commit dab68dcd4d9aa1886c300c73c02d4bc5ad524ec9
author Joanne <joannechung@google.com> Wed Jan 11 19:14:58 2023 +0800
committer Joanne <joannechung@google.com> Fri Jan 13 12:20:09 2023 +0800
tree ef743ec9413e109b7f7be7abb300295cfa6b678d
parent 8b0fad3c9a4bfb6e82c734afca06c7df26fddf0b

Define a new permission to guard role-based application executing action

The system would like to enable Assistant to perform actions on
behalf of users inside of applications. We introduce a permission
that will be automatically granted to the assistant role. The
application exposes some services that allow only the assistant to
use the service, so application can use this permission to check the
caller that calls app’s service is the Assistant

Bug: 264324827
Test: atest PermissionPolicyTest#platformPermissionPolicyIsUnaltered
Change-Id: Ib0ad7a865e2bd89a32b4b2df955baeea293ff7dc

core/api/current.txt

diff --git a/core/api/current.txt b/core/api/current.txt
index 3cc5631..0627709 100644
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -89,6 +89,7 @@
     field public static final String DISABLE_KEYGUARD = "android.permission.DISABLE_KEYGUARD";
     field public static final String DUMP = "android.permission.DUMP";
     field public static final String ENFORCE_UPDATE_OWNERSHIP = "android.permission.ENFORCE_UPDATE_OWNERSHIP";
+    field public static final String EXECUTE_APP_ACTION = "android.permission.EXECUTE_APP_ACTION";
     field public static final String EXPAND_STATUS_BAR = "android.permission.EXPAND_STATUS_BAR";
     field public static final String FACTORY_TEST = "android.permission.FACTORY_TEST";
     field public static final String FOREGROUND_SERVICE = "android.permission.FOREGROUND_SERVICE";

core/res/AndroidManifest.xml

diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 81b3af0..7d5be48 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -6862,6 +6862,15 @@
     <permission android:name="android.permission.READ_HOME_APP_SEARCH_DATA"
         android:protectionLevel="internal|role" />
 
+    <!-- Allows an assistive application to perform actions on behalf of users inside of
+         applications.
+         <p>For now, this permission is only granted to system applications fulfilling the
+         ASSISTANT role.
+         <p>Protection level: internal|role
+    -->
+    <permission android:name="android.permission.EXECUTE_APP_ACTION"
+                android:protectionLevel="internal|role" />
+
     <!-- @SystemApi Allows an application to create virtual devices in VirtualDeviceManager.
          @hide -->
     <permission android:name="android.permission.CREATE_VIRTUAL_DEVICE"