Allow AMS fgs notification rate limit with ALLOWLIST permission

Android 16 limits the shell user to only modify the DeviceConfig
flags that have been allowlisted; to support this, the
WRITE_DEVICE_CONFIG permission will be removed from the shell user.
Some CTS tests adopt the shell permission identity to invoke the AMS
service method enableFgsNotificationRateLimit which is currently
guarded with the WRITE_DEVICE_CONFIG permission. To support these
tests, this commit updates this method to also allow the action if
the caller has the WRITE_ALLOWLISTED_DEVICE_CONFIG permission.

Bug: 364083026
Flag: android.security.protect_device_config_flags
Test: atest ServiceTest
Change-Id: I7ac4d3d92a73bc60546bbfcb9c9d5469004f76ce
diff --git a/core/java/android/app/IActivityManager.aidl b/core/java/android/app/IActivityManager.aidl
index 34a3ad1..97bcea2 100644
--- a/core/java/android/app/IActivityManager.aidl
+++ b/core/java/android/app/IActivityManager.aidl
@@ -864,7 +864,8 @@
 
     /**
      * Suppress or reenable the rate limit on foreground service notification deferral.
-     * This is for use within CTS and is protected by android.permission.WRITE_DEVICE_CONFIG.
+     * This is for use within CTS and is protected by android.permission.WRITE_DEVICE_CONFIG
+     * and WRITE_ALLOWLISTED_DEVICE_CONFIG.
      *
      * @param enable false to suppress rate-limit policy; true to reenable it.
      */
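Review bot: The updated comment says the method is protected by WRITE_DEVICE_CONFIG "and" WRITE_ALLOWLISTED_DEVICE_CONFIG, which reads as if a caller must hold both. The ActivityManagerService hunk in this commit accepts either one, and accepts the allowlisted permission only when protect_device_config_flags is enabled. Suggested wording: `* This is for use within CTS. The caller must hold android.permission.WRITE_DEVICE_CONFIG or, when` followed by `* protect_device_config_flags is enabled, android.permission.WRITE_ALLOWLISTED_DEVICE_CONFIG.` The method declaration this comment documents is outside the hunk.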
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 1c3569d..daf0561 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -19066,8 +19066,13 @@
      */
     @Override
     public boolean enableFgsNotificationRateLimit(boolean enable) {
-        enforceCallingPermission(permission.WRITE_DEVICE_CONFIG,
-                "enableFgsNotificationRateLimit");
+        if (android.security.Flags.protectDeviceConfigFlags()) {
+            enforceCallingHasAtLeastOnePermission("enableFgsNotificationRateLimit",
+                    permission.WRITE_DEVICE_CONFIG, permission.WRITE_ALLOWLISTED_DEVICE_CONFIG);
+        } else {
+            enforceCallingPermission(permission.WRITE_DEVICE_CONFIG,
+                    "enableFgsNotificationRateLimit");
+        }
         synchronized (this) {
             return mServices.enableFgsNotificationRateLimitLocked(enable);
         }
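Review bot: The flag-on branch lets WRITE_ALLOWLISTED_DEVICE_CONFIG authorize an ActivityManager toggle that is not a DeviceConfig write, so the permission now covers more than the per-flag allowlist described in the commit message, and nothing at the call site records that this is intentional. A comment above the `if` would help anyone later auditing what holders of that permission can do, e.g. `// Not a DeviceConfig write: WRITE_ALLOWLISTED_DEVICE_CONFIG is accepted here only so CTS can call this via the shell identity.` enforceCallingHasAtLeastOnePermission is defined outside the hunk, so confirm that it throws SecurityException and treats same-process callers the same way enforceCallingPermission does. The listed test presumably exercises only the granted path; a case asserting that a caller holding neither permission is rejected under both flag states would pin the guard. The method's closing brace is outside the hunk.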