rework integration of Google's eUICC LPA package (EuiccGoogle)

- isolate EuiccGoogle from all non-system package via AppsFilter, which stops it from sending data
to Google through GmsCore. EuiccGoogle doesn't send data to Google directly
- keep EuiccGoogle disabled by default, but do not disable it after each reboot
- remove a misleading "device information will be sent to Google" message that appears before eSIM
download

core/java/android/content/res/Resources.java

@@ -449,6 +449,11 @@ public ConfigurationBoundResourceCache<StateListAnimator> getStateListAnimatorCa
     @NonNull public CharSequence getText(@StringRes int id) throws NotFoundException {
         CharSequence res = mResourcesImpl.getAssets().getResourceText(id);
         if (res != null) {
+            if (android.app.AppGlobals.getInitialPackageId() == android.ext.PackageId.G_EUICC_LPA) {
+                if (res.toString().contains("Google")) {
+                    return "";
+                }
+            }
             return res;
         }
         throw new NotFoundException("String resource ID #0x"

services/core/java/com/android/server/ext/PackageManagerHooks.java

@@ -17,7 +17,6 @@
 import android.util.Slog;
 
 import com.android.internal.app.ContactScopes;
-import com.android.internal.util.GoogleEuicc;
 import com.android.server.pm.GosPackageStatePmHooks;
 import com.android.server.pm.PackageManagerService;
 import com.android.server.pm.ext.PackageHooks;
@@ -44,9 +43,6 @@ public static Integer maybeOverrideSystemPackageEnabledSetting(String pkgName, @
                     // one of the previous OS versions enabled EuiccSupportPixel in all users
                     return PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
                 }
-            case GoogleEuicc.LPA_PKG_NAME:
-                // Google's LPA should be always disabled after reboot
-                return PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
             default:
                 return null;
         }

services/core/java/com/android/server/ext/SystemServerExt.java

@@ -30,8 +30,6 @@ public static void init(Context systemContext, PackageManagerService pm) {
         SystemServerExt sse = new SystemServerExt(systemContext, pm);
         sse.bgHandler.post(sse::initBgThread);
 
-        new GoogleEuiccLpaDisabler(sse);
-
         AppCompatConf.init(systemContext);
     }
 

services/core/java/com/android/server/pm/ext/EuiccGoogleHooks.java

@@ -1,9 +1,10 @@
 package com.android.server.pm.ext;
 
+import android.Manifest;
 import android.content.pm.PackageManager;
 
 import com.android.server.pm.pkg.PackageStateInternal;
-import com.android.server.pm.pkg.PackageUserStateInternal;
+import com.android.server.pm.pkg.component.ParsedUsesPermission;
 
 class EuiccGoogleHooks extends PackageHooks {
 
@@ -13,5 +14,27 @@ static class ParsingHooks extends PackageParsingHooks {
         public int overrideDefaultPackageEnabledState() {
             return PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
         }
+
+        @Override
+        public boolean shouldSkipUsesPermission(ParsedUsesPermission p) {
+            switch (p.getName()) {
+                // Carrier apps aren't shipped on GrapheneOS, these permissions are needed only to
+                // install/enable them
+                case Manifest.permission.INSTALL_EXISTING_PACKAGES:
+                case Manifest.permission.CHANGE_COMPONENT_ENABLED_STATE:
+                    return true;
+            }
+
+            return false;
+        }
+    }
+
+    @Override
+    public boolean shouldBlockPackageVisibility(int userId, PackageStateInternal otherPkg) {
+        // Block EuiccGoogle from interacting with GmsCore, which is used for feature flags, logging,
+        // perf data reporting etc.
+        //
+        // Block visibility for the rest of non-system packages to reduce the attack surface.
+        return !otherPkg.isSystem();
     }
 }