DPC should not be allowed to grant development permission

Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t  com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPermissionGrant_developmentPermission
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t  com.android.cts.devicepolicy.MixedProfileOwnerTest#testPermissionGrant_developmentPermission
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t  com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPermissionGrant
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t  com.android.cts.devicepolicy.MixedProfileOwnerTest#testPermissionGrant
Test: Run "Permissions lockdown" test in CtsVerifier

Bug: 62623498

Merged-In: If83d8edd0eea99145421e967ae47fdc264a5cf7c

Change-Id: I129bfe850981cf0b3646b7c1cf19c8a3ec69f512
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 911bb2a..55a1a45 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -98,6 +98,7 @@
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.content.pm.PackageManagerInternal;
 import android.content.pm.ParceledListSlice;
+import android.content.pm.PermissionInfo;
 import android.content.pm.ResolveInfo;
 import android.content.pm.ServiceInfo;
 import android.content.pm.StringParceledListSlice;
@@ -151,6 +152,7 @@
 import android.text.TextUtils;
 import android.util.ArrayMap;
 import android.util.ArraySet;
+import android.util.EventLog;
 import android.util.Log;
 import android.util.Pair;
 import android.util.Slog;
@@ -9543,6 +9545,10 @@
                         < android.os.Build.VERSION_CODES.M) {
                     return false;
                 }
+                if (!isRuntimePermission(permission)) {
+                    EventLog.writeEvent(0x534e4554, "62623498", user.getIdentifier(), "");
+                    return false;
+                }
                 final PackageManager packageManager = mInjector.getPackageManager();
                 switch (grantState) {
                     case DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED: {
@@ -9569,6 +9575,8 @@
                 return true;
             } catch (SecurityException se) {
                 return false;
+            } catch (NameNotFoundException e) {
+                return false;
             } finally {
                 mInjector.binderRestoreCallingIdentity(ident);
             }
@@ -9618,6 +9626,13 @@
         }
     }
 
+    public boolean isRuntimePermission(String permissionName) throws NameNotFoundException {
+        final PackageManager packageManager = mInjector.getPackageManager();
+        PermissionInfo permissionInfo = packageManager.getPermissionInfo(permissionName, 0);
+        return (permissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
+                == PermissionInfo.PROTECTION_DANGEROUS;
+    }
+
     @Override
     public boolean isProvisioningAllowed(String action, String packageName) {
         Preconditions.checkNotNull(packageName);