DO NOT MERGE. Retain DownloadManager Uri grants when clearing.

As part of fixing a recent security issue, DownloadManager now needs
to issue Uri permission grants for all downloads.  However, if an app
that requested a download is upgraded or otherwise force-stopped,
the required permission grants are removed.

We could tell DownloadManager about the app being stopped, but that
would be racy (due to background broadcast), and waking it up would
degrade system health.  Instead, as a special case we now only
consider clearing DownloadManager permission grants when app data
is being cleared.

Bug: 32172542, 30537115
Test: builds, boots, app upgrade doesn't clear grants
Change-Id: I7e3d4546fd12bfe5f81b9fb9857ece58d574a6b9
(cherry picked from commit 23ec811266fb728cf159a90ce4882b3c9bac1887)
(cherry picked from commit fbf395c220ab07d0596426ea3e7f596e9015ee63)

diff --git a/core/java/android/provider/Downloads.java b/core/java/android/provider/Downloads.java
index b2d9b93..dc874bb 100644 (file)
--- a/core/java/android/provider/Downloads.java
+++ b/core/java/android/provider/Downloads.java
@@ -41,6 +41,8 @@ public final class Downloads {
     public static final class Impl implements BaseColumns {
         private Impl() {}
 
+        public static final String AUTHORITY = "downloads";
+
         /**
          * The permission to access the download manager
          */

diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index a093bf5..948efdc 100644 (file)
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -212,6 +212,7 @@ import android.os.SystemProperties;
 import android.os.UpdateLock;
 import android.os.UserHandle;
 import android.os.UserManager;
+import android.provider.Downloads;
 import android.provider.Settings;
 import android.telecom.TelecomManager;
 import android.text.format.DateUtils;
@@ -7890,6 +7891,12 @@ public final class ActivityManagerService extends ActivityManagerNative
                     // Only inspect grants matching package
                     if (packageName == null || perm.sourcePkg.equals(packageName)
                             || perm.targetPkg.equals(packageName)) {
+                        // Hacky solution as part of fixing a security bug; ignore
+                        // grants associated with DownloadManager so we don't have
+                        // to immediately launch it to regrant the permissions
+                        if (Downloads.Impl.AUTHORITY.equals(perm.uri.uri.getAuthority())
+                                && !persistable) continue;
+
                         persistChanged |= perm.revokeModes(persistable
                                 ? ~0 : ~Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION, true);