Fix the visibility check for sdk_sandbox processes

For some cases (e.g. WebView), the visibility is implicitly granted to
the calling uid. Right now the visibility rules for sdk sandbox uids
only take into account the forceQueryable apks, which means that WebView
will never be visible to sdk sandbox uids.

This change adds the implicitly queryable apps to the app visibility
check for the sdk sandbox uids.

Test: run SdkSandboxClientWebView
Test: atest CtsSdkSandboxInprocessTests
Test: atest AppsFilterImplTest
Bug: 238871061
Merged-In: Icfeb8e48151e1675d7b85c9714238f4a499ec6ea
Change-Id: Icfeb8e48151e1675d7b85c9714238f4a499ec6ea
(cherry picked from commit 5a1cba22d1e6a4cc9fd549ef1f9216f38bfdc601)
(cherry picked from commit a9d522f43ce64f66de149ec3b9cf43aa2bf9dfc8)
Merged-In: Icfeb8e48151e1675d7b85c9714238f4a499ec6ea

2 files changed, 35 insertions, 1 deletions

diff --git a/services/core/java/com/android/server/pm/AppsFilterBase.java b/services/core/java/com/android/server/pm/AppsFilterBase.java
index 7ca1978b2031..5de7674a7422 100644
--- a/services/core/java/com/android/server/pm/AppsFilterBase.java
+++ b/services/core/java/com/android/server/pm/AppsFilterBase.java
@@ -323,7 +323,8 @@ public abstract class AppsFilterBase implements AppsFilterSnapshot {
                 return false;
             } else if (Process.isSdkSandboxUid(callingAppId)) {
                 // we only allow sdk sandbox processes access to forcequeryable packages
-                return !isForceQueryable(targetPkgSetting.getAppId());
+                return !isForceQueryable(targetPkgSetting.getAppId())
+                      && !isImplicitlyQueryable(callingAppId, targetPkgSetting.getAppId());
             }
             if (mCacheReady) { // use cache
                 if (!shouldFilterApplicationUsingCache(callingUid,
diff --git a/services/tests/servicestests/src/com/android/server/pm/AppsFilterImplTest.java b/services/tests/servicestests/src/com/android/server/pm/AppsFilterImplTest.java
index facbe80bde67..92443c51b37d 100644
--- a/services/tests/servicestests/src/com/android/server/pm/AppsFilterImplTest.java
+++ b/services/tests/servicestests/src/com/android/server/pm/AppsFilterImplTest.java
@@ -1376,6 +1376,39 @@ public class AppsFilterImplTest {
                         null /* callingSetting */, target, SYSTEM_USER));
     }
 
+    @Test
+    public void testSdkSandbox_implicitAccessGranted_canSeePackage() throws Exception {
+        final AppsFilterImpl appsFilter =
+                new AppsFilterImpl(mFeatureConfigMock, new String[]{}, false, null,
+                        mMockHandler);
+        final WatchableTester watcher = new WatchableTester(appsFilter, "onChange");
+        watcher.register();
+        simulateAddBasicAndroid(appsFilter);
+        watcher.verifyChangeReported("addBasic");
+        appsFilter.onSystemReady(mPmInternal);
+        watcher.verifyChangeReported("systemReady");
+
+        PackageSetting target = simulateAddPackage(appsFilter,
+                pkg("com.some.package"), DUMMY_TARGET_APPID,
+                setting -> setting.setPkgFlags(ApplicationInfo.FLAG_SYSTEM));
+
+        int callingUid = 20123;
+        assertTrue(Process.isSdkSandboxUid(callingUid));
+
+        // Without granting the implicit access the app shouldn't be visible to the sdk sandbox uid.
+        assertTrue(
+                appsFilter.shouldFilterApplication(mSnapshot, callingUid,
+                        null /* callingSetting */, target, SYSTEM_USER));
+
+        appsFilter.grantImplicitAccess(callingUid, target.getAppId(), false /* retainOnUpdate */);
+        watcher.verifyChangeReported("grantImplicitAccess");
+
+        // After implicit access was granted the app should be visible to the sdk sandbox uid.
+        assertFalse(
+                appsFilter.shouldFilterApplication(mSnapshot, callingUid,
+                        null /* callingSetting */, target, SYSTEM_USER));
+    }
+
     private List<Integer> toList(int[] array) {
         ArrayList<Integer> ret = new ArrayList<>(array.length);
         for (int i = 0; i < array.length; i++) {