Moving permission and flag changes out of root identity for AppCloning
IntentRedirection
Earlier the permission was being checked with system server's pid and
uid as we were clearing binder identity for finding the values of
AppCloningBuildingBlocks flag. Because of this the check was moot,
moving the check out, so that it uses callers pd and uid.
Bug: 281738146
Test: atest com.android.cts.appcloning.IntentRedirectionTest
Change-Id: I62642d2c7cd76912ae800b02688cdc91d1a78214
diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
index ead5fd4..a044602 100644
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -525,6 +525,8 @@
<permission name="android.permission.USE_ATTESTATION_VERIFICATION_SERVICE" />
<!-- Permission required for GTS test - GtsCredentialsTestCases -->
<permission name="android.permission.LAUNCH_CREDENTIAL_SELECTOR"/>
+ <!-- Permission required for CTS test IntentRedirectionTest -->
+ <permission name="android.permission.QUERY_CLONED_APPS"/>
</privapp-permissions>
<privapp-permissions package="com.android.statementservice">
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index 8b3fd41..43f98c3 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -837,6 +837,8 @@
<uses-permission android:name="android.permission.USE_ATTESTATION_VERIFICATION_SERVICE" />
<!-- Permission required for GTS test - GtsCredentialsTestCases -->
<uses-permission android:name="android.permission.LAUNCH_CREDENTIAL_SELECTOR" />
+ <!-- Permission required for CTS test IntentRedirectionTest -->
+ <uses-permission android:name="android.permission.QUERY_CLONED_APPS" />
<application
android:label="@string/app_label"
diff --git a/services/core/java/com/android/server/pm/NoFilteringResolver.java b/services/core/java/com/android/server/pm/NoFilteringResolver.java
index ccd5b0e..b87256d 100644
--- a/services/core/java/com/android/server/pm/NoFilteringResolver.java
+++ b/services/core/java/com/android/server/pm/NoFilteringResolver.java
@@ -60,15 +60,9 @@
public static boolean isIntentRedirectionAllowed(Context context,
AppCloningDeviceConfigHelper appCloningDeviceConfigHelper, boolean resolveForStart,
long flags) {
- final long token = Binder.clearCallingIdentity();
- try {
- return context.getResources().getBoolean(R.bool.config_enableAppCloningBuildingBlocks)
- && appCloningDeviceConfigHelper.getEnableAppCloningBuildingBlocks()
+ return isAppCloningBuildingBlocksEnabled(context, appCloningDeviceConfigHelper)
&& (resolveForStart || (((flags & PackageManager.MATCH_CLONE_PROFILE) != 0)
&& hasPermission(context, Manifest.permission.QUERY_CLONED_APPS)));
- } finally {
- Binder.restoreCallingIdentity(token);
- }
}
public NoFilteringResolver(ComponentResolverApi componentResolver,
@@ -146,4 +140,18 @@
return context.checkCallingOrSelfPermission(permission)
== PackageManager.PERMISSION_GRANTED;
}
+
+ /**
+ * Checks if the AppCloningBuildingBlocks flag is enabled.
+ */
+ private static boolean isAppCloningBuildingBlocksEnabled(Context context,
+ AppCloningDeviceConfigHelper appCloningDeviceConfigHelper) {
+ final long token = Binder.clearCallingIdentity();
+ try {
+ return context.getResources().getBoolean(R.bool.config_enableAppCloningBuildingBlocks)
+ && appCloningDeviceConfigHelper.getEnableAppCloningBuildingBlocks();
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+ }
}