Properly handle system app permissions.

System apps targeting SDK grater than Lollipop MR1 get runtime
permissions and when a new user is added we update the permissions
for all packages to ensure that the new user gets the runtime
permissions.

Change-Id: Ic7dc5b5a94b034e00d715a60b12f613803524c3b

diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index ad51457..5d3b0f1 100644 (file)
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -339,7 +339,7 @@ public class PackageManagerService extends IPackageManager.Stub {
     /** Permission grant: grant the permission as an install permission. */
     private static final int GRANT_INSTALL = 2;
 
-    /** Permission grant: grant the permission as a runtime permission. */
+    /** Permission grant: grant the permission as a runtime one. */
     private static final int GRANT_RUNTIME = 3;
 
     /** Permission grant: grant as runtime a permission that was granted as an install time one. */
@@ -7022,8 +7022,8 @@ public class PackageManagerService extends IPackageManager.Stub {
                         // For legacy apps dangerous permissions are install time ones.
                         grant = GRANT_INSTALL;
                     } else if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
-                        // For modern system apps dangerous permissions are install time ones.
-                        grant = GRANT_INSTALL;
+                        // For modern system apps dangerous permissions are runtime ones.
+                        grant = GRANT_UPGRADE;
                     } else {
                         if (origPermissions.hasInstallPermission(bp.name)) {
                             // For legacy apps that became modern, install becomes runtime.
@@ -13358,6 +13358,11 @@ public class PackageManagerService extends IPackageManager.Stub {
         }
     }
 
+    void newUserCreatedLILPw(int userHandle) {
+        // Adding a user requires updating runtime permissions for system apps.
+        updatePermissionsLPw(null, null, UPDATE_PERMISSIONS_ALL);
+    }
+
     @Override
     public VerifierDeviceIdentity getVerifierDeviceIdentity() throws RemoteException {
         mContext.enforceCallingOrSelfPermission(

diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 26ecb72..8cc9d19 100644 (file)
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -1219,6 +1219,7 @@ public class UserManagerService extends IUserManager.Stub {
                     updateUserIdsLocked();
                     Bundle restrictions = new Bundle();
                     mUserRestrictions.append(userId, restrictions);
+                    mPm.newUserCreatedLILPw(userId);
                 }
             }
             if (userInfo != null) {