Merge "Prevent modification of system fixed permissions" into mnc-dev

1 files changed, 12 insertions, 0 deletions

diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 28a786a..74e8e4d 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -3183,6 +3183,12 @@ public class PackageManagerService extends IPackageManager.Stub {
 
             final PermissionsState permissionsState = sb.getPermissionsState();
 
+            final int flags = permissionsState.getPermissionFlags(name, userId);
+            if ((flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0) {
+                throw new SecurityException("Cannot grant system fixed permission: "
+                        + name + " for package: " + packageName);
+            }
+
             final int result = permissionsState.grantRuntimePermission(bp, userId);
             switch (result) {
                 case PermissionsState.PERMISSION_OPERATION_FAILURE: {
@@ -3240,6 +3246,12 @@ public class PackageManagerService extends IPackageManager.Stub {
 
             final PermissionsState permissionsState = sb.getPermissionsState();
 
+            final int flags = permissionsState.getPermissionFlags(name, userId);
+            if ((flags & PackageManager.FLAG_PERMISSION_SYSTEM_FIXED) != 0) {
+                throw new SecurityException("Cannot revoke system fixed permission: "
+                        + name + " for package: " + packageName);
+            }
+
             if (permissionsState.revokeRuntimePermission(bp, userId) ==
                     PermissionsState.PERMISSION_OPERATION_FAILURE) {
                 return;