Permissions: Don't autogrant all permissions on Android Things
Currently, we're auto granting all requested permissions on Android
Things devices. This cl moves us away from that and allows OEMs to use
the default-permissions flow to explicitly decide which dangerous
permissions they want each app in the OEM partition to have.
Bug: 73007742
Test: manual test
Change-Id: I0c33933c414ccd7b6f766790f2f7ebfebb1ddc4f
diff --git a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
index 83fe1c9..ad32ed3 100644
--- a/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
+++ b/services/core/java/com/android/server/pm/permission/DefaultPermissionGrantPolicy.java
@@ -264,13 +264,9 @@
}
public void grantDefaultPermissions(int userId) {
- if (mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_EMBEDDED, 0)) {
- grantAllRuntimePermissions(userId);
- } else {
- grantPermissionsToSysComponentsAndPrivApps(userId);
- grantDefaultSystemHandlerPermissions(userId);
- grantDefaultPermissionExceptions(userId);
- }
+ grantPermissionsToSysComponentsAndPrivApps(userId);
+ grantDefaultSystemHandlerPermissions(userId);
+ grantDefaultPermissionExceptions(userId);
}
private void grantRuntimePermissionsForPackage(int userId, PackageParser.Package pkg) {
@@ -1247,6 +1243,13 @@
if (dir.isDirectory() && dir.canRead()) {
Collections.addAll(ret, dir.listFiles());
}
+ // For IoT devices, we check the oem partition for default permissions for each app.
+ if (mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_EMBEDDED, 0)) {
+ dir = new File(Environment.getOemDirectory(), "etc/default-permissions");
+ if (dir.isDirectory() && dir.canRead()) {
+ Collections.addAll(ret, dir.listFiles());
+ }
+ }
return ret.isEmpty() ? null : ret.toArray(new File[0]);
}