS
};
/**
@@ -1378,6 +1385,7 @@ public class AppOpsManager {
OPSTR_ACCESS_ACCESSIBILITY,
OPSTR_READ_DEVICE_IDENTIFIERS,
OPSTR_ACCESS_MEDIA_LOCATION,
+ OPSTR_OTHER_SENSORS,
};
/**
@@ -1476,6 +1484,7 @@ public class AppOpsManager {
"ACCESS_ACCESSIBILITY",
"READ_DEVICE_IDENTIFIERS",
"ACCESS_MEDIA_LOCATION",
+ "OTHER_SENSORS",
};
/**
@@ -1575,6 +1584,7 @@ public class AppOpsManager {
null, // no permission for OP_ACCESS_ACCESSIBILITY
null, // no direct permission for OP_READ_DEVICE_IDENTIFIERS
Manifest.permission.ACCESS_MEDIA_LOCATION,
+ null, // no direct permission for OP_OTHER_SENSORS
};
/**
@@ -1674,6 +1684,7 @@ public class AppOpsManager {
null, // ACCESS_ACCESSIBILITY
null, // READ_DEVICE_IDENTIFIERS
null, // ACCESS_MEDIA_LOCATION
+ null, // OTHER_SENSORS
};
/**
@@ -1772,6 +1783,7 @@ public class AppOpsManager {
false, // ACCESS_ACCESSIBILITY
false, // READ_DEVICE_IDENTIFIERS
false, // ACCESS_MEDIA_LOCATION
+ false, // OTHER_SENSORS
};
/**
@@ -1869,6 +1881,7 @@ public class AppOpsManager {
AppOpsManager.MODE_ALLOWED, // ACCESS_ACCESSIBILITY
AppOpsManager.MODE_ERRORED, // READ_DEVICE_IDENTIFIERS
AppOpsManager.MODE_ALLOWED, // ALLOW_MEDIA_LOCATION
+ AppOpsManager.MODE_ALLOWED, // OTHER_SENSORS
};
/**
@@ -1970,6 +1983,7 @@ public class AppOpsManager {
false, // ACCESS_ACCESSIBILITY
false, // READ_DEVICE_IDENTIFIERS
false, // ACCESS_MEDIA_LOCATION
+ false, // OTHER_SENSORS
};
/**

View File

@ -1,102 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 21 Jul 2017 08:42:55 -0400
Subject: [PATCH] support new special runtime permissions
Date: Sun, 17 Mar 2019 11:59:15 -0400
Subject: [PATCH] make INTERNET into a special runtime permission
These are treated as a runtime permission even for legacy apps. They
need to be granted by default for all apps to maintain compatibility.
---
.../server/pm/PackageManagerService.java | 3 ++-
.../permission/PermissionManagerService.java | 23 +++++++++++++++----
2 files changed, 20 insertions(+), 6 deletions(-)
core/res/AndroidManifest.xml | 2 +-
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index edaa60f4b09e..834a6b0d5260 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -20162,7 +20162,8 @@ public class PackageManagerService extends IPackageManager.Stub
}
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 7bcd7a048db4..571099f059c8 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1539,7 +1539,7 @@
<permission android:name="android.permission.INTERNET"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
- android:protectionLevel="normal|instant" />
+ android:protectionLevel="dangerous|instant" />
// If this permission was granted by default, make sure it is.
- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
mPermissionManager.grantRuntimePermission(permName, packageName, false,
Process.SYSTEM_UID, userId, delayingPermCallback);
// Allow app op later as we are holding mPackages
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 82f963e1df2a..293bdc7ba197 100644
index 293bdc7ba197..3a71bc8d015b 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -984,6 +984,10 @@ public class PermissionManagerService {
}
@@ -985,7 +985,7 @@ public class PermissionManagerService {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return false;
+ return Manifest.permission.INTERNET.equals(permission);
}
+ public static boolean isSpecialRuntimePermission(final String permission) {
+ return false;
+ }
+
/**
* Restore the permission state for a package.
*
@@ -1277,6 +1281,14 @@ public class PermissionManagerService {
}
}
}
+
+ if (isSpecialRuntimePermission(bp.name) &&
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+ if (permissionsState.grantRuntimePermission(bp, userId)
+ != PERMISSION_OPERATION_FAILURE) {
+ wasChanged = true;
+ }
+ }
} else {
if (permState == null) {
// New permission
@@ -1410,7 +1422,7 @@ public class PermissionManagerService {
wasChanged = true;
}
}
- } else {
+ } else {
if (!permissionsState.hasRuntimePermission(bp.name, userId)
&& permissionsState.grantRuntimePermission(bp,
userId) != PERMISSION_OPERATION_FAILURE) {
@@ -2183,7 +2195,7 @@ public class PermissionManagerService {
&& (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId);
- if (supportsRuntimePermissions) {
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
// Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) {
grantRuntimePermission(permission, pkg.packageName, false, callingUid,
@@ -2242,7 +2254,7 @@ public class PermissionManagerService {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
return;
}
@@ -2294,7 +2306,8 @@ public class PermissionManagerService {
+ permName + " for package " + packageName);
}
- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+ && !isSpecialRuntimePermission(permName)) {
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return;
}
@@ -2381,7 +2394,7 @@ public class PermissionManagerService {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
return;
}

View File

@ -1,36 +1,62 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 17 Mar 2019 11:59:15 -0400
Subject: [PATCH] make INTERNET into a special runtime permission
Date: Fri, 21 Jul 2017 11:23:07 -0400
Subject: [PATCH] add a NETWORK permission group for INTERNET
---
core/res/AndroidManifest.xml | 2 +-
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
api/current.txt | 1 +
core/res/AndroidManifest.xml | 8 ++++++++
core/res/res/values/strings.xml | 5 +++++
3 files changed, 14 insertions(+)
diff --git a/api/current.txt b/api/current.txt
index cd78602d9cd9..b99634c11742 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -176,6 +176,7 @@ package android {
field public static final String CONTACTS = "android.permission-group.CONTACTS";
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+ field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 7bcd7a048db4..571099f059c8 100644
index 571099f059c8..b51e4f21454b 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1539,7 +1539,7 @@
@@ -1533,10 +1533,18 @@
<!-- ======================================= -->
<eat-comment />
+ <!-- Network access -->
+ <permission-group android:name="android.permission-group.NETWORK"
+ android:icon="@drawable/perm_group_network"
+ android:label="@string/permgrouplab_network"
+ android:description="@string/permgroupdesc_network"
+ android:priority="900" />
+
<!-- Allows applications to open network sockets.
<p>Protection level: normal
-->
<permission android:name="android.permission.INTERNET"
+ android:permissionGroup="android.permission-group.UNDEFINED"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
- android:protectionLevel="normal|instant" />
+ android:protectionLevel="dangerous|instant" />
android:protectionLevel="dangerous|instant" />
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index e2afd1e1e0cc..2cf2b923ef90 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -792,6 +792,11 @@
<string name="permgrouprequest_sensors">Allow
&lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 293bdc7ba197..3a71bc8d015b 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -985,7 +985,7 @@ public class PermissionManagerService {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return false;
+ return Manifest.permission.INTERNET.equals(permission);
}
/**
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_network">Network</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_network">access the network</string>
+
<!-- Title for the capability of an accessibility service to retrieve window content. -->
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
<!-- Description for the capability of an accessibility service to retrieve window content. -->

View File

@ -1,62 +1,111 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 21 Jul 2017 11:23:07 -0400
Subject: [PATCH] add a NETWORK permission group for INTERNET
From: Zoraver Kang <zkang@wpi.edu>
Date: Mon, 16 Sep 2019 16:41:30 -0400
Subject: [PATCH] Enforce INTERNET as a runtime permission.
---
api/current.txt | 1 +
core/res/AndroidManifest.xml | 8 ++++++++
core/res/res/values/strings.xml | 5 +++++
3 files changed, 14 insertions(+)
.../connectivity/PermissionMonitor.java | 59 ++++++++++++-------
1 file changed, 39 insertions(+), 20 deletions(-)
diff --git a/api/current.txt b/api/current.txt
index cd78602d9cd9..b99634c11742 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -176,6 +176,7 @@ package android {
field public static final String CONTACTS = "android.permission-group.CONTACTS";
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+ field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 571099f059c8..b51e4f21454b 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1533,10 +1533,18 @@
<!-- ======================================= -->
<eat-comment />
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 56f4959a9714..0b2012fa759a 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
import static android.os.Process.SYSTEM_UID;
+ <!-- Network access -->
+ <permission-group android:name="android.permission-group.NETWORK"
+ android:icon="@drawable/perm_group_network"
+ android:label="@string/permgrouplab_network"
+ android:description="@string/permgroupdesc_network"
+ android:priority="900" />
import android.annotation.NonNull;
+import android.annotation.UserIdInt;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
import com.android.internal.util.IndentingPrintWriter;
import com.android.server.LocalServices;
import com.android.server.SystemConfig;
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
import java.util.ArrayList;
import java.util.Collection;
@@ -80,6 +82,7 @@ public class PermissionMonitor {
private static final int VERSION_Q = Build.VERSION_CODES.Q;
private final PackageManager mPackageManager;
+ private final PackageManagerInternal mPackageManagerInternal;
private final UserManager mUserManager;
private final INetd mNetd;
@@ -104,26 +107,6 @@ public class PermissionMonitor {
private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
- private int getPermissionForUid(int uid) {
- int permission = 0;
- // Check all the packages for this UID. The UID has the permission if any of the
- // packages in it has the permission.
- String[] packages = mPackageManager.getPackagesForUid(uid);
- if (packages != null && packages.length > 0) {
- for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
- if (app != null && app.requestedPermissions != null) {
- permission |= getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- }
- }
- } else {
- // The last package of this uid is removed from device. Clean the package up.
- permission = INetd.PERMISSION_UNINSTALLED;
- }
- return permission;
- }
-
@Override
public void onPackageAdded(String packageName, int uid) {
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
@@ -140,10 +123,46 @@ public class PermissionMonitor {
}
}
+ private int getPermissionForUid(int uid) {
+ int permission = 0;
+ // Check all the packages for this UID. The UID has the permission if any of the
+ // packages in it has the permission.
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages != null && packages.length > 0) {
+ for (String name : packages) {
+ final PackageInfo app = getPackageInfo(name);
+ if (app != null && app.requestedPermissions != null) {
+ permission |= getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ }
+ }
+ } else {
+ // The last package of this uid is removed from device. Clean the package up.
+ permission = INetd.PERMISSION_UNINSTALLED;
+ }
+ return permission;
+ }
+
<!-- Allows applications to open network sockets.
<p>Protection level: normal
-->
<permission android:name="android.permission.INTERNET"
+ android:permissionGroup="android.permission-group.UNDEFINED"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
android:protectionLevel="dangerous|instant" />
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index e2afd1e1e0cc..2cf2b923ef90 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -792,6 +792,11 @@
<string name="permgrouprequest_sensors">Allow
&lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_network">Network</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_network">access the network</string>
+ // implements OnRuntimePermissionStateChangedListener
+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+ @UserIdInt int userId) {
+ // userId is _not_ uid
+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+ }
+
<!-- Title for the capability of an accessibility service to retrieve window content. -->
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
<!-- Description for the capability of an accessibility service to retrieve window content. -->
public PermissionMonitor(Context context, INetd netd) {
mPackageManager = context.getPackageManager();
mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
mNetd = netd;
+
+ mPackageManagerInternal = LocalServices.getService(
+ PackageManagerInternal.class);
+
+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
+ PermissionManagerServiceInternal.class);
+ permManagerInternal.addOnRuntimePermissionStateChangedListener(
+ this::enforceINTERNETAsRuntimePermission);
}
// Intended to be called only once at startup, after the system is ready. Installs a broadcast

View File

@ -1,111 +1,82 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Zoraver Kang <zkang@wpi.edu>
Date: Mon, 16 Sep 2019 16:41:30 -0400
Subject: [PATCH] Enforce INTERNET as a runtime permission.
From: pratyush <codelab@pratyush.dev>
Date: Sun, 25 Apr 2021 07:04:03 +0530
Subject: [PATCH] fix INTERNET enforcement for secondary users
This code was not specifying the profile for the app so it wasn't
working properly with INTERNET as a runtime permission.
---
.../connectivity/PermissionMonitor.java | 59 ++++++++++++-------
1 file changed, 39 insertions(+), 20 deletions(-)
.../connectivity/PermissionMonitor.java | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 56f4959a9714..0b2012fa759a 100644
index 0b2012fa759a..3187d4ba1491 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
import static android.os.Process.SYSTEM_UID;
@@ -130,7 +130,8 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
+ int userId = UserHandle.getUserId(uid);
+ final PackageInfo app = getPackageInfo(name, userId);
if (app != null && app.requestedPermissions != null) {
permission |= getNetdPermissionMask(app.requestedPermissions,
app.requestedPermissionsFlags);
@@ -147,7 +148,7 @@ public class PermissionMonitor {
private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
@UserIdInt int userId) {
// userId is _not_ uid
- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ int uid = mPackageManagerInternal.getPackageUid( packageName, GET_PERMISSIONS, userId);
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
}
import android.annotation.NonNull;
+import android.annotation.UserIdInt;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
import com.android.internal.util.IndentingPrintWriter;
import com.android.server.LocalServices;
import com.android.server.SystemConfig;
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
@@ -363,12 +364,13 @@ public class PermissionMonitor {
}
import java.util.ArrayList;
import java.util.Collection;
@@ -80,6 +82,7 @@ public class PermissionMonitor {
private static final int VERSION_Q = Build.VERSION_CODES.Q;
private final PackageManager mPackageManager;
+ private final PackageManagerInternal mPackageManagerInternal;
private final UserManager mUserManager;
private final INetd mNetd;
@@ -104,26 +107,6 @@ public class PermissionMonitor {
private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
- private int getPermissionForUid(int uid) {
- int permission = 0;
- // Check all the packages for this UID. The UID has the permission if any of the
- // packages in it has the permission.
- String[] packages = mPackageManager.getPackagesForUid(uid);
- if (packages != null && packages.length > 0) {
- for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
- if (app != null && app.requestedPermissions != null) {
- permission |= getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- }
- }
- } else {
- // The last package of this uid is removed from device. Clean the package up.
- permission = INetd.PERMISSION_UNINSTALLED;
- }
- return permission;
- }
-
@Override
public void onPackageAdded(String packageName, int uid) {
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
@@ -140,10 +123,46 @@ public class PermissionMonitor {
@VisibleForTesting
- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
if (currentPermission == SYSTEM) {
return currentPermission;
}
try {
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
+ UserHandle.getUserId(uid));
final boolean isNetwork = hasNetworkPermission(app);
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
if (isNetwork || hasRestrictedPermission) {
@@ -392,7 +394,7 @@ public class PermissionMonitor {
public synchronized void onPackageAdded(String packageName, int uid) {
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
if (permission != mApps.get(uid)) {
mApps.put(uid, permission);
@@ -444,7 +446,7 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
for (String name : packages) {
- permission = highestPermissionForUid(permission, name);
+ permission = highestPermissionForUid(permission, name, uid);
if (permission == SYSTEM) {
// An app with this UID still has the SYSTEM permission.
// Therefore, this UID must already have the SYSTEM permission.
@@ -484,11 +486,9 @@ public class PermissionMonitor {
return permissions;
}
+ private int getPermissionForUid(int uid) {
+ int permission = 0;
+ // Check all the packages for this UID. The UID has the permission if any of the
+ // packages in it has the permission.
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages != null && packages.length > 0) {
+ for (String name : packages) {
+ final PackageInfo app = getPackageInfo(name);
+ if (app != null && app.requestedPermissions != null) {
+ permission |= getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ }
+ }
+ } else {
+ // The last package of this uid is removed from device. Clean the package up.
+ permission = INetd.PERMISSION_UNINSTALLED;
+ }
+ return permission;
+ }
+
+ // implements OnRuntimePermissionStateChangedListener
+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+ @UserIdInt int userId) {
+ // userId is _not_ uid
+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+ }
+
public PermissionMonitor(Context context, INetd netd) {
mPackageManager = context.getPackageManager();
mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
mNetd = netd;
+
+ mPackageManagerInternal = LocalServices.getService(
+ PackageManagerInternal.class);
+
+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
+ PermissionManagerServiceInternal.class);
+ permManagerInternal.addOnRuntimePermissionStateChangedListener(
+ this::enforceINTERNETAsRuntimePermission);
}
// Intended to be called only once at startup, after the system is ready. Installs a broadcast
- private PackageInfo getPackageInfo(String packageName) {
+ private PackageInfo getPackageInfo(String packageName, int userId) {
try {
- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
- | MATCH_ANY_USER);
- return app;
+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
} catch (NameNotFoundException e) {
return null;
}

View File

@ -1,82 +1,125 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: pratyush <codelab@pratyush.dev>
Date: Sun, 25 Apr 2021 07:04:03 +0530
Subject: [PATCH] fix INTERNET enforcement for secondary users
From: Pratyush <codelab@pratyush.dev>
Date: Thu, 12 Aug 2021 03:44:41 +0530
Subject: [PATCH] send uid for each user instead of just owner/admin user
This code was not specifying the profile for the app so it wasn't
working properly with INTERNET as a runtime permission.
---
.../connectivity/PermissionMonitor.java | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
.../connectivity/PermissionMonitor.java | 83 +++++++++++--------
1 file changed, 49 insertions(+), 34 deletions(-)
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 0b2012fa759a..3187d4ba1491 100644
index 3187d4ba1491..0a9b8b6a6e94 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -130,7 +130,8 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
@@ -132,7 +132,7 @@ public class PermissionMonitor {
for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
+ int userId = UserHandle.getUserId(uid);
+ final PackageInfo app = getPackageInfo(name, userId);
if (app != null && app.requestedPermissions != null) {
int userId = UserHandle.getUserId(uid);
final PackageInfo app = getPackageInfo(name, userId);
- if (app != null && app.requestedPermissions != null) {
+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
permission |= getNetdPermissionMask(app.requestedPermissions,
app.requestedPermissionsFlags);
@@ -147,7 +148,7 @@ public class PermissionMonitor {
private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
@UserIdInt int userId) {
// userId is _not_ uid
- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ int uid = mPackageManagerInternal.getPackageUid( packageName, GET_PERMISSIONS, userId);
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
}
}
@@ -177,44 +177,45 @@ public class PermissionMonitor {
} else {
loge("failed to get the PackageManagerInternal service");
}
- List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
- | MATCH_ANY_USER);
- if (apps == null) {
- loge("No apps");
- return;
- }
@@ -363,12 +364,13 @@ public class PermissionMonitor {
}
SparseIntArray netdPermsUids = new SparseIntArray();
@VisibleForTesting
- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
if (currentPermission == SYSTEM) {
return currentPermission;
- for (PackageInfo app : apps) {
- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
- if (uid < 0) {
- continue;
- }
- mAllApps.add(UserHandle.getAppId(uid));
-
- boolean isNetwork = hasNetworkPermission(app);
- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
-
- if (isNetwork || hasRestrictedPermission) {
- Boolean permission = mApps.get(uid);
- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- if (permission == null || permission == NETWORK) {
- mApps.put(uid, hasRestrictedPermission);
- }
- }
-
- //TODO: unify the management of the permissions into one codepath.
- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
- }
-
List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
if (users != null) {
for (UserInfo user : users) {
mUsers.add(user.id);
+
+ List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
+ if (apps == null) {
+ loge("No apps");
+ continue;
+ }
+
+ for (PackageInfo app : apps) {
+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+ if (uid < 0) {
+ continue;
+ }
+ mAllApps.add(UserHandle.getAppId(uid));
+
+ boolean isNetwork = hasNetworkPermission(app);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+
+ if (isNetwork || hasRestrictedPermission) {
+ Boolean permission = mApps.get(uid);
+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+ if (permission == null || permission == NETWORK) {
+ mApps.put(uid, hasRestrictedPermission);
+ }
+ }
+
+ //TODO: unify the management of the permissions into one codepath.
+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+ }
+
}
}
@@ -307,9 +308,23 @@ public class PermissionMonitor {
List<Integer> network = new ArrayList<>();
List<Integer> system = new ArrayList<>();
for (Entry<Integer, Boolean> app : apps.entrySet()) {
- List<Integer> list = app.getValue() ? system : network;
for (int user : users) {
- list.add(UserHandle.getUid(user, app.getKey()));
+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
+ if (uid < 0) continue;
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages == null) continue;
+ for (String pkg : packages) {
+ PackageInfo info = getPackageInfo(pkg, user);
+ if (info != null && info.applicationInfo.uid == uid) {
+ boolean isNetwork = hasNetworkPermission(info);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
+
+ if (isNetwork || hasRestrictedPermission) {
+ List<Integer> list = hasRestrictedPermission ? system : network;
+ list.add(UserHandle.getUid(user, app.getKey()));
+ }
+ }
+ }
}
}
try {
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
+ UserHandle.getUserId(uid));
final boolean isNetwork = hasNetworkPermission(app);
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
if (isNetwork || hasRestrictedPermission) {
@@ -392,7 +394,7 @@ public class PermissionMonitor {
public synchronized void onPackageAdded(String packageName, int uid) {
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
if (permission != mApps.get(uid)) {
mApps.put(uid, permission);
@@ -444,7 +446,7 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
for (String name : packages) {
- permission = highestPermissionForUid(permission, name);
+ permission = highestPermissionForUid(permission, name, uid);
if (permission == SYSTEM) {
// An app with this UID still has the SYSTEM permission.
// Therefore, this UID must already have the SYSTEM permission.
@@ -484,11 +486,9 @@ public class PermissionMonitor {
return permissions;
}
- private PackageInfo getPackageInfo(String packageName) {
+ private PackageInfo getPackageInfo(String packageName, int userId) {
try {
- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
- | MATCH_ANY_USER);
- return app;
+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
} catch (NameNotFoundException e) {
return null;
}

View File

@ -1,125 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pratyush <codelab@pratyush.dev>
Date: Thu, 12 Aug 2021 03:44:41 +0530
Subject: [PATCH] send uid for each user instead of just owner/admin user
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 14 Dec 2021 18:17:11 +0200
Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
---
.../connectivity/PermissionMonitor.java | 83 +++++++++++--------
1 file changed, 49 insertions(+), 34 deletions(-)
core/java/android/net/ConnectivityManager.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 3187d4ba1491..0a9b8b6a6e94 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -132,7 +132,7 @@ public class PermissionMonitor {
for (String name : packages) {
int userId = UserHandle.getUserId(uid);
final PackageInfo app = getPackageInfo(name, userId);
- if (app != null && app.requestedPermissions != null) {
+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
permission |= getNetdPermissionMask(app.requestedPermissions,
app.requestedPermissionsFlags);
}
@@ -177,44 +177,45 @@ public class PermissionMonitor {
} else {
loge("failed to get the PackageManagerInternal service");
}
- List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
- | MATCH_ANY_USER);
- if (apps == null) {
- loge("No apps");
- return;
- }
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 12102a140947..21661609ff72 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -17,6 +17,7 @@ package android.net;
SparseIntArray netdPermsUids = new SparseIntArray();
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
- for (PackageInfo app : apps) {
- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
- if (uid < 0) {
- continue;
- }
- mAllApps.add(UserHandle.getAppId(uid));
-
- boolean isNetwork = hasNetworkPermission(app);
- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
-
- if (isNetwork || hasRestrictedPermission) {
- Boolean permission = mApps.get(uid);
- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- if (permission == null || permission == NETWORK) {
- mApps.put(uid, hasRestrictedPermission);
- }
- }
-
- //TODO: unify the management of the permissions into one codepath.
- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
- }
-
List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
if (users != null) {
for (UserInfo user : users) {
mUsers.add(user.id);
+
+ List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
+ if (apps == null) {
+ loge("No apps");
+ continue;
+ }
+
+ for (PackageInfo app : apps) {
+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+ if (uid < 0) {
+ continue;
+ }
+ mAllApps.add(UserHandle.getAppId(uid));
+
+ boolean isNetwork = hasNetworkPermission(app);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+
+ if (isNetwork || hasRestrictedPermission) {
+ Boolean permission = mApps.get(uid);
+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+ if (permission == null || permission == NETWORK) {
+ mApps.put(uid, hasRestrictedPermission);
+ }
+ }
+
+ //TODO: unify the management of the permissions into one codepath.
+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+ }
+
}
}
@@ -307,9 +308,23 @@ public class PermissionMonitor {
List<Integer> network = new ArrayList<>();
List<Integer> system = new ArrayList<>();
for (Entry<Integer, Boolean> app : apps.entrySet()) {
- List<Integer> list = app.getValue() ? system : network;
for (int user : users) {
- list.add(UserHandle.getUid(user, app.getKey()));
+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
+ if (uid < 0) continue;
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages == null) continue;
+ for (String pkg : packages) {
+ PackageInfo info = getPackageInfo(pkg, user);
+ if (info != null && info.applicationInfo.uid == uid) {
+ boolean isNetwork = hasNetworkPermission(info);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
+
+ if (isNetwork || hasRestrictedPermission) {
+ List<Integer> list = hasRestrictedPermission ? system : network;
+ list.add(UserHandle.getUid(user, app.getKey()));
+ }
+ }
+ }
}
}
+import android.Manifest;
import android.annotation.CallbackExecutor;
import android.annotation.IntDef;
import android.annotation.NonNull;
@@ -31,6 +32,7 @@ import android.annotation.UnsupportedAppUsage;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.net.IpSecManager.UdpEncapsulationSocket;
import android.net.SocketKeepalive.Callback;
import android.os.Binder;
@@ -3054,6 +3056,12 @@ public class ConnectivityManager {
*/
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
printStackTrace();
+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
+ // ConnectivityService enforces this by throwing an unexpected SecurityException,
+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that
+ // INTERNET permission might get revoked.
+ return;
+ }
try {
mService.reportNetworkConnectivity(network, hasConnectivity);
} catch (RemoteException e) {

View File

@ -1,42 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 14 Dec 2021 18:17:11 +0200
Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
---
core/java/android/net/ConnectivityManager.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 12102a140947..21661609ff72 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -17,6 +17,7 @@ package android.net;
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
+import android.Manifest;
import android.annotation.CallbackExecutor;
import android.annotation.IntDef;
import android.annotation.NonNull;
@@ -31,6 +32,7 @@ import android.annotation.UnsupportedAppUsage;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.net.IpSecManager.UdpEncapsulationSocket;
import android.net.SocketKeepalive.Callback;
import android.os.Binder;
@@ -3054,6 +3056,12 @@ public class ConnectivityManager {
*/
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
printStackTrace();
+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
+ // ConnectivityService enforces this by throwing an unexpected SecurityException,
+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that
+ // INTERNET permission might get revoked.
+ return;
+ }
try {
mService.reportNetworkConnectivity(network, hasConnectivity);
} catch (RemoteException e) {

View File

@ -0,0 +1,114 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:54:42 -0400
Subject: [PATCH] add special runtime permission for other sensors
This covers sensors not included in the existing runtime permission for
body sensors.
---
api/current.txt | 2 ++
core/java/android/content/pm/PackageParser.java | 2 ++
core/res/AndroidManifest.xml | 12 ++++++++++++
core/res/res/values/strings.xml | 12 ++++++++++++
.../pm/permission/PermissionManagerService.java | 2 +-
5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/api/current.txt b/api/current.txt
index b99634c11742..d74627f45dbd 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -100,6 +100,7 @@ package android {
field public static final String MOUNT_UNMOUNT_FILESYSTEMS = "android.permission.MOUNT_UNMOUNT_FILESYSTEMS";
field public static final String NFC = "android.permission.NFC";
field public static final String NFC_TRANSACTION_EVENT = "android.permission.NFC_TRANSACTION_EVENT";
+ field public static final String OTHER_SENSORS = "android.permission.OTHER_SENSORS";
field public static final String PACKAGE_USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS";
field @Deprecated public static final String PERSISTENT_ACTIVITY = "android.permission.PERSISTENT_ACTIVITY";
field @Deprecated public static final String PROCESS_OUTGOING_CALLS = "android.permission.PROCESS_OUTGOING_CALLS";
@@ -177,6 +178,7 @@ package android {
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
field public static final String NETWORK = "android.permission-group.NETWORK";
+ field public static final String OTHER_SENSORS = "android.permission-group.OTHER_SENSORS";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index 861b0d922d32..e9a0696ebaff 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -286,6 +286,8 @@ public class PackageParser {
@UnsupportedAppUsage
public static final PackageParser.NewPermissionInfo NEW_PERMISSIONS[] =
new PackageParser.NewPermissionInfo[] {
+ new PackageParser.NewPermissionInfo(android.Manifest.permission.OTHER_SENSORS,
+ android.os.Build.VERSION_CODES.CUR_DEVELOPMENT + 1, 0),
new PackageParser.NewPermissionInfo(android.Manifest.permission.WRITE_EXTERNAL_STORAGE,
android.os.Build.VERSION_CODES.DONUT, 0),
new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE,
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index b51e4f21454b..d5bc3cd38c07 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1331,6 +1331,18 @@
android:description="@string/permdesc_useBiometric"
android:protectionLevel="normal" />
+ <permission-group android:name="android.permission-group.OTHER_SENSORS"
+ android:icon="@drawable/perm_group_location"
+ android:label="@string/permgrouplab_otherSensors"
+ android:description="@string/permgroupdesc_otherSensors"
+ android:priority="1000" />
+
+ <permission android:name="android.permission.OTHER_SENSORS"
+ android:permissionGroup="android.permission-group.UNDEFINED"
+ android:label="@string/permlab_otherSensors"
+ android:description="@string/permdesc_otherSensors"
+ android:protectionLevel="dangerous" />
+
<!-- ====================================================================== -->
<!-- REMOVED PERMISSIONS -->
<!-- ====================================================================== -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 2cf2b923ef90..ae206c1f5872 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -792,6 +792,11 @@
<string name="permgrouprequest_sensors">Allow
&lt;b><xliff:g id="app_name" example="Gmail">%1$s</xliff:g>&lt;/b> to access sensor data about your vital signs?</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_otherSensors">Sensors</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_otherSensors">access sensor data about orientation, movement, etc.</string>
+
<!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permgrouplab_network">Network</string>
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
@@ -1085,6 +1090,13 @@
<string name="permdesc_bodySensors" product="default">Allows the app to access data from sensors
that monitor your physical condition, such as your heart rate.</string>
+ <!-- Title of the sensors permission, listed so the user can decide whether to allow the application to access sensor data. [CHAR LIMIT=80] -->
+ <string name="permlab_otherSensors">access sensors (like the compass)
+ </string>
+ <!-- Description of the sensors permission, listed so the user can decide whether to allow the application to access data from sensors. [CHAR LIMIT=NONE] -->
+ <string name="permdesc_otherSensors" product="default">Allows the app to access data from sensors
+ monitoring orientation, movement, vibration (including low frequency sound) and environmental data</string>
+
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_readCalendar">Read calendar events and details</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 3a71bc8d015b..3eb4262ba634 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -985,7 +985,7 @@ public class PermissionManagerService {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return Manifest.permission.INTERNET.equals(permission);
+ return Manifest.permission.INTERNET.equals(permission) || Manifest.permission.OTHER_SENSORS.equals(permission);
}
/**

View File

@ -0,0 +1,102 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 21 Jul 2017 08:42:55 -0400
Subject: [PATCH] support new special runtime permissions
These are treated as a runtime permission even for legacy apps. They
need to be granted by default for all apps to maintain compatibility.
---
.../server/pm/PackageManagerService.java | 3 ++-
.../permission/PermissionManagerService.java | 23 +++++++++++++++----
2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index edaa60f4b09e..834a6b0d5260 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -20162,7 +20162,8 @@ public class PackageManagerService extends IPackageManager.Stub
}
// If this permission was granted by default, make sure it is.
- if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0) {
+ if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
+ || PermissionManagerService.isSpecialRuntimePermission(bp.getName())) {
mPermissionManager.grantRuntimePermission(permName, packageName, false,
Process.SYSTEM_UID, userId, delayingPermCallback);
// Allow app op later as we are holding mPackages
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 82f963e1df2a..293bdc7ba197 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -984,6 +984,10 @@ public class PermissionManagerService {
}
}
+ public static boolean isSpecialRuntimePermission(final String permission) {
+ return false;
+ }
+
/**
* Restore the permission state for a package.
*
@@ -1277,6 +1281,14 @@ public class PermissionManagerService {
}
}
}
+
+ if (isSpecialRuntimePermission(bp.name) &&
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+ if (permissionsState.grantRuntimePermission(bp, userId)
+ != PERMISSION_OPERATION_FAILURE) {
+ wasChanged = true;
+ }
+ }
} else {
if (permState == null) {
// New permission
@@ -1410,7 +1422,7 @@ public class PermissionManagerService {
wasChanged = true;
}
}
- } else {
+ } else {
if (!permissionsState.hasRuntimePermission(bp.name, userId)
&& permissionsState.grantRuntimePermission(bp,
userId) != PERMISSION_OPERATION_FAILURE) {
@@ -2183,7 +2195,7 @@ public class PermissionManagerService {
&& (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId);
- if (supportsRuntimePermissions) {
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
// Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) {
grantRuntimePermission(permission, pkg.packageName, false, callingUid,
@@ -2242,7 +2254,7 @@ public class PermissionManagerService {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
return;
}
@@ -2294,7 +2306,8 @@ public class PermissionManagerService {
+ permName + " for package " + packageName);
}
- if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
+ && !isSpecialRuntimePermission(permName)) {
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return;
}
@@ -2381,7 +2394,7 @@ public class PermissionManagerService {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
return;
}

View File

@ -1,81 +1,21 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Sat, 14 Nov 2020 13:21:18 +0100
Subject: [PATCH] AppOps: New Op for (Other) sensors access
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 16:28:57 -0400
Subject: [PATCH] require OTHER_SENSORS permission for sensors
* Add missing Ops to the enum, as pre-requisite to add new sensor op
* Add new sensor op to enum
* Invoke OP_OTHER_SENSORS as default
* Adapt logic for checking the Ops, if no permission is linked
Change-Id: If4011566a391314afed9a26e1dcf6e4bc838e4f7
---
libs/binder/include/binder/AppOpsManager.h | 13 +++++++++++++
libs/sensor/Sensor.cpp | 1 +
services/sensorservice/SensorService.cpp | 9 +++++----
3 files changed, 19 insertions(+), 4 deletions(-)
libs/sensor/Sensor.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/libs/binder/include/binder/AppOpsManager.h b/libs/binder/include/binder/AppOpsManager.h
index 17493b4252..89c0eacb8a 100644
--- a/libs/binder/include/binder/AppOpsManager.h
+++ b/libs/binder/include/binder/AppOpsManager.h
@@ -109,6 +109,19 @@ public:
OP_START_FOREGROUND = 76,
OP_BLUETOOTH_SCAN = 77,
OP_USE_BIOMETRIC = 78,
+ OP_ACTIVITY_RECOGNITION = 79,
+ OP_SMS_FINANCIAL_TRANSACTIONS = 80,
+ OP_READ_MEDIA_AUDIO = 81,
+ OP_WRITE_MEDIA_AUDIO = 82,
+ OP_READ_MEDIA_VIDEO = 83,
+ OP_WRITE_MEDIA_VIDEO = 84,
+ OP_READ_MEDIA_IMAGES = 85,
+ OP_WRITE_MEDIA_IMAGES = 86,
+ OP_LEGACY_STORAGE = 87,
+ OP_ACCESS_ACCESSIBILITY = 88,
+ OP_READ_DEVICE_IDENTIFIERS = 89,
+ OP_ACCESS_MEDIA_LOCATION = 90,
+ OP_OTHER_SENSORS = 91,
};
AppOpsManager();
diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp
index abc910302c..8a318543a7 100644
index abc910302c..8b6e96aef6 100644
--- a/libs/sensor/Sensor.cpp
+++ b/libs/sensor/Sensor.cpp
@@ -59,6 +59,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
mMinDelay = hwSensor.minDelay;
mFlags = 0;
mUuid = uuid;
+ mRequiredAppOp = AppOpsManager::OP_OTHER_SENSORS; //default, other values are explicitly set
+ mRequiredPermission = "android.permission.OTHER_SENSORS";
// Set fifo event count zero for older devices which do not support batching. Fused
// sensors also have their fifo counts set to zero.
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 6bb250e7bb..58297122a5 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -1643,10 +1643,9 @@ status_t SensorService::flushSensor(const sp<SensorEventConnection>& connection,
bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
const String16& opPackageName) {
+
// Check if a permission is required for this sensor
- if (sensor.getRequiredPermission().length() <= 0) {
- return true;
- }
+ bool noAssociatedPermission = (sensor.getRequiredPermission().length() <= 0);
const int32_t opCode = sensor.getRequiredAppOp();
const int32_t appOpMode = sAppOpsManager.checkOp(opCode,
@@ -1654,7 +1653,9 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
bool appOpAllowed = appOpMode == AppOpsManager::MODE_ALLOWED;
bool canAccess = false;
- if (hasPermissionForSensor(sensor)) {
+ if (noAssociatedPermission) {
+ canAccess = appOpAllowed;
+ } else if (hasPermissionForSensor(sensor)) {
// Ensure that the AppOp is allowed, or that there is no necessary app op for the sensor
if (opCode < 0 || appOpAllowed) {
canAccess = true;

View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:55:58 -0400
Subject: [PATCH] always treat OTHER_SENSORS as a runtime permission
---
.../packageinstaller/permission/model/AppPermissionGroup.java | 4 ++--
.../android/packageinstaller/permission/model/Permission.java | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
index c9fa2ca3e..7930b46ce 100644
--- a/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/packageinstaller/permission/model/AppPermissionGroup.java
@@ -786,7 +786,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
boolean wasGranted = permission.isGrantedIncludingAppOp();
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
// Do not touch permissions fixed by the system.
if (permission.isSystemFixed()) {
wasAllGranted = false;
@@ -963,7 +963,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
break;
}
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
// Revoke the permission if needed.
if (permission.isGranted()) {
permission.setGranted(false);
diff --git a/src/com/android/packageinstaller/permission/model/Permission.java b/src/com/android/packageinstaller/permission/model/Permission.java
index c2ec88902..4cd2a7349 100644
--- a/src/com/android/packageinstaller/permission/model/Permission.java
+++ b/src/com/android/packageinstaller/permission/model/Permission.java
@@ -137,7 +137,7 @@ public final class Permission {
* @return {@code true} if the permission (and the app-op) is granted.
*/
public boolean isGrantedIncludingAppOp() {
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
+ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName) || Manifest.permission.OTHER_SENSORS.equals(mName));
}
public boolean isReviewRequired() {

View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:56:35 -0400
Subject: [PATCH] add OTHER_SENSORS permission group
---
src/com/android/packageinstaller/permission/utils/Utils.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/com/android/packageinstaller/permission/utils/Utils.java b/src/com/android/packageinstaller/permission/utils/Utils.java
index 162b15f37..d1a19200b 100644
--- a/src/com/android/packageinstaller/permission/utils/Utils.java
+++ b/src/com/android/packageinstaller/permission/utils/Utils.java
@@ -25,6 +25,7 @@ import static android.Manifest.permission_group.CONTACTS;
import static android.Manifest.permission_group.LOCATION;
import static android.Manifest.permission_group.MICROPHONE;
import static android.Manifest.permission_group.NETWORK;
+import static android.Manifest.permission_group.OTHER_SENSORS;
import static android.Manifest.permission_group.PHONE;
import static android.Manifest.permission_group.SENSORS;
import static android.Manifest.permission_group.SMS;
@@ -175,6 +176,7 @@ public final class Utils {
PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS);
PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
+ PLATFORM_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS);
PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
int numPlatformPermissions = PLATFORM_PERMISSIONS.size();

View File

@ -1,263 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Sat, 14 Nov 2020 15:17:37 +0100
Subject: [PATCH] Special Access: Add an option to administer Sensor access
Accesses the added AppOp for OP_OTHER_SENSORS
Change-Id: I79c0ed4ab97494434edc6c308a8a54bd123c02ee
---
res/values-de/strings.xml | 3 +
res/values-fr/strings.xml | 3 +
res/values/strings.xml | 5 +
res/xml/special_access.xml | 7 +
.../specialaccess/sensor/SensorAccess.java | 178 ++++++++++++++++++
5 files changed, 196 insertions(+)
create mode 100644 src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java
diff --git a/res/values-de/strings.xml b/res/values-de/strings.xml
index e0b5bebaec..e4df5eb84f 100644
--- a/res/values-de/strings.xml
+++ b/res/values-de/strings.xml
@@ -4667,6 +4667,9 @@
<string name="dual_cdma_sim_warning_notification_channel_title" msgid="1049161096896074364">"SIM-Kombination"</string>
<string name="work_policy_privacy_settings" msgid="2702644843505242596">"Informationen zu den Arbeitsrichtlinien"</string>
<string name="work_policy_privacy_settings_summary" msgid="690118670737638405">"Einstellungen, die von deinem IT-Administrator verwaltet werden"</string>
+ <string name="sensor_access_summary">Sensorzugriff von Benutzer-Apps kontrollieren</string>
+ <string name="sensor_access_title">Zugriff auf Sensoren</string>
+ <string name="sensor_access_title_empty_text">Keine installierte App hat Sensorzugriff angefordert.</string>
<string name="rtt_settings_title" msgid="7049259598645966354"></string>
<string name="rtt_settings_no_visible" msgid="7440356831140948382"></string>
<string name="rtt_settings_visible_during_call" msgid="7866181103286073700"></string>
diff --git a/res/values-fr/strings.xml b/res/values-fr/strings.xml
index fe92e77035..7834851bd9 100644
--- a/res/values-fr/strings.xml
+++ b/res/values-fr/strings.xml
@@ -4666,6 +4666,9 @@
<string name="dual_cdma_sim_warning_notification_channel_title" msgid="1049161096896074364">"Combinaison de cartes SIM"</string>
<string name="work_policy_privacy_settings" msgid="2702644843505242596">"Informations sur les règles professionnelles"</string>
<string name="work_policy_privacy_settings_summary" msgid="690118670737638405">"Paramètres gérés par votre administrateur informatique"</string>
+ <string name="sensor_access_summary">Contrôler l\'accès des applications utilisateurs aux capteurs</string>
+ <string name="sensor_access_title">Access aux Capteurs</string>
+ <string name="sensor_access_title_empty_text">Aucune app installée n\'a demandé de l\'accès aux capteurs.</string>
<string name="rtt_settings_title" msgid="7049259598645966354"></string>
<string name="rtt_settings_no_visible" msgid="7440356831140948382"></string>
<string name="rtt_settings_visible_during_call" msgid="7866181103286073700"></string>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 2180ea45f6..6f48171135 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11426,6 +11426,11 @@
<!-- Subtext for showing the option of RTT setting. [CHAR LIMIT=NONE] -->
<string name="rtt_settings_always_visible"></string>
+ <!-- Sensor AppOps -->
+ <string name="sensor_access_summary">Control sensor access for user apps</string>
+ <string name="sensor_access_title">Access to Sensors</string>
+ <string name="sensor_access_title_empty_text">No installed apps have requested sensors access.</string>
+
<!-- Bluetooth message permission alert for notification content [CHAR LIMIT=none] -->
<string name="bluetooth_message_access_notification_content">A device wants to access your messages. Tap for details.</string>
<!-- Bluetooth message permission alert for dialog title [CHAR LIMIT=none] -->
diff --git a/res/xml/special_access.xml b/res/xml/special_access.xml
index f846298341..bee9d6e2eb 100644
--- a/res/xml/special_access.xml
+++ b/res/xml/special_access.xml
@@ -145,6 +145,13 @@
android:value="com.android.settings.Settings$ChangeWifiStateActivity" />
</Preference>
+ <Preference
+ android:key="sensor_access"
+ android:title="@string/sensor_access_title"
+ android:summary="@string/sensor_access_summary"
+ android:fragment="com.android.settings.applications.specialaccess.sensor.SensorAccess">
+ </Preference>
+
<Preference
android:key="special_access_more"
android:title="@string/special_access_more"
diff --git a/src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java b/src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java
new file mode 100644
index 0000000000..2c29f3abfd
--- /dev/null
+++ b/src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java
@@ -0,0 +1,178 @@
+package com.android.settings.applications.specialaccess.sensor;
+
+import android.annotation.Nullable;
+import android.app.AlertDialog;
+import android.app.Dialog;
+import android.app.DialogFragment;
+import android.app.AppOpsManager;
+import android.content.Context;
+import android.content.DialogInterface;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageItemInfo;
+import android.content.pm.PackageManager;
+import android.database.ContentObserver;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.Handler;
+import android.os.Looper;
+import android.text.TextUtils;
+import android.util.ArraySet;
+import android.util.Log;
+import android.util.TypedValue;
+import android.view.Gravity;
+import android.view.View;
+import android.view.ViewGroup;
+import android.view.ViewGroup.LayoutParams;
+import android.widget.TextView;
+import android.widget.Toast;
+
+import androidx.preference.Preference;
+import androidx.preference.Preference.OnPreferenceChangeListener;
+import androidx.preference.PreferenceScreen;
+import androidx.preference.SwitchPreference;
+
+import com.android.settings.R;
+import com.android.settings.core.instrumentation.InstrumentedDialogFragment;
+import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
+import com.android.settings.SettingsPreferenceFragment;
+
+import java.util.Arrays;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class SensorAccess extends SettingsPreferenceFragment {
+
+ private final SettingObserver mObserver = new SettingObserver();
+
+ static final String TAG = "SensorAccess";
+
+ private Context mContext;
+ private PackageManager mPackageManager;
+ private AppOpsManager mAppOpsManager;
+ private TextView mEmpty;
+
+ @Override
+ public int getMetricsCategory() {
+ return MetricsEvent.VIEW_UNKNOWN;
+ }
+
+ @Override
+ public void onCreate(Bundle icicle) {
+ super.onCreate(icicle);
+
+ mContext = getActivity();
+ mPackageManager = mContext.getPackageManager();
+ mAppOpsManager = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
+ setPreferenceScreen(getPreferenceManager().createPreferenceScreen(mContext));
+ }
+
+ @Override
+ public void onViewCreated(View view, @Nullable Bundle savedInstanceState) {
+ super.onViewCreated(view, savedInstanceState);
+ mEmpty = new TextView(getContext());
+ mEmpty.setGravity(Gravity.CENTER);
+ mEmpty.setText(R.string.sensor_access_title_empty_text);
+ TypedValue value = new TypedValue();
+ getContext().getTheme().resolveAttribute(android.R.attr.textAppearanceMedium, value, true);
+ mEmpty.setTextAppearance(value.resourceId);
+ ((ViewGroup) view.findViewById(android.R.id.list_container)).addView(mEmpty,
+ new LayoutParams(LayoutParams.MATCH_PARENT, LayoutParams.MATCH_PARENT));
+ setEmptyView(mEmpty);
+ reloadList();
+ }
+
+ @Override
+ public void onResume() {
+ super.onResume();
+ getActivity().getActionBar().setTitle(R.string.sensor_access_title);
+ reloadList();
+ }
+
+ private void reloadList() {
+ final PreferenceScreen screen = getPreferenceScreen();
+ screen.removeAll();
+
+ final ArrayList<ApplicationInfo> apps = new ArrayList<>();
+ final List<ApplicationInfo> installed = mPackageManager.getInstalledApplications(0);
+ if (installed != null) {
+ for (ApplicationInfo app : installed) {
+ // Skip system apps
+ if (isUserApp(app.packageName)) {
+ // Only apps effectively having the Op OTHER_SENSORS
+ if (mAppOpsManager.getOpsForPackage(getPackageUid(app.packageName),
+ app.packageName, new int[]{AppOpsManager.OP_OTHER_SENSORS}) != null)
+ apps.add(app);
+ }
+ }
+ }
+ Collections.sort(apps, new PackageItemInfo.DisplayNameComparator(mPackageManager));
+ for (ApplicationInfo app : apps) {
+ final String pkg = app.packageName;
+ final CharSequence label = app.loadLabel(mPackageManager);
+ final SwitchPreference pref = new SwitchPreference(getPrefContext());
+ pref.setPersistent(false);
+ pref.setIcon(app.loadIcon(mPackageManager));
+ pref.setTitle(label);
+ updateState(pref, pkg);
+ pref.setOnPreferenceChangeListener(new OnPreferenceChangeListener() {
+ @Override
+ public boolean onPreferenceChange(Preference preference, Object newValue) {
+ boolean switchOn = (Boolean) newValue;
+ mAppOpsManager.setMode(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg,
+ switchOn ? AppOpsManager.MODE_ALLOWED : AppOpsManager.MODE_IGNORED);
+ pref.setChecked(switchOn);
+ return false;
+ }
+ });
+ screen.addPreference(pref);
+ }
+ }
+
+ public void updateState(SwitchPreference preference, String pkg) {
+ final int mode = mAppOpsManager
+ .checkOpNoThrow(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg);
+ if (mode == AppOpsManager.MODE_ERRORED) {
+ preference.setChecked(false);
+ } else {
+ final boolean checked = mode != AppOpsManager.MODE_IGNORED;
+ preference.setChecked(checked);
+ }
+ }
+
+ private boolean isUserApp(String pkg) {
+ ApplicationInfo appInfo;
+ try {
+ appInfo = mPackageManager.getApplicationInfo(pkg,
+ PackageManager.GET_DISABLED_COMPONENTS
+ | PackageManager.GET_UNINSTALLED_PACKAGES);
+ } catch (PackageManager.NameNotFoundException e) {
+ Log.w(TAG, "Unable to find info for package " + pkg);
+ return false;
+ }
+ return ((appInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0);
+ }
+
+ private int getPackageUid(String pkg) {
+ int uid;
+ try {
+ uid = mPackageManager.getPackageUid(pkg, 0);
+ } catch (PackageManager.NameNotFoundException e) {
+ // We shouldn't hit this, ever. What can we even do after this?
+ uid = -1;
+ }
+ return uid;
+ }
+
+ private final class SettingObserver extends ContentObserver {
+ public SettingObserver() {
+ super(new Handler(Looper.getMainLooper()));
+ }
+
+ @Override
+ public void onChange(boolean selfChange, Uri uri) {
+ reloadList();
+ }
+ }
+}

View File

@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644
<item msgid="6490061470416867723">Small</item>
<item msgid="3579015730662088893">Default</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 6f48171135..e2469b4734 100644
index 2180ea45f6..eeee1c039f 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -810,6 +810,9 @@

View File

@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644
<string-array name="screen_timeout_entries">
<item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index e2469b4734..288dca24e0 100644
index eeee1c039f..c5287c4489 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -25,6 +25,25 @@

View File

@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644
<string-array name="screen_timeout_entries">
<item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 288dca24e0..dde0923463 100644
index c5287c4489..0f254706ff 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -44,6 +44,25 @@

View File

@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting
create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
index dde0923463..fd3d1cde64 100644
index 0f254706ff..fcac812417 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11316,6 +11316,9 @@

View File

@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle
create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
index fd3d1cde64..4b9b109d89 100644
index fcac812417..197882d66e 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11316,6 +11316,8 @@

View File

@ -1,104 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Sat, 14 Nov 2020 13:04:05 +0100
Subject: [PATCH] AppOps: Add further Op for accessing Sensors
(Adapted for R)
Change-Id: Id7d84d910b849cc4f781aac2a6c21278e08bdeec
---
core/java/android/app/AppOpsManager.java | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 6baabb69e028..fb685b57e0a6 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -1150,9 +1150,12 @@ public class AppOpsManager {
// TODO: Add as AppProtoEnums
public static final int OP_RECORD_AUDIO_HOTWORD = 102;
+ /** @hide Access to other Sensors **/
+ public static final int OP_OTHER_SENSORS = 103;
+
/** @hide */
@UnsupportedAppUsage
- public static final int _NUM_OP = 103;
+ public static final int _NUM_OP = 104;
/** Access to coarse location information. */
public static final String OPSTR_COARSE_LOCATION = "android:coarse_location";
@@ -1490,6 +1493,9 @@ public class AppOpsManager {
*/
public static final String OPSTR_RECORD_AUDIO_HOTWORD = "android:record_audio_hotword";
+ /** @hide Other Sensors */
+ public static final String OPSTR_OTHER_SENSORS = "android:other_sensors";
+
/** {@link #sAppOpsToNote} not initialized yet for this op */
private static final byte SHOULD_COLLECT_NOTE_OP_NOT_INITIALIZED = 0;
/** Should not collect noting of this app-op in {@link #sAppOpsToNote} */
@@ -1682,6 +1688,7 @@ public class AppOpsManager {
OP_PHONE_CALL_MICROPHONE, // OP_PHONE_CALL_MICROPHONE
OP_PHONE_CALL_CAMERA, // OP_PHONE_CALL_CAMERA
OP_RECORD_AUDIO_HOTWORD, // RECORD_AUDIO_HOTWORD
+ OP_OTHER_SENSORS, // OTHER SENSORS
};
/**
@@ -1791,6 +1798,7 @@ public class AppOpsManager {
OPSTR_PHONE_CALL_MICROPHONE,
OPSTR_PHONE_CALL_CAMERA,
OPSTR_RECORD_AUDIO_HOTWORD,
+ OPSTR_OTHER_SENSORS,
};
/**
@@ -1901,6 +1909,7 @@ public class AppOpsManager {
"PHONE_CALL_MICROPHONE",
"PHONE_CALL_CAMERA",
"RECORD_AUDIO_HOTWORD",
+ "OTHER_SENSORS",
};
/**
@@ -2012,6 +2021,7 @@ public class AppOpsManager {
null, // no permission for OP_PHONE_CALL_MICROPHONE
null, // no permission for OP_PHONE_CALL_CAMERA
null, // no permission for OP_RECORD_AUDIO_HOTWORD
+ null, // no permission for OP_OTHER_SENSORS
};
/**
@@ -2123,6 +2133,7 @@ public class AppOpsManager {
null, // PHONE_CALL_MICROPHONE
null, // PHONE_CALL_MICROPHONE
null, // RECORD_AUDIO_HOTWORD
+ null, // OTHER SENSORS
};
/**
@@ -2233,6 +2244,7 @@ public class AppOpsManager {
null, // PHONE_CALL_MICROPHONE
null, // PHONE_CALL_CAMERA
null, // RECORD_AUDIO_HOTWORD
+ null, // OTHER SENSORS
};
/**
@@ -2342,6 +2354,7 @@ public class AppOpsManager {
AppOpsManager.MODE_ALLOWED, // PHONE_CALL_MICROPHONE
AppOpsManager.MODE_ALLOWED, // PHONE_CALL_CAMERA
AppOpsManager.MODE_ALLOWED, // OP_RECORD_AUDIO_HOTWORD
+ AppOpsManager.MODE_ALLOWED, // OP_OTHER_SENSORS
};
/**
@@ -2455,6 +2468,7 @@ public class AppOpsManager {
false, // PHONE_CALL_MICROPHONE
false, // PHONE_CALL_CAMERA
false, // RECORD_AUDIO_HOTWORD
+ false, // OTHER SENSORS
};
/**

View File

@ -1,95 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: inthewaves <inthewaves@pm.me>
Date: Sat, 12 Sep 2020 12:28:34 -0700
Subject: [PATCH] support new special runtime permissions
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 17 Mar 2019 11:59:15 -0400
Subject: [PATCH] make INTERNET into a special runtime permission
These are treated as a runtime permission even for legacy apps. They
need to be granted by default for all apps to maintain compatibility.
Ported from 10: 4d5d82f4e2fb9ff68158bf30f3944591bb74dd04
Changes from 10:
- It seems like parts of PackageManagerService#resetUserChangesToRuntimePermissionsAndFlagsLPw
were refactored into PermissionManagerService#resetRuntimePermissionsInternal.
As a result, PackageManagerService is no longer modified.
Ported from 10: 5e2898e9d21dd6802bb0b0139e7e496c41e1cd80
---
.../permission/PermissionManagerService.java | 24 +++++++++++++++----
1 file changed, 19 insertions(+), 5 deletions(-)
core/res/AndroidManifest.xml | 2 +-
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 26fd27b7b5ff..2a79c6019fc1 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1607,7 +1607,7 @@
<permission android:name="android.permission.INTERNET"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
- android:protectionLevel="normal|instant" />
+ android:protectionLevel="dangerous|instant" />
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 8d2363b6e831..26b959879084 100644
index 26b959879084..9e6ecc739ffe 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1461,7 +1461,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
return;
}
@@ -1513,7 +1513,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+ permName + " for package " + packageName);
}
- if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M) {
+ if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
+ && !isSpecialRuntimePermission(permName)) {
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return;
}
@@ -1623,7 +1624,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
return;
}
@@ -1847,7 +1848,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// If this permission was granted by default or role, make sure it is.
if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
- || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0) {
+ || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
+ || isSpecialRuntimePermission(bp.getName())) {
// PermissionPolicyService will handle the app op for runtime permissions later.
grantRuntimePermissionInternal(permName, packageName, false,
Process.SYSTEM_UID, userId, delayingPermCallback);
@@ -2606,6 +2608,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
@@ -2609,7 +2609,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return false;
+ return Manifest.permission.INTERNET.equals(permission);
}
+ public static boolean isSpecialRuntimePermission(final String permission) {
+ return false;
+ }
+
/**
* Restore the permission state for a package.
*
@@ -2952,6 +2958,14 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
}
}
+
+ if (isSpecialRuntimePermission(bp.name) &&
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+ if (permissionsState.grantRuntimePermission(bp, userId)
+ != PERMISSION_OPERATION_FAILURE) {
+ wasChanged = true;
+ }
+ }
} else {
if (permState == null) {
// New permission
@@ -3907,7 +3921,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
&& (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId);
- if (supportsRuntimePermissions) {
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
// Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) {
grantRuntimePermissionInternal(permission, pkg.getPackageName(), false,

View File

@ -1,37 +1,81 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 17 Mar 2019 11:59:15 -0400
Subject: [PATCH] make INTERNET into a special runtime permission
Date: Fri, 21 Jul 2017 11:23:07 -0400
Subject: [PATCH] add a NETWORK permission group for INTERNET
Ported from 10: 5e2898e9d21dd6802bb0b0139e7e496c41e1cd80
Ported from 10: b5c9f9407d5f5407686ea8c02fa67573ddc07824
Changes from 10:
- Needed to run `m api-stubs-docs-non-updatable-update-current-api`
to fix the "You have tried to change the API from what has been
previously approved" errors.
---
core/res/AndroidManifest.xml | 2 +-
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
api/current.txt | 1 +
core/res/AndroidManifest.xml | 8 ++++++++
core/res/res/values/strings.xml | 5 +++++
non-updatable-api/current.txt | 1 +
4 files changed, 15 insertions(+)
diff --git a/api/current.txt b/api/current.txt
index 952ccdad992c..728c0e95ca6d 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -184,6 +184,7 @@ package android {
field public static final String CONTACTS = "android.permission-group.CONTACTS";
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+ field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 26fd27b7b5ff..2a79c6019fc1 100644
index 2a79c6019fc1..e70e54b62f61 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1607,7 +1607,7 @@
@@ -1601,10 +1601,18 @@
<!-- ======================================= -->
<eat-comment />
+ <!-- Network access -->
+ <permission-group android:name="android.permission-group.NETWORK"
+ android:icon="@drawable/perm_group_network"
+ android:label="@string/permgrouplab_network"
+ android:description="@string/permgroupdesc_network"
+ android:priority="900" />
+
<!-- Allows applications to open network sockets.
<p>Protection level: normal
-->
<permission android:name="android.permission.INTERNET"
+ android:permissionGroup="android.permission-group.UNDEFINED"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
- android:protectionLevel="normal|instant" />
+ android:protectionLevel="dangerous|instant" />
android:protectionLevel="dangerous|instant" />
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 5c659123b027..7f114cf9b6b4 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -804,6 +804,11 @@
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permgroupdesc_sensors">access sensor data about your vital signs</string>
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 26b959879084..9e6ecc739ffe 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -2609,7 +2609,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return false;
+ return Manifest.permission.INTERNET.equals(permission);
}
/**
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_network">Network</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_network">access the network</string>
+
<!-- Title for the capability of an accessibility service to retrieve window content. -->
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
<!-- Description for the capability of an accessibility service to retrieve window content. -->
diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt
index 5f15216e8400..189544f98594 100644
--- a/non-updatable-api/current.txt
+++ b/non-updatable-api/current.txt
@@ -184,6 +184,7 @@ package android {
field public static final String CONTACTS = "android.permission-group.CONTACTS";
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+ field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";

View File

@ -1,81 +1,112 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 21 Jul 2017 11:23:07 -0400
Subject: [PATCH] add a NETWORK permission group for INTERNET
From: Zoraver Kang <zkang@wpi.edu>
Date: Mon, 16 Sep 2019 16:41:30 -0400
Subject: [PATCH] Enforce INTERNET as a runtime permission.
Ported from 10: b5c9f9407d5f5407686ea8c02fa67573ddc07824
Changes from 10:
- Needed to run `m api-stubs-docs-non-updatable-update-current-api`
to fix the "You have tried to change the API from what has been
previously approved" errors.
Ported from 10: 69f726bc4219a7acea0319ae8d4b5fda48cd9861
---
api/current.txt | 1 +
core/res/AndroidManifest.xml | 8 ++++++++
core/res/res/values/strings.xml | 5 +++++
non-updatable-api/current.txt | 1 +
4 files changed, 15 insertions(+)
.../connectivity/PermissionMonitor.java | 59 ++++++++++++-------
1 file changed, 39 insertions(+), 20 deletions(-)
diff --git a/api/current.txt b/api/current.txt
index 952ccdad992c..728c0e95ca6d 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -184,6 +184,7 @@ package android {
field public static final String CONTACTS = "android.permission-group.CONTACTS";
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+ field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 2a79c6019fc1..e70e54b62f61 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1601,10 +1601,18 @@
<!-- ======================================= -->
<eat-comment />
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index f0b7150dd84f..41c013b4b197 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
import static android.os.Process.SYSTEM_UID;
+ <!-- Network access -->
+ <permission-group android:name="android.permission-group.NETWORK"
+ android:icon="@drawable/perm_group_network"
+ android:label="@string/permgrouplab_network"
+ android:description="@string/permgroupdesc_network"
+ android:priority="900" />
import android.annotation.NonNull;
+import android.annotation.UserIdInt;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
import com.android.internal.util.IndentingPrintWriter;
import com.android.server.LocalServices;
import com.android.server.SystemConfig;
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
import java.util.ArrayList;
import java.util.Collection;
@@ -80,6 +82,7 @@ public class PermissionMonitor {
private static final int VERSION_Q = Build.VERSION_CODES.Q;
private final PackageManager mPackageManager;
+ private final PackageManagerInternal mPackageManagerInternal;
private final UserManager mUserManager;
private final INetd mNetd;
@@ -104,26 +107,6 @@ public class PermissionMonitor {
private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
- private int getPermissionForUid(int uid) {
- int permission = 0;
- // Check all the packages for this UID. The UID has the permission if any of the
- // packages in it has the permission.
- String[] packages = mPackageManager.getPackagesForUid(uid);
- if (packages != null && packages.length > 0) {
- for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
- if (app != null && app.requestedPermissions != null) {
- permission |= getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- }
- }
- } else {
- // The last package of this uid is removed from device. Clean the package up.
- permission = INetd.PERMISSION_UNINSTALLED;
- }
- return permission;
- }
-
@Override
public void onPackageAdded(String packageName, int uid) {
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
@@ -140,10 +123,46 @@ public class PermissionMonitor {
}
}
+ private int getPermissionForUid(int uid) {
+ int permission = 0;
+ // Check all the packages for this UID. The UID has the permission if any of the
+ // packages in it has the permission.
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages != null && packages.length > 0) {
+ for (String name : packages) {
+ final PackageInfo app = getPackageInfo(name);
+ if (app != null && app.requestedPermissions != null) {
+ permission |= getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ }
+ }
+ } else {
+ // The last package of this uid is removed from device. Clean the package up.
+ permission = INetd.PERMISSION_UNINSTALLED;
+ }
+ return permission;
+ }
+
<!-- Allows applications to open network sockets.
<p>Protection level: normal
-->
<permission android:name="android.permission.INTERNET"
+ android:permissionGroup="android.permission-group.UNDEFINED"
android:description="@string/permdesc_createNetworkSockets"
android:label="@string/permlab_createNetworkSockets"
android:protectionLevel="dangerous|instant" />
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 5c659123b027..7f114cf9b6b4 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -804,6 +804,11 @@
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permgroupdesc_sensors">access sensor data about your vital signs</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_network">Network</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_network">access the network</string>
+ // implements OnRuntimePermissionStateChangedListener
+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+ @UserIdInt int userId) {
+ // userId is _not_ uid
+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+ }
+
<!-- Title for the capability of an accessibility service to retrieve window content. -->
<string name="capability_title_canRetrieveWindowContent">Retrieve window content</string>
<!-- Description for the capability of an accessibility service to retrieve window content. -->
diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt
index 5f15216e8400..189544f98594 100644
--- a/non-updatable-api/current.txt
+++ b/non-updatable-api/current.txt
@@ -184,6 +184,7 @@ package android {
field public static final String CONTACTS = "android.permission-group.CONTACTS";
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
+ field public static final String NETWORK = "android.permission-group.NETWORK";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
public PermissionMonitor(Context context, INetd netd) {
mPackageManager = context.getPackageManager();
mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
mNetd = netd;
+
+ mPackageManagerInternal = LocalServices.getService(
+ PackageManagerInternal.class);
+
+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
+ PermissionManagerServiceInternal.class);
+ permManagerInternal.addOnRuntimePermissionStateChangedListener(
+ this::enforceINTERNETAsRuntimePermission);
}
// Intended to be called only once at startup, after the system is ready. Installs a broadcast

View File

@ -1,112 +1,82 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Zoraver Kang <zkang@wpi.edu>
Date: Mon, 16 Sep 2019 16:41:30 -0400
Subject: [PATCH] Enforce INTERNET as a runtime permission.
From: pratyush <codelab@pratyush.dev>
Date: Sun, 25 Apr 2021 07:04:03 +0530
Subject: [PATCH] fix INTERNET enforcement for secondary users
Ported from 10: 69f726bc4219a7acea0319ae8d4b5fda48cd9861
This code was not specifying the profile for the app so it wasn't
working properly with INTERNET as a runtime permission.
---
.../connectivity/PermissionMonitor.java | 59 ++++++++++++-------
1 file changed, 39 insertions(+), 20 deletions(-)
.../connectivity/PermissionMonitor.java | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index f0b7150dd84f..41c013b4b197 100644
index 41c013b4b197..09cd274cbb05 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -29,6 +29,7 @@ import static android.os.Process.INVALID_UID;
import static android.os.Process.SYSTEM_UID;
@@ -130,7 +130,8 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
+ int userId = UserHandle.getUserId(uid);
+ final PackageInfo app = getPackageInfo(name, userId);
if (app != null && app.requestedPermissions != null) {
permission |= getNetdPermissionMask(app.requestedPermissions,
app.requestedPermissionsFlags);
@@ -147,7 +148,7 @@ public class PermissionMonitor {
private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
@UserIdInt int userId) {
// userId is _not_ uid
- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId);
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
}
import android.annotation.NonNull;
+import android.annotation.UserIdInt;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
@@ -55,6 +56,7 @@ import com.android.internal.util.ArrayUtils;
import com.android.internal.util.IndentingPrintWriter;
import com.android.server.LocalServices;
import com.android.server.SystemConfig;
+import com.android.server.pm.permission.PermissionManagerServiceInternal;
@@ -364,12 +365,13 @@ public class PermissionMonitor {
}
import java.util.ArrayList;
import java.util.Collection;
@@ -80,6 +82,7 @@ public class PermissionMonitor {
private static final int VERSION_Q = Build.VERSION_CODES.Q;
private final PackageManager mPackageManager;
+ private final PackageManagerInternal mPackageManagerInternal;
private final UserManager mUserManager;
private final INetd mNetd;
@@ -104,26 +107,6 @@ public class PermissionMonitor {
private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
- private int getPermissionForUid(int uid) {
- int permission = 0;
- // Check all the packages for this UID. The UID has the permission if any of the
- // packages in it has the permission.
- String[] packages = mPackageManager.getPackagesForUid(uid);
- if (packages != null && packages.length > 0) {
- for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
- if (app != null && app.requestedPermissions != null) {
- permission |= getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- }
- }
- } else {
- // The last package of this uid is removed from device. Clean the package up.
- permission = INetd.PERMISSION_UNINSTALLED;
- }
- return permission;
- }
-
@Override
public void onPackageAdded(String packageName, int uid) {
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
@@ -140,10 +123,46 @@ public class PermissionMonitor {
@VisibleForTesting
- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
if (currentPermission == SYSTEM) {
return currentPermission;
}
try {
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
+ UserHandle.getUserId(uid));
final boolean isNetwork = hasNetworkPermission(app);
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
if (isNetwork || hasRestrictedPermission) {
@@ -393,7 +395,7 @@ public class PermissionMonitor {
public synchronized void onPackageAdded(String packageName, int uid) {
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
if (permission != mApps.get(uid)) {
mApps.put(uid, permission);
@@ -445,7 +447,7 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
for (String name : packages) {
- permission = highestPermissionForUid(permission, name);
+ permission = highestPermissionForUid(permission, name, uid);
if (permission == SYSTEM) {
// An app with this UID still has the SYSTEM permission.
// Therefore, this UID must already have the SYSTEM permission.
@@ -485,11 +487,9 @@ public class PermissionMonitor {
return permissions;
}
+ private int getPermissionForUid(int uid) {
+ int permission = 0;
+ // Check all the packages for this UID. The UID has the permission if any of the
+ // packages in it has the permission.
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages != null && packages.length > 0) {
+ for (String name : packages) {
+ final PackageInfo app = getPackageInfo(name);
+ if (app != null && app.requestedPermissions != null) {
+ permission |= getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ }
+ }
+ } else {
+ // The last package of this uid is removed from device. Clean the package up.
+ permission = INetd.PERMISSION_UNINSTALLED;
+ }
+ return permission;
+ }
+
+ // implements OnRuntimePermissionStateChangedListener
+ private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
+ @UserIdInt int userId) {
+ // userId is _not_ uid
+ int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
+ }
+
public PermissionMonitor(Context context, INetd netd) {
mPackageManager = context.getPackageManager();
mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
mNetd = netd;
+
+ mPackageManagerInternal = LocalServices.getService(
+ PackageManagerInternal.class);
+
+ final PermissionManagerServiceInternal permManagerInternal = LocalServices.getService(
+ PermissionManagerServiceInternal.class);
+ permManagerInternal.addOnRuntimePermissionStateChangedListener(
+ this::enforceINTERNETAsRuntimePermission);
}
// Intended to be called only once at startup, after the system is ready. Installs a broadcast
- private PackageInfo getPackageInfo(String packageName) {
+ private PackageInfo getPackageInfo(String packageName, int userId) {
try {
- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
- | MATCH_ANY_USER);
- return app;
+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
} catch (NameNotFoundException e) {
return null;
}

View File

@ -1,82 +1,125 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: pratyush <codelab@pratyush.dev>
Date: Sun, 25 Apr 2021 07:04:03 +0530
Subject: [PATCH] fix INTERNET enforcement for secondary users
From: Pratyush <codelab@pratyush.dev>
Date: Thu, 12 Aug 2021 03:44:41 +0530
Subject: [PATCH] send uid for each user instead of just owner/admin user
This code was not specifying the profile for the app so it wasn't
working properly with INTERNET as a runtime permission.
---
.../connectivity/PermissionMonitor.java | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
.../connectivity/PermissionMonitor.java | 83 +++++++++++--------
1 file changed, 49 insertions(+), 34 deletions(-)
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 41c013b4b197..09cd274cbb05 100644
index 09cd274cbb05..ee0c531ef13e 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -130,7 +130,8 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
@@ -132,7 +132,7 @@ public class PermissionMonitor {
for (String name : packages) {
- final PackageInfo app = getPackageInfo(name);
+ int userId = UserHandle.getUserId(uid);
+ final PackageInfo app = getPackageInfo(name, userId);
if (app != null && app.requestedPermissions != null) {
int userId = UserHandle.getUserId(uid);
final PackageInfo app = getPackageInfo(name, userId);
- if (app != null && app.requestedPermissions != null) {
+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
permission |= getNetdPermissionMask(app.requestedPermissions,
app.requestedPermissionsFlags);
@@ -147,7 +148,7 @@ public class PermissionMonitor {
private void enforceINTERNETAsRuntimePermission(@NonNull String packageName,
@UserIdInt int userId) {
// userId is _not_ uid
- int uid = mPackageManagerInternal.getPackageUid(packageName, 0, userId);
+ int uid = mPackageManagerInternal.getPackageUidInternal( packageName, GET_PERMISSIONS, userId);
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
}
}
@@ -177,44 +177,45 @@ public class PermissionMonitor {
} else {
loge("failed to get the PackageManagerInternal service");
}
- List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
- | MATCH_ANY_USER);
- if (apps == null) {
- loge("No apps");
- return;
- }
@@ -364,12 +365,13 @@ public class PermissionMonitor {
}
SparseIntArray netdPermsUids = new SparseIntArray();
@VisibleForTesting
- protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
+ protected Boolean highestPermissionForUid(Boolean currentPermission, String name, int uid) {
if (currentPermission == SYSTEM) {
return currentPermission;
- for (PackageInfo app : apps) {
- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
- if (uid < 0) {
- continue;
- }
- mAllApps.add(UserHandle.getAppId(uid));
-
- boolean isNetwork = hasNetworkPermission(app);
- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
-
- if (isNetwork || hasRestrictedPermission) {
- Boolean permission = mApps.get(uid);
- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- if (permission == null || permission == NETWORK) {
- mApps.put(uid, hasRestrictedPermission);
- }
- }
-
- //TODO: unify the management of the permissions into one codepath.
- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
- }
-
List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
if (users != null) {
for (UserInfo user : users) {
mUsers.add(user.id);
+
+ List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
+ if (apps == null) {
+ loge("No apps");
+ continue;
+ }
+
+ for (PackageInfo app : apps) {
+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+ if (uid < 0) {
+ continue;
+ }
+ mAllApps.add(UserHandle.getAppId(uid));
+
+ boolean isNetwork = hasNetworkPermission(app);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+
+ if (isNetwork || hasRestrictedPermission) {
+ Boolean permission = mApps.get(uid);
+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+ if (permission == null || permission == NETWORK) {
+ mApps.put(uid, hasRestrictedPermission);
+ }
+ }
+
+ //TODO: unify the management of the permissions into one codepath.
+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+ }
+
}
}
@@ -308,9 +309,23 @@ public class PermissionMonitor {
List<Integer> network = new ArrayList<>();
List<Integer> system = new ArrayList<>();
for (Entry<Integer, Boolean> app : apps.entrySet()) {
- List<Integer> list = app.getValue() ? system : network;
for (int user : users) {
- list.add(UserHandle.getUid(user, app.getKey()));
+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
+ if (uid < 0) continue;
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages == null) continue;
+ for (String pkg : packages) {
+ PackageInfo info = getPackageInfo(pkg, user);
+ if (info != null && info.applicationInfo.uid == uid) {
+ boolean isNetwork = hasNetworkPermission(info);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
+
+ if (isNetwork || hasRestrictedPermission) {
+ List<Integer> list = hasRestrictedPermission ? system : network;
+ list.add(UserHandle.getUid(user, app.getKey()));
+ }
+ }
+ }
}
}
try {
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+ final PackageInfo app = mPackageManager.getPackageInfoAsUser(name, GET_PERMISSIONS,
+ UserHandle.getUserId(uid));
final boolean isNetwork = hasNetworkPermission(app);
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
if (isNetwork || hasRestrictedPermission) {
@@ -393,7 +395,7 @@ public class PermissionMonitor {
public synchronized void onPackageAdded(String packageName, int uid) {
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
+ final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName, uid);
if (permission != mApps.get(uid)) {
mApps.put(uid, permission);
@@ -445,7 +447,7 @@ public class PermissionMonitor {
String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) {
for (String name : packages) {
- permission = highestPermissionForUid(permission, name);
+ permission = highestPermissionForUid(permission, name, uid);
if (permission == SYSTEM) {
// An app with this UID still has the SYSTEM permission.
// Therefore, this UID must already have the SYSTEM permission.
@@ -485,11 +487,9 @@ public class PermissionMonitor {
return permissions;
}
- private PackageInfo getPackageInfo(String packageName) {
+ private PackageInfo getPackageInfo(String packageName, int userId) {
try {
- PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
- | MATCH_ANY_USER);
- return app;
+ return mPackageManager.getPackageInfoAsUser(packageName, GET_PERMISSIONS, userId);
} catch (NameNotFoundException e) {
return null;
}

View File

@ -1,125 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pratyush <codelab@pratyush.dev>
Date: Thu, 12 Aug 2021 03:44:41 +0530
Subject: [PATCH] send uid for each user instead of just owner/admin user
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 14 Dec 2021 18:17:11 +0200
Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
---
.../connectivity/PermissionMonitor.java | 83 +++++++++++--------
1 file changed, 49 insertions(+), 34 deletions(-)
core/java/android/net/ConnectivityManager.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 09cd274cbb05..ee0c531ef13e 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -132,7 +132,7 @@ public class PermissionMonitor {
for (String name : packages) {
int userId = UserHandle.getUserId(uid);
final PackageInfo app = getPackageInfo(name, userId);
- if (app != null && app.requestedPermissions != null) {
+ if (app != null && app.requestedPermissions != null && app.applicationInfo.uid == uid) {
permission |= getNetdPermissionMask(app.requestedPermissions,
app.requestedPermissionsFlags);
}
@@ -177,44 +177,45 @@ public class PermissionMonitor {
} else {
loge("failed to get the PackageManagerInternal service");
}
- List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
- | MATCH_ANY_USER);
- if (apps == null) {
- loge("No apps");
- return;
- }
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 7df32c10b16b..a2b04f3e9540 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -17,6 +17,7 @@ package android.net;
SparseIntArray netdPermsUids = new SparseIntArray();
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
- for (PackageInfo app : apps) {
- int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
- if (uid < 0) {
- continue;
- }
- mAllApps.add(UserHandle.getAppId(uid));
-
- boolean isNetwork = hasNetworkPermission(app);
- boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
-
- if (isNetwork || hasRestrictedPermission) {
- Boolean permission = mApps.get(uid);
- // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
- // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
- if (permission == null || permission == NETWORK) {
- mApps.put(uid, hasRestrictedPermission);
- }
- }
-
- //TODO: unify the management of the permissions into one codepath.
- int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
- app.requestedPermissionsFlags);
- netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
- }
-
List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
if (users != null) {
for (UserInfo user : users) {
mUsers.add(user.id);
+
+ List<PackageInfo> apps = mPackageManager.getInstalledPackagesAsUser(GET_PERMISSIONS, user.id);
+ if (apps == null) {
+ loge("No apps");
+ continue;
+ }
+
+ for (PackageInfo app : apps) {
+ int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
+ if (uid < 0) {
+ continue;
+ }
+ mAllApps.add(UserHandle.getAppId(uid));
+
+ boolean isNetwork = hasNetworkPermission(app);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
+
+ if (isNetwork || hasRestrictedPermission) {
+ Boolean permission = mApps.get(uid);
+ // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
+ // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
+ if (permission == null || permission == NETWORK) {
+ mApps.put(uid, hasRestrictedPermission);
+ }
+ }
+
+ //TODO: unify the management of the permissions into one codepath.
+ int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
+ app.requestedPermissionsFlags);
+ netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
+ }
+
}
}
@@ -308,9 +309,23 @@ public class PermissionMonitor {
List<Integer> network = new ArrayList<>();
List<Integer> system = new ArrayList<>();
for (Entry<Integer, Boolean> app : apps.entrySet()) {
- List<Integer> list = app.getValue() ? system : network;
for (int user : users) {
- list.add(UserHandle.getUid(user, app.getKey()));
+ int uid = UserHandle.getUid(user, UserHandle.getAppId(app.getKey()));
+ if (uid < 0) continue;
+ String[] packages = mPackageManager.getPackagesForUid(uid);
+ if (packages == null) continue;
+ for (String pkg : packages) {
+ PackageInfo info = getPackageInfo(pkg, user);
+ if (info != null && info.applicationInfo.uid == uid) {
+ boolean isNetwork = hasNetworkPermission(info);
+ boolean hasRestrictedPermission = hasRestrictedNetworkPermission(info);
+
+ if (isNetwork || hasRestrictedPermission) {
+ List<Integer> list = hasRestrictedPermission ? system : network;
+ list.add(UserHandle.getUid(user, app.getKey()));
+ }
+ }
+ }
}
}
+import android.Manifest;
import android.annotation.CallbackExecutor;
import android.annotation.IntDef;
import android.annotation.NonNull;
@@ -31,6 +32,7 @@ import android.app.PendingIntent;
import android.compat.annotation.UnsupportedAppUsage;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.net.IpSecManager.UdpEncapsulationSocket;
import android.net.SocketKeepalive.Callback;
import android.net.TetheringManager.StartTetheringCallback;
@@ -3047,6 +3049,12 @@ public class ConnectivityManager {
*/
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
printStackTrace();
+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
+ // ConnectivityService enforces this by throwing an unexpected SecurityException,
+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that
+ // INTERNET permission might get revoked.
+ return;
+ }
try {
mService.reportNetworkConnectivity(network, hasConnectivity);
} catch (RemoteException e) {

View File

@ -1,42 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Tue, 14 Dec 2021 18:17:11 +0200
Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
---
core/java/android/net/ConnectivityManager.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 7df32c10b16b..a2b04f3e9540 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -17,6 +17,7 @@ package android.net;
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
+import android.Manifest;
import android.annotation.CallbackExecutor;
import android.annotation.IntDef;
import android.annotation.NonNull;
@@ -31,6 +32,7 @@ import android.app.PendingIntent;
import android.compat.annotation.UnsupportedAppUsage;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.net.IpSecManager.UdpEncapsulationSocket;
import android.net.SocketKeepalive.Callback;
import android.net.TetheringManager.StartTetheringCallback;
@@ -3047,6 +3049,12 @@ public class ConnectivityManager {
*/
public void reportNetworkConnectivity(@Nullable Network network, boolean hasConnectivity) {
printStackTrace();
+ if (mContext.checkSelfPermission(Manifest.permission.INTERNET) != PackageManager.PERMISSION_GRANTED) {
+ // ConnectivityService enforces this by throwing an unexpected SecurityException,
+ // which puts GMS into a crash loop. Also useful for other apps that don't expect that
+ // INTERNET permission might get revoked.
+ return;
+ }
try {
mService.reportNetworkConnectivity(network, hasConnectivity);
} catch (RemoteException e) {

View File

@ -0,0 +1,142 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:54:42 -0400
Subject: [PATCH] add special runtime permission for other sensors
This covers sensors not included in the existing runtime permission for
body sensors.
Ported from 10: 9ec9f7f521323552fa658b46862c8408f1a7b41b
Changes from 10:
- Needed to run `m api-stubs-docs-non-updatable-update-current-api`
to fix the "You have tried to change the API from what has been
previously approved" errors.
---
api/current.txt | 2 ++
core/java/android/content/pm/PackageParser.java | 2 ++
core/res/AndroidManifest.xml | 12 ++++++++++++
core/res/res/values/strings.xml | 12 ++++++++++++
non-updatable-api/current.txt | 2 ++
.../pm/permission/PermissionManagerService.java | 2 +-
6 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/api/current.txt b/api/current.txt
index 728c0e95ca6d..4ab72254811f 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -106,6 +106,7 @@ package android {
field public static final String NFC = "android.permission.NFC";
field public static final String NFC_PREFERRED_PAYMENT_INFO = "android.permission.NFC_PREFERRED_PAYMENT_INFO";
field public static final String NFC_TRANSACTION_EVENT = "android.permission.NFC_TRANSACTION_EVENT";
+ field public static final String OTHER_SENSORS = "android.permission.OTHER_SENSORS";
field public static final String PACKAGE_USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS";
field @Deprecated public static final String PERSISTENT_ACTIVITY = "android.permission.PERSISTENT_ACTIVITY";
field @Deprecated public static final String PROCESS_OUTGOING_CALLS = "android.permission.PROCESS_OUTGOING_CALLS";
@@ -185,6 +186,7 @@ package android {
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
field public static final String NETWORK = "android.permission-group.NETWORK";
+ field public static final String OTHER_SENSORS = "android.permission-group.OTHER_SENSORS";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index 57f8a713ec13..c63fea6e3e0e 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -280,6 +280,8 @@ public class PackageParser {
@UnsupportedAppUsage
public static final PackageParser.NewPermissionInfo NEW_PERMISSIONS[] =
new PackageParser.NewPermissionInfo[] {
+ new PackageParser.NewPermissionInfo(android.Manifest.permission.OTHER_SENSORS,
+ android.os.Build.VERSION_CODES.CUR_DEVELOPMENT + 1, 0),
new PackageParser.NewPermissionInfo(android.Manifest.permission.WRITE_EXTERNAL_STORAGE,
android.os.Build.VERSION_CODES.DONUT, 0),
new PackageParser.NewPermissionInfo(android.Manifest.permission.READ_PHONE_STATE,
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index e70e54b62f61..5d554d10b056 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1391,6 +1391,18 @@
android:description="@string/permdesc_useBiometric"
android:protectionLevel="normal" />
+ <permission-group android:name="android.permission-group.OTHER_SENSORS"
+ android:icon="@drawable/perm_group_location"
+ android:label="@string/permgrouplab_otherSensors"
+ android:description="@string/permgroupdesc_otherSensors"
+ android:priority="1000" />
+
+ <permission android:name="android.permission.OTHER_SENSORS"
+ android:permissionGroup="android.permission-group.UNDEFINED"
+ android:label="@string/permlab_otherSensors"
+ android:description="@string/permdesc_otherSensors"
+ android:protectionLevel="dangerous" />
+
<!-- ====================================================================== -->
<!-- REMOVED PERMISSIONS -->
<!-- ====================================================================== -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index 7f114cf9b6b4..7eaa99ab324f 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -804,6 +804,11 @@
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permgroupdesc_sensors">access sensor data about your vital signs</string>
+ <!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgrouplab_otherSensors">Sensors</string>
+ <!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
+ <string name="permgroupdesc_otherSensors">access sensor data about orientation, movement, etc.</string>
+
<!-- Title of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permgrouplab_network">Network</string>
<!-- Description of a category of application permissions, listed so the user can choose whether they want to allow the application to do this. -->
@@ -1118,6 +1123,13 @@
<string name="permdesc_bodySensors" product="default">Allows the app to access data from sensors
that monitor your physical condition, such as your heart rate.</string>
+ <!-- Title of the sensors permission, listed so the user can decide whether to allow the application to access sensor data. [CHAR LIMIT=80] -->
+ <string name="permlab_otherSensors">access sensors (like the compass)
+ </string>
+ <!-- Description of the sensors permission, listed so the user can decide whether to allow the application to access data from sensors. [CHAR LIMIT=NONE] -->
+ <string name="permdesc_otherSensors" product="default">Allows the app to access data from sensors
+ monitoring orientation, movement, vibration (including low frequency sound) and environmental data</string>
+
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_readCalendar">Read calendar events and details</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/non-updatable-api/current.txt b/non-updatable-api/current.txt
index 189544f98594..9badc8c4d9c0 100644
--- a/non-updatable-api/current.txt
+++ b/non-updatable-api/current.txt
@@ -106,6 +106,7 @@ package android {
field public static final String NFC = "android.permission.NFC";
field public static final String NFC_PREFERRED_PAYMENT_INFO = "android.permission.NFC_PREFERRED_PAYMENT_INFO";
field public static final String NFC_TRANSACTION_EVENT = "android.permission.NFC_TRANSACTION_EVENT";
+ field public static final String OTHER_SENSORS = "android.permission.OTHER_SENSORS";
field public static final String PACKAGE_USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS";
field @Deprecated public static final String PERSISTENT_ACTIVITY = "android.permission.PERSISTENT_ACTIVITY";
field @Deprecated public static final String PROCESS_OUTGOING_CALLS = "android.permission.PROCESS_OUTGOING_CALLS";
@@ -185,6 +186,7 @@ package android {
field public static final String LOCATION = "android.permission-group.LOCATION";
field public static final String MICROPHONE = "android.permission-group.MICROPHONE";
field public static final String NETWORK = "android.permission-group.NETWORK";
+ field public static final String OTHER_SENSORS = "android.permission-group.OTHER_SENSORS";
field public static final String PHONE = "android.permission-group.PHONE";
field public static final String SENSORS = "android.permission-group.SENSORS";
field public static final String SMS = "android.permission-group.SMS";
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 9e6ecc739ffe..c744a0b5079a 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -2609,7 +2609,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
public static boolean isSpecialRuntimePermission(final String permission) {
- return Manifest.permission.INTERNET.equals(permission);
+ return Manifest.permission.INTERNET.equals(permission) || Manifest.permission.OTHER_SENSORS.equals(permission);
}
/**

View File

@ -0,0 +1,95 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: inthewaves <inthewaves@pm.me>
Date: Sat, 12 Sep 2020 12:28:34 -0700
Subject: [PATCH] support new special runtime permissions
These are treated as a runtime permission even for legacy apps. They
need to be granted by default for all apps to maintain compatibility.
Ported from 10: 4d5d82f4e2fb9ff68158bf30f3944591bb74dd04
Changes from 10:
- It seems like parts of PackageManagerService#resetUserChangesToRuntimePermissionsAndFlagsLPw
were refactored into PermissionManagerService#resetRuntimePermissionsInternal.
As a result, PackageManagerService is no longer modified.
---
.../permission/PermissionManagerService.java | 24 +++++++++++++++----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 8d2363b6e831..26b959879084 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1461,7 +1461,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(permName)) {
return;
}
@@ -1513,7 +1513,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
+ permName + " for package " + packageName);
}
- if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M) {
+ if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
+ && !isSpecialRuntimePermission(permName)) {
Slog.w(TAG, "Cannot grant runtime permission to a legacy app");
return;
}
@@ -1623,7 +1624,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// to keep the review required permission flag per user while an
// install permission's state is shared across all users.
if (pkg.getTargetSdkVersion() < Build.VERSION_CODES.M
- && bp.isRuntime()) {
+ && bp.isRuntime() && !isSpecialRuntimePermission(bp.name)) {
return;
}
@@ -1847,7 +1848,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {
// If this permission was granted by default or role, make sure it is.
if ((oldFlags & FLAG_PERMISSION_GRANTED_BY_DEFAULT) != 0
- || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0) {
+ || (oldFlags & FLAG_PERMISSION_GRANTED_BY_ROLE) != 0
+ || isSpecialRuntimePermission(bp.getName())) {
// PermissionPolicyService will handle the app op for runtime permissions later.
grantRuntimePermissionInternal(permName, packageName, false,
Process.SYSTEM_UID, userId, delayingPermCallback);
@@ -2606,6 +2608,10 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
}
+ public static boolean isSpecialRuntimePermission(final String permission) {
+ return false;
+ }
+
/**
* Restore the permission state for a package.
*
@@ -2952,6 +2958,14 @@ public class PermissionManagerService extends IPermissionManager.Stub {
}
}
}
+
+ if (isSpecialRuntimePermission(bp.name) &&
+ origPermissions.getRuntimePermissionState(bp.name, userId) == null) {
+ if (permissionsState.grantRuntimePermission(bp, userId)
+ != PERMISSION_OPERATION_FAILURE) {
+ wasChanged = true;
+ }
+ }
} else {
if (permState == null) {
// New permission
@@ -3907,7 +3921,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
&& (grantedPermissions == null
|| ArrayUtils.contains(grantedPermissions, permission))) {
final int flags = permissionsState.getPermissionFlags(permission, userId);
- if (supportsRuntimePermissions) {
+ if (supportsRuntimePermissions || isSpecialRuntimePermission(bp.name)) {
// Installer cannot change immutable permissions.
if ((flags & immutableFlags) == 0) {
grantRuntimePermissionInternal(permission, pkg.getPackageName(), false,

View File

@ -1,73 +1,22 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Sat, 14 Nov 2020 13:21:18 +0100
Subject: [PATCH] AppOps: New Op for (Other) sensors access
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 16:28:57 -0400
Subject: [PATCH] require OTHER_SENSORS permission for sensors
* Add new sensor op to enum
* Invoke OP_OTHER_SENSORS as default
* Adapt logic for checking the Ops, if no permission is linked
cherry-picked from lin17-microG and adapted for R
Change-Id: If4011566a391314afed9a26e1dcf6e4bc838e4f7
Ported from 10: ff005a6b6a38baef95c4a01d7e1fc75aac651a58
---
libs/binder/include/binder/AppOpsManager.h | 3 ++-
libs/sensor/Sensor.cpp | 1 +
services/sensorservice/SensorService.cpp | 10 ++++++----
3 files changed, 9 insertions(+), 5 deletions(-)
libs/sensor/Sensor.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/libs/binder/include/binder/AppOpsManager.h b/libs/binder/include/binder/AppOpsManager.h
index d93935ae5d..4a8c36f5b2 100644
--- a/libs/binder/include/binder/AppOpsManager.h
+++ b/libs/binder/include/binder/AppOpsManager.h
@@ -135,7 +135,8 @@ public:
OP_PHONE_CALL_MICROPHONE = 100,
OP_PHONE_CALL_CAMERA = 101,
OP_RECORD_AUDIO_HOTWORD = 102,
- _NUM_OP = 103
+ OP_OTHER_SENSORS = 103,
+ _NUM_OP = 104
};
AppOpsManager();
diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp
index 9d817ae0bd..76d365d5f7 100644
index 9d817ae0bd..91df16e64a 100644
--- a/libs/sensor/Sensor.cpp
+++ b/libs/sensor/Sensor.cpp
@@ -59,6 +59,7 @@ Sensor::Sensor(struct sensor_t const& hwSensor, const uuid_t& uuid, int halVersi
mMinDelay = hwSensor.minDelay;
mFlags = 0;
mUuid = uuid;
+ mRequiredAppOp = AppOpsManager::OP_OTHER_SENSORS; //default, other values are explicitly set
+ mRequiredPermission = "android.permission.OTHER_SENSORS";
// Set fifo event count zero for older devices which do not support batching. Fused
// sensors also have their fifo counts set to zero.
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 3ca34bba1b..8a62b2bb9c 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -1798,10 +1798,9 @@ status_t SensorService::flushSensor(const sp<SensorEventConnection>& connection,
bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
const String16& opPackageName) {
+
// Check if a permission is required for this sensor
- if (sensor.getRequiredPermission().length() <= 0) {
- return true;
- }
+ bool noAssociatedPermission = (sensor.getRequiredPermission().length() <= 0);
const int32_t opCode = sensor.getRequiredAppOp();
const int32_t appOpMode = sAppOpsManager.checkOp(opCode,
@@ -1816,7 +1815,10 @@ bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
// Allow access to step sensors if the application targets pre-Q, which is before the
// requirement to hold the AR permission to access Step Counter and Step Detector events
// was introduced.
- canAccess = true;
+ // [MSe1969: Of course only, if AppOpAllowed]
+ canAccess = appOpAllowed;
+ } else if (noAssociatedPermission) {
+ canAccess = appOpAllowed;
} else if (hasPermissionForSensor(sensor)) {
// Ensure that the AppOp is allowed, or that there is no necessary app op for the sensor
if (opCode < 0 || appOpAllowed) {

View File

@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:55:58 -0400
Subject: [PATCH] always treat OTHER_SENSORS as a runtime permission
ported from 10: a1204e6126189810018ff5540858536a1c58ac37
---
.../permission/model/AppPermissionGroup.java | 4 ++--
.../permissioncontroller/permission/model/Permission.java | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
index 0399a1836..4838046ac 100644
--- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
@@ -873,7 +873,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
boolean wasGranted = permission.isGrantedIncludingAppOp();
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
// Do not touch permissions fixed by the system.
if (permission.isSystemFixed()) {
wasAllGranted = false;
@@ -1058,7 +1058,7 @@ public final class AppPermissionGroup implements Comparable<AppPermissionGroup>
break;
}
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
// Revoke the permission if needed.
if (permission.isGranted()) {
permission.setGranted(false);
diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java
index 3af5241af..f65b75a9c 100644
--- a/src/com/android/permissioncontroller/permission/model/Permission.java
+++ b/src/com/android/permissioncontroller/permission/model/Permission.java
@@ -138,7 +138,7 @@ public final class Permission {
* @return {@code true} if the permission (and the app-op) is granted.
*/
public boolean isGrantedIncludingAppOp() {
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
+ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName) || Manifest.permission.OTHER_SENSORS.equals(mName));
}
public boolean isReviewRequired() {

View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 7 Oct 2017 15:56:35 -0400
Subject: [PATCH] add OTHER_SENSORS permission group
ported from 10: fc8c816e07ce39583774db8fe668e0505b6aa504
---
.../android/permissioncontroller/permission/utils/Utils.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
index 2f0dc3d21..81d1994bc 100644
--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
@@ -26,6 +26,7 @@ import static android.Manifest.permission_group.CONTACTS;
import static android.Manifest.permission_group.LOCATION;
import static android.Manifest.permission_group.MICROPHONE;
import static android.Manifest.permission_group.NETWORK;
+import static android.Manifest.permission_group.OTHER_SENSORS;
import static android.Manifest.permission_group.PHONE;
import static android.Manifest.permission_group.SENSORS;
import static android.Manifest.permission_group.SMS;
@@ -211,6 +212,7 @@ public final class Utils {
PLATFORM_PERMISSIONS.put(Manifest.permission.BODY_SENSORS, SENSORS);
PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
+ PLATFORM_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS);
PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
int numPlatformPermissions = PLATFORM_PERMISSIONS.size();

View File

@ -4,13 +4,13 @@ Date: Sat, 12 Sep 2020 15:40:58 -0700
Subject: [PATCH] refactor handling of special runtime permissions
---
.../permission/model/AppPermissionGroup.java | 5 ++---
.../permission/model/Permission.java | 5 +++--
.../permission/utils/Utils.java | 17 +++++++++++++++++
3 files changed, 22 insertions(+), 5 deletions(-)
.../permission/model/AppPermissionGroup.java | 5 ++---
.../permission/model/Permission.java | 5 +++--
.../permission/utils/Utils.java | 18 ++++++++++++++++++
3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
index 0399a1836..cb4eab9f7 100644
index 4838046ac..cb4eab9f7 100644
--- a/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
+++ b/src/com/android/permissioncontroller/permission/model/AppPermissionGroup.java
@@ -34,7 +34,6 @@ import android.content.pm.PackageManager;
@ -25,7 +25,7 @@ index 0399a1836..cb4eab9f7 100644
boolean wasGranted = permission.isGrantedIncludingAppOp();
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) {
// Do not touch permissions fixed by the system.
if (permission.isSystemFixed()) {
@ -34,13 +34,13 @@ index 0399a1836..cb4eab9f7 100644
break;
}
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName())) {
- if (mAppSupportsRuntimePermissions || Manifest.permission.INTERNET.equals(permission.getName()) || Manifest.permission.OTHER_SENSORS.equals(permission.getName())) {
+ if (mAppSupportsRuntimePermissions || Utils.isSpecialRuntimePermission(permission.getName())) {
// Revoke the permission if needed.
if (permission.isGranted()) {
permission.setGranted(false);
diff --git a/src/com/android/permissioncontroller/permission/model/Permission.java b/src/com/android/permissioncontroller/permission/model/Permission.java
index 3af5241af..3f17de882 100644
index f65b75a9c..3f17de882 100644
--- a/src/com/android/permissioncontroller/permission/model/Permission.java
+++ b/src/com/android/permissioncontroller/permission/model/Permission.java
@@ -18,10 +18,11 @@ package com.android.permissioncontroller.permission.model;
@ -60,16 +60,16 @@ index 3af5241af..3f17de882 100644
* @return {@code true} if the permission (and the app-op) is granted.
*/
public boolean isGrantedIncludingAppOp() {
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName));
- return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Manifest.permission.INTERNET.equals(mName) || Manifest.permission.OTHER_SENSORS.equals(mName));
+ return mGranted && (!affectsAppOp() || isAppOpAllowed()) && (!isReviewRequired() || Utils.isSpecialRuntimePermission(mName));
}
public boolean isReviewRequired() {
diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
index 2f0dc3d21..dab86e734 100644
index 81d1994bc..2c55aed22 100644
--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
@@ -145,6 +145,9 @@ public final class Utils {
@@ -146,6 +146,9 @@ public final class Utils {
*/
public static final long ONE_TIME_PERMISSIONS_TIMEOUT_MILLIS = 1 * 60 * 1000; // 1 minute
@ -79,17 +79,18 @@ index 2f0dc3d21..dab86e734 100644
/** Mapping permission -> group for all dangerous platform permissions */
private static final ArrayMap<String, String> PLATFORM_PERMISSIONS;
@@ -212,6 +215,9 @@ public final class Utils {
@@ -214,6 +217,10 @@ public final class Utils {
PLATFORM_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
PLATFORM_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS);
+ SPECIAL_RUNTIME_PERMISSIONS = new ArrayMap<>();
+ SPECIAL_RUNTIME_PERMISSIONS.put(Manifest.permission.INTERNET, NETWORK);
+ SPECIAL_RUNTIME_PERMISSIONS.put(Manifest.permission.OTHER_SENSORS, OTHER_SENSORS);
+
PLATFORM_PERMISSION_GROUPS = new ArrayMap<>();
int numPlatformPermissions = PLATFORM_PERMISSIONS.size();
for (int i = 0; i < numPlatformPermissions; i++) {
@@ -642,6 +648,17 @@ public final class Utils {
@@ -644,6 +651,17 @@ public final class Utils {
return PLATFORM_PERMISSIONS.containsKey(permission);
}

View File

@ -60,10 +60,10 @@ index 8dd8e8f77..d7f8f229f 100644
val revocablePermissions = group.permissions.keys.toList()
diff --git a/src/com/android/permissioncontroller/permission/utils/Utils.java b/src/com/android/permissioncontroller/permission/utils/Utils.java
index dab86e734..4a7de5416 100644
index 2c55aed22..90acf9223 100644
--- a/src/com/android/permissioncontroller/permission/utils/Utils.java
+++ b/src/com/android/permissioncontroller/permission/utils/Utils.java
@@ -659,6 +659,17 @@ public final class Utils {
@@ -662,6 +662,17 @@ public final class Utils {
return SPECIAL_RUNTIME_PERMISSIONS.containsKey(permission);
}

View File

@ -1,261 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MSe1969 <mse1969@posteo.de>
Date: Sat, 14 Nov 2020 15:17:37 +0100
Subject: [PATCH] Special Access: Add an option to administer Sensor access
Accesses the added AppOp for OP_OTHER_SENSORS
Change-Id: I79c0ed4ab97494434edc6c308a8a54bd123c02ee
---
res/values-de/strings.xml | 3 +
res/values-fr/strings.xml | 3 +
res/values/strings.xml | 5 +
res/xml/special_access.xml | 7 +
.../specialaccess/sensor/SensorAccess.java | 178 ++++++++++++++++++
5 files changed, 196 insertions(+)
create mode 100644 src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java
diff --git a/res/values-de/strings.xml b/res/values-de/strings.xml
index 4edd33d66b..a22b3de82c 100644
--- a/res/values-de/strings.xml
+++ b/res/values-de/strings.xml
@@ -4945,6 +4945,9 @@
<string name="rtt_settings_no_visible" msgid="7440356831140948382"></string>
<string name="rtt_settings_visible_during_call" msgid="7866181103286073700"></string>
<string name="rtt_settings_always_visible" msgid="2364173070088756238"></string>
+ <string name="sensor_access_summary">Sensorzugriff von Benutzer-Apps kontrollieren</string>
+ <string name="sensor_access_title">Zugriff auf Sensoren</string>
+ <string name="sensor_access_title_empty_text">Keine installierte App hat Sensorzugriff angefordert.</string>
<string name="media_output_panel_stop_casting_button" msgid="6094875883164119035">"Streamen beenden"</string>
<string name="volte_5G_limited_title" msgid="5908052268836750629">"VoLTE deaktivieren?"</string>
<string name="volte_5G_limited_text" msgid="7150583768725182345">"Dadurch wird auch deine 5G-Verbindung deaktiviert.\nWährend eines Sprachanrufs kannst du das Internet nicht nutzen und manche Apps funktionieren möglicherweise nicht."</string>
diff --git a/res/values-fr/strings.xml b/res/values-fr/strings.xml
index 005aa05953..7c2ad2eaf3 100644
--- a/res/values-fr/strings.xml
+++ b/res/values-fr/strings.xml
@@ -4944,6 +4944,9 @@
<string name="rtt_settings_no_visible" msgid="7440356831140948382"></string>
<string name="rtt_settings_visible_during_call" msgid="7866181103286073700"></string>
<string name="rtt_settings_always_visible" msgid="2364173070088756238"></string>
+ <string name="sensor_access_summary">Contrôler l\'accès des applications utilisateurs aux capteurs</string>
+ <string name="sensor_access_title">Access aux Capteurs</string>
+ <string name="sensor_access_title_empty_text">Aucune app installée n\'a demandé de l\'accès aux capteurs.</string>
<string name="media_output_panel_stop_casting_button" msgid="6094875883164119035">"Arrêter la diffusion"</string>
<string name="volte_5G_limited_title" msgid="5908052268836750629">"Désactiver VoLTE ?"</string>
<string name="volte_5G_limited_text" msgid="7150583768725182345">"Cela désactive également votre connexion 5G.\nLorsque vous effectuez un appel vocal, vous n\'avez pas accès à Internet et certaines applications peuvent ne pas fonctionner."</string>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 0c6fe1a541..120e82f4dd 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -12237,4 +12237,9 @@
<string name="bluetooth_connect_access_dialog_negative">Don\u2019t connect</string>
<!-- Strings for Dialog connect button -->
<string name="bluetooth_connect_access_dialog_positive">Connect</string>
+
+ <!-- Sensor AppOps -->
+ <string name="sensor_access_summary">Control sensor access for user apps</string>
+ <string name="sensor_access_title">Access to Sensors</string>
+ <string name="sensor_access_title_empty_text">No installed apps have requested sensors access.</string>
</resources>
diff --git a/res/xml/special_access.xml b/res/xml/special_access.xml
index 6ee87f4664..f65ee68f7e 100644
--- a/res/xml/special_access.xml
+++ b/res/xml/special_access.xml
@@ -154,6 +154,13 @@
android:value="com.android.settings.Settings$ChangeWifiStateActivity" />
</Preference>
+ <Preference
+ android:key="sensor_access"
+ android:title="@string/sensor_access_title"
+ android:summary="@string/sensor_access_summary"
+ android:fragment="com.android.settings.applications.specialaccess.sensor.SensorAccess">
+ </Preference>
+
<Preference
android:key="special_access_more"
android:title="@string/special_access_more"
diff --git a/src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java b/src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java
new file mode 100644
index 0000000000..2c29f3abfd
--- /dev/null
+++ b/src/com/android/settings/applications/specialaccess/sensor/SensorAccess.java
@@ -0,0 +1,178 @@
+package com.android.settings.applications.specialaccess.sensor;
+
+import android.annotation.Nullable;
+import android.app.AlertDialog;
+import android.app.Dialog;
+import android.app.DialogFragment;
+import android.app.AppOpsManager;
+import android.content.Context;
+import android.content.DialogInterface;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageItemInfo;
+import android.content.pm.PackageManager;
+import android.database.ContentObserver;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.Handler;
+import android.os.Looper;
+import android.text.TextUtils;
+import android.util.ArraySet;
+import android.util.Log;
+import android.util.TypedValue;
+import android.view.Gravity;
+import android.view.View;
+import android.view.ViewGroup;
+import android.view.ViewGroup.LayoutParams;
+import android.widget.TextView;
+import android.widget.Toast;
+
+import androidx.preference.Preference;
+import androidx.preference.Preference.OnPreferenceChangeListener;
+import androidx.preference.PreferenceScreen;
+import androidx.preference.SwitchPreference;
+
+import com.android.settings.R;
+import com.android.settings.core.instrumentation.InstrumentedDialogFragment;
+import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
+import com.android.settings.SettingsPreferenceFragment;
+
+import java.util.Arrays;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class SensorAccess extends SettingsPreferenceFragment {
+
+ private final SettingObserver mObserver = new SettingObserver();
+
+ static final String TAG = "SensorAccess";
+
+ private Context mContext;
+ private PackageManager mPackageManager;
+ private AppOpsManager mAppOpsManager;
+ private TextView mEmpty;
+
+ @Override
+ public int getMetricsCategory() {
+ return MetricsEvent.VIEW_UNKNOWN;
+ }
+
+ @Override
+ public void onCreate(Bundle icicle) {
+ super.onCreate(icicle);
+
+ mContext = getActivity();
+ mPackageManager = mContext.getPackageManager();
+ mAppOpsManager = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
+ setPreferenceScreen(getPreferenceManager().createPreferenceScreen(mContext));
+ }
+
+ @Override
+ public void onViewCreated(View view, @Nullable Bundle savedInstanceState) {
+ super.onViewCreated(view, savedInstanceState);
+ mEmpty = new TextView(getContext());
+ mEmpty.setGravity(Gravity.CENTER);
+ mEmpty.setText(R.string.sensor_access_title_empty_text);
+ TypedValue value = new TypedValue();
+ getContext().getTheme().resolveAttribute(android.R.attr.textAppearanceMedium, value, true);
+ mEmpty.setTextAppearance(value.resourceId);
+ ((ViewGroup) view.findViewById(android.R.id.list_container)).addView(mEmpty,
+ new LayoutParams(LayoutParams.MATCH_PARENT, LayoutParams.MATCH_PARENT));
+ setEmptyView(mEmpty);
+ reloadList();
+ }
+
+ @Override
+ public void onResume() {
+ super.onResume();
+ getActivity().getActionBar().setTitle(R.string.sensor_access_title);
+ reloadList();
+ }
+
+ private void reloadList() {
+ final PreferenceScreen screen = getPreferenceScreen();
+ screen.removeAll();
+
+ final ArrayList<ApplicationInfo> apps = new ArrayList<>();
+ final List<ApplicationInfo> installed = mPackageManager.getInstalledApplications(0);
+ if (installed != null) {
+ for (ApplicationInfo app : installed) {
+ // Skip system apps
+ if (isUserApp(app.packageName)) {
+ // Only apps effectively having the Op OTHER_SENSORS
+ if (mAppOpsManager.getOpsForPackage(getPackageUid(app.packageName),
+ app.packageName, new int[]{AppOpsManager.OP_OTHER_SENSORS}) != null)
+ apps.add(app);
+ }
+ }
+ }
+ Collections.sort(apps, new PackageItemInfo.DisplayNameComparator(mPackageManager));
+ for (ApplicationInfo app : apps) {
+ final String pkg = app.packageName;
+ final CharSequence label = app.loadLabel(mPackageManager);
+ final SwitchPreference pref = new SwitchPreference(getPrefContext());
+ pref.setPersistent(false);
+ pref.setIcon(app.loadIcon(mPackageManager));
+ pref.setTitle(label);
+ updateState(pref, pkg);
+ pref.setOnPreferenceChangeListener(new OnPreferenceChangeListener() {
+ @Override
+ public boolean onPreferenceChange(Preference preference, Object newValue) {
+ boolean switchOn = (Boolean) newValue;
+ mAppOpsManager.setMode(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg,
+ switchOn ? AppOpsManager.MODE_ALLOWED : AppOpsManager.MODE_IGNORED);
+ pref.setChecked(switchOn);
+ return false;
+ }
+ });
+ screen.addPreference(pref);
+ }
+ }
+
+ public void updateState(SwitchPreference preference, String pkg) {
+ final int mode = mAppOpsManager
+ .checkOpNoThrow(AppOpsManager.OP_OTHER_SENSORS, getPackageUid(pkg), pkg);
+ if (mode == AppOpsManager.MODE_ERRORED) {
+ preference.setChecked(false);
+ } else {
+ final boolean checked = mode != AppOpsManager.MODE_IGNORED;
+ preference.setChecked(checked);
+ }
+ }
+
+ private boolean isUserApp(String pkg) {
+ ApplicationInfo appInfo;
+ try {
+ appInfo = mPackageManager.getApplicationInfo(pkg,
+ PackageManager.GET_DISABLED_COMPONENTS
+ | PackageManager.GET_UNINSTALLED_PACKAGES);
+ } catch (PackageManager.NameNotFoundException e) {
+ Log.w(TAG, "Unable to find info for package " + pkg);
+ return false;
+ }
+ return ((appInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0);
+ }
+
+ private int getPackageUid(String pkg) {
+ int uid;
+ try {
+ uid = mPackageManager.getPackageUid(pkg, 0);
+ } catch (PackageManager.NameNotFoundException e) {
+ // We shouldn't hit this, ever. What can we even do after this?
+ uid = -1;
+ }
+ return uid;
+ }
+
+ private final class SettingObserver extends ContentObserver {
+ public SettingObserver() {
+ super(new Handler(Looper.getMainLooper()));
+ }
+
+ @Override
+ public void onChange(boolean selfChange, Uri uri) {
+ reloadList();
+ }
+ }
+}

View File

@ -55,7 +55,7 @@ index 617548cadc..9caf926229 100644
<item msgid="6490061470416867723">Small</item>
<item msgid="3579015730662088893">Default</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 120e82f4dd..6ff1f16fdf 100644
index 0c6fe1a541..b9f886d492 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -647,6 +647,9 @@

View File

@ -67,7 +67,7 @@ index 9caf926229..d40e65e536 100644
<string-array name="screen_timeout_entries">
<item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 6ff1f16fdf..3a7f3878bf 100644
index b9f886d492..e925a30b3e 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -27,6 +27,25 @@

View File

@ -67,7 +67,7 @@ index d40e65e536..6259f4d1a5 100644
<string-array name="screen_timeout_entries">
<item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 3a7f3878bf..dbbc4ba758 100644
index e925a30b3e..de6d38bcbd 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -46,6 +46,25 @@

View File

@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting
create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
index dbbc4ba758..87ef39ed10 100644
index de6d38bcbd..dc14819f0c 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11957,6 +11957,9 @@

View File

@ -10,7 +10,7 @@ Subject: [PATCH] UserManager app installation restrictions
3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/res/values/strings.xml b/res/values/strings.xml
index b33a94d4a6..1cd05427d1 100644
index e612651bfe..c8e830342b 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -7088,6 +7088,8 @@

View File

@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle
create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 87ef39ed10..b33a94d4a6 100644
index dc14819f0c..e612651bfe 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11957,6 +11957,8 @@

View File

@ -157,13 +157,11 @@ fi;
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS)
if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
#applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch";
fi;
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions.patch"; #Support new special runtime permissions (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Make INTERNET into a special runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch"; #Add a NETWORK permission group for INTERNET (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0014-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox internal logging service
sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java;
@ -179,7 +177,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
fi;
if enterAndClear "frameworks/native"; then
if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
fi;
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@ -234,7 +232,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8
fi;
if enterAndClear "libcore"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi;
@ -265,19 +263,15 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_pa
fi;
if enterAndClear "packages/apps/PackageInstaller"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch";
fi;
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch"; #Add NETWORK permission group (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Permission-1.patch"; #Add OTHER_SENSORS permission group (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Permission-2.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS)
fi;
if enterAndClear "packages/apps/Settings"; then
git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
if [ "$DOS_SENSORS_PERM" = true ]; then
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors-P1.patch"; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors-P2.patch";
fi;
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS) #TODO: Needs work
sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase max password length (GrapheneOS)
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
@ -304,7 +298,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disa
fi;
if enterAndClear "packages/providers/DownloadProvider"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "packages/services/Telephony"; then

View File

@ -152,18 +152,16 @@ fi;
applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS)
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Restore_SensorsOff.patch"; #Restore the Sensors Off tile
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-2.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-3.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-7.patch";
fi;
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Special_Permissions.patch"; #Support new special runtime permissions (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-1.patch"; #Make INTERNET into a special runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-2.patch"; #Add a NETWORK permission group for INTERNET (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-3.patch"; #Enforce INTERNET as a runtime permission. (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-4.patch"; #Fix INTERNET enforcement for secondary users (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
if [ "$DOS_TIMEOUTS" = true ]; then
applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0016-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
@ -187,7 +185,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
fi;
if enterAndClear "frameworks/native"; then
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
fi;
if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@ -247,7 +245,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then
applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-2.patch";
fi;
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0004-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi;
@ -279,16 +277,15 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_pa
fi;
if enterAndClear "packages/apps/PermissionController"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch";
fi;
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Network_Permission-2.patch"; #Add INTERNET permission toggle (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Sensors_Permission-1.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0001-Sensors_Permission-2.patch"; #Add OTHER_SENSORS permission group (GrapheneOS)
fi;
if enterAndClear "packages/apps/Settings"; then
git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
if [ "$DOS_TIMEOUTS" = true ]; then
@ -333,7 +330,7 @@ fi;
#fi;
if enterAndClear "packages/providers/DownloadProvider"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
#if enterAndClear "packages/services/Telephony"; then
@ -364,7 +361,7 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #
fi;
if enterAndClear "system/netd"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "system/sepolicy"; then

View File

@ -128,18 +128,16 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Rev
applyPatch "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0005-User_Logout.patch"; #Allow user logout (GrapheneOS)
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0010-Sensors.patch"; fi #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_base/0011-Restore_SensorsOff.patch"; #Restore the Sensors Off tile
applyPatch "$DOS_PATCHES/android_frameworks_base/0012-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-7.patch";
fi;
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Special_Permissions.patch"; #Support new special runtime permissions (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-1.patch"; #Make INTERNET into a special runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-2.patch"; #Add a NETWORK permission group for INTERNET (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-3.patch"; #Enforce INTERNET as a runtime permission. (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-4.patch"; #Fix INTERNET enforcement for secondary users (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-5.patch"; #Send uid for each user instead of just owner/admin user (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Network_Permission-6.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0013-Sensors_Permission.patch"; #Add special runtime permission for other sensors (GrapheneOS)
if [ "$DOS_TIMEOUTS" = true ]; then
applyPatch "$DOS_PATCHES/android_frameworks_base/0014-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0015-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (GrapheneOS)
@ -183,7 +181,7 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_fr
fi;
if enterAndClear "frameworks/native"; then
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_native/0002-fix-uaf.patch"; #Fix use-after-free in adbd_auth (GrapheneOS)
fi;
@ -249,7 +247,7 @@ applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch";
fi;
if enterAndClear "libcore"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
if [ "$DOS_GRAPHENE_EXEC" = true ]; then
applyPatch "$DOS_PATCHES/android_libcore/0003-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
@ -285,18 +283,17 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_pa
fi;
if enterAndClear "packages/apps/PermissionController"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-1.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-2.patch";
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-3.patch";
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-4.patch";
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-5.patch";
fi;
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Network_Permission-2.patch"; #Add INTERNET permission toggle (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Sensors_Permission-1.patch"; #Add OTHER_SENSORS permission group (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Sensors_Permission-2.patch"; #Always treat OTHER_SENSORS as a runtime permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Special_Permissions-1.patch"; #Refactor handling of special runtime permissions (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Special_Permissions-2.patch"; #Don't auto revoke Network and Sensors (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_PermissionController/0002-Special_Permissions-3.patch"; #UI fix for special runtime permission (GrapheneOS)
fi;
if enterAndClear "packages/apps/Settings"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
if [ "$DOS_SENSORS_PERM_NEW" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0002-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (CalyxOS)
if [ "$DOS_TIMEOUTS" = true ]; then
@ -341,7 +338,7 @@ fi;
fi;
if enterAndClear "packages/providers/DownloadProvider"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "packages/providers/TelephonyProvider"; then
@ -368,7 +365,7 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #
fi;
if enterAndClear "system/netd"; then
if [ "$DOS_GRAPHENE_NETWORK_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; fi; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "system/sepolicy"; then

View File

@ -62,7 +62,6 @@ export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' pa
export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1+19.1
export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1+19.1
export DOS_GRAPHENE_PTRACE_SCOPE=true; #Enables the GrapheneOS ptrace_scope toggle patchset on 17.1+18.1+19.1
export DOS_GRAPHENE_NETWORK_PERM=true; #Enables use of GrapheneOS' NETWORK permission on 17.1+18.1, 19.1 has no toggle
export DOS_GRAPHENE_RANDOM_MAC=true; #Enables the GrapheneOS always randomize Wi-Fi MAC patchset on 17.1+18.1+19.1
export DOS_TIMEOUTS=true; #Enables the GrapheneOS/CalyxOS patchset for automatic timeouts of reboot/Wi-Fi/Bluetooth on 17.1+18.1+19.1
export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
@ -70,8 +69,7 @@ export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be
export DOS_LOWRAM_ENABLED=false; #Set true to enable low_ram on all devices
export DOS_MICROG_INCLUDED="NONE"; #Determines inclusion of microG. Options: NONE, NLP, FULL (removed)
export DOS_SILENCE_INCLUDED=true; #Set false to disable inclusion of Silence SMS app
export DOS_SENSORS_PERM=false; #Set true to provide a per-app sensors permission for 14.1/15.1/16.0 #XXX: can break things like camera
export DOS_SENSORS_PERM_NEW=true; #For 17.1+18.1
export DOS_SENSORS_PERM=false; #Set true to provide a per-app sensors permission for 14.1/15.1 #XXX: can break things like camera
export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository
#alias DOS_WEBVIEW_CHERRYPICK='git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/00/316600/2';
@ -132,7 +130,7 @@ gpgVerifyGitHead() {
export -f gpgVerifyGitHead;
BUILD_WORKING_DIR=${PWD##*/};
DOS_VERSION=$BUILD_WORKING_DIR;
export DOS_VERSION=$BUILD_WORKING_DIR;
if [ -d ".repo" ]; then
echo "Detected $BUILD_WORKING_DIR";
else