From f04137e99ed59ead11954e0b70a7fc425799c727 Mon Sep 17 00:00:00 2001 From: Chiachang Wang Date: Tue, 9 Apr 2019 19:42:52 +0800 Subject: [PATCH 1/3] Enforce NETWORK_STACK permission for calling NSS#forceUpdateIfaces ConnectivityManager and its usages are removed from NetworkStatsService. After that, forceUpdateIfaces requires information that only ConnectivityService has, hence restricting the calling permission to NETWORK_STACK or MAINLINE_NETWORK_STACK permission. The required permission will be changed from READ_NETWORK_USAGE_HISTORY to NETWORK_STACK or MAINLINE_NETWORK_STACK. This change would make it impossible to call outside the system. Bug: 126830974 Test: atest FrameworksNetTests Change-Id: I776484921b2dbb6735d7940c558fb5e4baed6d1e --- .../core/java/com/android/server/net/NetworkStatsService.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/core/java/com/android/server/net/NetworkStatsService.java b/services/core/java/com/android/server/net/NetworkStatsService.java index f237c4bca5..484efd6bfd 100644 --- a/services/core/java/com/android/server/net/NetworkStatsService.java +++ b/services/core/java/com/android/server/net/NetworkStatsService.java @@ -25,6 +25,7 @@ import static android.content.Intent.ACTION_USER_REMOVED; import static android.content.Intent.EXTRA_UID; import static android.net.ConnectivityManager.ACTION_TETHER_STATE_CHANGED; import static android.net.ConnectivityManager.isNetworkTypeMobile; +import static android.net.NetworkStack.checkNetworkStackPermission; import static android.net.NetworkStats.DEFAULT_NETWORK_ALL; import static android.net.NetworkStats.IFACE_ALL; import static android.net.NetworkStats.INTERFACES_ALL; @@ -899,7 +900,7 @@ public class NetworkStatsService extends INetworkStatsService.Stub { VpnInfo[] vpnArray, NetworkState[] networkStates, String activeIface) { - mContext.enforceCallingOrSelfPermission(READ_NETWORK_USAGE_HISTORY, TAG); + checkNetworkStackPermission(mContext); assertBandwidthControlEnabled(); final long token = Binder.clearCallingIdentity(); From 098b1e8ab04b3cd6c76a1d66378212028ccf891b Mon Sep 17 00:00:00 2001 From: Benedict Wong Date: Tue, 9 Apr 2019 11:31:46 -0700 Subject: [PATCH 2/3] Fix remove-before-add for IpSecService RefcountedResource This patch fixes a bug where if a binder dies before the linkToDeath call, the cleanup will be performed before the entry is added to the array. While it is safe in that quotas and tracking performs as per normal, the RefcountedRecord may not be cleaned up. Rethrowing this exception is safe, since the only paths that would hit this are all on binder threads coming from applications. Further, it seems there is only one real way of this getting hit - if the app that called the creation died during the binder call. Bug: 126802451 Test: Compiled, CTS tests passing Change-Id: Ib955acaa5e498c0e977cb5f2e48cffbc9fea8c7c Merged-In: I6db75853da9f29e1573512e26351623f22770c5d Merged-In: I416c2e43961ec0e1cc6b2fbcef970fbce858603b Merged-In: Ib955acaa5e498c0e977cb5f2e48cffbc9fea8c7c (cherry picked from commit 6c089d90bfa728e9842de0f5947f0c557c62dea0) --- services/core/java/com/android/server/IpSecService.java | 1 + 1 file changed, 1 insertion(+) diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java index 2cfcecca5f..2055b64483 100644 --- a/services/core/java/com/android/server/IpSecService.java +++ b/services/core/java/com/android/server/IpSecService.java @@ -208,6 +208,7 @@ public class IpSecService extends IIpSecService.Stub { mBinder.linkToDeath(this, 0); } catch (RemoteException e) { binderDied(); + e.rethrowFromSystemServer(); } } } From 8757df33e42ac7377a487e39955c98006fe30b52 Mon Sep 17 00:00:00 2001 From: Chiachang Wang Date: Tue, 9 Apr 2019 23:24:41 -0700 Subject: [PATCH 3/3] Enforce NETWORK_STACK permission for calling NSS#forceUpdateIfaces ConnectivityManager and its usages are removed from NetworkStatsService. After that, forceUpdateIfaces requires information that only ConnectivityService has, hence restricting the calling permission to NETWORK_STACK or MAINLINE_NETWORK_STACK permission. The required permission will be changed from READ_NETWORK_USAGE_HISTORY to NETWORK_STACK or MAINLINE_NETWORK_STACK. This change would make it impossible to call outside the system. Bug: 126830974 Test: atest FrameworksNetTests Merged-In: I1b26dc64eaab2151e6885fd01cc5e8d4e18c4e60 Change-Id: I4ea421e4126a45f65d25fe0bec74243a3b20aeab (cherry picked from commit 6b895dea25b4fca87d275bb78367411623ded1d4) --- .../core/java/com/android/server/net/NetworkStatsService.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/core/java/com/android/server/net/NetworkStatsService.java b/services/core/java/com/android/server/net/NetworkStatsService.java index 15599111f6..f34ace55a7 100644 --- a/services/core/java/com/android/server/net/NetworkStatsService.java +++ b/services/core/java/com/android/server/net/NetworkStatsService.java @@ -25,6 +25,7 @@ import static android.content.Intent.ACTION_USER_REMOVED; import static android.content.Intent.EXTRA_UID; import static android.net.ConnectivityManager.ACTION_TETHER_STATE_CHANGED; import static android.net.ConnectivityManager.isNetworkTypeMobile; +import static android.net.NetworkStack.checkNetworkStackPermission; import static android.net.NetworkStats.DEFAULT_NETWORK_ALL; import static android.net.NetworkStats.IFACE_ALL; import static android.net.NetworkStats.INTERFACES_ALL; @@ -866,7 +867,7 @@ public class NetworkStatsService extends INetworkStatsService.Stub { VpnInfo[] vpnArray, NetworkState[] networkStates, String activeIface) { - mContext.enforceCallingOrSelfPermission(READ_NETWORK_USAGE_HISTORY, TAG); + checkNetworkStackPermission(mContext); assertBandwidthControlEnabled(); final long token = Binder.clearCallingIdentity();