1 /* 2 * Copyright (C) 2022 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.app; 18 19 import static android.app.AppOpsManager.MODE_ALLOWED; 20 import static android.app.AppOpsManager.MODE_DEFAULT; 21 import static android.app.AppOpsManager.MODE_FOREGROUND; 22 import static android.app.AppOpsManager.MODE_IGNORED; 23 import static android.content.pm.PackageManager.PERMISSION_DENIED; 24 import static android.content.pm.PackageManager.PERMISSION_GRANTED; 25 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_CAMERA; 26 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE; 27 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_DATA_SYNC; 28 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_FILE_MANAGEMENT; 29 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_HEALTH; 30 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_LOCATION; 31 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_MANIFEST; 32 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_MEDIA_PLAYBACK; 33 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_MEDIA_PROCESSING; 34 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_MEDIA_PROJECTION; 35 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_MICROPHONE; 36 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_NONE; 37 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_PHONE_CALL; 38 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_REMOTE_MESSAGING; 39 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_SHORT_SERVICE; 40 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_SPECIAL_USE; 41 import static android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_SYSTEM_EXEMPTED; 42 import static android.permission.PermissionCheckerManager.PERMISSION_HARD_DENIED; 43 import static android.permission.PermissionCheckerManager.PERMISSION_SOFT_DENIED; 44 45 import android.Manifest; 46 import android.annotation.IntDef; 47 import android.annotation.NonNull; 48 import android.annotation.Nullable; 49 import android.annotation.SuppressLint; 50 import android.app.compat.CompatChanges; 51 import android.app.role.RoleManager; 52 import android.companion.virtual.VirtualDevice; 53 import android.companion.virtual.VirtualDeviceManager; 54 import android.compat.Compatibility; 55 import android.compat.annotation.ChangeId; 56 import android.compat.annotation.Disabled; 57 import android.compat.annotation.EnabledAfter; 58 import android.compat.annotation.Overridable; 59 import android.content.AttributionSource; 60 import android.content.Context; 61 import android.content.PermissionChecker; 62 import android.content.pm.PackageManager; 63 import android.content.pm.ServiceInfo; 64 import android.content.pm.ServiceInfo.ForegroundServiceType; 65 import android.hardware.usb.UsbAccessory; 66 import android.hardware.usb.UsbDevice; 67 import android.hardware.usb.UsbManager; 68 import android.health.connect.HealthPermissions; 69 import android.os.RemoteException; 70 import android.os.ServiceManager; 71 import android.os.UserHandle; 72 import android.permission.PermissionCheckerManager; 73 import android.permission.PermissionManager; 74 import android.provider.DeviceConfig; 75 import android.text.TextUtils; 76 import android.util.ArrayMap; 77 import android.util.ArraySet; 78 import android.util.SparseArray; 79 80 import com.android.internal.annotations.GuardedBy; 81 import com.android.internal.compat.CompatibilityChangeConfig; 82 import com.android.internal.compat.IPlatformCompat; 83 import com.android.internal.util.ArrayUtils; 84 85 import java.lang.annotation.Retention; 86 import java.lang.annotation.RetentionPolicy; 87 import java.util.ArrayList; 88 import java.util.HashMap; 89 import java.util.List; 90 import java.util.Optional; 91 92 /** 93 * This class enforces the policies around the foreground service types. 94 * 95 * @hide 96 */ 97 public abstract class ForegroundServiceTypePolicy { 98 static final String TAG = "ForegroundServiceTypePolicy"; 99 static final boolean DEBUG_FOREGROUND_SERVICE_TYPE_POLICY = false; 100 101 /** 102 * The FGS type enforcement: 103 * deprecating the {@link android.content.pm.ServiceInfo#FOREGROUND_SERVICE_TYPE_NONE}. 104 * 105 * <p>Starting a FGS with this type (equivalent of no type) from apps with 106 * targetSdkVersion {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} or later will 107 * result in a warning in the log.</p> 108 * 109 * @hide 110 */ 111 @ChangeId 112 @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.TIRAMISU) 113 @Overridable 114 public static final long FGS_TYPE_NONE_DEPRECATION_CHANGE_ID = 255042465L; 115 116 /** 117 * The FGS type enforcement: 118 * disabling the {@link android.content.pm.ServiceInfo#FOREGROUND_SERVICE_TYPE_NONE}. 119 * 120 * <p>Starting a FGS with this type (equivalent of no type) from apps with 121 * targetSdkVersion {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} or later will 122 * result in an exception.</p> 123 * 124 * @hide 125 */ 126 @ChangeId 127 @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.TIRAMISU) 128 @Overridable 129 public static final long FGS_TYPE_NONE_DISABLED_CHANGE_ID = 255038118L; 130 131 /** 132 * The FGS type enforcement: 133 * deprecating the {@link android.content.pm.ServiceInfo#FOREGROUND_SERVICE_TYPE_DATA_SYNC}. 134 * 135 * @hide 136 */ 137 @ChangeId 138 @Disabled 139 @Overridable 140 public static final long FGS_TYPE_DATA_SYNC_DEPRECATION_CHANGE_ID = 255039210L; 141 142 /** 143 * The FGS type enforcement: 144 * disabling the {@link android.content.pm.ServiceInfo#FOREGROUND_SERVICE_TYPE_DATA_SYNC}. 145 * 146 * @hide 147 */ 148 @ChangeId 149 @Disabled 150 @Overridable 151 public static final long FGS_TYPE_DATA_SYNC_DISABLED_CHANGE_ID = 255659651L; 152 153 /** 154 * The FGS type enforcement: Starting a FGS from apps with targetSdkVersion 155 * {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} or later but without the required 156 * permissions associated with the FGS type will result in a SecurityException. 157 * 158 * @hide 159 */ 160 @ChangeId 161 @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.TIRAMISU) 162 @Overridable 163 public static final long FGS_TYPE_PERMISSION_CHANGE_ID = 254662522L; 164 165 /** 166 * The prefix for the feature flags of the permission enforcement. 167 */ 168 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX = 169 "fgs_type_perm_enforcement_flag_"; 170 171 /** 172 * The feature flag of the permission enforcement for 173 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_DATA_SYNC}, 174 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 175 */ 176 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_DATA_SYNC = 177 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "data_sync"; 178 179 /** 180 * The feature flag of the permission enforcement for 181 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MEDIA_PLAYBACK}, 182 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 183 */ 184 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_MEDIA_PLAYBACK = 185 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "media_playback"; 186 187 /** 188 * The feature flag of the permission enforcement for 189 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_PHONE_CALL}, 190 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 191 */ 192 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_PHONE_CALL = 193 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "phone_call"; 194 195 /** 196 * The feature flag of the permission enforcement for 197 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_LOCATION}, 198 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 199 */ 200 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_LOCATION = 201 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "location"; 202 203 /** 204 * The feature flag of the permission enforcement for 205 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE}, 206 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 207 */ 208 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_CONNECTED_DEVICE = 209 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "connected_device"; 210 211 /** 212 * The feature flag of the permission enforcement for 213 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MEDIA_PROJECTION}, 214 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 215 */ 216 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_MEDIA_PROJECTION = 217 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "media_projection"; 218 219 /** 220 * The feature flag of the permission enforcement for 221 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_CAMERA}, 222 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 223 */ 224 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_CAMERA = 225 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "camera"; 226 227 /** 228 * The feature flag of the permission enforcement for 229 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MICROPHONE}, 230 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 231 */ 232 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_MICROPHONE = 233 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "microphone"; 234 235 /** 236 * The feature flag of the permission enforcement for 237 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_HEALTH}, 238 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 239 */ 240 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_HEALTH = 241 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "health"; 242 243 /** 244 * The feature flag of the permission enforcement for 245 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_REMOTE_MESSAGING}, 246 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 247 */ 248 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_REMOTE_MESSAGING = 249 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "remote_messaging"; 250 251 /** 252 * The feature flag of the permission enforcement for 253 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_SYSTEM_EXEMPTED}, 254 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 255 */ 256 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_SYSTEM_EXEMPTED = 257 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "system_exempted"; 258 259 /** 260 * The feature flag of the permission enforcement for 261 * {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_SPECIAL_USE}, 262 * in the namespace of {@link DeviceConfig#NAMESPACE_ACTIVITY_MANAGER}. 263 */ 264 private static final String FGS_TYPE_PERM_ENFORCEMENT_FLAG_SPECIAL_USE = 265 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PREFIX + "special_use"; 266 267 /** 268 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MANIFEST}. 269 * 270 * @hide 271 */ 272 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_MANIFEST = 273 new ForegroundServiceTypePolicyInfo( 274 FOREGROUND_SERVICE_TYPE_MANIFEST, 275 FGS_TYPE_NONE_DEPRECATION_CHANGE_ID, 276 FGS_TYPE_NONE_DISABLED_CHANGE_ID, 277 null /* allOfPermissions */, 278 null /* anyOfPermissions */, 279 null /* permissionEnforcementFlag */, 280 false /* permissionEnforcementFlagDefaultValue */, 281 false /* foregroundOnlyPermission */ 282 ); 283 284 /** 285 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_NONE}. 286 * 287 * @hide 288 */ 289 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_NONE = 290 new ForegroundServiceTypePolicyInfo( 291 FOREGROUND_SERVICE_TYPE_NONE, 292 FGS_TYPE_NONE_DEPRECATION_CHANGE_ID, 293 FGS_TYPE_NONE_DISABLED_CHANGE_ID, 294 null /* allOfPermissions */, 295 null /* anyOfPermissions */, 296 null /* permissionEnforcementFlag */, 297 false /* permissionEnforcementFlagDefaultValue */, 298 false /* foregroundOnlyPermission */ 299 ); 300 301 /** 302 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_DATA_SYNC}. 303 * 304 * @hide 305 */ 306 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_DATA_SYNC = 307 new ForegroundServiceTypePolicyInfo( 308 FOREGROUND_SERVICE_TYPE_DATA_SYNC, 309 FGS_TYPE_DATA_SYNC_DEPRECATION_CHANGE_ID, 310 FGS_TYPE_DATA_SYNC_DISABLED_CHANGE_ID, 311 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 312 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_DATA_SYNC) 313 }, true), 314 null /* anyOfPermissions */, 315 FGS_TYPE_PERM_ENFORCEMENT_FLAG_DATA_SYNC /* permissionEnforcementFlag */, 316 true /* permissionEnforcementFlagDefaultValue */, 317 false /* foregroundOnlyPermission */ 318 ); 319 320 /** 321 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MEDIA_PLAYBACK}. 322 * 323 * @hide 324 */ 325 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_MEDIA_PLAYBACK = 326 new ForegroundServiceTypePolicyInfo( 327 FOREGROUND_SERVICE_TYPE_MEDIA_PLAYBACK, 328 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 329 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 330 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 331 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK) 332 }, true), 333 null /* anyOfPermissions */, 334 FGS_TYPE_PERM_ENFORCEMENT_FLAG_MEDIA_PLAYBACK /* permissionEnforcementFlag */, 335 true /* permissionEnforcementFlagDefaultValue */, 336 false /* foregroundOnlyPermission */ 337 ); 338 339 /** 340 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_PHONE_CALL}. 341 * 342 * @hide 343 */ 344 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_PHONE_CALL = 345 new ForegroundServiceTypePolicyInfo( 346 FOREGROUND_SERVICE_TYPE_PHONE_CALL, 347 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 348 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 349 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 350 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_PHONE_CALL) 351 }, true), 352 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 353 new RegularPermission(Manifest.permission.MANAGE_OWN_CALLS), 354 new RolePermission(RoleManager.ROLE_DIALER) 355 }, false), 356 FGS_TYPE_PERM_ENFORCEMENT_FLAG_PHONE_CALL /* permissionEnforcementFlag */, 357 true /* permissionEnforcementFlagDefaultValue */, 358 false /* foregroundOnlyPermission */ 359 ); 360 361 /** 362 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_LOCATION}. 363 * 364 * @hide 365 */ 366 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_LOCATION = 367 new ForegroundServiceTypePolicyInfo( 368 FOREGROUND_SERVICE_TYPE_LOCATION, 369 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 370 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 371 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 372 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_LOCATION) 373 }, true), 374 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 375 new RegularPermission(Manifest.permission.ACCESS_COARSE_LOCATION), 376 new RegularPermission(Manifest.permission.ACCESS_FINE_LOCATION), 377 }, false), 378 FGS_TYPE_PERM_ENFORCEMENT_FLAG_LOCATION /* permissionEnforcementFlag */, 379 true /* permissionEnforcementFlagDefaultValue */, 380 true /* foregroundOnlyPermission */ 381 ); 382 383 /** 384 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE}. 385 * 386 * @hide 387 */ 388 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_CONNECTED_DEVICE = 389 new ForegroundServiceTypePolicyInfo( 390 FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE, 391 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 392 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 393 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 394 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_CONNECTED_DEVICE) 395 }, true), 396 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 397 new RegularPermission(Manifest.permission.BLUETOOTH_ADVERTISE), 398 new RegularPermission(Manifest.permission.BLUETOOTH_CONNECT), 399 new RegularPermission(Manifest.permission.BLUETOOTH_SCAN), 400 new RegularPermission(Manifest.permission.CHANGE_NETWORK_STATE), 401 new RegularPermission(Manifest.permission.CHANGE_WIFI_STATE), 402 new RegularPermission(Manifest.permission.CHANGE_WIFI_MULTICAST_STATE), 403 new RegularPermission(Manifest.permission.NFC), 404 new RegularPermission(Manifest.permission.TRANSMIT_IR), 405 new RegularPermission(Manifest.permission.UWB_RANGING), 406 new RegularPermission(Manifest.permission.RANGING), 407 new UsbDevicePermission(), 408 new UsbAccessoryPermission(), 409 }, false), 410 FGS_TYPE_PERM_ENFORCEMENT_FLAG_CONNECTED_DEVICE /* permissionEnforcementFlag */, 411 true /* permissionEnforcementFlagDefaultValue */, 412 false /* foregroundOnlyPermission */ 413 ); 414 415 /** 416 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MEDIA_PROJECTION}. 417 * 418 * @hide 419 */ 420 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_MEDIA_PROJECTION = 421 new ForegroundServiceTypePolicyInfo( 422 FOREGROUND_SERVICE_TYPE_MEDIA_PROJECTION, 423 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 424 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 425 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 426 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION) 427 }, true), 428 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 429 new RegularPermission(Manifest.permission.CAPTURE_VIDEO_OUTPUT), 430 new AppOpPermission(AppOpsManager.OP_PROJECT_MEDIA) 431 }, false), 432 FGS_TYPE_PERM_ENFORCEMENT_FLAG_MEDIA_PROJECTION /* permissionEnforcementFlag */, 433 true /* permissionEnforcementFlagDefaultValue */, 434 false /* foregroundOnlyPermission */ 435 ); 436 437 /** 438 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_CAMERA}. 439 * 440 * @hide 441 */ 442 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_CAMERA = 443 new ForegroundServiceTypePolicyInfo( 444 FOREGROUND_SERVICE_TYPE_CAMERA, 445 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 446 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 447 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 448 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_CAMERA) 449 }, true), 450 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 451 new RegularPermission(Manifest.permission.CAMERA), 452 new RegularPermission(Manifest.permission.SYSTEM_CAMERA), 453 }, false), 454 FGS_TYPE_PERM_ENFORCEMENT_FLAG_CAMERA /* permissionEnforcementFlag */, 455 true /* permissionEnforcementFlagDefaultValue */, 456 true /* foregroundOnlyPermission */ 457 ); 458 459 /** 460 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MICROPHONE}. 461 * 462 * @hide 463 */ 464 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_MICROPHONE = 465 new ForegroundServiceTypePolicyInfo( 466 FOREGROUND_SERVICE_TYPE_MICROPHONE, 467 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 468 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 469 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 470 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_MICROPHONE) 471 }, true), 472 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 473 new RegularPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD), 474 new RegularPermission(Manifest.permission.CAPTURE_AUDIO_OUTPUT), 475 new RegularPermission(Manifest.permission.CAPTURE_MEDIA_OUTPUT), 476 new RegularPermission(Manifest.permission.CAPTURE_TUNER_AUDIO_INPUT), 477 new RegularPermission(Manifest.permission.CAPTURE_VOICE_COMMUNICATION_OUTPUT), 478 new RegularPermission(Manifest.permission.RECORD_AUDIO), 479 }, false), 480 FGS_TYPE_PERM_ENFORCEMENT_FLAG_MICROPHONE /* permissionEnforcementFlag */, 481 true /* permissionEnforcementFlagDefaultValue */, 482 true /* foregroundOnlyPermission */ 483 ); 484 485 /** 486 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_HEALTH}. 487 * 488 * @hide 489 */ 490 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_HEALTH = 491 new ForegroundServiceTypePolicyInfo( 492 FOREGROUND_SERVICE_TYPE_HEALTH, 493 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 494 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 495 new ForegroundServiceTypePermissions( 496 new ForegroundServiceTypePermission[] { 497 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_HEALTH) 498 }, 499 true), 500 new ForegroundServiceTypePermissions(getAllowedHealthPermissions(), false), 501 FGS_TYPE_PERM_ENFORCEMENT_FLAG_HEALTH /* permissionEnforcementFlag */, 502 true /* permissionEnforcementFlagDefaultValue */, 503 false /* foregroundOnlyPermission */); 504 505 /** Returns the permissions needed for the policy of the health foreground service type. */ getAllowedHealthPermissions()506 private static ForegroundServiceTypePermission[] getAllowedHealthPermissions() { 507 final ArrayList<ForegroundServiceTypePermission> permissions = new ArrayList<>(); 508 permissions.add(new RegularPermission(Manifest.permission.ACTIVITY_RECOGNITION)); 509 permissions.add(new RegularPermission(Manifest.permission.HIGH_SAMPLING_RATE_SENSORS)); 510 511 if (android.permission.flags.Flags.replaceBodySensorPermissionEnabled()) { 512 permissions.add(new RegularPermission(HealthPermissions.READ_HEART_RATE)); 513 permissions.add(new RegularPermission(HealthPermissions.READ_SKIN_TEMPERATURE)); 514 permissions.add(new RegularPermission(HealthPermissions.READ_OXYGEN_SATURATION)); 515 } else { 516 permissions.add(new RegularPermission(Manifest.permission.BODY_SENSORS)); 517 } 518 519 return permissions.toArray(new ForegroundServiceTypePermission[permissions.size()]); 520 } 521 522 /** 523 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_REMOTE_MESSAGING}. 524 * 525 * @hide 526 */ 527 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_REMOTE_MESSAGING = 528 new ForegroundServiceTypePolicyInfo( 529 FOREGROUND_SERVICE_TYPE_REMOTE_MESSAGING, 530 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 531 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 532 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 533 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_REMOTE_MESSAGING) 534 }, true), 535 null /* anyOfPermissions */, 536 FGS_TYPE_PERM_ENFORCEMENT_FLAG_REMOTE_MESSAGING /* permissionEnforcementFlag */, 537 true /* permissionEnforcementFlagDefaultValue */, 538 false /* foregroundOnlyPermission */ 539 ); 540 541 /** 542 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_SYSTEM_EXEMPTED}. 543 * 544 * @hide 545 */ 546 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_SYSTEM_EXEMPTED = 547 new ForegroundServiceTypePolicyInfo( 548 FOREGROUND_SERVICE_TYPE_SYSTEM_EXEMPTED, 549 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 550 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 551 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 552 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_SYSTEM_EXEMPTED) 553 }, true), 554 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 555 new RegularPermission(Manifest.permission.SCHEDULE_EXACT_ALARM), 556 new RegularPermission(Manifest.permission.USE_EXACT_ALARM), 557 new AppOpPermission(AppOpsManager.OP_ACTIVATE_VPN), 558 }, false), 559 FGS_TYPE_PERM_ENFORCEMENT_FLAG_SYSTEM_EXEMPTED /* permissionEnforcementFlag */, 560 true /* permissionEnforcementFlagDefaultValue */, 561 false /* foregroundOnlyPermission */ 562 ); 563 564 /** 565 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_SHORT_SERVICE}. 566 * 567 * @hide 568 */ 569 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_SHORT_SERVICE = 570 new ForegroundServiceTypePolicyInfo( 571 FOREGROUND_SERVICE_TYPE_SHORT_SERVICE, 572 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 573 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 574 null /* allOfPermissions */, 575 null /* anyOfPermissions */, 576 null /* permissionEnforcementFlag */, 577 false /* permissionEnforcementFlagDefaultValue */, 578 false /* foregroundOnlyPermission */ 579 ); 580 581 /** 582 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_FILE_MANAGEMENT}. 583 * 584 * @hide 585 */ 586 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_FILE_MANAGEMENT = 587 new ForegroundServiceTypePolicyInfo( 588 FOREGROUND_SERVICE_TYPE_FILE_MANAGEMENT, 589 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 590 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 591 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 592 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_FILE_MANAGEMENT) 593 }, true), 594 null /* anyOfPermissions */, 595 null /* permissionEnforcementFlag */, 596 false /* permissionEnforcementFlagDefaultValue */, 597 false /* foregroundOnlyPermission */ 598 ); 599 600 /** 601 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_MEDIA_PROCESSING}. 602 * 603 * @hide 604 */ 605 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_MEDIA_PROCESSING = 606 new ForegroundServiceTypePolicyInfo( 607 FOREGROUND_SERVICE_TYPE_MEDIA_PROCESSING, 608 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 609 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 610 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 611 new RegularPermission( 612 Manifest.permission.FOREGROUND_SERVICE_MEDIA_PROCESSING) 613 }, true), 614 null /* anyOfPermissions */, 615 null /* permissionEnforcementFlag */, 616 true /* permissionEnforcementFlagDefaultValue */, 617 false /* foregroundOnlyPermission */ 618 ); 619 620 /** 621 * The policy for the {@link ServiceInfo#FOREGROUND_SERVICE_TYPE_SPECIAL_USE}. 622 * 623 * @hide 624 */ 625 public static final @NonNull ForegroundServiceTypePolicyInfo FGS_TYPE_POLICY_SPECIAL_USE = 626 new ForegroundServiceTypePolicyInfo( 627 FOREGROUND_SERVICE_TYPE_SPECIAL_USE, 628 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 629 ForegroundServiceTypePolicyInfo.INVALID_CHANGE_ID, 630 new ForegroundServiceTypePermissions(new ForegroundServiceTypePermission[] { 631 new RegularPermission(Manifest.permission.FOREGROUND_SERVICE_SPECIAL_USE) 632 }, true), 633 null /* anyOfPermissions */, 634 FGS_TYPE_PERM_ENFORCEMENT_FLAG_SPECIAL_USE /* permissionEnforcementFlag */, 635 true /* permissionEnforcementFlagDefaultValue */, 636 false /* foregroundOnlyPermission */ 637 ); 638 639 /** 640 * Foreground service policy check result code: this one is not actually being used. 641 * 642 * @hide 643 */ 644 public static final int FGS_TYPE_POLICY_CHECK_UNKNOWN = 645 AppProtoEnums.FGS_TYPE_POLICY_CHECK_UNKNOWN; 646 647 /** 648 * Foreground service policy check result code: okay to go. 649 * 650 * @hide 651 */ 652 public static final int FGS_TYPE_POLICY_CHECK_OK = 653 AppProtoEnums.FGS_TYPE_POLICY_CHECK_OK; 654 655 /** 656 * Foreground service policy check result code: this foreground service type is deprecated. 657 * 658 * @hide 659 */ 660 public static final int FGS_TYPE_POLICY_CHECK_DEPRECATED = 661 AppProtoEnums.FGS_TYPE_POLICY_CHECK_DEPRECATED; 662 663 /** 664 * Foreground service policy check result code: this foreground service type is disabled. 665 * 666 * @hide 667 */ 668 public static final int FGS_TYPE_POLICY_CHECK_DISABLED = 669 AppProtoEnums.FGS_TYPE_POLICY_CHECK_DISABLED; 670 671 /** 672 * Foreground service policy check result code: the caller doesn't have permission to start 673 * foreground service with this type, but the policy is permissive. 674 * 675 * @hide 676 */ 677 public static final int FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_PERMISSIVE = 678 AppProtoEnums.FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_PERMISSIVE; 679 680 /** 681 * Foreground service policy check result code: the caller doesn't have permission to start 682 * foreground service with this type, and the policy is enforced. 683 * 684 * @hide 685 */ 686 public static final int FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_ENFORCED = 687 AppProtoEnums.FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_ENFORCED; 688 689 /** 690 * @hide 691 */ 692 @IntDef(flag = true, prefix = { "FGS_TYPE_POLICY_CHECK_" }, value = { 693 FGS_TYPE_POLICY_CHECK_UNKNOWN, 694 FGS_TYPE_POLICY_CHECK_OK, 695 FGS_TYPE_POLICY_CHECK_DEPRECATED, 696 FGS_TYPE_POLICY_CHECK_DISABLED, 697 FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_PERMISSIVE, 698 FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_ENFORCED, 699 }) 700 @Retention(RetentionPolicy.SOURCE) 701 public @interface ForegroundServicePolicyCheckCode{} 702 703 /** 704 * Whether or not to require that app to have actual access to certain foreground only 705 * permissions before starting the foreground service. 706 * 707 * <p> 708 * Examples here are microphone, camera and fg location related permissions. 709 * When the user grants the permission, its permission state is set to "granted", 710 * but the actual capability to access these sensors, is to be evaluated according to 711 * its process state. The Android {@link android.os.Build.VERSION_CODES#R} introduced 712 * the while-in-use permission, basically the background-started FGS will not have access 713 * to these sensors. In this context, there is no legitimate reasons to start a FGS from 714 * the background with these types. This flag controls the behavior of the enforcement, 715 * when it's enabled, in the aforementioned case, the FGS start will result in 716 * a SecurityException. </p> 717 */ 718 private static final String FGS_TYPE_FG_PERM_ENFORCEMENT_FLAG = 719 "fgs_type_fg_perm_enforcement_flag"; 720 721 /** 722 * The default value to the {@link #FGS_TYPE_FG_PERM_ENFORCEMENT_FLAG}. 723 */ 724 private static final boolean DEFAULT_FGS_TYPE_FG_PERM_ENFORCEMENT_FLAG_VALUE = true; 725 726 /** 727 * @return The policy info for the given type. 728 */ 729 @NonNull getForegroundServiceTypePolicyInfo( @oregroundServiceType int type, @ForegroundServiceType int defaultToType)730 public abstract ForegroundServiceTypePolicyInfo getForegroundServiceTypePolicyInfo( 731 @ForegroundServiceType int type, @ForegroundServiceType int defaultToType); 732 733 /** 734 * Run check on the foreground service type policy for the given uid/pid 735 * 736 * @hide 737 */ 738 @ForegroundServicePolicyCheckCode checkForegroundServiceTypePolicy(@onNull Context context, @NonNull String packageName, int callerUid, int callerPid, boolean allowWhileInUse, @NonNull ForegroundServiceTypePolicyInfo policy)739 public abstract int checkForegroundServiceTypePolicy(@NonNull Context context, 740 @NonNull String packageName, int callerUid, int callerPid, boolean allowWhileInUse, 741 @NonNull ForegroundServiceTypePolicyInfo policy); 742 743 /** 744 * Run the given {@code policyFunctor} on the matching policy, if the flag is known 745 * to the policy. 746 * 747 * @hide 748 */ updatePermissionEnforcementFlagIfNecessary(@onNull String flag)749 public abstract void updatePermissionEnforcementFlagIfNecessary(@NonNull String flag); 750 751 @GuardedBy("sLock") 752 private static ForegroundServiceTypePolicy sDefaultForegroundServiceTypePolicy = null; 753 754 private static final Object sLock = new Object(); 755 756 /** 757 * Return the default policy for FGS type. 758 */ getDefaultPolicy()759 public static @NonNull ForegroundServiceTypePolicy getDefaultPolicy() { 760 synchronized (sLock) { 761 if (sDefaultForegroundServiceTypePolicy == null) { 762 sDefaultForegroundServiceTypePolicy = new DefaultForegroundServiceTypePolicy(); 763 } 764 return sDefaultForegroundServiceTypePolicy; 765 } 766 } 767 isFgsTypeFgPermissionEnforcementEnabled()768 private static boolean isFgsTypeFgPermissionEnforcementEnabled() { 769 return DeviceConfig.getBoolean(DeviceConfig.NAMESPACE_ACTIVITY_MANAGER, 770 FGS_TYPE_FG_PERM_ENFORCEMENT_FLAG, DEFAULT_FGS_TYPE_FG_PERM_ENFORCEMENT_FLAG_VALUE); 771 } 772 773 /** 774 * Constructor. 775 * 776 * @hide 777 */ ForegroundServiceTypePolicy()778 public ForegroundServiceTypePolicy() { 779 } 780 781 /** 782 * This class represents the policy for a specific FGS service type. 783 * 784 * @hide 785 */ 786 public static final class ForegroundServiceTypePolicyInfo { 787 /** 788 * The foreground service type. 789 */ 790 final @ForegroundServiceType int mType; 791 792 /** 793 * The change id to tell if this FGS type is deprecated. 794 * 795 * <p>A 0 indicates it's not deprecated.</p> 796 */ 797 final long mDeprecationChangeId; 798 799 /** 800 * The change id to tell if this FGS type is disabled. 801 * 802 * <p>A 0 indicates it's not disabled.</p> 803 */ 804 final long mDisabledChangeId; 805 806 /** 807 * The required permissions to start a foreground with this type, all of them 808 * MUST have been granted. 809 */ 810 final @Nullable ForegroundServiceTypePermissions mAllOfPermissions; 811 812 /** 813 * The required permissions to start a foreground with this type, any one of them 814 * being granted is sufficient. 815 */ 816 final @Nullable ForegroundServiceTypePermissions mAnyOfPermissions; 817 818 /** 819 * A permission enforcement flag, unlike the {@link #FGS_TYPE_PERMISSION_CHANGE_ID}, 820 * here it applies to all apps using this FGS type. 821 */ 822 final @Nullable String mPermissionEnforcementFlag; 823 824 /** 825 * The default value to {@link #mPermissionEnforcementFlag}. 826 */ 827 final boolean mPermissionEnforcementFlagDefaultValue; 828 829 /** 830 * Whether or not the permissions here are limited to foreground only. 831 * Typical examples are microphone/camera/location. 832 */ 833 final boolean mForegroundOnlyPermission; 834 835 /** 836 * A customized check for the permissions. 837 */ 838 @Nullable ForegroundServiceTypePermission mCustomPermission; 839 840 /** 841 * The value of the permission enforcement flag, will be updated by the system. 842 * If the value is {@code false}, the FGS permission check will be ignored. 843 * 844 * <p>This value could be updated via the DeviceConfig flag specified 845 * in the {@link #mPermissionEnforcementFlag}.</p> 846 */ 847 volatile boolean mPermissionEnforcementFlagValue; 848 849 /** 850 * Not a real change id, but a place holder. 851 */ 852 private static final long INVALID_CHANGE_ID = 0L; 853 854 /** 855 * @return {@code true} if the given change id is valid. 856 */ isValidChangeId(long changeId)857 private static boolean isValidChangeId(long changeId) { 858 return changeId != INVALID_CHANGE_ID; 859 } 860 861 /** 862 * Construct a new instance. 863 * 864 * @hide 865 */ ForegroundServiceTypePolicyInfo(@oregroundServiceType int type, long deprecationChangeId, long disabledChangeId, @Nullable ForegroundServiceTypePermissions allOfPermissions, @Nullable ForegroundServiceTypePermissions anyOfPermissions, @Nullable String permissionEnforcementFlag, boolean permissionEnforcementFlagDefaultValue, boolean foregroundOnlyPermission)866 public ForegroundServiceTypePolicyInfo(@ForegroundServiceType int type, 867 long deprecationChangeId, long disabledChangeId, 868 @Nullable ForegroundServiceTypePermissions allOfPermissions, 869 @Nullable ForegroundServiceTypePermissions anyOfPermissions, 870 @Nullable String permissionEnforcementFlag, 871 boolean permissionEnforcementFlagDefaultValue, 872 boolean foregroundOnlyPermission) { 873 mType = type; 874 mDeprecationChangeId = deprecationChangeId; 875 mDisabledChangeId = disabledChangeId; 876 mAllOfPermissions = allOfPermissions; 877 mAnyOfPermissions = anyOfPermissions; 878 mPermissionEnforcementFlag = permissionEnforcementFlag; 879 mPermissionEnforcementFlagDefaultValue = permissionEnforcementFlagDefaultValue; 880 mPermissionEnforcementFlagValue = permissionEnforcementFlagDefaultValue; 881 mForegroundOnlyPermission = foregroundOnlyPermission; 882 } 883 884 /** 885 * @return The foreground service type. 886 */ 887 @ForegroundServiceType getForegroundServiceType()888 public int getForegroundServiceType() { 889 return mType; 890 } 891 892 @Override toString()893 public String toString() { 894 final StringBuilder sb = toPermissionString(new StringBuilder()); 895 sb.append("type=0x"); 896 sb.append(Integer.toHexString(mType)); 897 sb.append(" deprecationChangeId="); 898 sb.append(mDeprecationChangeId); 899 sb.append(" disabledChangeId="); 900 sb.append(mDisabledChangeId); 901 sb.append(" customPermission="); 902 sb.append(mCustomPermission); 903 return sb.toString(); 904 } 905 906 /** 907 * @return The required permissions. 908 */ toPermissionString()909 public String toPermissionString() { 910 return toPermissionString(new StringBuilder()).toString(); 911 } 912 toPermissionString(StringBuilder sb)913 private StringBuilder toPermissionString(StringBuilder sb) { 914 if (mAllOfPermissions != null) { 915 sb.append("all of the permissions "); 916 sb.append(mAllOfPermissions.toString()); 917 sb.append(' '); 918 } 919 if (mAnyOfPermissions != null) { 920 sb.append("any of the permissions "); 921 sb.append(mAnyOfPermissions.toString()); 922 sb.append(' '); 923 } 924 return sb; 925 } 926 updatePermissionEnforcementFlagIfNecessary(@onNull String flagName)927 private void updatePermissionEnforcementFlagIfNecessary(@NonNull String flagName) { 928 if (mPermissionEnforcementFlag == null 929 || !TextUtils.equals(flagName, mPermissionEnforcementFlag)) { 930 return; 931 } 932 mPermissionEnforcementFlagValue = DeviceConfig.getBoolean( 933 DeviceConfig.NAMESPACE_ACTIVITY_MANAGER, 934 mPermissionEnforcementFlag, 935 mPermissionEnforcementFlagDefaultValue); 936 } 937 938 /** 939 * @hide 940 */ setCustomPermission( @ullable ForegroundServiceTypePermission customPermission)941 public void setCustomPermission( 942 @Nullable ForegroundServiceTypePermission customPermission) { 943 mCustomPermission = customPermission; 944 } 945 946 /** 947 * @return The name of the permissions which are all required. 948 * It may contain app op names. 949 * 950 * For test only. 951 */ getRequiredAllOfPermissionsForTest( @onNull Context context)952 public @NonNull Optional<String[]> getRequiredAllOfPermissionsForTest( 953 @NonNull Context context) { 954 if (mAllOfPermissions == null) { 955 return Optional.empty(); 956 } 957 return Optional.of(mAllOfPermissions.toStringArray(context)); 958 } 959 960 /** 961 * @return The name of the permissions where any of the is granted is sufficient. 962 * It may contain app op names. 963 * 964 * For test only. 965 */ getRequiredAnyOfPermissionsForTest( @onNull Context context)966 public @NonNull Optional<String[]> getRequiredAnyOfPermissionsForTest( 967 @NonNull Context context) { 968 if (mAnyOfPermissions == null) { 969 return Optional.empty(); 970 } 971 return Optional.of(mAnyOfPermissions.toStringArray(context)); 972 } 973 974 /** 975 * Whether or not this type is disabled. 976 */ 977 @SuppressLint("AndroidFrameworkRequiresPermission") isTypeDisabled(int callerUid)978 public boolean isTypeDisabled(int callerUid) { 979 return isValidChangeId(mDisabledChangeId) 980 && CompatChanges.isChangeEnabled(mDisabledChangeId, callerUid); 981 } 982 983 /** 984 * Whether or not the permissions here are limited to foreground only. 985 * Typical examples are microphone/camera/location. 986 */ hasForegroundOnlyPermission()987 public boolean hasForegroundOnlyPermission() { 988 return mForegroundOnlyPermission; 989 } 990 991 /** 992 * Override the type disabling change Id. 993 * 994 * For test only. 995 */ setTypeDisabledForTest(boolean disabled, @NonNull String packageName)996 public void setTypeDisabledForTest(boolean disabled, @NonNull String packageName) 997 throws RemoteException { 998 overrideChangeIdForTest(mDisabledChangeId, disabled, packageName); 999 } 1000 1001 /** 1002 * clear the type disabling change Id. 1003 * 1004 * For test only. 1005 */ clearTypeDisabledForTest(@onNull String packageName)1006 public void clearTypeDisabledForTest(@NonNull String packageName) throws RemoteException { 1007 clearOverrideForTest(mDisabledChangeId, packageName); 1008 } 1009 1010 @SuppressLint("AndroidFrameworkRequiresPermission") isTypeDeprecated(int callerUid)1011 boolean isTypeDeprecated(int callerUid) { 1012 return isValidChangeId(mDeprecationChangeId) 1013 && CompatChanges.isChangeEnabled(mDeprecationChangeId, callerUid); 1014 } 1015 overrideChangeIdForTest(long changeId, boolean enable, String packageName)1016 private void overrideChangeIdForTest(long changeId, boolean enable, String packageName) 1017 throws RemoteException { 1018 if (!isValidChangeId(changeId)) { 1019 return; 1020 } 1021 final ArraySet<Long> enabled = new ArraySet<>(); 1022 final ArraySet<Long> disabled = new ArraySet<>(); 1023 if (enable) { 1024 enabled.add(changeId); 1025 } else { 1026 disabled.add(changeId); 1027 } 1028 final CompatibilityChangeConfig overrides = new CompatibilityChangeConfig( 1029 new Compatibility.ChangeConfig(enabled, disabled)); 1030 IPlatformCompat platformCompat = IPlatformCompat.Stub.asInterface( 1031 ServiceManager.getService(Context.PLATFORM_COMPAT_SERVICE)); 1032 platformCompat.setOverridesForTest(overrides, packageName); 1033 } 1034 clearOverrideForTest(long changeId, @NonNull String packageName)1035 private void clearOverrideForTest(long changeId, @NonNull String packageName) 1036 throws RemoteException { 1037 IPlatformCompat platformCompat = IPlatformCompat.Stub.asInterface( 1038 ServiceManager.getService(Context.PLATFORM_COMPAT_SERVICE)); 1039 platformCompat.clearOverrideForTest(changeId, packageName); 1040 } 1041 1042 /** 1043 * For test only. 1044 * 1045 * @return The permission enforcement flag. 1046 */ getPermissionEnforcementFlagForTest()1047 public @Nullable String getPermissionEnforcementFlagForTest() { 1048 return mPermissionEnforcementFlag; 1049 } 1050 } 1051 1052 /** 1053 * This represents the set of permissions that's going to be required 1054 * for a specific service type. 1055 * 1056 * @hide 1057 */ 1058 public static class ForegroundServiceTypePermissions { 1059 /** 1060 * The set of the permissions to be required. 1061 */ 1062 final @NonNull ForegroundServiceTypePermission[] mPermissions; 1063 1064 /** 1065 * Are we requiring all of the permissions to be granted or any of them. 1066 */ 1067 final boolean mAllOf; 1068 1069 /** 1070 * Constructor. 1071 */ ForegroundServiceTypePermissions( @onNull ForegroundServiceTypePermission[] permissions, boolean allOf)1072 public ForegroundServiceTypePermissions( 1073 @NonNull ForegroundServiceTypePermission[] permissions, boolean allOf) { 1074 mPermissions = permissions; 1075 mAllOf = allOf; 1076 } 1077 1078 /** 1079 * Check the permissions. 1080 */ 1081 @PackageManager.PermissionResult checkPermissions(@onNull Context context, int callerUid, int callerPid, @NonNull String packageName, boolean allowWhileInUse)1082 public int checkPermissions(@NonNull Context context, int callerUid, int callerPid, 1083 @NonNull String packageName, boolean allowWhileInUse) { 1084 if (mAllOf) { 1085 for (ForegroundServiceTypePermission perm : mPermissions) { 1086 final int result = perm.checkPermission(context, callerUid, callerPid, 1087 packageName, allowWhileInUse); 1088 if (result != PERMISSION_GRANTED) { 1089 return PERMISSION_DENIED; 1090 } 1091 } 1092 return PERMISSION_GRANTED; 1093 } else { 1094 boolean anyOfGranted = false; 1095 for (ForegroundServiceTypePermission perm : mPermissions) { 1096 final int result = perm.checkPermission(context, callerUid, callerPid, 1097 packageName, allowWhileInUse); 1098 if (result == PERMISSION_GRANTED) { 1099 anyOfGranted = true; 1100 break; 1101 } 1102 } 1103 return anyOfGranted ? PERMISSION_GRANTED : PERMISSION_DENIED; 1104 } 1105 } 1106 1107 @Override toString()1108 public String toString() { 1109 final StringBuilder sb = new StringBuilder(); 1110 sb.append("allOf="); 1111 sb.append(mAllOf); 1112 sb.append(' '); 1113 sb.append('['); 1114 for (int i = 0; i < mPermissions.length; i++) { 1115 if (i > 0) { 1116 sb.append(", "); 1117 } 1118 sb.append(mPermissions[i].toString()); 1119 } 1120 sb.append(']'); 1121 return sb.toString(); 1122 } 1123 toStringArray(Context context)1124 @NonNull String[] toStringArray(Context context) { 1125 final ArrayList<String> list = new ArrayList<>(); 1126 for (int i = 0; i < mPermissions.length; i++) { 1127 mPermissions[i].addToList(context, list); 1128 } 1129 return list.toArray(new String[list.size()]); 1130 } 1131 } 1132 1133 /** 1134 * This represents a permission that's going to be required for a specific service type. 1135 * 1136 * @hide 1137 */ 1138 public abstract static class ForegroundServiceTypePermission { 1139 /** 1140 * The name of this permission. 1141 */ 1142 protected final @NonNull String mName; 1143 1144 /** 1145 * Constructor. 1146 */ ForegroundServiceTypePermission(@onNull String name)1147 public ForegroundServiceTypePermission(@NonNull String name) { 1148 mName = name; 1149 } 1150 1151 /** 1152 * Check if the given uid/pid/package has the access to the permission. 1153 */ 1154 @PackageManager.PermissionResult checkPermission(@onNull Context context, int callerUid, int callerPid, @NonNull String packageName, boolean allowWhileInUse)1155 public abstract int checkPermission(@NonNull Context context, int callerUid, int callerPid, 1156 @NonNull String packageName, boolean allowWhileInUse); 1157 1158 @Override toString()1159 public String toString() { 1160 return mName; 1161 } 1162 addToList(@onNull Context context, @NonNull ArrayList<String> list)1163 void addToList(@NonNull Context context, @NonNull ArrayList<String> list) { 1164 list.add(mName); 1165 } 1166 } 1167 1168 /** 1169 * This represents a regular Android permission to be required for a specific service type. 1170 */ 1171 static class RegularPermission extends ForegroundServiceTypePermission { RegularPermission(@onNull String name)1172 RegularPermission(@NonNull String name) { 1173 super(name); 1174 } 1175 1176 @Override 1177 @SuppressLint("AndroidFrameworkRequiresPermission") 1178 @PackageManager.PermissionResult checkPermission(@onNull Context context, int callerUid, int callerPid, String packageName, boolean allowWhileInUse)1179 public int checkPermission(@NonNull Context context, int callerUid, int callerPid, 1180 String packageName, boolean allowWhileInUse) { 1181 int permissionResult = checkPermission(context, mName, callerUid, callerPid, 1182 packageName, allowWhileInUse, Context.DEVICE_ID_DEFAULT); 1183 1184 if (permissionResult == PERMISSION_GRANTED 1185 || !PermissionManager.DEVICE_AWARE_PERMISSIONS.contains(mName)) { 1186 return permissionResult; 1187 } 1188 1189 // For device aware permissions, check if the permission is granted on any other 1190 // active virtual device 1191 VirtualDeviceManager vdm = context.getSystemService(VirtualDeviceManager.class); 1192 if (vdm == null) { 1193 return permissionResult; 1194 } 1195 1196 final List<VirtualDevice> virtualDevices = vdm.getVirtualDevices(); 1197 for (int i = 0, size = virtualDevices.size(); i < size; i++) { 1198 final VirtualDevice virtualDevice = virtualDevices.get(i); 1199 int resolvedDeviceId = PermissionManager.resolveDeviceIdForPermissionCheck( 1200 context, virtualDevice.getDeviceId(), mName); 1201 // we already checked on the default device context 1202 if (resolvedDeviceId == Context.DEVICE_ID_DEFAULT) { 1203 continue; 1204 } 1205 permissionResult = checkPermission(context, mName, callerUid, callerPid, 1206 packageName, allowWhileInUse, resolvedDeviceId); 1207 if (permissionResult == PERMISSION_GRANTED) { 1208 break; 1209 } 1210 } 1211 1212 return permissionResult; 1213 } 1214 1215 @SuppressLint("AndroidFrameworkRequiresPermission") 1216 @PackageManager.PermissionResult checkPermission(@onNull Context context, @NonNull String name, int callerUid, int callerPid, String packageName, boolean allowWhileInUse, int deviceId)1217 int checkPermission(@NonNull Context context, @NonNull String name, int callerUid, 1218 int callerPid, String packageName, boolean allowWhileInUse, int deviceId) { 1219 final AttributionSource attributionSource = new AttributionSource(callerUid, 1220 packageName, null /*attributionTag*/, deviceId); 1221 @PermissionCheckerManager.PermissionResult final int result = 1222 PermissionChecker.checkPermissionForPreflight(context, name, attributionSource); 1223 if (result == PERMISSION_HARD_DENIED) { 1224 // If the user didn't grant this permission at all. 1225 return PERMISSION_DENIED; 1226 } 1227 final int opCode = AppOpsManager.permissionToOpCode(name); 1228 if (opCode == AppOpsManager.OP_NONE) { 1229 // Simple case, check if it's already granted. 1230 return result == PermissionCheckerManager.PERMISSION_GRANTED 1231 ? PERMISSION_GRANTED : PERMISSION_DENIED; 1232 } 1233 final AppOpsManager appOpsManager = context.getSystemService(AppOpsManager.class); 1234 final int mode = appOpsManager.unsafeCheckOpRawNoThrow(opCode, attributionSource); 1235 switch (mode) { 1236 case MODE_ALLOWED: 1237 // The appop is just allowed, plain and simple. 1238 return PERMISSION_GRANTED; 1239 case MODE_DEFAULT: 1240 // Follow the permission check result. 1241 return result == PermissionCheckerManager.PERMISSION_GRANTED 1242 ? PERMISSION_GRANTED : PERMISSION_DENIED; 1243 case MODE_FOREGROUND: 1244 // If the enforcement flag is OFF, we silently allow it. Or, if it's in 1245 // the foreground only mode and we're allowing while-in-use, allow it. 1246 return !isFgsTypeFgPermissionEnforcementEnabled() || allowWhileInUse 1247 ? PERMISSION_GRANTED : PERMISSION_DENIED; 1248 case MODE_IGNORED: 1249 // If it's soft denied with the mode "ignore", semantically it's a silent 1250 // failure and no exception should be thrown, we might not want to allow 1251 // the FGS. However, since the user has agreed with this permission 1252 // (otherwise it's going to be a hard denial), and we're allowing 1253 // while-in-use here, it's safe to allow the FGS run here. 1254 return allowWhileInUse && result == PERMISSION_SOFT_DENIED 1255 ? PERMISSION_GRANTED : PERMISSION_DENIED; 1256 default: 1257 return PERMISSION_DENIED; 1258 } 1259 } 1260 } 1261 1262 /** 1263 * This represents an app op permission to be required for a specific service type. 1264 */ 1265 static class AppOpPermission extends ForegroundServiceTypePermission { 1266 final int mOpCode; 1267 AppOpPermission(int opCode)1268 AppOpPermission(int opCode) { 1269 super(AppOpsManager.opToPublicName(opCode)); 1270 mOpCode = opCode; 1271 } 1272 1273 @Override 1274 @PackageManager.PermissionResult checkPermission(@onNull Context context, int callerUid, int callerPid, String packageName, boolean allowWhileInUse)1275 public int checkPermission(@NonNull Context context, int callerUid, int callerPid, 1276 String packageName, boolean allowWhileInUse) { 1277 final AppOpsManager appOpsManager = context.getSystemService(AppOpsManager.class); 1278 final int mode = appOpsManager.unsafeCheckOpRawNoThrow(mOpCode, callerUid, packageName); 1279 return (mode == MODE_ALLOWED || (allowWhileInUse && mode == MODE_FOREGROUND)) 1280 ? PERMISSION_GRANTED : PERMISSION_DENIED; 1281 } 1282 } 1283 1284 /** 1285 * This represents a particular role an app needs to hold for a specific service type. 1286 */ 1287 static class RolePermission extends ForegroundServiceTypePermission { 1288 final String mRole; 1289 RolePermission(@onNull String role)1290 RolePermission(@NonNull String role) { 1291 super(role); 1292 mRole = role; 1293 } 1294 1295 @Override 1296 @PackageManager.PermissionResult checkPermission(@onNull Context context, int callerUid, int callerPid, String packageName, boolean allowWhileInUse)1297 public int checkPermission(@NonNull Context context, int callerUid, int callerPid, 1298 String packageName, boolean allowWhileInUse) { 1299 final RoleManager rm = context.getSystemService(RoleManager.class); 1300 final List<String> holders = rm.getRoleHoldersAsUser(mRole, 1301 UserHandle.getUserHandleForUid(callerUid)); 1302 return holders != null && holders.contains(packageName) 1303 ? PERMISSION_GRANTED : PERMISSION_DENIED; 1304 } 1305 } 1306 1307 /** 1308 * This represents a special Android permission to be required for accessing usb devices. 1309 */ 1310 static class UsbDevicePermission extends ForegroundServiceTypePermission { UsbDevicePermission()1311 UsbDevicePermission() { 1312 super("USB Device"); 1313 } 1314 1315 @Override 1316 @SuppressLint("AndroidFrameworkRequiresPermission") 1317 @PackageManager.PermissionResult checkPermission(@onNull Context context, int callerUid, int callerPid, String packageName, boolean allowWhileInUse)1318 public int checkPermission(@NonNull Context context, int callerUid, int callerPid, 1319 String packageName, boolean allowWhileInUse) { 1320 final UsbManager usbManager = context.getSystemService(UsbManager.class); 1321 final HashMap<String, UsbDevice> devices = usbManager.getDeviceList(); 1322 if (!ArrayUtils.isEmpty(devices)) { 1323 for (UsbDevice device : devices.values()) { 1324 if (usbManager.hasPermission(device, packageName, callerPid, callerUid)) { 1325 return PERMISSION_GRANTED; 1326 } 1327 } 1328 } 1329 return PERMISSION_DENIED; 1330 } 1331 } 1332 1333 /** 1334 * This represents a special Android permission to be required for accessing usb accessories. 1335 */ 1336 static class UsbAccessoryPermission extends ForegroundServiceTypePermission { UsbAccessoryPermission()1337 UsbAccessoryPermission() { 1338 super("USB Accessory"); 1339 } 1340 1341 @Override 1342 @SuppressLint("AndroidFrameworkRequiresPermission") 1343 @PackageManager.PermissionResult checkPermission(@onNull Context context, int callerUid, int callerPid, String packageName, boolean allowWhileInUse)1344 public int checkPermission(@NonNull Context context, int callerUid, int callerPid, 1345 String packageName, boolean allowWhileInUse) { 1346 final UsbManager usbManager = context.getSystemService(UsbManager.class); 1347 final UsbAccessory[] accessories = usbManager.getAccessoryList(); 1348 if (!ArrayUtils.isEmpty(accessories)) { 1349 for (UsbAccessory accessory: accessories) { 1350 if (usbManager.hasPermission(accessory, callerPid, callerUid)) { 1351 return PERMISSION_GRANTED; 1352 } 1353 } 1354 } 1355 return PERMISSION_DENIED; 1356 } 1357 } 1358 1359 /** 1360 * The default policy for the foreground service types. 1361 * 1362 * @hide 1363 */ 1364 public static class DefaultForegroundServiceTypePolicy extends ForegroundServiceTypePolicy { 1365 private final SparseArray<ForegroundServiceTypePolicyInfo> mForegroundServiceTypePolicies = 1366 new SparseArray<>(); 1367 1368 /** 1369 * The map between permission enforcement flag to its permission policy info. 1370 */ 1371 private final ArrayMap<String, ForegroundServiceTypePolicyInfo> 1372 mPermissionEnforcementToPolicyInfoMap = new ArrayMap<>(); 1373 1374 /** 1375 * Constructor 1376 */ DefaultForegroundServiceTypePolicy()1377 public DefaultForegroundServiceTypePolicy() { 1378 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_MANIFEST, 1379 FGS_TYPE_POLICY_MANIFEST); 1380 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_NONE, 1381 FGS_TYPE_POLICY_NONE); 1382 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_DATA_SYNC, 1383 FGS_TYPE_POLICY_DATA_SYNC); 1384 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_MEDIA_PLAYBACK, 1385 FGS_TYPE_POLICY_MEDIA_PLAYBACK); 1386 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_PHONE_CALL, 1387 FGS_TYPE_POLICY_PHONE_CALL); 1388 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_LOCATION, 1389 FGS_TYPE_POLICY_LOCATION); 1390 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE, 1391 FGS_TYPE_POLICY_CONNECTED_DEVICE); 1392 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_MEDIA_PROJECTION, 1393 FGS_TYPE_POLICY_MEDIA_PROJECTION); 1394 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_CAMERA, 1395 FGS_TYPE_POLICY_CAMERA); 1396 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_MICROPHONE, 1397 FGS_TYPE_POLICY_MICROPHONE); 1398 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_HEALTH, 1399 FGS_TYPE_POLICY_HEALTH); 1400 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_REMOTE_MESSAGING, 1401 FGS_TYPE_POLICY_REMOTE_MESSAGING); 1402 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_SYSTEM_EXEMPTED, 1403 FGS_TYPE_POLICY_SYSTEM_EXEMPTED); 1404 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_SHORT_SERVICE, 1405 FGS_TYPE_POLICY_SHORT_SERVICE); 1406 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_MEDIA_PROCESSING, 1407 FGS_TYPE_POLICY_MEDIA_PROCESSING); 1408 // TODO (b/271950506): revisit it in the next release. 1409 // Hide the file management type for now. If anyone uses it, will default to "none". 1410 mForegroundServiceTypePolicies.put(FOREGROUND_SERVICE_TYPE_SPECIAL_USE, 1411 FGS_TYPE_POLICY_SPECIAL_USE); 1412 for (int i = 0, size = mForegroundServiceTypePolicies.size(); i < size; i++) { 1413 final ForegroundServiceTypePolicyInfo info = 1414 mForegroundServiceTypePolicies.valueAt(i); 1415 mPermissionEnforcementToPolicyInfoMap.put(info.mPermissionEnforcementFlag, info); 1416 } 1417 } 1418 1419 @Override getForegroundServiceTypePolicyInfo( @oregroundServiceType int type, @ForegroundServiceType int defaultToType)1420 public ForegroundServiceTypePolicyInfo getForegroundServiceTypePolicyInfo( 1421 @ForegroundServiceType int type, @ForegroundServiceType int defaultToType) { 1422 ForegroundServiceTypePolicyInfo info = mForegroundServiceTypePolicies.get(type); 1423 if (info == null) { 1424 // Unknown type, fallback to the defaultToType 1425 info = mForegroundServiceTypePolicies.get(defaultToType); 1426 if (info == null) { 1427 // It shouldn't happen. 1428 throw new IllegalArgumentException("Invalid default fgs type " + defaultToType); 1429 } 1430 } 1431 return info; 1432 } 1433 1434 @Override 1435 @SuppressLint("AndroidFrameworkRequiresPermission") 1436 @ForegroundServicePolicyCheckCode checkForegroundServiceTypePolicy(Context context, String packageName, int callerUid, int callerPid, boolean allowWhileInUse, @NonNull ForegroundServiceTypePolicyInfo policy)1437 public int checkForegroundServiceTypePolicy(Context context, String packageName, 1438 int callerUid, int callerPid, boolean allowWhileInUse, 1439 @NonNull ForegroundServiceTypePolicyInfo policy) { 1440 // Has this FGS type been disabled and not allowed to use anymore? 1441 if (policy.isTypeDisabled(callerUid)) { 1442 return FGS_TYPE_POLICY_CHECK_DISABLED; 1443 } 1444 int permissionResult = PERMISSION_GRANTED; 1445 // Do we have the permission to start FGS with this type. 1446 if (policy.mAllOfPermissions != null) { 1447 permissionResult = policy.mAllOfPermissions.checkPermissions(context, 1448 callerUid, callerPid, packageName, allowWhileInUse); 1449 } 1450 // If it has the "all of" permissions granted, check the "any of" ones. 1451 if (permissionResult == PERMISSION_GRANTED) { 1452 boolean checkCustomPermission = true; 1453 // Check the "any of" permissions. 1454 if (policy.mAnyOfPermissions != null) { 1455 permissionResult = policy.mAnyOfPermissions.checkPermissions(context, 1456 callerUid, callerPid, packageName, allowWhileInUse); 1457 if (permissionResult == PERMISSION_GRANTED) { 1458 // We have one of them granted, no need to check custom permissions. 1459 checkCustomPermission = false; 1460 } 1461 } 1462 // If we have a customized permission checker, also call it now. 1463 if (checkCustomPermission && policy.mCustomPermission != null) { 1464 permissionResult = policy.mCustomPermission.checkPermission(context, 1465 callerUid, callerPid, packageName, allowWhileInUse); 1466 } 1467 } 1468 if (permissionResult != PERMISSION_GRANTED) { 1469 return policy.mPermissionEnforcementFlagValue 1470 && (CompatChanges.isChangeEnabled(FGS_TYPE_PERMISSION_CHANGE_ID, callerUid)) 1471 ? FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_ENFORCED 1472 : FGS_TYPE_POLICY_CHECK_PERMISSION_DENIED_PERMISSIVE; 1473 } 1474 // Has this FGS type been deprecated? 1475 if (policy.isTypeDeprecated(callerUid)) { 1476 return FGS_TYPE_POLICY_CHECK_DEPRECATED; 1477 } 1478 return FGS_TYPE_POLICY_CHECK_OK; 1479 } 1480 1481 @Override updatePermissionEnforcementFlagIfNecessary(@onNull String flagName)1482 public void updatePermissionEnforcementFlagIfNecessary(@NonNull String flagName) { 1483 final ForegroundServiceTypePolicyInfo info = 1484 mPermissionEnforcementToPolicyInfoMap.get(flagName); 1485 if (info != null) { 1486 info.updatePermissionEnforcementFlagIfNecessary(flagName); 1487 } 1488 } 1489 } 1490 } 1491