Whitelist all perms on installExistingPackage

The code allows to also whitelist only a select set of permissions, but this is not yet exposed in the API. Also: Fix up shell commands for restricted permissions Fixes: 132368462 Test: - Enabled app via device admin in secondary profile -> verified that permissions were whitelisted - Installed existing and new app using --restrictpermissions and not -> verified that permissions were whitelisted or not atest AppRestrictionsHelperTest RestrictedPermissionsTest Change-Id: I9787e63d8beb8f6b1ba2d15532d4c0f69dbdf863
author: Philip P. Moltmann <moltmann@google.com> 2019-05-13 17:10:46 -0700
committer: Philip P. Moltmann <moltmann@google.com> 2019-05-15 11:12:47 -0700
commit: bfcffa085140f27883367e34e308a6bafc5d6015 (patch)
tree: ee5627e74c30e14ae3ef2a15740a71bb7e5c9d35
parent: ed16de4cdb722800978c0442697488ec13b7e0ea (diff)
11 files changed, 60 insertions, 30 deletions
diff --git a/apct-tests/perftests/multiuser/src/android/multiuser/UserLifecycleTests.java b/apct-tests/perftests/multiuser/src/android/multiuser/UserLifecycleTests.java
index 6b09a9f150cf..ee4e1e43c8e6 100644
--- a/apct-tests/perftests/multiuser/src/android/multiuser/UserLifecycleTests.java
+++ b/apct-tests/perftests/multiuser/src/android/multiuser/UserLifecycleTests.java
@@ -485,8 +485,9 @@ public class UserLifecycleTests {
         });
 
         final IPackageInstaller installer = AppGlobals.getPackageManager().getPackageInstaller();
-        installer.installExistingPackage(packageName, 0, PackageManager.INSTALL_REASON_UNKNOWN,
-                sender, userId);
+        installer.installExistingPackage(packageName,
+                PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                PackageManager.INSTALL_REASON_UNKNOWN, sender, userId, null);
 
         try {
             latch.await(TIMEOUT_IN_SECOND, TimeUnit.SECONDS);
diff --git a/core/java/android/app/ApplicationPackageManager.java b/core/java/android/app/ApplicationPackageManager.java
index fcb5312af042..e785739d2752 100644
--- a/core/java/android/app/ApplicationPackageManager.java
+++ b/core/java/android/app/ApplicationPackageManager.java
@@ -1953,8 +1953,8 @@ public class ApplicationPackageManager extends PackageManager {
     private int installExistingPackageAsUser(String packageName, int installReason, int userId)
             throws NameNotFoundException {
         try {
-            int res = mPM.installExistingPackageAsUser(packageName, userId, 0 /*installFlags*/,
-                    installReason);
+            int res = mPM.installExistingPackageAsUser(packageName, userId,
+                    INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS, installReason, null);
             if (res == INSTALL_FAILED_INVALID_URI) {
                 throw new NameNotFoundException("Package " + packageName + " doesn't exist");
             }
diff --git a/core/java/android/content/pm/IPackageInstaller.aidl b/core/java/android/content/pm/IPackageInstaller.aidl
index 8e840796e953..b0b2c33e0ddd 100644
--- a/core/java/android/content/pm/IPackageInstaller.aidl
+++ b/core/java/android/content/pm/IPackageInstaller.aidl
@@ -52,7 +52,7 @@ interface IPackageInstaller {
             in IntentSender statusReceiver, int userId);
 
     void installExistingPackage(String packageName, int installFlags, int installReason,
-            in IntentSender statusReceiver, int userId);
+            in IntentSender statusReceiver, int userId, in List<String> whiteListedPermissions);
 
     void setPermissionsResult(int sessionId, boolean accepted);
 }
diff --git a/core/java/android/content/pm/IPackageManager.aidl b/core/java/android/content/pm/IPackageManager.aidl
index 6ab4657d727d..a7eecd7f4306 100644
--- a/core/java/android/content/pm/IPackageManager.aidl
+++ b/core/java/android/content/pm/IPackageManager.aidl
@@ -634,7 +634,7 @@ interface IPackageManager {
     int getInstallLocation();
 
     int installExistingPackageAsUser(String packageName, int userId, int installFlags,
-            int installReason);
+            int installReason, in List<String> whiteListedPermissions);
 
     void verifyPendingInstall(int id, int verificationCode);
     void extendVerificationTimeout(int id, int verificationCodeAtTimeout, long millisecondsToDelay);
diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java
index 89eabc285e38..3cecd7f88045 100644
--- a/core/java/android/content/pm/PackageInstaller.java
+++ b/core/java/android/content/pm/PackageInstaller.java
@@ -627,6 +627,10 @@ public class PackageInstaller {
      * Install the given package, which already exists on the device, for the user for which this
      * installer was created.
      *
+     * <p>This will
+     * {@link PackageInstaller.SessionParams#setWhitelistedRestrictedPermissions(Set) whitelist
+     * all restricted permissions}.
+     *
      * @param packageName The package to install.
      * @param installReason Reason for install.
      * @param statusReceiver Where to deliver the result.
@@ -639,8 +643,9 @@ public class PackageInstaller {
             @Nullable IntentSender statusReceiver) {
         Preconditions.checkNotNull(packageName, "packageName cannot be null");
         try {
-            mInstaller.installExistingPackage(packageName, 0, installReason, statusReceiver,
-                    mUserId);
+            mInstaller.installExistingPackage(packageName,
+                    PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS, installReason,
+                    statusReceiver, mUserId, null);
         } catch (RemoteException e) {
             throw e.rethrowFromSystemServer();
         }
diff --git a/packages/SettingsLib/src/com/android/settingslib/users/AppRestrictionsHelper.java b/packages/SettingsLib/src/com/android/settingslib/users/AppRestrictionsHelper.java
index ec8bb80bee13..4941f7e42bf6 100644
--- a/packages/SettingsLib/src/com/android/settingslib/users/AppRestrictionsHelper.java
+++ b/packages/SettingsLib/src/com/android/settingslib/users/AppRestrictionsHelper.java
@@ -117,7 +117,8 @@ public class AppRestrictionsHelper {
                 if (info == null || !info.enabled
                         || (info.flags&ApplicationInfo.FLAG_INSTALLED) == 0) {
                     mIPm.installExistingPackageAsUser(packageName, mUser.getIdentifier(),
-                            0 /*installFlags*/, PackageManager.INSTALL_REASON_UNKNOWN);
+                            PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                            PackageManager.INSTALL_REASON_UNKNOWN, null);
                     if (DEBUG) {
                         Log.d(TAG, "Installing " + packageName);
                     }
diff --git a/packages/SettingsLib/tests/integ/src/com/android/settingslib/users/AppRestrictionsHelperTest.java b/packages/SettingsLib/tests/integ/src/com/android/settingslib/users/AppRestrictionsHelperTest.java
index e840a4be8b80..b216a2a3fb78 100644
--- a/packages/SettingsLib/tests/integ/src/com/android/settingslib/users/AppRestrictionsHelperTest.java
+++ b/packages/SettingsLib/tests/integ/src/com/android/settingslib/users/AppRestrictionsHelperTest.java
@@ -16,15 +16,14 @@
 
 package com.android.settingslib.users;
 
-import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyInt;
 import static org.mockito.Matchers.argThat;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Matchers.nullable;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.when;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
 
 import android.appwidget.AppWidgetManager;
 import android.content.Context;
@@ -43,6 +42,7 @@ import android.os.UserHandle;
 import android.os.UserManager;
 import android.test.suitebuilder.annotation.SmallTest;
 import android.view.inputmethod.InputMethodInfo;
+
 import com.android.settingslib.BaseTest;
 
 import org.mockito.ArgumentMatcher;
@@ -146,7 +146,8 @@ public class AppRestrictionsHelperTest extends BaseTest {
         mHelper.applyUserAppsStates(mockListener);
 
         verify(mIpm, times(1)).installExistingPackageAsUser("app1", testUserId,
-                0 /*installFlags*/, PackageManager.INSTALL_REASON_UNKNOWN);
+                PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                PackageManager.INSTALL_REASON_UNKNOWN, null);
         verify(mIpm, times(1)).setApplicationHiddenSettingAsUser("app2", false, testUserId);
         verify(mockListener).onDisableUiForPackage("app2");
         verify(mPm, times(1)).deletePackageAsUser(eq("app3"),
diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
index 35f21496f2cc..bd8859401856 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
@@ -854,9 +854,9 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements
 
     @Override
     public void installExistingPackage(String packageName, int installFlags, int installReason,
-            IntentSender statusReceiver, int userId) {
+            IntentSender statusReceiver, int userId, List<String> whiteListedPermissions) {
         mPm.installExistingPackageAsUser(packageName, userId, installFlags, installReason,
-                statusReceiver);
+                whiteListedPermissions, statusReceiver);
     }
 
     @Override
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index aae146cdae91..06cff0a3eb3c 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -13386,8 +13386,9 @@ public class PackageManagerService extends IPackageManager.Stub
                 installExistingPackageAsUser(
                         packageName,
                         userId,
-                        0 /*installFlags*/,
-                        PackageManager.INSTALL_REASON_DEVICE_SETUP);
+                        PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                        PackageManager.INSTALL_REASON_DEVICE_SETUP,
+                        null);
                 return true;
             }
 
@@ -13475,15 +13476,19 @@ public class PackageManagerService extends IPackageManager.Stub
      */
     @Override
     public int installExistingPackageAsUser(String packageName, int userId, int installFlags,
-            int installReason) {
-        return installExistingPackageAsUser(packageName, userId, installFlags, installReason, null);
+            int installReason, List<String> whiteListedPermissions) {
+        return installExistingPackageAsUser(packageName, userId, installFlags, installReason,
+                whiteListedPermissions, null);
     }
 
-    int installExistingPackageAsUser(String packageName, int userId, int installFlags,
-            int installReason, IntentSender intentSender) {
+    int installExistingPackageAsUser(@Nullable String packageName, @UserIdInt int userId,
+            @PackageManager.InstallFlags int installFlags,
+            @PackageManager.InstallReason int installReason,
+            @Nullable List<String> whiteListedPermissions, @Nullable IntentSender intentSender) {
         if (DEBUG_INSTALL) {
             Log.v(TAG, "installExistingPackageAsUser package=" + packageName + " userId=" + userId
-                    + " installFlags=" + installFlags + " installReason=" + installReason);
+                    + " installFlags=" + installFlags + " installReason=" + installReason
+                    + " whiteListedPermissions=" + whiteListedPermissions);
         }
 
         final int callingUid = Binder.getCallingUid();
@@ -13546,6 +13551,13 @@ public class PackageManagerService extends IPackageManager.Stub
             }
 
             if (installed) {
+                if ((installFlags & PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS)
+                        != 0 && pkgSetting.pkg != null) {
+                    whiteListedPermissions = pkgSetting.pkg.requestedPermissions;
+                }
+                setWhitelistedRestrictedPermissions(packageName, whiteListedPermissions,
+                        PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER, userId);
+
                 if (pkgSetting.pkg != null) {
                     synchronized (mInstallLock) {
                         // We don't need to freeze for a brand new install
diff --git a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
index fbf074e3ba15..8bfcf47833a4 100644
--- a/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
+++ b/services/core/java/com/android/server/pm/PackageManagerShellCommand.java
@@ -1116,7 +1116,7 @@ class PackageManagerShellCommand extends ShellCommand {
     private int runInstallExisting() throws RemoteException {
         final PrintWriter pw = getOutPrintWriter();
         int userId = UserHandle.USER_SYSTEM;
-        int installFlags = 0;
+        int installFlags = PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS;
         String opt;
         boolean waitTillComplete = false;
         while ((opt = getNextOption()) != null) {
@@ -1136,6 +1136,9 @@ class PackageManagerShellCommand extends ShellCommand {
                 case "--wait":
                     waitTillComplete = true;
                     break;
+                case "--restrict-permissions":
+                    installFlags &= ~PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS;
+                    break;
                 default:
                     pw.println("Error: Unknown option: " + opt);
                     return 1;
@@ -1155,7 +1158,7 @@ class PackageManagerShellCommand extends ShellCommand {
                 final IPackageInstaller installer = mInterface.getPackageInstaller();
                 pw.println("Installing package " + packageName + " for user: " + userId);
                 installer.installExistingPackage(packageName, installFlags, installReason,
-                        receiver.getIntentSender(), userId);
+                        receiver.getIntentSender(), userId, null);
                 final Intent result = receiver.getResult();
                 final int status = result.getIntExtra(PackageInstaller.EXTRA_STATUS,
                         PackageInstaller.STATUS_FAILURE);
@@ -1164,7 +1167,7 @@ class PackageManagerShellCommand extends ShellCommand {
             }
 
             final int res = mInterface.installExistingPackageAsUser(packageName, userId,
-                    installFlags, installReason);
+                    installFlags, installReason, null);
             if (res == PackageManager.INSTALL_FAILED_INVALID_URI) {
                 throw new NameNotFoundException("Package " + packageName + " doesn't exist");
             }
@@ -2324,7 +2327,11 @@ class PackageManagerShellCommand extends ShellCommand {
     private InstallParams makeInstallParams() {
         final SessionParams sessionParams = new SessionParams(SessionParams.MODE_FULL_INSTALL);
         final InstallParams params = new InstallParams();
+
         params.sessionParams = sessionParams;
+        // Whitelist all permissions by default
+        sessionParams.installFlags |= PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS;
+
         String opt;
         boolean replaceExisting = true;
         while ((opt = getNextOption()) != null) {
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 22231c0ab09b..e2e9c420a046 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -9680,7 +9680,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                 // Install the profile owner if not present.
                 if (!mIPackageManager.isPackageAvailable(adminPkg, userHandle)) {
                     mIPackageManager.installExistingPackageAsUser(adminPkg, userHandle,
-                            0 /*installFlags*/, PackageManager.INSTALL_REASON_POLICY);
+                            PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                            PackageManager.INSTALL_REASON_POLICY, null);
                 }
             } catch (RemoteException e) {
                 // Does not happen, same process
@@ -10176,7 +10177,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
 
                 // Install the app.
                 mIPackageManager.installExistingPackageAsUser(packageName, userId,
-                        0 /*installFlags*/, PackageManager.INSTALL_REASON_POLICY);
+                        PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                        PackageManager.INSTALL_REASON_POLICY, null);
                 if (isDemo) {
                     // Ensure the app is also ENABLED for demo users.
                     mIPackageManager.setApplicationEnabledSetting(packageName,
@@ -10230,7 +10232,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                             if (isSystemApp(mIPackageManager, packageName, parentUserId)) {
                                 numberOfAppsInstalled++;
                                 mIPackageManager.installExistingPackageAsUser(packageName, userId,
-                                        0 /*installFlags*/, PackageManager.INSTALL_REASON_POLICY);
+                                        PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                                        PackageManager.INSTALL_REASON_POLICY, null);
                             } else {
                                 Slog.d(LOG_TAG, "Not enabling " + packageName + " since is not a"
                                         + " system app");
@@ -10289,9 +10292,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                 }
 
                 // Install the package.
-                result = mIPackageManager
-                        .installExistingPackageAsUser(packageName, callingUserId,
-                        0 /*installFlags*/, PackageManager.INSTALL_REASON_POLICY)
+                result = mIPackageManager.installExistingPackageAsUser(packageName, callingUserId,
+                        PackageManager.INSTALL_ALL_WHITELIST_RESTRICTED_PERMISSIONS,
+                        PackageManager.INSTALL_REASON_POLICY, null)
                         == PackageManager.INSTALL_SUCCEEDED;
             } catch (RemoteException re) {
                 // shouldn't happen
author	Philip P. Moltmann <moltmann@google.com>	2019-05-13 17:10:46 -0700
committer	Philip P. Moltmann <moltmann@google.com>	2019-05-15 11:12:47 -0700
commit	bfcffa085140f27883367e34e308a6bafc5d6015 (patch)
tree	ee5627e74c30e14ae3ef2a15740a71bb7e5c9d35
parent	ed16de4cdb722800978c0442697488ec13b7e0ea (diff)