LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix the INTERNET related permissions

Browse Source 
Change the INTERNET permission implementation so it only block socket
creation when non of the packages under the same uid have internet
permission. Fix the UPDATE_DEVICE_STATS permission so only the uid that
own the permission can change it.

Bug: 111560570
Test: CtsNetTestCasesUpdateStatsPermission
      CtsNetTestCasesInternetPermission
Change-Id: I42385526c191d4429f486cde01293b27fcc1374b
This commit is contained in:
Chenbo Feng
2019-03-08 11:55:12 -08:00
parent 67cfb00800
commit 0c4742527b
1 changed files with 28 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
services/core/java/com/android/server/connectivity/PermissionMonitor.java
View File

@@ -22,6 +22,7 @@ import static android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS;
import static android.Manifest.permission.INTERNET; import static android.Manifest.permission.INTERNET;
import static android.Manifest.permission.NETWORK_STACK; import static android.Manifest.permission.NETWORK_STACK;
import static android.Manifest.permission.UPDATE_DEVICE_STATS; import static android.Manifest.permission.UPDATE_DEVICE_STATS;
import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_GRANTED;
import static android.content.pm.PackageManager.GET_PERMISSIONS; import static android.content.pm.PackageManager.GET_PERMISSIONS;
import static android.content.pm.PackageManager.MATCH_ANY_USER; import static android.content.pm.PackageManager.MATCH_ANY_USER;
import static android.os.Process.INVALID_UID; import static android.os.Process.INVALID_UID;
@@ -43,7 +44,6 @@ import android.os.RemoteException;
import android.os.UserHandle; import android.os.UserHandle;
import android.os.UserManager; import android.os.UserManager;
import android.util.Log; import android.util.Log;
import android.util.Slog;
import android.util.SparseIntArray; import android.util.SparseIntArray;
import com.android.internal.annotations.VisibleForTesting; import com.android.internal.annotations.VisibleForTesting;
@@ -83,41 +83,32 @@ public class PermissionMonitor {
private final Map<Integer, Boolean> mApps = new HashMap<>(); private final Map<Integer, Boolean> mApps = new HashMap<>();
private class PackageListObserver implements PackageManagerInternal.PackageListObserver { private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
@Override
public void onPackageAdded(String packageName, int uid) {
final PackageInfo app = getPackageInfo(packageName);
if (app == null) {
Slog.wtf(TAG, "Failed to get information of installed package: " + packageName);
return;
}
if (uid == INVALID_UID) {
Slog.wtf(TAG, "Failed to get the uid of installed package: " + packageName
+ "uid: " + uid);
return;
}
if (app.requestedPermissions == null) {
return;
}
sendPackagePermissionsForUid(uid,
getNetdPermissionMask(app.requestedPermissions));
}
@Override private int getPermissionForUid(int uid) {
public void onPackageRemoved(String packageName, int uid) {
int permission = 0; int permission = 0;
// If there are still packages remain under the same uid, check the permission of the // Check all the packages for this UID. The UID has the permission if any of the
// remaining packages. We only remove the permission for a given uid when all packages // packages in it has the permission.
// for that uid no longer have that permission.
String[] packages = mPackageManager.getPackagesForUid(uid); String[] packages = mPackageManager.getPackagesForUid(uid);
if (packages != null && packages.length > 0) { if (packages != null && packages.length > 0) {
for (String name : packages) { for (String name : packages) {
final PackageInfo app = getPackageInfo(name); final PackageInfo app = getPackageInfo(name);
if (app != null && app.requestedPermissions != null) { if (app != null && app.requestedPermissions != null) {
permission |= getNetdPermissionMask(app.requestedPermissions); permission |= getNetdPermissionMask(app.requestedPermissions,
app.requestedPermissionsFlags);
} }
} }
} }
sendPackagePermissionsForUid(uid, permission); return permission;
}
@Override
public void onPackageAdded(String packageName, int uid) {
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
}
@Override
public void onPackageRemoved(String packageName, int uid) {
sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
} }
} }
@@ -167,12 +158,9 @@ public class PermissionMonitor {
} }
//TODO: unify the management of the permissions into one codepath. //TODO: unify the management of the permissions into one codepath.
if (app.requestedPermissions != null) { int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions); app.requestedPermissionsFlags);
if (otherNetdPerms != 0) { netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
}
}
} }
List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
@@ -403,13 +391,17 @@ public class PermissionMonitor {
} }
} }
private static int getNetdPermissionMask(String[] requestedPermissions) { private static int getNetdPermissionMask(String[] requestedPermissions,
int[] requestedPermissionsFlags) {
int permissions = 0; int permissions = 0;
for (String permissionName : requestedPermissions) { if (requestedPermissions == null || requestedPermissionsFlags == null) return permissions;
if (permissionName.equals(INTERNET)) { for (int i = 0; i < requestedPermissions.length; i++) {
if (requestedPermissions[i].equals(INTERNET)
&& ((requestedPermissionsFlags[i] & REQUESTED_PERMISSION_GRANTED) != 0)) {
permissions |= INetd.PERMISSION_INTERNET; permissions |= INetd.PERMISSION_INTERNET;
} }
if (permissionName.equals(UPDATE_DEVICE_STATS)) { if (requestedPermissions[i].equals(UPDATE_DEVICE_STATS)
&& ((requestedPermissionsFlags[i] & REQUESTED_PERMISSION_GRANTED) != 0)) {
permissions |= INetd.PERMISSION_UPDATE_DEVICE_STATS; permissions |= INetd.PERMISSION_UPDATE_DEVICE_STATS;
} }
} }