1 From b49dd21cff01d7aeffab3a4815cfe980ab3530de Mon Sep 17 00:00:00 2001
2 From: bigrushdog <randall.rushing@gmail.com>
3 Date: Mon, 19 Dec 2016 04:33:31 -0800
4 Subject: [PATCH 30/43] OMS: Introduce MODIFY_OVERLAYS permission for user apps
6 This permission will grant the app read and write permissions
7 to access OverlayManagerService. If caller does not posess
8 this permissions, OMS falls back to default permission checks
10 Change-Id: Ib6b10b516577f338aee31e759bfd16278f902c20
11 (cherry picked from commit 8e59c96513c573a4912492c005b076cb2a972332)
13 core/res/AndroidManifest.xml | 6 +++++
14 core/res/res/values/strings.xml | 5 +++++
15 .../android/server/om/OverlayManagerService.java | 26 +++++++++++++++-------
16 3 files changed, 29 insertions(+), 8 deletions(-)
18 diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
19 index 6a5bd3946db..3ceb17ba568 100644
20 --- a/core/res/AndroidManifest.xml
21 +++ b/core/res/AndroidManifest.xml
22 @@ -3162,6 +3162,12 @@
23 <permission android:name="android.permission.SUBSTITUTE_NOTIFICATION_APP_NAME"
24 android:protectionLevel="signature|privileged" />
26 + <!-- Allows an application to make calls to OverlayManagerService.-->
27 + <permission android:name="android.permission.MODIFY_OVERLAYS"
28 + android:label="@string/permlab_modifyOverlays"
29 + android:description="@string/permdesc_modifyOverlays"
30 + android:protectionLevel="normal" />
32 <application android:process="system"
33 android:persistent="true"
34 android:hasCode="false"
35 diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
36 index 8f5f8cfa0de..8313d5d0b9c 100755
37 --- a/core/res/res/values/strings.xml
38 +++ b/core/res/res/values/strings.xml
39 @@ -1411,6 +1411,11 @@
40 <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
41 <string name="permdesc_access_notification_policy">Allows the app to read and write Do Not Disturb configuration.</string>
43 + <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
44 + <string name="permlab_modifyOverlays">modify theme overlays</string>
45 + <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
46 + <string name="permdesc_modifyOverlays">Allows the app to make modifications to theme overlays using OverlayManagerService</string>
48 <!-- Policy administration -->
50 <!-- Title of policy access to limiting the user's password choices -->
51 diff --git a/services/core/java/com/android/server/om/OverlayManagerService.java b/services/core/java/com/android/server/om/OverlayManagerService.java
52 index deb9046a2d4..e205ce1d030 100644
53 --- a/services/core/java/com/android/server/om/OverlayManagerService.java
54 +++ b/services/core/java/com/android/server/om/OverlayManagerService.java
55 @@ -36,6 +36,7 @@ import android.content.om.IOverlayManager;
56 import android.content.om.OverlayInfo;
57 import android.content.pm.IPackageManager;
58 import android.content.pm.PackageInfo;
59 +import android.content.pm.PackageManager;
60 import android.content.pm.PackageManagerInternal;
61 import android.content.pm.UserInfo;
62 import android.net.Uri;
63 @@ -114,7 +115,8 @@ import java.util.concurrent.atomic.AtomicBoolean;
64 * the caller runs as, or if the caller holds the
65 * INTERACT_ACROSS_USERS_FULL permission. Write-access is granted if the
66 * caller is granted read-access and additionaly holds the
67 - * CHANGE_CONFIGURATION permission.</li>
68 + * CHANGE_CONFIGURATION permission. Additionally, read and write access
69 + * is granted by the MODIFY_OVERLAYS permission.</li>
72 * <p>The AIDL interface works with String package names, int user IDs, and
73 @@ -549,19 +551,24 @@ public final class OverlayManagerService extends SystemService {
75 * Ensure that the caller has permission to interact with the given userId.
76 * If the calling user is not the same as the provided user, the caller needs
77 - * to hold the INTERACT_ACROSS_USERS_FULL permission (or be system uid or
78 + * to hold the INTERACT_ACROSS_USERS_FULL permission or MODIFY_OVERLAYS permission (or be system uid or
81 * @param userId the user to interact with
82 * @param message message for any SecurityException
84 private int handleIncomingUser(final int userId, @NonNull final String message) {
85 - return ActivityManager.handleIncomingUser(Binder.getCallingPid(),
86 - Binder.getCallingUid(), userId, false, true, message, null);
87 + if (getContext().checkCallingOrSelfPermission(
88 + android.Manifest.permission.MODIFY_OVERLAYS) == PackageManager.PERMISSION_GRANTED) {
91 + return ActivityManager.handleIncomingUser(Binder.getCallingPid(),
92 + Binder.getCallingUid(), userId, false, true, message, null);
97 - * Enforce that the caller holds the CHANGE_CONFIGURATION permission (or is
98 + * Enforce that the caller holds the CHANGE_CONFIGURATION permission or MODIFY_OVERLAYS permission (or is
101 * @param message used as message if SecurityException is thrown
102 @@ -570,9 +577,12 @@ public final class OverlayManagerService extends SystemService {
103 private void enforceChangeConfigurationPermission(@NonNull final String message) {
104 final int callingUid = Binder.getCallingUid();
106 - if (callingUid != Process.SYSTEM_UID && callingUid != 0) {
107 - getContext().enforceCallingOrSelfPermission(
108 - android.Manifest.permission.CHANGE_CONFIGURATION, message);
109 + if (getContext().checkCallingOrSelfPermission(
110 + android.Manifest.permission.MODIFY_OVERLAYS) != PackageManager.PERMISSION_GRANTED) {
111 + if (callingUid != Process.SYSTEM_UID && callingUid != 0) {
112 + getContext().enforceCallingOrSelfPermission(
113 + android.Manifest.permission.CHANGE_CONFIGURATION, message);
projects / GitHub / Stricted / android_vendor_extra.git / blob