commit 9b820ef5eaf8f3c6f3802540cbbd709791e903ad
author Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu Jan 12 19:08:01 2023 +0000
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu Jan 12 19:08:01 2023 +0000
tree a4ac4ee4afa526802e86f7fa7e2bdbb2f1d18e13
parent 033965a2525dfc8d64c8ac12403230f60ff5fe2c
parent fead6f2d7549e57baa120c15a797e41712b85cf5

Merge cherrypicks of ['ag/19946225'] into security-aosp-rvc-release.

Change-Id: I93fbba34663ce7c31efb8f7d5a77a55f992631c4

src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java

diff --git a/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java b/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java
index b4a79b4..8d082c0 100644
--- a/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java
+++ b/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java
@@ -36,6 +36,7 @@
 import android.os.Looper;
 import android.os.Process;
 import android.os.UserHandle;
+import android.os.UserManager;
 import android.permission.PermissionManager;
 import android.permission.RuntimePermissionPresentationInfo;
 import android.permission.RuntimePermissionUsageInfo;
@@ -56,6 +57,7 @@
 import com.android.permissioncontroller.permission.model.livedatatypes.AppPermGroupUiInfo.PermGrantState;
 import com.android.permissioncontroller.permission.ui.AutoGrantPermissionsNotifier;
 import com.android.permissioncontroller.permission.utils.ArrayUtils;
+import com.android.permissioncontroller.permission.utils.AdminRestrictedPermissionsUtils;
 import com.android.permissioncontroller.permission.utils.KotlinUtils;
 import com.android.permissioncontroller.permission.utils.UserSensitiveFlagsUtils;
 import com.android.permissioncontroller.permission.utils.Utils;
@@ -518,6 +520,8 @@
         AutoGrantPermissionsNotifier autoGrantPermissionsNotifier =
                 new AutoGrantPermissionsNotifier(this, pkgInfo);
 
+        final boolean isManagedProfile = getSystemService(UserManager.class).isManagedProfile();
+
         int numPerms = expandedPermissions.size();
         for (int i = 0; i < numPerms; i++) {
             String permName = expandedPermissions.get(i);
@@ -533,9 +537,15 @@
 
             switch (grantState) {
                 case PERMISSION_GRANT_STATE_GRANTED:
-                    perm.setPolicyFixed(true);
-                    group.grantRuntimePermissions(false, false, new String[]{permName});
-                    autoGrantPermissionsNotifier.onPermissionAutoGranted(permName);
+                    if (AdminRestrictedPermissionsUtils.mayAdminGrantPermission(perm.getName(),
+                            isManagedProfile)) {
+                        perm.setPolicyFixed(true);
+                        group.grantRuntimePermissions(false, false, new String[]{permName});
+                        autoGrantPermissionsNotifier.onPermissionAutoGranted(permName);
+                    } else {
+                        // similar to PERMISSION_GRANT_STATE_DEFAULT
+                        perm.setPolicyFixed(false);
+                    }
                     break;
                 case PERMISSION_GRANT_STATE_DENIED:
                     perm.setPolicyFixed(true);

src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java

diff --git a/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java b/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java
new file mode 100644
index 0000000..917c633
--- /dev/null
+++ b/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.permissioncontroller.permission.utils;
+
+import android.Manifest;
+import android.util.ArraySet;
+
+/**
+ * A class for dealing with permissions that the admin may not grant in certain configurations.
+ */
+public final class AdminRestrictedPermissionsUtils {
+
+    /**
+     * A set of permissions that the managed Profile Owner cannot grant.
+     */
+    private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
+            new ArraySet<>();
+
+    static {
+        MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.add(Manifest.permission.READ_SMS);
+    }
+
+    /**
+     * Returns true if the admin may grant this permission, false otherwise.
+     */
+    public static boolean mayAdminGrantPermission(String permission, boolean isManagedProfile) {
+        return !isManagedProfile
+                || !MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
+    }
+}