Enforce READ_EXTERNAL on non-user builds.

Enable default enforcement of READ_EXTERNAL_STORAGE on non-user
builds. Users can still explicitly enable enforcement in Settings.

Bug: 6131916
Change-Id: I7dc66b624ad252ed2a2ad3647f3ea85dda7f8e82

Author: jsharkey

core/java/android/content/pm/IPackageManager.aidl

@@ -373,6 +373,6 @@ interface IPackageManager {
     List<UserInfo> getUsers();
     UserInfo getUser(int userId);
 
-    void setPermissionEnforcement(String permission, int enforcement);
-    int getPermissionEnforcement(String permission);
+    void setPermissionEnforced(String permission, boolean enforced);
+    boolean isPermissionEnforced(String permission);
 }

core/java/android/content/pm/PackageManager.java

@@ -28,6 +28,7 @@
 import android.content.res.XmlResourceParser;
 import android.graphics.drawable.Drawable;
 import android.net.Uri;
+import android.os.Build;
 import android.os.Environment;
 import android.util.AndroidException;
 import android.util.DisplayMetrics;
@@ -1091,21 +1092,7 @@ public NameNotFoundException(String name) {
             = "android.content.pm.extra.VERIFICATION_INSTALL_FLAGS";
 
     /** {@hide} */
-    public static final int ENFORCEMENT_DEFAULT = 0;
-    /** {@hide} */
-    public static final int ENFORCEMENT_YES = 1;
-
-    /** {@hide} */
-    public static String enforcementToString(int enforcement) {
-        switch (enforcement) {
-            case ENFORCEMENT_DEFAULT:
-                return "DEFAULT";
-            case ENFORCEMENT_YES:
-                return "YES";
-            default:
-                return Integer.toString(enforcement);
-        }
-    }
+    public static final boolean DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE = !"user".equals(Build.TYPE);
 
     /**
      * Retrieve overall information about an application package that is

services/java/com/android/server/pm/PackageManagerService.java

@@ -20,8 +20,6 @@
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED_USER;
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_ENABLED;
-import static android.content.pm.PackageManager.ENFORCEMENT_DEFAULT;
-import static android.content.pm.PackageManager.ENFORCEMENT_YES;
 import static android.Manifest.permission.READ_EXTERNAL_STORAGE;
 import static android.Manifest.permission.GRANT_REVOKE_PERMISSIONS;
 import static libcore.io.OsConstants.S_ISLNK;
@@ -9030,12 +9028,12 @@ public void updateUserName(int userId, String name) {
     }
 
     @Override
-    public void setPermissionEnforcement(String permission, int enforcement) {
+    public void setPermissionEnforced(String permission, boolean enforced) {
         mContext.enforceCallingOrSelfPermission(GRANT_REVOKE_PERMISSIONS, null);
         if (READ_EXTERNAL_STORAGE.equals(permission)) {
             synchronized (mPackages) {
-                if (mSettings.mReadExternalStorageEnforcement != enforcement) {
-                    mSettings.mReadExternalStorageEnforcement = enforcement;
+                if (mSettings.mReadExternalStorageEnforced != enforced) {
+                    mSettings.mReadExternalStorageEnforced = enforced;
                     mSettings.writeLPr();
 
                     // kill any non-foreground processes so we restart them and
@@ -9058,27 +9056,18 @@ public void setPermissionEnforcement(String permission, int enforcement) {
     }
 
     @Override
-    public int getPermissionEnforcement(String permission) {
+    public boolean isPermissionEnforced(String permission) {
         mContext.enforceCallingOrSelfPermission(GRANT_REVOKE_PERMISSIONS, null);
-        if (READ_EXTERNAL_STORAGE.equals(permission)) {
-            synchronized (mPackages) {
-                return mSettings.mReadExternalStorageEnforcement;
-            }
-        } else {
-            throw new IllegalArgumentException("No selective enforcement for " + permission);
+        synchronized (mPackages) {
+            return isPermissionEnforcedLocked(permission);
         }
     }
 
     private boolean isPermissionEnforcedLocked(String permission) {
         if (READ_EXTERNAL_STORAGE.equals(permission)) {
-            switch (mSettings.mReadExternalStorageEnforcement) {
-                case ENFORCEMENT_DEFAULT:
-                    return false;
-                case ENFORCEMENT_YES:
-                    return true;
-            }
+            return mSettings.mReadExternalStorageEnforced;
+        } else {
+            return true;
         }
-
-        return true;
     }
 }

services/java/com/android/server/pm/Settings.java

@@ -20,7 +20,6 @@
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED_USER;
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_ENABLED;
-import static android.content.pm.PackageManager.ENFORCEMENT_DEFAULT;
 import static android.Manifest.permission.READ_EXTERNAL_STORAGE;
 
 import com.android.internal.util.FastXmlSerializer;
@@ -112,7 +111,7 @@ final class Settings {
     int mInternalSdkPlatform;
     int mExternalSdkPlatform;
 
-    int mReadExternalStorageEnforcement = ENFORCEMENT_DEFAULT;
+    boolean mReadExternalStorageEnforced = PackageManager.DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE;
 
     /** Device identity for the purpose of package verification. */
     private VerifierDeviceIdentity mVerifierDeviceIdentity;
@@ -1140,10 +1139,11 @@ void writeLPr() {
                 serializer.endTag(null, "verifier");
             }
 
-            if (mReadExternalStorageEnforcement != ENFORCEMENT_DEFAULT) {
+            if (mReadExternalStorageEnforced
+                    != PackageManager.DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE) {
                 serializer.startTag(null, TAG_READ_EXTERNAL_STORAGE);
                 serializer.attribute(
-                        null, ATTR_ENFORCEMENT, Integer.toString(mReadExternalStorageEnforcement));
+                        null, ATTR_ENFORCEMENT, mReadExternalStorageEnforced ? "1" : "0");
                 serializer.endTag(null, TAG_READ_EXTERNAL_STORAGE);
             }
 
@@ -1548,10 +1548,7 @@ boolean readLPw(List<UserInfo> users) {
                     }
                 } else if (TAG_READ_EXTERNAL_STORAGE.equals(tagName)) {
                     final String enforcement = parser.getAttributeValue(null, ATTR_ENFORCEMENT);
-                    try {
-                        mReadExternalStorageEnforcement = Integer.parseInt(enforcement);
-                    } catch (NumberFormatException e) {
-                    }
+                    mReadExternalStorageEnforced = "1".equals(enforcement);
                 } else {
                     Slog.w(PackageManagerService.TAG, "Unknown element under <packages>: "
                             + parser.getName());
@@ -2560,8 +2557,8 @@ void dumpPermissionsLPr(PrintWriter pw, String packageName, DumpState dumpState)
                 pw.print("    perm="); pw.println(p.perm);
             }
             if (READ_EXTERNAL_STORAGE.equals(p.name)) {
-                pw.print("    enforcement=");
-                pw.println(PackageManager.enforcementToString(mReadExternalStorageEnforcement));
+                pw.print("    enforced=");
+                pw.println(mReadExternalStorageEnforced);
             }
         }
     }