default-permissions for permissive signature spoofing

FakeStore/Android.mk

@@ -8,6 +8,13 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT_ETC)/permissions
 LOCAL_SRC_FILES := $(LOCAL_MODULE)
 include $(BUILD_PREBUILT)
 
+include $(CLEAR_VARS)
+LOCAL_MODULE := default-permissions-com.android.vending.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT_ETC)/default-permissions
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+include $(BUILD_PREBUILT)
+
 include $(CLEAR_VARS)
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE := FakeStore
@@ -16,7 +23,7 @@ LOCAL_MODULE_CLASS := APPS
 LOCAL_PRIVILEGED_MODULE := true
 LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
 LOCAL_CERTIFICATE := PRESIGNED
-LOCAL_REQUIRED_MODULES := privapp-permissions-com.android.vending.xml
+LOCAL_REQUIRED_MODULES := privapp-permissions-com.android.vending.xml default-permissions-com.android.vending.xml
 LOCAL_PRODUCT_MODULE := true
 include $(BUILD_PREBUILT)
 

FakeStore/default-permissions-com.android.vending.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<exceptions>
+    <exception package="com.android.vending">
+        <!-- for permissive signature spoofing, where the permission is "dangerous" -->
+        <permission name="android.permission.FAKE_PACKAGE_SIGNATURE" fixed="false"/>
+    </exception>
+</exceptions>

FakeStore/privapp-permissions-com.android.vending.xml

@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <permissions>
     <privapp-permissions package="com.android.vending">
+        <!-- for restrictive signature spoofing, where the permission is "signature|privileged" -->
         <permission name="android.permission.FAKE_PACKAGE_SIGNATURE"/>
     </privapp-permissions>
 </permissions>

GmsCore/Android.mk

@@ -8,6 +8,13 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT_ETC)/permissions
 LOCAL_SRC_FILES := $(LOCAL_MODULE)
 include $(BUILD_PREBUILT)
 
+include $(CLEAR_VARS)
+LOCAL_MODULE := default-permissions-com.google.android.gms.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT_ETC)/default-permissions
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+include $(BUILD_PREBUILT)
+
 include $(CLEAR_VARS)
 LOCAL_MODULE := sysconfig-com.google.android.gms.xml
 LOCAL_MODULE_TAGS := optional
@@ -25,7 +32,7 @@ LOCAL_PRIVILEGED_MODULE := true
 LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
 LOCAL_CERTIFICATE := PRESIGNED
 LOCAL_OVERRIDES_PACKAGES := com.qualcomm.location
-LOCAL_REQUIRED_MODULES := privapp-permissions-com.google.android.gms.xml sysconfig-com.google.android.gms.xml
+LOCAL_REQUIRED_MODULES := privapp-permissions-com.google.android.gms.xml default-permissions-com.google.android.gms.xml sysconfig-com.google.android.gms.xml
 LOCAL_PRODUCT_MODULE := true
 include $(BUILD_PREBUILT)
 

GmsCore/default-permissions-com.google.android.gms.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<exceptions>
+    <exception package="com.google.android.gms">
+        <!-- for permissive signature spoofing, where the permission is "dangerous" -->
+        <permission name="android.permission.FAKE_PACKAGE_SIGNATURE" fixed="false"/>
+        
+        <!-- work around https://source.android.google.cn/setup/start/android-12-release?hl=en#system-alert-window-restrictions ? -->
+        <permission name="android.permission.SYSTEM_ALERT_WINDOW" fixed="false"/>
+    </exception>
+</exceptions>

GmsCore/privapp-permissions-com.google.android.gms.xml

@@ -1,9 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <permissions>
     <privapp-permissions package="com.google.android.gms">
+        <!-- for restrictive signature spoofing, where the permission is "signature|privileged" -->
         <permission name="android.permission.FAKE_PACKAGE_SIGNATURE"/>
+
         <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
         <permission name="android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST"/>
         <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
-</privapp-permissions>
+    </privapp-permissions>
 </permissions>