Merge cherrypicks of [19946225] into rvc-platform-release.
Change-Id: Ia798bb216734c39b5054b690640d97b14cdde494
diff --git a/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java b/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java
index b4a79b4..8d082c0 100644
--- a/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java
+++ b/src/com/android/permissioncontroller/permission/service/PermissionControllerServiceImpl.java
@@ -36,6 +36,7 @@
import android.os.Looper;
import android.os.Process;
import android.os.UserHandle;
+import android.os.UserManager;
import android.permission.PermissionManager;
import android.permission.RuntimePermissionPresentationInfo;
import android.permission.RuntimePermissionUsageInfo;
@@ -56,6 +57,7 @@
import com.android.permissioncontroller.permission.model.livedatatypes.AppPermGroupUiInfo.PermGrantState;
import com.android.permissioncontroller.permission.ui.AutoGrantPermissionsNotifier;
import com.android.permissioncontroller.permission.utils.ArrayUtils;
+import com.android.permissioncontroller.permission.utils.AdminRestrictedPermissionsUtils;
import com.android.permissioncontroller.permission.utils.KotlinUtils;
import com.android.permissioncontroller.permission.utils.UserSensitiveFlagsUtils;
import com.android.permissioncontroller.permission.utils.Utils;
@@ -518,6 +520,8 @@
AutoGrantPermissionsNotifier autoGrantPermissionsNotifier =
new AutoGrantPermissionsNotifier(this, pkgInfo);
+ final boolean isManagedProfile = getSystemService(UserManager.class).isManagedProfile();
+
int numPerms = expandedPermissions.size();
for (int i = 0; i < numPerms; i++) {
String permName = expandedPermissions.get(i);
@@ -533,9 +537,15 @@
switch (grantState) {
case PERMISSION_GRANT_STATE_GRANTED:
- perm.setPolicyFixed(true);
- group.grantRuntimePermissions(false, false, new String[]{permName});
- autoGrantPermissionsNotifier.onPermissionAutoGranted(permName);
+ if (AdminRestrictedPermissionsUtils.mayAdminGrantPermission(perm.getName(),
+ isManagedProfile)) {
+ perm.setPolicyFixed(true);
+ group.grantRuntimePermissions(false, false, new String[]{permName});
+ autoGrantPermissionsNotifier.onPermissionAutoGranted(permName);
+ } else {
+ // similar to PERMISSION_GRANT_STATE_DEFAULT
+ perm.setPolicyFixed(false);
+ }
break;
case PERMISSION_GRANT_STATE_DENIED:
perm.setPolicyFixed(true);
diff --git a/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java b/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java
new file mode 100644
index 0000000..917c633
--- /dev/null
+++ b/src/com/android/permissioncontroller/permission/utils/AdminRestrictedPermissionsUtils.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.permissioncontroller.permission.utils;
+
+import android.Manifest;
+import android.util.ArraySet;
+
+/**
+ * A class for dealing with permissions that the admin may not grant in certain configurations.
+ */
+public final class AdminRestrictedPermissionsUtils {
+
+ /**
+ * A set of permissions that the managed Profile Owner cannot grant.
+ */
+ private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
+ new ArraySet<>();
+
+ static {
+ MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.add(Manifest.permission.READ_SMS);
+ }
+
+ /**
+ * Returns true if the admin may grant this permission, false otherwise.
+ */
+ public static boolean mayAdminGrantPermission(String permission, boolean isManagedProfile) {
+ return !isManagedProfile
+ || !MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
+ }
+}