Method for pre-authorizing permissions by preset App in Android system

Source code path: AOSP/frameworks/base/services/core/java/com/android/server/pm/DefaultPermissionGrantPolicy.java

    public void grantDefaultPermissions(int userId) {
    
    
        // 1
        if (mService.hasSystemFeature(PackageManager.FEATURE_EMBEDDED, 0)) {
    
    
            grantAllRuntimePermissions(userId);
        } else {
    
    
            // 2
            grantPermissionsToSysComponentsAndPrivApps(userId);
            // 3
            grantDefaultSystemHandlerPermissions(userId);
            // 4
            grantDefaultPermissionExceptions(userId);
        }
    }

1. For IoT embedded devices (generally no display interface), pre-authorize all runtime permissions.

2、

    private boolean isSysComponentOrPersistentPlatformSignedPrivAppLPr(PackageParser.Package pkg) {
    
    
        // 2.1
        if (UserHandle.getAppId(pkg.applicationInfo.uid) < FIRST_APPLICATION_UID) {
    
    
            return true;
        }
        // 2.2
        if (!pkg.isPrivilegedApp()) {
    
    
            return false;
        }
        PackageSetting sysPkg = mService.mSettings.getDisabledSystemPkgLPr(pkg.packageName);
        if (sysPkg != null && sysPkg.pkg != null) {
    
    
            if ((sysPkg.pkg.applicationInfo.flags & ApplicationInfo.FLAG_PERSISTENT) == 0) {
    
    
                return false;
            }
        } else if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_PERSISTENT) == 0) {
    
    
            return false;
        }
        return PackageManagerService.compareSignatures(mService.mPlatformPackage.mSignatures,
                pkg.mSignatures) == PackageManager.SIGNATURE_MATCH;
    }

2.1. For apps with uid <FIRST_APPLICATION_UID (such as system uid, phone uid, media uid), pre-authorize runtime permissions.
2.2. For apps that have privileged privileges and declare android:persistent="true" in AndroidManifest.xml and use system signatures, pre-authorize runtime permissions.

3、对 Installer、Verifier、SetupWizard、Camera、Media provider、Downloads provider、Downloads UI、Storage provider、CertInstaller、Dialer、Sim call manager、SMS、Cell Broadcast Receiver、Carrier Provisioning Service、Calendar、Calendar provider、Calendar provider sync adapters、Contacts、Contacts provider sync adapters、Contacts provider、Device provisioning、Maps、Gallery、Email、Browser、Voice interaction、Voice recognition、Location、Music、Home、Watches、Print Spooler、EmergencyInfo、NFC Tag viewer、Storage Manager、Companion devices、Ringtone Picker 等 App 进行部分权限预授权。

4. According to the description of /system/etc/default-permissions/xxx.xml and other files, pre-authorize the runtime permissions of the App.
The format is as follows:

<exceptions>
    <exception package="foo.bar.permission">
      <permission name="android.permission.READ_CONTACTS" fixed="true"/>
      <permission name="android.permission.READ_CALENDAR" fixed="false"/>
    </exception>
</exceptions>

If fixed is true, the user can no longer modify this permission.
There is a pit here, see the pit encountered by Android default-permissions

You can use adb shell dumpsys package com.android.examplethe command to view the authority authorization result.

Another : the use of privileged permissions (protectionLevel is privileged) whitelist, see https://source.android.google.cn/devices/tech/config/perms-whitelist