Merge "Cherry-pick from master Doc change: Add API 26 to @since list" into oc-dev
diff --git a/core/java/android/app/ApplicationPackageManager.java b/core/java/android/app/ApplicationPackageManager.java
index e5c4208..4df633f 100644
--- a/core/java/android/app/ApplicationPackageManager.java
+++ b/core/java/android/app/ApplicationPackageManager.java
@@ -281,7 +281,8 @@
public PermissionInfo getPermissionInfo(String name, int flags)
throws NameNotFoundException {
try {
- PermissionInfo pi = mPM.getPermissionInfo(name, flags);
+ PermissionInfo pi = mPM.getPermissionInfo(name,
+ mContext.getOpPackageName(), flags);
if (pi != null) {
return pi;
}
diff --git a/core/java/android/content/pm/IPackageManager.aidl b/core/java/android/content/pm/IPackageManager.aidl
index 2ebfa8f..6e258c1 100644
--- a/core/java/android/content/pm/IPackageManager.aidl
+++ b/core/java/android/content/pm/IPackageManager.aidl
@@ -71,7 +71,7 @@
String[] currentToCanonicalPackageNames(in String[] names);
String[] canonicalToCurrentPackageNames(in String[] names);
- PermissionInfo getPermissionInfo(String name, int flags);
+ PermissionInfo getPermissionInfo(String name, String packageName, int flags);
ParceledListSlice queryPermissionsByGroup(String group, int flags);
diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java
index 79a67fe..de0d5d76 100644
--- a/core/java/android/os/UserManager.java
+++ b/core/java/android/os/UserManager.java
@@ -303,10 +303,12 @@
public static final String DISALLOW_DEBUGGING_FEATURES = "no_debugging_features";
/**
- * Specifies if a user is disallowed from configuring VPN.
- * The default value is <code>false</code>.
- * This restriction has an effect in a managed profile only from
- * {@link android.os.Build.VERSION_CODES#M}
+ * Specifies if a user is disallowed from configuring a VPN. The default value is
+ * <code>false</code>. This restriction has an effect when set by device owners and, in Android
+ * 6.0 ({@linkplain android.os.Build.VERSION_CODES#M API level 23}) or higher, profile owners.
+ * <p>This restriction also prevents VPNs from starting. However, in Android 7.0
+ * ({@linkplain android.os.Build.VERSION_CODES#N API level 24}) or higher, the system does
+ * start always-on VPNs created by the device or profile owner.
*
* <p>Key for user restrictions.
* <p>Type: Boolean
diff --git a/services/core/java/com/android/server/am/BroadcastQueue.java b/services/core/java/com/android/server/am/BroadcastQueue.java
index b3a2c29..2142c94 100644
--- a/services/core/java/com/android/server/am/BroadcastQueue.java
+++ b/services/core/java/com/android/server/am/BroadcastQueue.java
@@ -802,7 +802,7 @@
IPackageManager pm = AppGlobals.getPackageManager();
for (int i = perms.length-1; i >= 0; i--) {
try {
- PermissionInfo pi = pm.getPermissionInfo(perms[i], 0);
+ PermissionInfo pi = pm.getPermissionInfo(perms[i], "android", 0);
if ((pi.protectionLevel & (PermissionInfo.PROTECTION_MASK_BASE
| PermissionInfo.PROTECTION_FLAG_PRIVILEGED))
!= PermissionInfo.PROTECTION_SIGNATURE) {
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 9e4ba8b..c1b98f5 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -3996,20 +3996,64 @@
}
@Override
- public PermissionInfo getPermissionInfo(String name, int flags) {
- if (getInstantAppPackageName(Binder.getCallingUid()) != null) {
+ public PermissionInfo getPermissionInfo(String name, String packageName, int flags) {
+ final int callingUid = Binder.getCallingUid();
+ if (getInstantAppPackageName(callingUid) != null) {
return null;
}
// reader
synchronized (mPackages) {
final BasePermission p = mSettings.mPermissions.get(name);
- if (p != null) {
- return generatePermissionInfo(p, flags);
- }
- return null;
+ // If the caller is an app that targets pre 26 SDK drop protection flags.
+ final PermissionInfo permissionInfo = generatePermissionInfo(p, flags);
+ permissionInfo.protectionLevel = adjustPermissionProtectionFlagsLPr(
+ permissionInfo.protectionLevel, packageName, callingUid);
+ return permissionInfo;
}
}
+ private int adjustPermissionProtectionFlagsLPr(int protectionLevel,
+ String packageName, int uid) {
+ // Signature permission flags area always reported
+ final int protectionLevelMasked = protectionLevel
+ & (PermissionInfo.PROTECTION_NORMAL
+ | PermissionInfo.PROTECTION_DANGEROUS
+ | PermissionInfo.PROTECTION_SIGNATURE);
+ if (protectionLevelMasked == PermissionInfo.PROTECTION_SIGNATURE) {
+ return protectionLevel;
+ }
+
+ // System sees all flags.
+ final int appId = UserHandle.getAppId(uid);
+ if (appId == Process.SYSTEM_UID || appId == Process.ROOT_UID
+ || appId == Process.SHELL_UID) {
+ return protectionLevel;
+ }
+
+ // Normalize package name to handle renamed packages and static libs
+ packageName = resolveInternalPackageNameLPr(packageName,
+ PackageManager.VERSION_CODE_HIGHEST);
+
+ // Apps that target O see flags for all protection levels.
+ final PackageSetting ps = mSettings.mPackages.get(packageName);
+ if (ps == null) {
+ return protectionLevel;
+ }
+ if (ps.appId != appId) {
+ return protectionLevel;
+ }
+
+ final PackageParser.Package pkg = mPackages.get(packageName);
+ if (pkg == null) {
+ return protectionLevel;
+ }
+ if (pkg.applicationInfo.targetSdkVersion < Build.VERSION_CODES.O) {
+ return protectionLevelMasked;
+ }
+
+ return protectionLevel;
+ }
+
@Override
public @Nullable ParceledListSlice<PermissionInfo> queryPermissionsByGroup(String group,
int flags) {