Merge "Remove unreachable code now that we no longer cache protected buffers" into sc-dev
diff --git a/include/android/imagedecoder.h b/include/android/imagedecoder.h
index c3d3a4b..fb7d09c 100644
--- a/include/android/imagedecoder.h
+++ b/include/android/imagedecoder.h
@@ -837,9 +837,11 @@
* is the current frame.
*
* If the image only has one frame, this will fill the {@link
- * AImageDecoderFrameInfo} with the encoded info, if any, or reasonable
+ * AImageDecoderFrameInfo} with the encoded info and reasonable
* defaults.
*
+ * If {@link AImageDecoder_advanceFrame} succeeded, this will succeed as well.
+ *
* @param decoder Opaque object representing the decoder.
* @param info Opaque object to hold frame information. On success, will be
* filled with information regarding the current frame.
@@ -861,7 +863,7 @@
* Introduced in API 31.
*
* Errors:
- * - returns 0 if |info| is null.
+ * - returns {@link ANDROID_IMAGE_DECODER_BAD_PARAMETER} if |info| is null.
*/
int64_t AImageDecoderFrameInfo_getDuration(
const AImageDecoderFrameInfo* _Nonnull info) __INTRODUCED_IN(31);
@@ -896,19 +898,25 @@
*
* Introduced in API 31.
*
- * Note that this may differ from whether the composed frame has
- * alpha. If this frame does not fill the entire image dimensions
- * (see {@link AImageDecoderFrameInfo_getFrameRect}) or it blends
- * with an opaque frame, for example, the composed frame’s alpha
- * may not match. It is also conservative; for example, if a color
- * index-based frame has a color with alpha but does not use it,
- * this will still return true.
+ * Unless this frame is independent (see {@link AImageDecoder_decodeImage}),
+ * a single call to {@link AImageDecoder_decodeImage} will decode an updated
+ * rectangle of pixels and then blend it with the existing pixels in the
+ * |pixels| buffer according to {@link AImageDecoderFrameInfo_getBlendOp}. This
+ * method returns whether the updated rectangle has alpha, prior to blending.
+ * The return value is conservative; for example, if a color-index-based frame
+ * has a color with alpha but does not use it, this will still return true.
*
* This, along with other information in AImageDecoderFrameInfo,
* can be useful for determining whether a frame is independent, but
* the decoder handles blending frames, so a simple
* sequential client does not need this.
*
+ * Note that this may differ from whether the composed frame (that is, the
+ * resulting image after blending) has alpha. If this frame does not fill the
+ * entire image dimensions (see {@link AImageDecoderFrameInfo_getFrameRect})
+ * or it blends with an opaque frame, for example, the composed frame’s alpha
+ * may not match.
+ *
* Errors:
* - returns false if |info| is null.
*/
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index 6fb1227..ef7fd44 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -29,8 +29,6 @@
#include <utils/SystemClock.h>
#include <utils/threads.h>
-#include <private/binder/binder_module.h>
-
#include <atomic>
#include <errno.h>
#include <inttypes.h>
@@ -43,6 +41,7 @@
#include <unistd.h>
#include "Static.h"
+#include "binder_module.h"
#if LOG_NDEBUG
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index cbe590f..5627a78 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -48,10 +48,10 @@
#include <utils/String8.h>
#include <utils/misc.h>
-#include <private/binder/binder_module.h>
#include "RpcState.h"
#include "Static.h"
#include "Utils.h"
+#include "binder_module.h"
#define LOG_REFS(...)
//#define LOG_REFS(...) ALOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__)
diff --git a/libs/binder/ProcessState.cpp b/libs/binder/ProcessState.cpp
index 1d3beb4..4fd0dc7 100644
--- a/libs/binder/ProcessState.cpp
+++ b/libs/binder/ProcessState.cpp
@@ -27,8 +27,8 @@
#include <utils/String8.h>
#include <utils/threads.h>
-#include <private/binder/binder_module.h>
#include "Static.h"
+#include "binder_module.h"
#include <errno.h>
#include <fcntl.h>
diff --git a/libs/binder/RpcServer.cpp b/libs/binder/RpcServer.cpp
index 4df12ce..de7160e 100644
--- a/libs/binder/RpcServer.cpp
+++ b/libs/binder/RpcServer.cpp
@@ -184,6 +184,8 @@
}
bool RpcServer::setupSocketServer(const RpcSocketAddress& addr) {
+ LOG_RPC_DETAIL("Setting up socket server %s", addr.toString().c_str());
+
{
std::lock_guard<std::mutex> _l(mLock);
LOG_ALWAYS_FATAL_IF(mServer.get() != -1, "Each RpcServer can only have one server.");
@@ -208,6 +210,8 @@
return false;
}
+ LOG_RPC_DETAIL("Successfully setup socket server %s", addr.toString().c_str());
+
mServer = std::move(serverFd);
return true;
}
diff --git a/libs/binder/include/private/binder/binder_module.h b/libs/binder/binder_module.h
similarity index 85%
rename from libs/binder/include/private/binder/binder_module.h
rename to libs/binder/binder_module.h
index 151235c..9dea3b4 100644
--- a/libs/binder/include/private/binder/binder_module.h
+++ b/libs/binder/binder_module.h
@@ -29,14 +29,14 @@
#undef B_PACK_CHARS
#endif
-#include <sys/ioctl.h>
#include <linux/android/binder.h>
+#include <sys/ioctl.h>
#ifndef BR_FROZEN_REPLY
// Temporary definition of BR_FROZEN_REPLY. For production
// this will come from UAPI binder.h
#define BR_FROZEN_REPLY _IO('r', 18)
-#endif //BR_FROZEN_REPLY
+#endif // BR_FROZEN_REPLY
#ifndef BINDER_FREEZE
/*
@@ -49,46 +49,46 @@
//
// Group-leader PID of process to be frozen
//
- uint32_t pid;
+ uint32_t pid;
//
// Enable(1) / Disable(0) freeze for given PID
//
- uint32_t enable;
+ uint32_t enable;
//
// Timeout to wait for transactions to drain.
// 0: don't wait (ioctl will return EAGAIN if not drained)
// N: number of ms to wait
- uint32_t timeout_ms;
+ uint32_t timeout_ms;
};
-#endif //BINDER_FREEZE
+#endif // BINDER_FREEZE
#ifndef BINDER_GET_FROZEN_INFO
-#define BINDER_GET_FROZEN_INFO _IOWR('b', 15, struct binder_frozen_status_info)
+#define BINDER_GET_FROZEN_INFO _IOWR('b', 15, struct binder_frozen_status_info)
struct binder_frozen_status_info {
//
// Group-leader PID of process to be queried
//
- __u32 pid;
+ __u32 pid;
//
// Indicates whether the process has received any sync calls since last
// freeze (cleared at freeze/unfreeze)
//
- __u32 sync_recv;
+ __u32 sync_recv;
//
// Indicates whether the process has received any async calls since last
// freeze (cleared at freeze/unfreeze)
//
- __u32 async_recv;
+ __u32 async_recv;
};
-#endif //BINDER_GET_FROZEN_INFO
+#endif // BINDER_GET_FROZEN_INFO
#ifndef BR_ONEWAY_SPAM_SUSPECT
// Temporary definition of BR_ONEWAY_SPAM_SUSPECT. For production
// this will come from UAPI binder.h
#define BR_ONEWAY_SPAM_SUSPECT _IO('r', 19)
-#endif //BR_ONEWAY_SPAM_SUSPECT
+#endif // BR_ONEWAY_SPAM_SUSPECT
#ifndef BINDER_ENABLE_ONEWAY_SPAM_DETECTION
/*
@@ -96,6 +96,6 @@
* these will be defined in the UAPI binder.h file from upstream kernel.
*/
#define BINDER_ENABLE_ONEWAY_SPAM_DETECTION _IOW('b', 16, __u32)
-#endif //BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+#endif // BINDER_ENABLE_ONEWAY_SPAM_DETECTION
#endif // _BINDER_MODULE_H_
diff --git a/libs/binder/tests/binderLibTest.cpp b/libs/binder/tests/binderLibTest.cpp
index dc8c0f1..5676bd1 100644
--- a/libs/binder/tests/binderLibTest.cpp
+++ b/libs/binder/tests/binderLibTest.cpp
@@ -31,11 +31,11 @@
#include <binder/IServiceManager.h>
#include <binder/ParcelRef.h>
-#include <private/binder/binder_module.h>
#include <linux/sched.h>
#include <sys/epoll.h>
#include <sys/prctl.h>
+#include "../binder_module.h"
#include "binderAbiHelper.h"
#define ARRAY_SIZE(array) (sizeof array / sizeof array[0])
diff --git a/libs/binder/tests/binderRpcBenchmark.cpp b/libs/binder/tests/binderRpcBenchmark.cpp
index ce47c0d..f64bc5b 100644
--- a/libs/binder/tests/binderRpcBenchmark.cpp
+++ b/libs/binder/tests/binderRpcBenchmark.cpp
@@ -134,4 +134,5 @@
success:
::benchmark::RunSpecifiedBenchmarks();
+ return 0;
}
diff --git a/libs/dumputils/dump_utils.cpp b/libs/dumputils/dump_utils.cpp
index 8a82c2a..29c788b 100644
--- a/libs/dumputils/dump_utils.cpp
+++ b/libs/dumputils/dump_utils.cpp
@@ -47,6 +47,7 @@
// Native processes to dump on debuggable builds.
static const char* debuggable_native_processes_to_dump[] = {
+ "/system/bin/keystore2",
"/system/bin/vold",
NULL,
};
diff --git a/libs/gui/BLASTBufferQueue.cpp b/libs/gui/BLASTBufferQueue.cpp
index 3d854c2..37fb844 100644
--- a/libs/gui/BLASTBufferQueue.cpp
+++ b/libs/gui/BLASTBufferQueue.cpp
@@ -666,12 +666,12 @@
void run() {
std::unique_lock<std::mutex> lock(mMutex);
while (!mDone) {
- mCv.wait(lock);
while (!mRunnables.empty()) {
std::function<void()> runnable = mRunnables.front();
mRunnables.pop_front();
runnable();
}
+ mCv.wait(lock);
}
}
diff --git a/libs/input/InputTransport.cpp b/libs/input/InputTransport.cpp
index de75691..dd1c462 100644
--- a/libs/input/InputTransport.cpp
+++ b/libs/input/InputTransport.cpp
@@ -96,28 +96,42 @@
// --- InputMessage ---
bool InputMessage::isValid(size_t actualSize) const {
- if (size() == actualSize) {
- switch (header.type) {
- case Type::KEY:
- return true;
- case Type::MOTION:
- return body.motion.pointerCount > 0 && body.motion.pointerCount <= MAX_POINTERS;
- case Type::FINISHED:
- return true;
- case Type::FOCUS:
- return true;
- case Type::CAPTURE:
- return true;
- case Type::DRAG:
- return true;
- case Type::TIMELINE:
- const nsecs_t gpuCompletedTime =
- body.timeline.graphicsTimeline[GraphicsTimeline::GPU_COMPLETED_TIME];
- const nsecs_t presentTime =
- body.timeline.graphicsTimeline[GraphicsTimeline::PRESENT_TIME];
- return presentTime > gpuCompletedTime;
+ if (size() != actualSize) {
+ ALOGE("Received message of incorrect size %zu (expected %zu)", actualSize, size());
+ return false;
+ }
+
+ switch (header.type) {
+ case Type::KEY:
+ return true;
+ case Type::MOTION: {
+ const bool valid =
+ body.motion.pointerCount > 0 && body.motion.pointerCount <= MAX_POINTERS;
+ if (!valid) {
+ ALOGE("Received invalid MOTION: pointerCount = %" PRIu32, body.motion.pointerCount);
+ }
+ return valid;
+ }
+ case Type::FINISHED:
+ case Type::FOCUS:
+ case Type::CAPTURE:
+ case Type::DRAG:
+ return true;
+ case Type::TIMELINE: {
+ const nsecs_t gpuCompletedTime =
+ body.timeline.graphicsTimeline[GraphicsTimeline::GPU_COMPLETED_TIME];
+ const nsecs_t presentTime =
+ body.timeline.graphicsTimeline[GraphicsTimeline::PRESENT_TIME];
+ const bool valid = presentTime > gpuCompletedTime;
+ if (!valid) {
+ ALOGE("Received invalid TIMELINE: gpuCompletedTime = %" PRId64
+ " presentTime = %" PRId64,
+ gpuCompletedTime, presentTime);
+ }
+ return valid;
}
}
+ ALOGE("Invalid message type: %" PRIu32, header.type);
return false;
}
@@ -404,9 +418,7 @@
}
if (!msg->isValid(nRead)) {
-#if DEBUG_CHANNEL_MESSAGES
- ALOGD("channel '%s' ~ received invalid message", mName.c_str());
-#endif
+ ALOGE("channel '%s' ~ received invalid message of size %zd", mName.c_str(), nRead);
return BAD_VALUE;
}
diff --git a/libs/input/tests/Android.bp b/libs/input/tests/Android.bp
index fe8a567..767878b 100644
--- a/libs/input/tests/Android.bp
+++ b/libs/input/tests/Android.bp
@@ -49,8 +49,8 @@
cc_library_static {
name: "StructLayout_test",
srcs: ["StructLayout_test.cpp"],
+ compile_multilib: "both",
cflags: [
- "-O0",
"-Wall",
"-Werror",
"-Wextra",
diff --git a/libs/permission/Android.bp b/libs/permission/Android.bp
index a5712b3..3243a6b 100644
--- a/libs/permission/Android.bp
+++ b/libs/permission/Android.bp
@@ -7,17 +7,43 @@
default_applicable_licenses: ["frameworks_native_license"],
}
+aidl_interface {
+ name: "framework-permission-aidl",
+ unstable: true,
+ local_include_dir: "aidl",
+ backend: {
+ ndk: {
+ enabled: false
+ }
+ },
+ srcs: [
+ "aidl/android/content/AttributionSourceState.aidl",
+ "aidl/android/permission/IPermissionChecker.aidl",
+ ],
+}
+
cc_library_shared {
name: "libpermission",
+ cflags: [
+ "-Wall",
+ "-Wextra",
+ "-Werror",
+ ],
srcs: [
"AppOpsManager.cpp",
"IAppOpsCallback.cpp",
"IAppOpsService.cpp",
+ "android/permission/PermissionChecker.cpp",
],
export_include_dirs: ["include"],
shared_libs: [
- "libbinder",
- "liblog",
"libutils",
+ "libbinder",
+ "libcutils",
+ "liblog",
],
+ static_libs: [
+ "framework-permission-aidl-cpp",
+ ],
+ export_static_lib_headers: ["framework-permission-aidl-cpp"],
}
diff --git a/libs/permission/aidl/android/content/AttributionSourceState.aidl b/libs/permission/aidl/android/content/AttributionSourceState.aidl
new file mode 100644
index 0000000..b6e54bf
--- /dev/null
+++ b/libs/permission/aidl/android/content/AttributionSourceState.aidl
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.content;
+
+/**
+ * Payload for the {@link AttributionSource} class needed to interoperate
+ * with different languages.
+ *
+ * {@hide}
+ */
+parcelable AttributionSourceState {
+ /** The UID that is accessing the permission protected data. */
+ int uid;
+ /** The package that is accessing the permission protected data. */
+ @nullable @utf8InCpp String packageName;
+ /** The attribution tag of the app accessing the permission protected data. */
+ @nullable @utf8InCpp String attributionTag;
+ /** Unique token for that source. */
+ @nullable IBinder token;
+ /** Permissions that should be considered revoked regardless if granted. */
+ @nullable @utf8InCpp String[] renouncedPermissions;
+ /** The next app to receive the permission protected data. */
+ // TODO: We use an array as a workaround - the C++ backend doesn't
+ // support referring to the parcelable as it expects ctor/dtor
+ @nullable AttributionSourceState[] next;
+}
diff --git a/libs/permission/aidl/android/permission/IPermissionChecker.aidl b/libs/permission/aidl/android/permission/IPermissionChecker.aidl
new file mode 100644
index 0000000..1f0e32d
--- /dev/null
+++ b/libs/permission/aidl/android/permission/IPermissionChecker.aidl
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.permission;
+
+import android.content.AttributionSourceState;
+
+/**
+ * Interface to communicate directly with the permission checker service.
+ */
+interface IPermissionChecker {
+ const int PERMISSION_GRANTED = 0;
+ const int PERMISSION_SOFT_DENIED = 1;
+ const int PERMISSION_HARD_DENIED = 2;
+
+ int checkPermission(String permission, in AttributionSourceState attributionSource,
+ @nullable String message, boolean forDataDelivery, boolean startDataDelivery,
+ boolean fromDatasource);
+
+ void finishDataDelivery(String op, in AttributionSourceState attributionSource);
+
+ int checkOp(int op, in AttributionSourceState attributionSource,
+ String message, boolean forDataDelivery, boolean startDataDelivery);
+}
diff --git a/libs/permission/android/permission/PermissionChecker.cpp b/libs/permission/android/permission/PermissionChecker.cpp
new file mode 100644
index 0000000..a8083ee
--- /dev/null
+++ b/libs/permission/android/permission/PermissionChecker.cpp
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <mutex>
+#include <include/android/permission/PermissionChecker.h>
+#include <binder/Binder.h>
+#include <binder/IServiceManager.h>
+
+#include <utils/SystemClock.h>
+
+#include <sys/types.h>
+#include <private/android_filesystem_config.h>
+
+#ifdef LOG_TAG
+#undef LOG_TAG
+#endif
+#define LOG_TAG "PermissionChecker"
+
+namespace android {
+
+using android::content::AttributionSourceState;
+
+PermissionChecker::PermissionChecker()
+{
+}
+
+sp<IPermissionChecker> PermissionChecker::getService()
+{
+ static String16 permission_checker("permission_checker");
+
+ std::lock_guard<Mutex> scoped_lock(mLock);
+ int64_t startTime = 0;
+ sp<IPermissionChecker> service = mService;
+ while (service == nullptr || !IInterface::asBinder(service)->isBinderAlive()) {
+ sp<IBinder> binder = defaultServiceManager()->checkService(permission_checker);
+ if (binder == nullptr) {
+ // Wait for the permission checker service to come back...
+ if (startTime == 0) {
+ startTime = uptimeMillis();
+ ALOGW("Waiting for permission checker service");
+ } else if ((uptimeMillis() - startTime) > 10000) {
+ ALOGE("Waiting too long for permission checker service, giving up");
+ service = nullptr;
+ break;
+ }
+ sleep(1);
+ } else {
+ mService = interface_cast<IPermissionChecker>(binder);
+ }
+ }
+ return mService;
+}
+
+PermissionChecker::PermissionResult
+ PermissionChecker::checkPermissionForDataDeliveryFromDatasource(
+ const String16& permission, AttributionSourceState& attributionSource,
+ const String16& message)
+{
+ return static_cast<PermissionResult>(checkPermission(permission, attributionSource, message,
+ /*forDataDelivery*/ true, /*startDataDelivery*/ false,/*fromDatasource*/ true));
+}
+
+PermissionChecker::PermissionResult
+ PermissionChecker::checkPermissionForStartDataDeliveryFromDatasource(
+ const String16& permission, AttributionSourceState& attributionSource,
+ const String16& message)
+{
+ return static_cast<PermissionResult>(checkPermission(permission, attributionSource, message,
+ /*forDataDelivery*/ true, /*startDataDelivery*/ true, /*fromDatasource*/ true));
+}
+
+void PermissionChecker::finishDataDelivery(const String16& op,
+ AttributionSourceState& attributionSource)
+{
+ sp<IPermissionChecker> service = getService();
+ if (service != nullptr) {
+ binder::Status status = service->finishDataDelivery(op, attributionSource);
+ if (!status.isOk()) {
+ ALOGE("finishDataDelivery failed: %s", status.exceptionMessage().c_str());
+ }
+ }
+}
+
+int32_t PermissionChecker::checkPermission(const String16& permission,
+ AttributionSourceState& attributionSource, const String16& message,
+ bool forDataDelivery, bool startDataDelivery, bool fromDatasource)
+{
+ sp<IPermissionChecker> service = getService();
+ if (service != nullptr) {
+ int32_t result;
+ binder::Status status = service->checkPermission(permission, attributionSource, message,
+ forDataDelivery, startDataDelivery, fromDatasource, &result);
+ if (status.isOk()) {
+ return result;
+ }
+ ALOGE("checkPermission failed: %s", status.exceptionMessage().c_str());
+ }
+ return PERMISSION_DENIED;
+}
+
+} // namespace android
diff --git a/libs/permission/include/android/permission/PermissionChecker.h b/libs/permission/include/android/permission/PermissionChecker.h
new file mode 100644
index 0000000..20ab51f
--- /dev/null
+++ b/libs/permission/include/android/permission/PermissionChecker.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <android/content/AttributionSourceState.h>
+#include <android/permission/IPermissionChecker.h>
+
+#include <utils/threads.h>
+
+#include <optional>
+
+#ifdef __ANDROID_VNDK__
+#error "This header is not visible to vendors"
+#endif
+
+// ---------------------------------------------------------------------------
+namespace android {
+
+using android::content::AttributionSourceState;
+using android::permission::IPermissionChecker;
+
+class PermissionChecker
+{
+public:
+
+ enum PermissionResult {
+
+ /**
+ * The permission is granted.
+ */
+ PERMISSION_GRANTED = IPermissionChecker::PERMISSION_GRANTED,
+
+ /**
+ * The permission is denied. Applicable only to runtime and app op permissions.
+ *
+ * Returned when:
+ * - the runtime permission is granted, but the corresponding app op is denied
+ * for runtime permissions.
+ * - the app ops is ignored for app op permissions.
+ *
+ */
+ PERMISSION_SOFT_DENIED = IPermissionChecker::PERMISSION_SOFT_DENIED,
+
+ /**
+ * The permission is denied.
+ *
+ * Returned when:
+ * - the permission is denied for non app op permissions.
+ * - the app op is denied or app op is AppOpsManager#MODE_DEFAULT and permission is denied.
+ */
+ PERMISSION_HARD_DENIED = IPermissionChecker::PERMISSION_HARD_DENIED
+ };
+
+ PermissionChecker();
+
+ /**
+ * Checks whether a given data access chain described by the given attribution source
+ * has a given permission and whether the app op that corresponds to this permission
+ * is allowed. Call this method if you are the datasource which would not blame you for
+ * access to the data since you are the data. Note that the attribution source chain
+ *
+ * NOTE: The attribution source should be for yourself with its next attribution
+ * source being the app that would receive the data from you.
+ *
+ * NOTE: Use this method only for permission checks at the point where you will deliver
+ * the permission protected data to clients.
+ *
+ * @param permission The permission to check.
+ * @param attributionSource The attribution chain to check.
+ * @param message A message describing the reason the permission was checked.
+ * @return The permission check result which is either PERMISSION_GRANTED,
+ * or PERMISSION_SOFT_DENIED or PERMISSION_HARD_DENIED.
+ */
+ PermissionChecker::PermissionResult checkPermissionForDataDeliveryFromDatasource(
+ const String16& permission, AttributionSourceState& attributionSource,
+ const String16& message);
+
+ /**
+ * Checks whether a given data access chain described by the given attribution source
+ * has a given permission and whether the app op that corresponds to this permission
+ * is allowed. The app ops are also marked as started. This is useful for long running
+ * permissions like camera and microphone.
+ *
+ * NOTE: The attribution source should be for yourself with its next attribution
+ * source being the app that would receive the data from you.
+ *
+ * NOTE: Use this method only for permission checks at the point where you will deliver
+ * the permission protected data to clients.
+ *
+ * @param permission The permission to check.
+ * @param attributionSource The attribution chain to check.
+ * @param message A message describing the reason the permission was checked.
+ * @return The permission check result which is either PERMISSION_GRANTED,
+ * or PERMISSION_SOFT_DENIED or PERMISSION_HARD_DENIED.
+ */
+ PermissionResult checkPermissionForStartDataDeliveryFromDatasource(
+ const String16& permission, AttributionSourceState& attributionSource,
+ const String16& message);
+
+ /**
+ * Finishes an ongoing op for data access chain described by the given
+ * attribution source.
+ *
+ * @param op The op to finish.
+ * @param attributionSource The attribution chain for which to finish data delivery.
+ */
+ void finishDataDelivery(const String16& op, AttributionSourceState& attributionSource);
+
+private:
+ Mutex mLock;
+ sp<IPermissionChecker> mService;
+ sp<IPermissionChecker> getService();
+
+ int32_t checkPermission(const String16& permission, AttributionSourceState& attributionSource,
+ const String16& message, bool forDataDelivery, bool startDataDelivery,
+ bool fromDatasource);
+};
+
+
+} // namespace android
+
+// ---------------------------------------------------------------------------