Access to all users' external storage.

jsharkey · jsharkey · commit e217ee4d7a82 · 2012-08-30T10:37:51.000-07:00
System services holding this permission have external storage bound
one level higher, giving them access to all users' files.

Bug: 7003520
Change-Id: Ib2bcb8455740c713ebd01f71c9a2b89b4e642832
diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
@@ -584,6 +584,8 @@ private static ProcessStartResult startViaZygote(final String processClass,
             }
             if (mountExternal == Zygote.MOUNT_EXTERNAL_MULTIUSER) {
                 argsForZygote.add("--mount-external-multiuser");
+            } else if (mountExternal == Zygote.MOUNT_EXTERNAL_MULTIUSER_ALL) {
+                argsForZygote.add("--mount-external-multiuser-all");
             }
             argsForZygote.add("--target-sdk-version=" + targetSdkVersion);
 
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -529,6 +529,8 @@ private void parseArgs(String args[])
                     niceName = arg.substring(arg.indexOf('=') + 1);
                 } else if (arg.equals("--mount-external-multiuser")) {
                     mountExternal = Zygote.MOUNT_EXTERNAL_MULTIUSER;
+                } else if (arg.equals("--mount-external-multiuser-all")) {
+                    mountExternal = Zygote.MOUNT_EXTERNAL_MULTIUSER_ALL;
                 } else {
                     break;
                 }
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
@@ -725,6 +725,13 @@
         android:description="@string/permdesc_mediaStorageWrite"
         android:protectionLevel="signature|system" />
 
+    <!-- Allows an application to access all multi-user external storage @hide -->
+    <permission android:name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE"
+        android:permissionGroup="android.permission-group.DEVELOPMENT_TOOLS"
+        android:label="@string/permlab_sdcardAccessAll"
+        android:description="@string/permdesc_sdcardAccessAll"
+        android:protectionLevel="signature" />
+
     <!-- ============================================ -->
     <!-- Permissions for low-level system interaction -->
     <!-- ============================================ -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
@@ -1616,6 +1616,11 @@
     <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. [CHAR LIMIT=NONE] -->
     <string name="permdesc_mediaStorageWrite" product="default">Allows the app to modify the contents of the internal media storage.</string>
 
+    <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. [CHAR LIMIT=30] -->
+    <string name="permlab_sdcardAccessAll">access external storage of all users</string>
+    <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
+    <string name="permdesc_sdcardAccessAll">Allows the app to access external storage for all users.</string>
+
     <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
     <string name="permlab_cache_filesystem">access the cache filesystem</string>
     <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/services/java/com/android/server/am/ActivityManagerService.java b/services/java/com/android/server/am/ActivityManagerService.java
@@ -1991,13 +1991,19 @@ private final void startProcessLocked(ProcessRecord app,
                 try {
                     final PackageManager pm = mContext.getPackageManager();
                     gids = pm.getPackageGids(app.info.packageName);
+
+                    if (Environment.isExternalStorageEmulated()) {
+                        if (pm.checkPermission(
+                                android.Manifest.permission.ACCESS_ALL_EXTERNAL_STORAGE,
+                                app.info.packageName) == PERMISSION_GRANTED) {
+                            mountExternal = Zygote.MOUNT_EXTERNAL_MULTIUSER_ALL;
+                        } else {
+                            mountExternal = Zygote.MOUNT_EXTERNAL_MULTIUSER;
+                        }
+                    }
                 } catch (PackageManager.NameNotFoundException e) {
                     Slog.w(TAG, "Unable to retrieve gids", e);
                 }
-
-                if (Environment.isExternalStorageEmulated()) {
-                    mountExternal = Zygote.MOUNT_EXTERNAL_MULTIUSER;
-                }
             }
             if (mFactoryTest != SystemServer.FACTORY_TEST_OFF) {
                 if (mFactoryTest == SystemServer.FACTORY_TEST_LOW_LEVEL

Original file line number	Diff line number	Diff line change
`@@ -584,6 +584,8 @@ private static ProcessStartResult startViaZygote(final String processClass,`
`584`	`584`	`}`
`585`	`585`	`if (mountExternal == Zygote.MOUNT_EXTERNAL_MULTIUSER) {`
`586`	`586`	`argsForZygote.add("--mount-external-multiuser");`
	`587`	`+ } else if (mountExternal == Zygote.MOUNT_EXTERNAL_MULTIUSER_ALL) {`
	`588`	`+ argsForZygote.add("--mount-external-multiuser-all");`
`587`	`589`	`}`
`588`	`590`	`argsForZygote.add("--target-sdk-version=" + targetSdkVersion);`
`589`	`591`
Original file line number	Diff line number	Diff line change
`@@ -529,6 +529,8 @@ private void parseArgs(String args[])`
`529`	`529`	`niceName = arg.substring(arg.indexOf('=') + 1);`
`530`	`530`	`} else if (arg.equals("--mount-external-multiuser")) {`
`531`	`531`	`mountExternal = Zygote.MOUNT_EXTERNAL_MULTIUSER;`
	`532`	`+ } else if (arg.equals("--mount-external-multiuser-all")) {`
	`533`	`+ mountExternal = Zygote.MOUNT_EXTERNAL_MULTIUSER_ALL;`
`532`	`534`	`} else {`
`533`	`535`	`break;`
`534`	`536`	`}`