Enforce READ_EXTERNAL through Settings.Secure.

Always defers to user-defined setting, when present.

Bug: 6389556
Change-Id: I079d2a41b772facfdac74eefc4c8072fc9284f97

4 files changed, 16 insertions, 11 deletions

diff --git a/core/java/android/content/pm/PackageManager.java b/core/java/android/content/pm/PackageManager.java
index a48924e..2baad62 100644
--- a/core/java/android/content/pm/PackageManager.java
+++ b/core/java/android/content/pm/PackageManager.java
@@ -23,7 +23,6 @@ import android.content.Context;
 import android.content.Intent;
 import android.content.IntentFilter;
 import android.content.IntentSender;
-import android.content.pm.ManifestDigest;
 import android.content.res.Resources;
 import android.content.res.XmlResourceParser;
 import android.graphics.drawable.Drawable;
@@ -1090,10 +1089,6 @@ public abstract class PackageManager {
     public static final String EXTRA_VERIFICATION_INSTALL_FLAGS
             = "android.content.pm.extra.VERIFICATION_INSTALL_FLAGS";
 
-    /** {@hide} */
-    // TODO: enable this for userdebug and eng builds; see 6389556
-    public static final boolean DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE = false;
-
     /**
      * Retrieve overall information about an application package that is
      * installed on the system.
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index 497e66e8..ea3cab4 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -4253,6 +4253,10 @@ public final class Settings {
         /** Timeout for package verification. {@hide} */
         public static final String PACKAGE_VERIFIER_TIMEOUT = "verifier_timeout";
 
+        /** {@hide} */
+        public static final String
+                READ_EXTERNAL_STORAGE_ENFORCED_DEFAULT = "read_external_storage_enforced_default";
+
         /**
          * Duration in milliseconds before pre-authorized URIs for the contacts
          * provider should expire.
diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java
index d41cd5a..d7c5eea 100644
--- a/services/java/com/android/server/pm/PackageManagerService.java
+++ b/services/java/com/android/server/pm/PackageManagerService.java
@@ -98,6 +98,7 @@ import android.os.ServiceManager;
 import android.os.SystemClock;
 import android.os.SystemProperties;
 import android.os.UserId;
+import android.provider.Settings.Secure;
 import android.security.SystemKeyStore;
 import android.util.DisplayMetrics;
 import android.util.EventLog;
@@ -9259,7 +9260,8 @@ public class PackageManagerService extends IPackageManager.Stub {
         mContext.enforceCallingOrSelfPermission(GRANT_REVOKE_PERMISSIONS, null);
         if (READ_EXTERNAL_STORAGE.equals(permission)) {
             synchronized (mPackages) {
-                if (mSettings.mReadExternalStorageEnforced != enforced) {
+                if (mSettings.mReadExternalStorageEnforced == null
+                        || mSettings.mReadExternalStorageEnforced != enforced) {
                     mSettings.mReadExternalStorageEnforced = enforced;
                     mSettings.writeLPr();
 
@@ -9284,7 +9286,6 @@ public class PackageManagerService extends IPackageManager.Stub {
 
     @Override
     public boolean isPermissionEnforced(String permission) {
-        mContext.enforceCallingOrSelfPermission(GRANT_REVOKE_PERMISSIONS, null);
         synchronized (mPackages) {
             return isPermissionEnforcedLocked(permission);
         }
@@ -9292,7 +9293,13 @@ public class PackageManagerService extends IPackageManager.Stub {
 
     private boolean isPermissionEnforcedLocked(String permission) {
         if (READ_EXTERNAL_STORAGE.equals(permission)) {
-            return mSettings.mReadExternalStorageEnforced;
+            if (mSettings.mReadExternalStorageEnforced != null) {
+                return mSettings.mReadExternalStorageEnforced;
+            } else {
+                // if user hasn't defined, fall back to secure default
+                return Secure.getInt(mContext.getContentResolver(),
+                        Secure.READ_EXTERNAL_STORAGE_ENFORCED_DEFAULT, 0) != 0;
+            }
         } else {
             return true;
         }
diff --git a/services/java/com/android/server/pm/Settings.java b/services/java/com/android/server/pm/Settings.java
index d0eda2d..ffb69fa 100644
--- a/services/java/com/android/server/pm/Settings.java
+++ b/services/java/com/android/server/pm/Settings.java
@@ -111,7 +111,7 @@ final class Settings {
     int mInternalSdkPlatform;
     int mExternalSdkPlatform;
 
-    boolean mReadExternalStorageEnforced = PackageManager.DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE;
+    Boolean mReadExternalStorageEnforced;
 
     /** Device identity for the purpose of package verification. */
     private VerifierDeviceIdentity mVerifierDeviceIdentity;
@@ -1147,8 +1147,7 @@ final class Settings {
                 serializer.endTag(null, "verifier");
             }
 
-            if (mReadExternalStorageEnforced
-                    != PackageManager.DEFAULT_ENFORCE_READ_EXTERNAL_STORAGE) {
+            if (mReadExternalStorageEnforced != null) {
                 serializer.startTag(null, TAG_READ_EXTERNAL_STORAGE);
                 serializer.attribute(
                         null, ATTR_ENFORCEMENT, mReadExternalStorageEnforced ? "1" : "0");