Avoid auto-granting special permissions when existing state is present

chenxiaolong · chenxiaolong · commit 6c7af8f9a7a6 · 2025-04-15T20:45:14.000-04:00
From PermissionService's point of view, installing a new app and restoring an archived app are the same. The only difference is in the PackageInstalledParams.mPermissionStates map: * For a new app install, the INTERNET permission is present in the map and its value corresponds to what the user picked for the network toggle in the installation dialog. * For an archived app restore, the map is always empty. Any permission managed by SpecialRuntimePermUtils, but was not included in the installation request, would be set to the default auto-grant value (eg. global default for OTHER_SENSORS). This is fine for new app installs, but when restoring an app, this would overwrite the existing permission state from when the app was originally archived. This commit fixes the issue by skipping the auto-grant logic when the permission is already present in state. There is no change in behavior for new app installs since that starts off with no state. Fixes: GrapheneOS/os-issue-tracker#5256 Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
diff --git a/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt b/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt
@@ -2443,8 +2443,22 @@ class PermissionService(private val service: AccessCheckingService) :
             )
             val permissionStates = ArrayMap(params.permissionStates)
             if (params.isNewlyInstalledInUserId(userId)) {
+                // Despite the method name, this is reached both during initial app installation and
+                // when archived apps are restored. For the latter scenario, avoid auto-granting
+                // permissions if the permissions already exist in the persisted permissions state
+                // since it would overwrite the user's previously set preferences.
                 SpecialRuntimePermUtils.getAll().forEach { perm ->
-                    if (!permissionStates.contains(perm)) {
+                    val oldFlags = service.getState {
+                        getPermissionFlagsWithPolicy(
+                            packageState.appId,
+                            userId,
+                            perm,
+                            // Same as setRequestedPermissionStates() below.
+                            VirtualDeviceManager.PERSISTENT_DEVICE_ID_DEFAULT,
+                        )
+                    }
+
+                    if (!permissionStates.contains(perm) && !oldFlags.hasBits(PermissionFlags.USER_SET)) {
                         if (SpecialRuntimePermUtils.shouldAutoGrant(context, androidPackage.packageName, userId, perm)) {
                             permissionStates.set(perm, PackageInstaller.SessionParams.PERMISSION_STATE_GRANTED)
                         }
