Merge "[RFPM04] Adjust hasRestrictedNetworkPermission method"
This commit is contained in:
Paul Hu
@@ -171,8 +171,8 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
mAllApps.add(UserHandle.getAppId(uid));
|
mAllApps.add(UserHandle.getAppId(uid));
|
||||||
|
|
||||||
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
||||||
final boolean hasRestrictedPermission =
|
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(uid)
|
||||||
hasRestrictedNetworkPermission(app.applicationInfo);
|
|| isCarryoverPackage(app.applicationInfo);
|
||||||
|
|
||||||
if (isNetwork || hasRestrictedPermission) {
|
if (isNetwork || hasRestrictedPermission) {
|
||||||
Boolean permission = mApps.get(uid);
|
Boolean permission = mApps.get(uid);
|
||||||
@@ -200,7 +200,7 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
for (int i = 0; i < systemPermission.size(); i++) {
|
for (int i = 0; i < systemPermission.size(); i++) {
|
||||||
ArraySet<String> perms = systemPermission.valueAt(i);
|
ArraySet<String> perms = systemPermission.valueAt(i);
|
||||||
int uid = systemPermission.keyAt(i);
|
int uid = systemPermission.keyAt(i);
|
||||||
int netdPermission = 0;
|
int netdPermission = PERMISSION_NONE;
|
||||||
// Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
|
// Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
|
||||||
if (perms != null) {
|
if (perms != null) {
|
||||||
netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
|
netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
|
||||||
@@ -225,20 +225,21 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
}
|
}
|
||||||
|
|
||||||
@VisibleForTesting
|
@VisibleForTesting
|
||||||
boolean hasRestrictedNetworkPermission(@Nullable final ApplicationInfo appInfo) {
|
// TODO : remove this check in the future(b/162295056). All apps should just request the
|
||||||
|
// appropriate permission for their use case since android Q.
|
||||||
|
boolean isCarryoverPackage(@Nullable final ApplicationInfo appInfo) {
|
||||||
if (appInfo == null) return false;
|
if (appInfo == null) return false;
|
||||||
// TODO : remove this check in the future(b/162295056). All apps should just
|
return (appInfo.targetSdkVersion < VERSION_Q && isVendorApp(appInfo))
|
||||||
// request the appropriate permission for their use case since android Q.
|
|
||||||
if ((appInfo.targetSdkVersion < VERSION_Q && isVendorApp(appInfo))
|
|
||||||
// Backward compatibility for b/114245686, on devices that launched before Q daemons
|
// Backward compatibility for b/114245686, on devices that launched before Q daemons
|
||||||
// and apps running as the system UID are exempted from this check.
|
// and apps running as the system UID are exempted from this check.
|
||||||
|| (appInfo.uid == SYSTEM_UID && mDeps.getDeviceFirstSdkInt() < VERSION_Q)) {
|
|| (appInfo.uid == SYSTEM_UID && mDeps.getDeviceFirstSdkInt() < VERSION_Q);
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return hasPermission(PERMISSION_MAINLINE_NETWORK_STACK, appInfo.uid)
|
@VisibleForTesting
|
||||||
|| hasPermission(NETWORK_STACK, appInfo.uid)
|
boolean hasRestrictedNetworkPermission(final int uid) {
|
||||||
|| hasPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, appInfo.uid);
|
return hasPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid)
|
||||||
|
|| hasPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid)
|
||||||
|
|| hasPermission(NETWORK_STACK, uid);
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Returns whether the given uid has using background network permission. */
|
/** Returns whether the given uid has using background network permission. */
|
||||||
@@ -328,8 +329,8 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
try {
|
try {
|
||||||
final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
|
final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
|
||||||
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
||||||
final boolean hasRestrictedPermission =
|
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(uid)
|
||||||
hasRestrictedNetworkPermission(app.applicationInfo);
|
|| isCarryoverPackage(app.applicationInfo);
|
||||||
if (isNetwork || hasRestrictedPermission) {
|
if (isNetwork || hasRestrictedPermission) {
|
||||||
currentPermission = hasRestrictedPermission;
|
currentPermission = hasRestrictedPermission;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,6 +28,7 @@ import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_PRODUCT;
|
|||||||
import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_VENDOR;
|
import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_VENDOR;
|
||||||
import static android.content.pm.PackageManager.GET_PERMISSIONS;
|
import static android.content.pm.PackageManager.GET_PERMISSIONS;
|
||||||
import static android.content.pm.PackageManager.MATCH_ANY_USER;
|
import static android.content.pm.PackageManager.MATCH_ANY_USER;
|
||||||
|
import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
|
||||||
import static android.os.Process.SYSTEM_UID;
|
import static android.os.Process.SYSTEM_UID;
|
||||||
|
|
||||||
import static com.android.server.connectivity.PermissionMonitor.NETWORK;
|
import static com.android.server.connectivity.PermissionMonitor.NETWORK;
|
||||||
@@ -138,17 +139,10 @@ public class PermissionMonitorTest {
|
|||||||
verify(mMockPmi).getPackageList(mPermissionMonitor);
|
verify(mMockPmi).getPackageList(mPermissionMonitor);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
private boolean wouldBeCarryoverPackage(String partition, int targetSdkVersion, int uid) {
|
||||||
* Remove all permissions from the uid then build new package info and setup permissions to uid
|
|
||||||
* for checking restricted network permission.
|
|
||||||
*/
|
|
||||||
private boolean hasRestrictedNetworkPermission(String partition, int targetSdkVersion, int uid,
|
|
||||||
String... permissions) {
|
|
||||||
final PackageInfo packageInfo = buildPackageInfo(partition, uid, MOCK_USER1);
|
final PackageInfo packageInfo = buildPackageInfo(partition, uid, MOCK_USER1);
|
||||||
packageInfo.applicationInfo.targetSdkVersion = targetSdkVersion;
|
packageInfo.applicationInfo.targetSdkVersion = targetSdkVersion;
|
||||||
removeAllPermissions(uid);
|
return mPermissionMonitor.isCarryoverPackage(packageInfo.applicationInfo);
|
||||||
addPermissions(uid, permissions);
|
|
||||||
return mPermissionMonitor.hasRestrictedNetworkPermission(packageInfo.applicationInfo);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static PackageInfo packageInfoWithPartition(String partition) {
|
private static PackageInfo packageInfoWithPartition(String partition) {
|
||||||
@@ -228,61 +222,57 @@ public class PermissionMonitorTest {
|
|||||||
assertTrue(mPermissionMonitor.isVendorApp(app.applicationInfo));
|
assertTrue(mPermissionMonitor.isVendorApp(app.applicationInfo));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Remove all permissions from the uid then setup permissions to uid for checking restricted
|
||||||
|
* network permission.
|
||||||
|
*/
|
||||||
|
private void assertRestrictedNetworkPermission(boolean hasPermission, int uid,
|
||||||
|
String... permissions) {
|
||||||
|
removeAllPermissions(uid);
|
||||||
|
addPermissions(uid, permissions);
|
||||||
|
assertEquals(hasPermission, mPermissionMonitor.hasRestrictedNetworkPermission(uid));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testHasRestrictedNetworkPermission() {
|
public void testHasRestrictedNetworkPermission() {
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));
|
assertRestrictedNetworkPermission(false, MOCK_UID1);
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertRestrictedNetworkPermission(false, MOCK_UID1, CHANGE_NETWORK_STATE);
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CHANGE_NETWORK_STATE));
|
assertRestrictedNetworkPermission(true, MOCK_UID1, NETWORK_STACK);
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertRestrictedNetworkPermission(false, MOCK_UID1, CONNECTIVITY_INTERNAL);
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, NETWORK_STACK));
|
assertRestrictedNetworkPermission(true, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS);
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertRestrictedNetworkPermission(false, MOCK_UID1, CHANGE_WIFI_STATE);
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
assertRestrictedNetworkPermission(true, MOCK_UID1, PERMISSION_MAINLINE_NETWORK_STACK);
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CHANGE_WIFI_STATE));
|
|
||||||
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));
|
assertFalse(mPermissionMonitor.hasRestrictedNetworkPermission(MOCK_UID2));
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertFalse(mPermissionMonitor.hasRestrictedNetworkPermission(SYSTEM_UID));
|
||||||
PARTITION_SYSTEM, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testHasRestrictedNetworkPermissionSystemUid() {
|
public void testIsCarryoverPackage() {
|
||||||
doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();
|
doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();
|
||||||
assertTrue(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));
|
assertTrue(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, SYSTEM_UID));
|
||||||
PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_INTERNAL));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, MOCK_UID1));
|
||||||
PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
assertTrue(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));
|
||||||
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, SYSTEM_UID));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));
|
||||||
|
|
||||||
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, SYSTEM_UID));
|
||||||
PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_INTERNAL));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, MOCK_UID1));
|
||||||
PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));
|
||||||
}
|
assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, SYSTEM_UID));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));
|
||||||
|
|
||||||
@Test
|
assertFalse(wouldBeCarryoverPackage(PARTITION_OEM, VERSION_Q, SYSTEM_UID));
|
||||||
public void testHasRestrictedNetworkPermissionVendorApp() {
|
assertFalse(wouldBeCarryoverPackage(PARTITION_PRODUCT, VERSION_Q, SYSTEM_UID));
|
||||||
assertTrue(hasRestrictedNetworkPermission(PARTITION_VENDOR, VERSION_P, MOCK_UID1));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_OEM, VERSION_Q, MOCK_UID1));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertFalse(wouldBeCarryoverPackage(PARTITION_PRODUCT, VERSION_Q, MOCK_UID1));
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CHANGE_NETWORK_STATE));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, NETWORK_STACK));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CHANGE_WIFI_STATE));
|
|
||||||
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CHANGE_NETWORK_STATE));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void assertBackgroundPermission(boolean hasPermission, String name, int uid,
|
private void assertBackgroundPermission(boolean hasPermission, String name, int uid,
|
||||||
@@ -296,19 +286,23 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testHasUseBackgroundNetworksPermission() throws Exception {
|
public void testHasUseBackgroundNetworksPermission() throws Exception {
|
||||||
|
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID1));
|
||||||
|
assertBackgroundPermission(false, "mock1", MOCK_UID1);
|
||||||
|
assertBackgroundPermission(false, "mock2", MOCK_UID1, CONNECTIVITY_INTERNAL);
|
||||||
|
assertBackgroundPermission(true, "mock3", MOCK_UID1, NETWORK_STACK);
|
||||||
|
|
||||||
|
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID2));
|
||||||
|
assertBackgroundPermission(false, "mock4", MOCK_UID2);
|
||||||
|
assertBackgroundPermission(true, "mock5", MOCK_UID2,
|
||||||
|
CONNECTIVITY_USE_RESTRICTED_NETWORKS);
|
||||||
|
|
||||||
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
||||||
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(SYSTEM_UID));
|
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(SYSTEM_UID));
|
||||||
assertBackgroundPermission(false, "system1", SYSTEM_UID);
|
assertBackgroundPermission(false, "system1", SYSTEM_UID);
|
||||||
assertBackgroundPermission(false, "system2", SYSTEM_UID, CONNECTIVITY_INTERNAL);
|
assertBackgroundPermission(true, "system2", SYSTEM_UID, CHANGE_NETWORK_STATE);
|
||||||
assertBackgroundPermission(true, "system3", SYSTEM_UID, CHANGE_NETWORK_STATE);
|
doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();
|
||||||
|
removeAllPermissions(SYSTEM_UID);
|
||||||
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID1));
|
assertBackgroundPermission(true, "system3", SYSTEM_UID);
|
||||||
assertBackgroundPermission(false, "mock1", MOCK_UID1);
|
|
||||||
assertBackgroundPermission(true, "mock2", MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS);
|
|
||||||
|
|
||||||
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID2));
|
|
||||||
assertBackgroundPermission(false, "mock3", MOCK_UID2, CONNECTIVITY_INTERNAL);
|
|
||||||
assertBackgroundPermission(true, "mock4", MOCK_UID2, NETWORK_STACK);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private class NetdMonitor {
|
private class NetdMonitor {
|
||||||
|
|||||||
Reference in New Issue
Block a user