From 32e80d7588720bdc9f8a3e961ac4566d7c80b2b9 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Mon, 6 Jul 2015 09:45:55 -0700
Subject: Permission to view shared storage for all users.

Typical apps are restricted so they can only view shared storage
belonging to the user they're running as.  However, a handful of
system components need access to shared storage across all users,
such as DefaultContainerService and SystemUI.

Since WRITE_MEDIA_STORAGE already offers this functionality by
bypassing any FUSE emulation, reuse it to grant the "sdcard_rw" GID
which is no longer handed out to third-party apps.  Then we change
the FUSE daemon to allow the "sdcard_rw" GID to see shared storage
of all users.

Bug: 19995822
Change-Id: I504c2a179ba74f142ed0d32da5baa69f4212cd82
---
 core/res/AndroidManifest.xml                                        | 4 ----
 data/etc/platform.xml                                               | 1 +
 packages/DefaultContainerService/AndroidManifest.xml                | 4 ++--
 packages/SystemUI/AndroidManifest.xml                               | 3 ++-
 services/core/java/com/android/server/pm/PackageManagerService.java | 5 ++++-
 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 4c1626a..8c868c9 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1517,10 +1517,6 @@
     <permission android:name="android.permission.SET_SCREEN_COMPATIBILITY"
         android:protectionLevel="signature" />
 
-    <!-- Allows an application to access all multi-user external storage @hide -->
-    <permission android:name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE"
-        android:protectionLevel="signature" />
-
     <!-- @SystemApi Allows an application to modify the current configuration, such
          as locale. -->
     <permission android:name="android.permission.CHANGE_CONFIGURATION"
diff --git a/data/etc/platform.xml b/data/etc/platform.xml
index 377e6a16..579d2df 100644
--- a/data/etc/platform.xml
+++ b/data/etc/platform.xml
@@ -60,6 +60,7 @@
 
     <permission name="android.permission.WRITE_MEDIA_STORAGE" >
         <group gid="media_rw" />
+        <group gid="sdcard_rw" />
     </permission>
 
     <permission name="android.permission.ACCESS_MTP" >
diff --git a/packages/DefaultContainerService/AndroidManifest.xml b/packages/DefaultContainerService/AndroidManifest.xml
index 14777a9..6a72d83 100644
--- a/packages/DefaultContainerService/AndroidManifest.xml
+++ b/packages/DefaultContainerService/AndroidManifest.xml
@@ -5,10 +5,10 @@
     <uses-permission android:name="android.permission.ASEC_DESTROY"/>
     <uses-permission android:name="android.permission.ASEC_MOUNT_UNMOUNT"/>
     <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
-    <!-- Used to improve MeasureUtils performance on emulated storage -->
+    <!-- Used to improve MeasureUtils performance on emulated storage, and to
+         view storage for all users -->
     <uses-permission android:name="android.permission.WRITE_MEDIA_STORAGE" />
     <uses-permission android:name="android.permission.ACCESS_CACHE_FILESYSTEM" />
-    <uses-permission android:name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE" />
 
     <application android:label="@string/service_name"
                  android:allowBackup="false">
diff --git a/packages/SystemUI/AndroidManifest.xml b/packages/SystemUI/AndroidManifest.xml
index 7c56d63..ea032b3 100644
--- a/packages/SystemUI/AndroidManifest.xml
+++ b/packages/SystemUI/AndroidManifest.xml
@@ -25,7 +25,8 @@
     <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
     <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
     <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
-    <uses-permission android:name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE" />
+    <!-- Used to read storage for all users -->
+    <uses-permission android:name="android.permission.WRITE_MEDIA_STORAGE" />
     <uses-permission android:name="android.permission.WAKE_LOCK" />
 
     <uses-permission android:name="android.permission.INJECT_EVENTS" />
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 9a11397..9d35254 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -19,6 +19,7 @@ package com.android.server.pm;
 import static android.Manifest.permission.GRANT_REVOKE_PERMISSIONS;
 import static android.Manifest.permission.READ_EXTERNAL_STORAGE;
 import static android.Manifest.permission.WRITE_EXTERNAL_STORAGE;
+import static android.Manifest.permission.WRITE_MEDIA_STORAGE;
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DEFAULT;
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
 import static android.content.pm.PackageManager.COMPONENT_ENABLED_STATE_DISABLED_UNTIL_USED;
@@ -2679,7 +2680,9 @@ public class PackageManagerService extends IPackageManager.Stub {
         if (Process.isIsolated(uid)) {
             return Zygote.MOUNT_EXTERNAL_NONE;
         } else {
-            if (checkUidPermission(WRITE_EXTERNAL_STORAGE, uid) == PERMISSION_GRANTED) {
+            if (checkUidPermission(WRITE_MEDIA_STORAGE, uid) == PERMISSION_GRANTED) {
+                return Zygote.MOUNT_EXTERNAL_DEFAULT;
+            } else if (checkUidPermission(WRITE_EXTERNAL_STORAGE, uid) == PERMISSION_GRANTED) {
                 return Zygote.MOUNT_EXTERNAL_WRITE;
             } else if (checkUidPermission(READ_EXTERNAL_STORAGE, uid) == PERMISSION_GRANTED) {
                 return Zygote.MOUNT_EXTERNAL_READ;
-- 
cgit v1.1