3 files changed, 55 insertions, 5 deletions

diff --git a/src/tools/androidtestrunner/main.cpp b/src/tools/androidtestrunner/main.cpp
index 0e04d10e692..b517d85c5fb 100644
--- a/src/tools/androidtestrunner/main.cpp
+++ b/src/tools/androidtestrunner/main.cpp
@@ -328,6 +328,53 @@ static bool processAndroidManifest()
     return true;
 }
 
+static QStringList queryDangerousPermissions()
+{
+    QByteArray output;
+    const QStringList args({ "shell"_L1, "dumpsys"_L1, "package"_L1, "permissions"_L1 });
+    if (!execAdbCommand(args, &output, false)) {
+        qWarning("Failed to query permissions via dumpsys");
+        return {};
+    }
+
+    /*
+     * Permissions section from this command look like:
+     *
+     * Permission [android.permission.INTERNET] (c8cafdc):
+     *     sourcePackage=android
+     *     uid=1000 gids=[3003] type=0 prot=normal|instant
+     *     perm=PermissionInfo{5f5bfbb android.permission.INTERNET}
+     *     flags=0x0
+     */
+     const static QRegularExpression regex("^\\s*Permission\\s+\\[([^\\]]+)\\]\\s+\\(([^)]+)\\):"_L1);
+    QStringList dangerousPermissions;
+    QString currentPerm;
+
+    const QStringList lines = QString::fromUtf8(output).split(u'\n');
+    for (const QString &line : lines) {
+        QRegularExpressionMatch match = regex.match(line);
+        if (match.hasMatch()) {
+            currentPerm = match.captured(1);
+            continue;
+        }
+
+        if (currentPerm.isEmpty())
+            continue;
+
+        int protIndex = line.indexOf("prot="_L1);
+        if (protIndex == -1)
+            continue;
+
+        QString protectionTypes = line.mid(protIndex + 5).trimmed();
+        if (protectionTypes.contains("dangerous"_L1, Qt::CaseInsensitive)) {
+            dangerousPermissions.append(currentPerm);
+            currentPerm.clear();
+        }
+    }
+
+    return dangerousPermissions;
+}
+
 static void setOutputFile(QString file, QString format)
 {
     if (format.isEmpty())
@@ -938,7 +985,11 @@ int main(int argc, char *argv[])
             return EXIT_ERROR;
     }
 
+    const QStringList dangerousPermisisons = queryDangerousPermissions();
     for (const auto &permission : g_options.permissions) {
+        if (!dangerousPermisisons.contains(permission))
+            continue;
+
         if (!execAdbCommand({ "shell"_L1, "pm"_L1, "grant"_L1, g_options.package, permission },
                             nullptr)) {
             qWarning("Unable to grant '%s' to '%s'. Probably the Android version mismatch.",
diff --git a/src/tools/macdeployqt/macdeployqt/main.cpp b/src/tools/macdeployqt/macdeployqt/main.cpp
index f5e6ab8f31a..ecbccdef2b3 100644
--- a/src/tools/macdeployqt/macdeployqt/main.cpp
+++ b/src/tools/macdeployqt/macdeployqt/main.cpp
@@ -77,7 +77,7 @@ int main(int argc, char **argv)
     QStringList qmlDirs;
     QStringList qmlImportPaths;
     extern bool runCodesign;
-    extern QString codesignIdentiy;
+    QString codesignIdentity = QStringLiteral("-");
     extern bool hardenedRuntime;
     bool noCodesignExplicit = false;
     extern bool appstoreCompliant;
@@ -166,7 +166,7 @@ int main(int argc, char **argv)
                 return 1;
             } else {
                 runCodesign = true;
-                codesignIdentiy = argument.mid(index+1);
+                codesignIdentity = argument.mid(index + 1);
             }
         } else if (argument.startsWith(QByteArray("-sign-for-notarization"))) {
             LogDebug() << "Argument found:" << argument;
@@ -182,7 +182,7 @@ int main(int argc, char **argv)
                 runCodesign = true;
                 hardenedRuntime = true;
                 secureTimestamp = true;
-                codesignIdentiy = argument.mid(index+1);
+                codesignIdentity = argument.mid(index + 1);
             }
         } else if (argument.startsWith(QByteArray("-hardened-runtime"))) {
             LogDebug() << "Argument found:" << argument;
@@ -273,7 +273,7 @@ int main(int argc, char **argv)
         stripAppBinary(appBundlePath);
 
     if (runCodesign)
-        codesign(codesignIdentiy, appBundlePath);
+        codesign(codesignIdentity, appBundlePath);
 
     if (dmg) {
         LogNormal();
diff --git a/src/tools/macdeployqt/shared/shared.cpp b/src/tools/macdeployqt/shared/shared.cpp
index 4e81229ebf5..bd7f4fba854 100644
--- a/src/tools/macdeployqt/shared/shared.cpp
+++ b/src/tools/macdeployqt/shared/shared.cpp
@@ -30,7 +30,6 @@ bool runStripEnabled = true;
 bool alwaysOwerwriteEnabled = false;
 bool runCodesign = true;
 QStringList librarySearchPath;
-QString codesignIdentiy = "-";
 QString extraEntitlements;
 bool hardenedRuntime = false;
 bool secureTimestamp = false;