Merge changes Id2ffb056,I2a4e298b
* changes: Adjust some behaviors on PermissionMonitorTest Use common code
This commit is contained in:
Paul Hu
@@ -74,7 +74,6 @@ import java.util.HashMap;
|
|||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Map.Entry;
|
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -86,8 +85,6 @@ import java.util.Set;
|
|||||||
public class PermissionMonitor {
|
public class PermissionMonitor {
|
||||||
private static final String TAG = "PermissionMonitor";
|
private static final String TAG = "PermissionMonitor";
|
||||||
private static final boolean DBG = true;
|
private static final boolean DBG = true;
|
||||||
protected static final Boolean SYSTEM = Boolean.TRUE;
|
|
||||||
protected static final Boolean NETWORK = Boolean.FALSE;
|
|
||||||
private static final int VERSION_Q = Build.VERSION_CODES.Q;
|
private static final int VERSION_Q = Build.VERSION_CODES.Q;
|
||||||
|
|
||||||
private final PackageManager mPackageManager;
|
private final PackageManager mPackageManager;
|
||||||
@@ -102,7 +99,7 @@ public class PermissionMonitor {
|
|||||||
|
|
||||||
// Keys are appIds. Values are true for SYSTEM permission and false for NETWORK permission.
|
// Keys are appIds. Values are true for SYSTEM permission and false for NETWORK permission.
|
||||||
@GuardedBy("this")
|
@GuardedBy("this")
|
||||||
private final Map<Integer, Boolean> mApps = new HashMap<>();
|
private final SparseIntArray mApps = new SparseIntArray();
|
||||||
|
|
||||||
// Keys are active non-bypassable and fully-routed VPN's interface name, Values are uid ranges
|
// Keys are active non-bypassable and fully-routed VPN's interface name, Values are uid ranges
|
||||||
// for apps under the VPN
|
// for apps under the VPN
|
||||||
@@ -194,6 +191,23 @@ public class PermissionMonitor {
|
|||||||
mContext = context;
|
mContext = context;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private int getPackageNetdNetworkPermission(@NonNull final PackageInfo app) {
|
||||||
|
if (hasRestrictedNetworkPermission(app)) {
|
||||||
|
return PERMISSION_SYSTEM;
|
||||||
|
}
|
||||||
|
if (hasNetworkPermission(app)) {
|
||||||
|
return PERMISSION_NETWORK;
|
||||||
|
}
|
||||||
|
return PERMISSION_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static boolean isHigherNetworkPermission(final int targetPermission,
|
||||||
|
final int currentPermission) {
|
||||||
|
// This is relied on strict order of network permissions (SYSTEM > NETWORK > NONE), and it
|
||||||
|
// is enforced in tests.
|
||||||
|
return targetPermission > currentPermission;
|
||||||
|
}
|
||||||
|
|
||||||
// Intended to be called only once at startup, after the system is ready. Installs a broadcast
|
// Intended to be called only once at startup, after the system is ready. Installs a broadcast
|
||||||
// receiver to monitor ongoing UID changes, so this shouldn't/needn't be called again.
|
// receiver to monitor ongoing UID changes, so this shouldn't/needn't be called again.
|
||||||
public synchronized void startMonitoring() {
|
public synchronized void startMonitoring() {
|
||||||
@@ -247,16 +261,9 @@ public class PermissionMonitor {
|
|||||||
final int appId = UserHandle.getAppId(uid);
|
final int appId = UserHandle.getAppId(uid);
|
||||||
mAllApps.add(appId);
|
mAllApps.add(appId);
|
||||||
|
|
||||||
boolean hasNetworkPermission = hasNetworkPermission(app);
|
final int permission = getPackageNetdNetworkPermission(app);
|
||||||
boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
if (isHigherNetworkPermission(permission, mApps.get(appId, PERMISSION_NONE))) {
|
||||||
|
mApps.put(appId, permission);
|
||||||
if (hasNetworkPermission || hasRestrictedPermission) {
|
|
||||||
final Boolean permission = mApps.get(appId);
|
|
||||||
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
|
||||||
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
|
||||||
if (permission == null || permission == NETWORK) {
|
|
||||||
mApps.put(appId, hasRestrictedPermission);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//TODO: unify the management of the permissions into one codepath.
|
//TODO: unify the management of the permissions into one codepath.
|
||||||
@@ -353,25 +360,29 @@ public class PermissionMonitor {
|
|||||||
// networks. mApps contains the result of checks for both hasNetworkPermission and
|
// networks. mApps contains the result of checks for both hasNetworkPermission and
|
||||||
// hasRestrictedNetworkPermission. If uid is in the mApps list that means uid has one of
|
// hasRestrictedNetworkPermission. If uid is in the mApps list that means uid has one of
|
||||||
// permissions at least.
|
// permissions at least.
|
||||||
return mApps.containsKey(UserHandle.getAppId(uid));
|
return mApps.get(UserHandle.getAppId(uid), PERMISSION_NONE) != PERMISSION_NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns whether the given uid has permission to use restricted networks.
|
* Returns whether the given uid has permission to use restricted networks.
|
||||||
*/
|
*/
|
||||||
public synchronized boolean hasRestrictedNetworksPermission(int uid) {
|
public synchronized boolean hasRestrictedNetworksPermission(int uid) {
|
||||||
return Boolean.TRUE.equals(mApps.get(UserHandle.getAppId(uid)));
|
return PERMISSION_SYSTEM == mApps.get(UserHandle.getAppId(uid), PERMISSION_NONE);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void update(Set<UserHandle> users, Map<Integer, Boolean> apps, boolean add) {
|
private void update(Set<UserHandle> users, SparseIntArray apps, boolean add) {
|
||||||
List<Integer> network = new ArrayList<>();
|
List<Integer> network = new ArrayList<>();
|
||||||
List<Integer> system = new ArrayList<>();
|
List<Integer> system = new ArrayList<>();
|
||||||
for (Entry<Integer, Boolean> app : apps.entrySet()) {
|
for (int i = 0; i < apps.size(); i++) {
|
||||||
List<Integer> list = app.getValue() ? system : network;
|
final int permission = apps.valueAt(i);
|
||||||
|
if (PERMISSION_NONE == permission) {
|
||||||
|
continue; // Normally NONE is not stored in this map, but just in case
|
||||||
|
}
|
||||||
|
List<Integer> list = (PERMISSION_SYSTEM == permission) ? system : network;
|
||||||
for (UserHandle user : users) {
|
for (UserHandle user : users) {
|
||||||
if (user == null) continue;
|
if (user == null) continue;
|
||||||
|
|
||||||
list.add(user.getUid(app.getKey()));
|
list.add(user.getUid(apps.keyAt(i)));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
@@ -396,10 +407,7 @@ public class PermissionMonitor {
|
|||||||
*/
|
*/
|
||||||
public synchronized void onUserAdded(@NonNull UserHandle user) {
|
public synchronized void onUserAdded(@NonNull UserHandle user) {
|
||||||
mUsers.add(user);
|
mUsers.add(user);
|
||||||
|
update(Set.of(user), mApps, true);
|
||||||
Set<UserHandle> users = new HashSet<>();
|
|
||||||
users.add(user);
|
|
||||||
update(users, mApps, true);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -411,10 +419,7 @@ public class PermissionMonitor {
|
|||||||
*/
|
*/
|
||||||
public synchronized void onUserRemoved(@NonNull UserHandle user) {
|
public synchronized void onUserRemoved(@NonNull UserHandle user) {
|
||||||
mUsers.remove(user);
|
mUsers.remove(user);
|
||||||
|
update(Set.of(user), mApps, false);
|
||||||
Set<UserHandle> users = new HashSet<>();
|
|
||||||
users.add(user);
|
|
||||||
update(users, mApps, false);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -426,17 +431,16 @@ public class PermissionMonitor {
|
|||||||
* permission.
|
* permission.
|
||||||
*/
|
*/
|
||||||
@VisibleForTesting
|
@VisibleForTesting
|
||||||
protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
|
protected int highestPermissionForUid(int currentPermission, String name) {
|
||||||
if (currentPermission == SYSTEM) {
|
if (currentPermission == PERMISSION_SYSTEM) {
|
||||||
return currentPermission;
|
return currentPermission;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
final PackageInfo app = mPackageManager.getPackageInfo(name,
|
final PackageInfo app = mPackageManager.getPackageInfo(name,
|
||||||
GET_PERMISSIONS | MATCH_ANY_USER);
|
GET_PERMISSIONS | MATCH_ANY_USER);
|
||||||
final boolean isNetwork = hasNetworkPermission(app);
|
final int permission = getPackageNetdNetworkPermission(app);
|
||||||
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
|
if (isHigherNetworkPermission(permission, currentPermission)) {
|
||||||
if (isNetwork || hasRestrictedPermission) {
|
return permission;
|
||||||
currentPermission = hasRestrictedPermission;
|
|
||||||
}
|
}
|
||||||
} catch (NameNotFoundException e) {
|
} catch (NameNotFoundException e) {
|
||||||
// App not found.
|
// App not found.
|
||||||
@@ -465,6 +469,17 @@ public class PermissionMonitor {
|
|||||||
return permission;
|
return permission;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private synchronized void updateVpnUid(int uid, boolean add) {
|
||||||
|
for (Map.Entry<String, Set<UidRange>> vpn : mVpnUidRanges.entrySet()) {
|
||||||
|
if (UidRange.containsUid(vpn.getValue(), uid)) {
|
||||||
|
final Set<Integer> changedUids = new HashSet<>();
|
||||||
|
changedUids.add(uid);
|
||||||
|
removeBypassingUids(changedUids, -1 /* vpnAppUid */);
|
||||||
|
updateVpnUidsInterfaceRules(vpn.getKey(), changedUids, add);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Called when a package is added.
|
* Called when a package is added.
|
||||||
*
|
*
|
||||||
@@ -479,38 +494,32 @@ public class PermissionMonitor {
|
|||||||
|
|
||||||
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
// If multiple packages share a UID (cf: android:sharedUserId) and ask for different
|
||||||
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
// permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
|
||||||
final Boolean permission = highestPermissionForUid(mApps.get(appId), packageName);
|
final int currentPermission = mApps.get(appId, PERMISSION_NONE);
|
||||||
if (permission != mApps.get(appId)) {
|
final int permission = highestPermissionForUid(currentPermission, packageName);
|
||||||
|
if (permission != currentPermission) {
|
||||||
mApps.put(appId, permission);
|
mApps.put(appId, permission);
|
||||||
|
|
||||||
Map<Integer, Boolean> apps = new HashMap<>();
|
SparseIntArray apps = new SparseIntArray();
|
||||||
apps.put(appId, permission);
|
apps.put(appId, permission);
|
||||||
update(mUsers, apps, true);
|
update(mUsers, apps, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the newly-installed package falls within some VPN's uid range, update Netd with it.
|
// If the newly-installed package falls within some VPN's uid range, update Netd with it.
|
||||||
// This needs to happen after the mApps update above, since removeBypassingUids() depends
|
// This needs to happen after the mApps update above, since removeBypassingUids() in
|
||||||
// on mApps to check if the package can bypass VPN.
|
// updateVpnUid() depends on mApps to check if the package can bypass VPN.
|
||||||
for (Map.Entry<String, Set<UidRange>> vpn : mVpnUidRanges.entrySet()) {
|
updateVpnUid(uid, true /* add */);
|
||||||
if (UidRange.containsUid(vpn.getValue(), uid)) {
|
|
||||||
final Set<Integer> changedUids = new HashSet<>();
|
|
||||||
changedUids.add(uid);
|
|
||||||
removeBypassingUids(changedUids, /* vpnAppUid */ -1);
|
|
||||||
updateVpnUids(vpn.getKey(), changedUids, true);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
mAllApps.add(appId);
|
mAllApps.add(appId);
|
||||||
}
|
}
|
||||||
|
|
||||||
private Boolean highestUidNetworkPermission(int uid) {
|
private int highestUidNetworkPermission(int uid) {
|
||||||
Boolean permission = null;
|
int permission = PERMISSION_NONE;
|
||||||
final String[] packages = mPackageManager.getPackagesForUid(uid);
|
final String[] packages = mPackageManager.getPackagesForUid(uid);
|
||||||
if (!CollectionUtils.isEmpty(packages)) {
|
if (!CollectionUtils.isEmpty(packages)) {
|
||||||
for (String name : packages) {
|
for (String name : packages) {
|
||||||
// If multiple packages have the same UID, give the UID all permissions that
|
// If multiple packages have the same UID, give the UID all permissions that
|
||||||
// any package in that UID has.
|
// any package in that UID has.
|
||||||
permission = highestPermissionForUid(permission, name);
|
permission = highestPermissionForUid(permission, name);
|
||||||
if (permission == SYSTEM) {
|
if (permission == PERMISSION_SYSTEM) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -531,40 +540,32 @@ public class PermissionMonitor {
|
|||||||
sendPackagePermissionsForAppId(appId, getPermissionForUid(uid));
|
sendPackagePermissionsForAppId(appId, getPermissionForUid(uid));
|
||||||
|
|
||||||
// If the newly-removed package falls within some VPN's uid range, update Netd with it.
|
// If the newly-removed package falls within some VPN's uid range, update Netd with it.
|
||||||
// This needs to happen before the mApps update below, since removeBypassingUids() depends
|
// This needs to happen before the mApps update below, since removeBypassingUids() in
|
||||||
// on mApps to check if the package can bypass VPN.
|
// updateVpnUid() depends on mApps to check if the package can bypass VPN.
|
||||||
for (Map.Entry<String, Set<UidRange>> vpn : mVpnUidRanges.entrySet()) {
|
updateVpnUid(uid, false /* add */);
|
||||||
if (UidRange.containsUid(vpn.getValue(), uid)) {
|
|
||||||
final Set<Integer> changedUids = new HashSet<>();
|
|
||||||
changedUids.add(uid);
|
|
||||||
removeBypassingUids(changedUids, /* vpnAppUid */ -1);
|
|
||||||
updateVpnUids(vpn.getKey(), changedUids, false);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// If the package has been removed from all users on the device, clear it form mAllApps.
|
// If the package has been removed from all users on the device, clear it form mAllApps.
|
||||||
if (mPackageManager.getNameForUid(uid) == null) {
|
if (mPackageManager.getNameForUid(uid) == null) {
|
||||||
mAllApps.remove(appId);
|
mAllApps.remove(appId);
|
||||||
}
|
}
|
||||||
|
|
||||||
Map<Integer, Boolean> apps = new HashMap<>();
|
final int permission = highestUidNetworkPermission(uid);
|
||||||
final Boolean permission = highestUidNetworkPermission(uid);
|
if (permission == PERMISSION_SYSTEM) {
|
||||||
if (permission == SYSTEM) {
|
|
||||||
// An app with this UID still has the SYSTEM permission.
|
// An app with this UID still has the SYSTEM permission.
|
||||||
// Therefore, this UID must already have the SYSTEM permission.
|
// Therefore, this UID must already have the SYSTEM permission.
|
||||||
// Nothing to do.
|
// Nothing to do.
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
// If the permissions of this UID have not changed, do nothing.
|
||||||
|
if (permission == mApps.get(appId, PERMISSION_NONE)) return;
|
||||||
|
|
||||||
if (permission == mApps.get(appId)) {
|
final SparseIntArray apps = new SparseIntArray();
|
||||||
// The permissions of this UID have not changed. Nothing to do.
|
if (permission != PERMISSION_NONE) {
|
||||||
return;
|
|
||||||
} else if (permission != null) {
|
|
||||||
mApps.put(appId, permission);
|
mApps.put(appId, permission);
|
||||||
apps.put(appId, permission);
|
apps.put(appId, permission);
|
||||||
update(mUsers, apps, true);
|
update(mUsers, apps, true);
|
||||||
} else {
|
} else {
|
||||||
mApps.remove(appId);
|
mApps.delete(appId);
|
||||||
apps.put(appId, NETWORK); // doesn't matter which permission we pick here
|
apps.put(appId, PERMISSION_NETWORK); // doesn't matter which permission we pick here
|
||||||
update(mUsers, apps, false);
|
update(mUsers, apps, false);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -611,7 +612,7 @@ public class PermissionMonitor {
|
|||||||
// but that's safe.
|
// but that's safe.
|
||||||
final Set<Integer> changedUids = intersectUids(rangesToAdd, mAllApps);
|
final Set<Integer> changedUids = intersectUids(rangesToAdd, mAllApps);
|
||||||
removeBypassingUids(changedUids, vpnAppUid);
|
removeBypassingUids(changedUids, vpnAppUid);
|
||||||
updateVpnUids(iface, changedUids, true);
|
updateVpnUidsInterfaceRules(iface, changedUids, true /* add */);
|
||||||
if (mVpnUidRanges.containsKey(iface)) {
|
if (mVpnUidRanges.containsKey(iface)) {
|
||||||
mVpnUidRanges.get(iface).addAll(rangesToAdd);
|
mVpnUidRanges.get(iface).addAll(rangesToAdd);
|
||||||
} else {
|
} else {
|
||||||
@@ -632,7 +633,7 @@ public class PermissionMonitor {
|
|||||||
// ranges and update Netd about them.
|
// ranges and update Netd about them.
|
||||||
final Set<Integer> changedUids = intersectUids(rangesToRemove, mAllApps);
|
final Set<Integer> changedUids = intersectUids(rangesToRemove, mAllApps);
|
||||||
removeBypassingUids(changedUids, vpnAppUid);
|
removeBypassingUids(changedUids, vpnAppUid);
|
||||||
updateVpnUids(iface, changedUids, false);
|
updateVpnUidsInterfaceRules(iface, changedUids, false /* add */);
|
||||||
Set<UidRange> existingRanges = mVpnUidRanges.getOrDefault(iface, null);
|
Set<UidRange> existingRanges = mVpnUidRanges.getOrDefault(iface, null);
|
||||||
if (existingRanges == null) {
|
if (existingRanges == null) {
|
||||||
loge("Attempt to remove unknown vpn uid Range iface = " + iface);
|
loge("Attempt to remove unknown vpn uid Range iface = " + iface);
|
||||||
@@ -671,7 +672,7 @@ public class PermissionMonitor {
|
|||||||
/**
|
/**
|
||||||
* Remove all apps which can elect to bypass the VPN from the list of uids
|
* Remove all apps which can elect to bypass the VPN from the list of uids
|
||||||
*
|
*
|
||||||
* An app can elect to bypass the VPN if it hold SYSTEM permission, or if its the active VPN
|
* An app can elect to bypass the VPN if it holds SYSTEM permission, or if it's the active VPN
|
||||||
* app itself.
|
* app itself.
|
||||||
*
|
*
|
||||||
* @param uids The list of uids to operate on
|
* @param uids The list of uids to operate on
|
||||||
@@ -679,7 +680,8 @@ public class PermissionMonitor {
|
|||||||
*/
|
*/
|
||||||
private void removeBypassingUids(Set<Integer> uids, int vpnAppUid) {
|
private void removeBypassingUids(Set<Integer> uids, int vpnAppUid) {
|
||||||
uids.remove(vpnAppUid);
|
uids.remove(vpnAppUid);
|
||||||
uids.removeIf(uid -> mApps.getOrDefault(UserHandle.getAppId(uid), NETWORK) == SYSTEM);
|
uids.removeIf(uid ->
|
||||||
|
mApps.get(UserHandle.getAppId(uid), PERMISSION_NONE) == PERMISSION_SYSTEM);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -693,7 +695,7 @@ public class PermissionMonitor {
|
|||||||
* @param add {@code true} if the uids are to be added to the interface, {@code false} if they
|
* @param add {@code true} if the uids are to be added to the interface, {@code false} if they
|
||||||
* are to be removed from the interface.
|
* are to be removed from the interface.
|
||||||
*/
|
*/
|
||||||
private void updateVpnUids(String iface, Set<Integer> uids, boolean add) {
|
private void updateVpnUidsInterfaceRules(String iface, Set<Integer> uids, boolean add) {
|
||||||
if (uids.size() == 0) {
|
if (uids.size() == 0) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -811,17 +813,18 @@ public class PermissionMonitor {
|
|||||||
updateUidsAllowedOnRestrictedNetworks(mDeps.getUidsAllowedOnRestrictedNetworks(mContext));
|
updateUidsAllowedOnRestrictedNetworks(mDeps.getUidsAllowedOnRestrictedNetworks(mContext));
|
||||||
uidsToUpdate.addAll(mUidsAllowedOnRestrictedNetworks);
|
uidsToUpdate.addAll(mUidsAllowedOnRestrictedNetworks);
|
||||||
|
|
||||||
final Map<Integer, Boolean> updatedUids = new HashMap<>();
|
final SparseIntArray updatedUids = new SparseIntArray();
|
||||||
final Map<Integer, Boolean> removedUids = new HashMap<>();
|
final SparseIntArray removedUids = new SparseIntArray();
|
||||||
|
|
||||||
// Step2. For each uid to update, find out its new permission.
|
// Step2. For each uid to update, find out its new permission.
|
||||||
for (Integer uid : uidsToUpdate) {
|
for (Integer uid : uidsToUpdate) {
|
||||||
final Boolean permission = highestUidNetworkPermission(uid);
|
final int permission = highestUidNetworkPermission(uid);
|
||||||
|
|
||||||
final int appId = UserHandle.getAppId(uid);
|
final int appId = UserHandle.getAppId(uid);
|
||||||
if (null == permission) {
|
if (PERMISSION_NONE == permission) {
|
||||||
removedUids.put(appId, NETWORK); // Doesn't matter which permission is set here.
|
// Doesn't matter which permission is set here.
|
||||||
mApps.remove(appId);
|
removedUids.put(appId, PERMISSION_NETWORK);
|
||||||
|
mApps.delete(appId);
|
||||||
} else {
|
} else {
|
||||||
updatedUids.put(appId, permission);
|
updatedUids.put(appId, permission);
|
||||||
mApps.put(appId, permission);
|
mApps.put(appId, permission);
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ import static android.content.pm.PackageManager.GET_PERMISSIONS;
|
|||||||
import static android.content.pm.PackageManager.MATCH_ANY_USER;
|
import static android.content.pm.PackageManager.MATCH_ANY_USER;
|
||||||
import static android.net.ConnectivitySettingsManager.UIDS_ALLOWED_ON_RESTRICTED_NETWORKS;
|
import static android.net.ConnectivitySettingsManager.UIDS_ALLOWED_ON_RESTRICTED_NETWORKS;
|
||||||
import static android.net.INetd.PERMISSION_INTERNET;
|
import static android.net.INetd.PERMISSION_INTERNET;
|
||||||
|
import static android.net.INetd.PERMISSION_NETWORK;
|
||||||
import static android.net.INetd.PERMISSION_NONE;
|
import static android.net.INetd.PERMISSION_NONE;
|
||||||
import static android.net.INetd.PERMISSION_SYSTEM;
|
import static android.net.INetd.PERMISSION_SYSTEM;
|
||||||
import static android.net.INetd.PERMISSION_UNINSTALLED;
|
import static android.net.INetd.PERMISSION_UNINSTALLED;
|
||||||
@@ -39,8 +40,7 @@ import static android.net.INetd.PERMISSION_UPDATE_DEVICE_STATS;
|
|||||||
import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
|
import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
|
||||||
import static android.os.Process.SYSTEM_UID;
|
import static android.os.Process.SYSTEM_UID;
|
||||||
|
|
||||||
import static com.android.server.connectivity.PermissionMonitor.NETWORK;
|
import static com.android.server.connectivity.PermissionMonitor.isHigherNetworkPermission;
|
||||||
import static com.android.server.connectivity.PermissionMonitor.SYSTEM;
|
|
||||||
|
|
||||||
import static junit.framework.Assert.fail;
|
import static junit.framework.Assert.fail;
|
||||||
|
|
||||||
@@ -102,7 +102,6 @@ import org.mockito.invocation.InvocationOnMock;
|
|||||||
|
|
||||||
import java.lang.reflect.Array;
|
import java.lang.reflect.Array;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.HashMap;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
@@ -152,7 +151,7 @@ public class PermissionMonitorTest {
|
|||||||
MockitoAnnotations.initMocks(this);
|
MockitoAnnotations.initMocks(this);
|
||||||
when(mContext.getPackageManager()).thenReturn(mPackageManager);
|
when(mContext.getPackageManager()).thenReturn(mPackageManager);
|
||||||
when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager);
|
when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager);
|
||||||
when(mUserManager.getUserHandles(eq(true))).thenReturn(List.of(MOCK_USER1, MOCK_USER2));
|
doReturn(List.of(MOCK_USER1)).when(mUserManager).getUserHandles(eq(true));
|
||||||
when(mContext.getSystemServiceName(SystemConfigManager.class))
|
when(mContext.getSystemServiceName(SystemConfigManager.class))
|
||||||
.thenReturn(Context.SYSTEM_CONFIG_SERVICE);
|
.thenReturn(Context.SYSTEM_CONFIG_SERVICE);
|
||||||
when(mContext.getSystemService(Context.SYSTEM_CONFIG_SERVICE))
|
when(mContext.getSystemService(Context.SYSTEM_CONFIG_SERVICE))
|
||||||
@@ -173,8 +172,7 @@ public class PermissionMonitorTest {
|
|||||||
mPermissionMonitor = new PermissionMonitor(mContext, mNetdService, mDeps);
|
mPermissionMonitor = new PermissionMonitor(mContext, mNetdService, mDeps);
|
||||||
mNetdMonitor = new NetdMonitor(mNetdService);
|
mNetdMonitor = new NetdMonitor(mNetdService);
|
||||||
|
|
||||||
when(mPackageManager.getInstalledPackages(anyInt())).thenReturn(/* empty app list */ null);
|
doReturn(List.of()).when(mPackageManager).getInstalledPackages(anyInt());
|
||||||
mPermissionMonitor.startMonitoring();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean hasRestrictedNetworkPermission(String partition, int targetSdkVersion,
|
private boolean hasRestrictedNetworkPermission(String partition, int targetSdkVersion,
|
||||||
@@ -506,21 +504,22 @@ public class PermissionMonitorTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private class NetdMonitor {
|
private class NetdMonitor {
|
||||||
private final HashMap<Integer, Boolean> mUidsNetworkPermission = new HashMap<>();
|
private final SparseIntArray mUidsNetworkPermission = new SparseIntArray();
|
||||||
private final HashMap<Integer, Integer> mAppIdsTrafficPermission = new HashMap<>();
|
private final SparseIntArray mAppIdsTrafficPermission = new SparseIntArray();
|
||||||
|
private static final int DOES_NOT_EXIST = -2;
|
||||||
|
|
||||||
NetdMonitor(INetd mockNetd) throws Exception {
|
NetdMonitor(INetd mockNetd) throws Exception {
|
||||||
// Add hook to verify and track result of networkSetPermission.
|
// Add hook to verify and track result of networkSetPermission.
|
||||||
doAnswer((InvocationOnMock invocation) -> {
|
doAnswer((InvocationOnMock invocation) -> {
|
||||||
final Object[] args = invocation.getArguments();
|
final Object[] args = invocation.getArguments();
|
||||||
final Boolean isSystem = args[0].equals(PERMISSION_SYSTEM);
|
final int permission = (int) args[0];
|
||||||
for (final int uid : (int[]) args[1]) {
|
for (final int uid : (int[]) args[1]) {
|
||||||
// TODO: Currently, permission monitor will send duplicate commands for each uid
|
// TODO: Currently, permission monitor will send duplicate commands for each uid
|
||||||
// corresponding to each user. Need to fix that and uncomment below test.
|
// corresponding to each user. Need to fix that and uncomment below test.
|
||||||
// if (mApps.containsKey(uid) && mApps.get(uid) == isSystem) {
|
// if (mApps.containsKey(uid) && mApps.get(uid) == isSystem) {
|
||||||
// fail("uid " + uid + " is already set to " + isSystem);
|
// fail("uid " + uid + " is already set to " + isSystem);
|
||||||
// }
|
// }
|
||||||
mUidsNetworkPermission.put(uid, isSystem);
|
mUidsNetworkPermission.put(uid, permission);
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}).when(mockNetd).networkSetPermissionForUser(anyInt(), any(int[].class));
|
}).when(mockNetd).networkSetPermissionForUser(anyInt(), any(int[].class));
|
||||||
@@ -534,7 +533,7 @@ public class PermissionMonitorTest {
|
|||||||
// if (!mApps.containsKey(uid)) {
|
// if (!mApps.containsKey(uid)) {
|
||||||
// fail("uid " + uid + " does not exist.");
|
// fail("uid " + uid + " does not exist.");
|
||||||
// }
|
// }
|
||||||
mUidsNetworkPermission.remove(uid);
|
mUidsNetworkPermission.delete(uid);
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}).when(mockNetd).networkClearPermissionForUser(any(int[].class));
|
}).when(mockNetd).networkClearPermissionForUser(any(int[].class));
|
||||||
@@ -550,11 +549,11 @@ public class PermissionMonitorTest {
|
|||||||
}).when(mockNetd).trafficSetNetPermForUids(anyInt(), any(int[].class));
|
}).when(mockNetd).trafficSetNetPermForUids(anyInt(), any(int[].class));
|
||||||
}
|
}
|
||||||
|
|
||||||
public void expectNetworkPerm(Boolean permission, UserHandle[] users, int... appIds) {
|
public void expectNetworkPerm(int permission, UserHandle[] users, int... appIds) {
|
||||||
for (final UserHandle user : users) {
|
for (final UserHandle user : users) {
|
||||||
for (final int appId : appIds) {
|
for (final int appId : appIds) {
|
||||||
final int uid = user.getUid(appId);
|
final int uid = user.getUid(appId);
|
||||||
if (!mUidsNetworkPermission.containsKey(uid)) {
|
if (mUidsNetworkPermission.get(uid, DOES_NOT_EXIST) == DOES_NOT_EXIST) {
|
||||||
fail("uid " + uid + " does not exist.");
|
fail("uid " + uid + " does not exist.");
|
||||||
}
|
}
|
||||||
if (mUidsNetworkPermission.get(uid) != permission) {
|
if (mUidsNetworkPermission.get(uid) != permission) {
|
||||||
@@ -568,7 +567,7 @@ public class PermissionMonitorTest {
|
|||||||
for (final UserHandle user : users) {
|
for (final UserHandle user : users) {
|
||||||
for (final int appId : appIds) {
|
for (final int appId : appIds) {
|
||||||
final int uid = user.getUid(appId);
|
final int uid = user.getUid(appId);
|
||||||
if (mUidsNetworkPermission.containsKey(uid)) {
|
if (mUidsNetworkPermission.get(uid, DOES_NOT_EXIST) != DOES_NOT_EXIST) {
|
||||||
fail("uid " + uid + " has listed permissions, expected none.");
|
fail("uid " + uid + " has listed permissions, expected none.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -577,7 +576,7 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
public void expectTrafficPerm(int permission, int... appIds) {
|
public void expectTrafficPerm(int permission, int... appIds) {
|
||||||
for (final int appId : appIds) {
|
for (final int appId : appIds) {
|
||||||
if (!mAppIdsTrafficPermission.containsKey(appId)) {
|
if (mAppIdsTrafficPermission.get(appId, DOES_NOT_EXIST) == DOES_NOT_EXIST) {
|
||||||
fail("appId " + appId + " does not exist.");
|
fail("appId " + appId + " does not exist.");
|
||||||
}
|
}
|
||||||
if (mAppIdsTrafficPermission.get(appId) != permission) {
|
if (mAppIdsTrafficPermission.get(appId) != permission) {
|
||||||
@@ -599,17 +598,21 @@ public class PermissionMonitorTest {
|
|||||||
buildAndMockPackageInfoWithPermissions(SYSTEM_PACKAGE2, SYSTEM_APP_UID1,
|
buildAndMockPackageInfoWithPermissions(SYSTEM_PACKAGE2, SYSTEM_APP_UID1,
|
||||||
CHANGE_NETWORK_STATE);
|
CHANGE_NETWORK_STATE);
|
||||||
|
|
||||||
// Add SYSTEM_PACKAGE2, expect only have network permission.
|
// Add user MOCK_USER1.
|
||||||
mPermissionMonitor.onUserAdded(MOCK_USER1);
|
mPermissionMonitor.onUserAdded(MOCK_USER1);
|
||||||
|
// Add SYSTEM_PACKAGE2, expect only have network permission.
|
||||||
addPackageForUsers(new UserHandle[]{MOCK_USER1}, SYSTEM_PACKAGE2, SYSTEM_APPID1);
|
addPackageForUsers(new UserHandle[]{MOCK_USER1}, SYSTEM_PACKAGE2, SYSTEM_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1}, SYSTEM_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1},
|
||||||
|
SYSTEM_APPID1);
|
||||||
|
|
||||||
// Add SYSTEM_PACKAGE1, expect permission upgrade.
|
// Add SYSTEM_PACKAGE1, expect permission upgrade.
|
||||||
addPackageForUsers(new UserHandle[]{MOCK_USER1}, SYSTEM_PACKAGE1, SYSTEM_APPID1);
|
addPackageForUsers(new UserHandle[]{MOCK_USER1}, SYSTEM_PACKAGE1, SYSTEM_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, SYSTEM_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
|
SYSTEM_APPID1);
|
||||||
|
|
||||||
|
// Add user MOCK_USER2.
|
||||||
mPermissionMonitor.onUserAdded(MOCK_USER2);
|
mPermissionMonitor.onUserAdded(MOCK_USER2);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
SYSTEM_APPID1);
|
SYSTEM_APPID1);
|
||||||
|
|
||||||
// Remove SYSTEM_PACKAGE2, expect keep system permission.
|
// Remove SYSTEM_PACKAGE2, expect keep system permission.
|
||||||
@@ -619,19 +622,19 @@ public class PermissionMonitorTest {
|
|||||||
.thenReturn(new String[]{SYSTEM_PACKAGE1});
|
.thenReturn(new String[]{SYSTEM_PACKAGE1});
|
||||||
removePackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
removePackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
SYSTEM_PACKAGE2, SYSTEM_APPID1);
|
SYSTEM_PACKAGE2, SYSTEM_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
SYSTEM_APPID1);
|
SYSTEM_APPID1);
|
||||||
|
|
||||||
// Add SYSTEM_PACKAGE2, expect keep system permission.
|
// Add SYSTEM_PACKAGE2, expect keep system permission.
|
||||||
addPackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2}, SYSTEM_PACKAGE2,
|
addPackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2}, SYSTEM_PACKAGE2,
|
||||||
SYSTEM_APPID1);
|
SYSTEM_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
SYSTEM_APPID1);
|
SYSTEM_APPID1);
|
||||||
|
|
||||||
addPackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_PACKAGE1, MOCK_APPID1);
|
addPackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_PACKAGE1, MOCK_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
SYSTEM_APPID1);
|
SYSTEM_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
MOCK_APPID1);
|
MOCK_APPID1);
|
||||||
|
|
||||||
// Remove MOCK_PACKAGE1, expect no permission left for all user.
|
// Remove MOCK_PACKAGE1, expect no permission left for all user.
|
||||||
@@ -647,11 +650,12 @@ public class PermissionMonitorTest {
|
|||||||
.thenReturn(new String[]{SYSTEM_PACKAGE2});
|
.thenReturn(new String[]{SYSTEM_PACKAGE2});
|
||||||
removePackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
removePackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
SYSTEM_PACKAGE1, SYSTEM_APPID1);
|
SYSTEM_PACKAGE1, SYSTEM_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
SYSTEM_APPID1);
|
SYSTEM_APPID1);
|
||||||
|
|
||||||
mPermissionMonitor.onUserRemoved(MOCK_USER1);
|
mPermissionMonitor.onUserRemoved(MOCK_USER1);
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER2}, SYSTEM_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER2},
|
||||||
|
SYSTEM_APPID1);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, SYSTEM_APPID1);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, SYSTEM_APPID1);
|
||||||
|
|
||||||
// Remove all packages, expect no permission left.
|
// Remove all packages, expect no permission left.
|
||||||
@@ -866,7 +870,6 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUpdateUidPermissionsFromSystemConfig() throws Exception {
|
public void testUpdateUidPermissionsFromSystemConfig() throws Exception {
|
||||||
when(mPackageManager.getInstalledPackages(anyInt())).thenReturn(List.of());
|
|
||||||
when(mSystemConfigManager.getSystemPermissionUids(eq(INTERNET)))
|
when(mSystemConfigManager.getSystemPermissionUids(eq(INTERNET)))
|
||||||
.thenReturn(new int[]{ MOCK_UID1, MOCK_UID2 });
|
.thenReturn(new int[]{ MOCK_UID1, MOCK_UID2 });
|
||||||
when(mSystemConfigManager.getSystemPermissionUids(eq(UPDATE_DEVICE_STATS)))
|
when(mSystemConfigManager.getSystemPermissionUids(eq(UPDATE_DEVICE_STATS)))
|
||||||
@@ -894,6 +897,7 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testIntentReceiver() throws Exception {
|
public void testIntentReceiver() throws Exception {
|
||||||
|
mPermissionMonitor.startMonitoring();
|
||||||
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
||||||
Intent.ACTION_PACKAGE_ADDED, Intent.ACTION_PACKAGE_REMOVED);
|
Intent.ACTION_PACKAGE_ADDED, Intent.ACTION_PACKAGE_REMOVED);
|
||||||
|
|
||||||
@@ -925,10 +929,10 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUidsAllowedOnRestrictedNetworksChanged() throws Exception {
|
public void testUidsAllowedOnRestrictedNetworksChanged() throws Exception {
|
||||||
|
mPermissionMonitor.startMonitoring();
|
||||||
final ContentObserver contentObserver = expectRegisterContentObserver(
|
final ContentObserver contentObserver = expectRegisterContentObserver(
|
||||||
Settings.Global.getUriFor(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS));
|
Settings.Global.getUriFor(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS));
|
||||||
|
|
||||||
mPermissionMonitor.onUserAdded(MOCK_USER1);
|
|
||||||
// Prepare PackageInfo for MOCK_PACKAGE1 and MOCK_PACKAGE2
|
// Prepare PackageInfo for MOCK_PACKAGE1 and MOCK_PACKAGE2
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1);
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID2);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID2);
|
||||||
@@ -937,14 +941,16 @@ public class PermissionMonitorTest {
|
|||||||
// should have SYSTEM permission.
|
// should have SYSTEM permission.
|
||||||
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID1));
|
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID1));
|
||||||
contentObserver.onChange(true /* selfChange */);
|
contentObserver.onChange(true /* selfChange */);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
||||||
|
|
||||||
// MOCK_UID2 is listed in setting that allow to use restricted networks, MOCK_UID2
|
// MOCK_UID2 is listed in setting that allow to use restricted networks, MOCK_UID2
|
||||||
// should have SYSTEM permission but MOCK_UID1 should revoke permission.
|
// should have SYSTEM permission but MOCK_UID1 should revoke permission.
|
||||||
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID2));
|
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID2));
|
||||||
contentObserver.onChange(true /* selfChange */);
|
contentObserver.onChange(true /* selfChange */);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID2);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
||||||
|
|
||||||
// No uid lists in setting, should revoke permission from all uids.
|
// No uid lists in setting, should revoke permission from all uids.
|
||||||
@@ -955,27 +961,30 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUidsAllowedOnRestrictedNetworksChangedWithSharedUid() throws Exception {
|
public void testUidsAllowedOnRestrictedNetworksChangedWithSharedUid() throws Exception {
|
||||||
|
mPermissionMonitor.startMonitoring();
|
||||||
final ContentObserver contentObserver = expectRegisterContentObserver(
|
final ContentObserver contentObserver = expectRegisterContentObserver(
|
||||||
Settings.Global.getUriFor(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS));
|
Settings.Global.getUriFor(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS));
|
||||||
|
|
||||||
mPermissionMonitor.onUserAdded(MOCK_USER1);
|
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1, CHANGE_NETWORK_STATE);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1, CHANGE_NETWORK_STATE);
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID1);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID1);
|
||||||
|
|
||||||
// MOCK_PACKAGE1 have CHANGE_NETWORK_STATE, MOCK_UID1 should have NETWORK permission.
|
// MOCK_PACKAGE1 have CHANGE_NETWORK_STATE, MOCK_UID1 should have NETWORK permission.
|
||||||
addPackageForUsers(new UserHandle[]{MOCK_USER1}, MOCK_PACKAGE1, MOCK_APPID1);
|
addPackageForUsers(new UserHandle[]{MOCK_USER1}, MOCK_PACKAGE1, MOCK_APPID1);
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
|
|
||||||
// MOCK_UID1 is listed in setting that allow to use restricted networks, MOCK_UID1
|
// MOCK_UID1 is listed in setting that allow to use restricted networks, MOCK_UID1
|
||||||
// should upgrade to SYSTEM permission.
|
// should upgrade to SYSTEM permission.
|
||||||
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID1));
|
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID1));
|
||||||
contentObserver.onChange(true /* selfChange */);
|
contentObserver.onChange(true /* selfChange */);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
|
|
||||||
// No app lists in setting, MOCK_UID1 should downgrade to NETWORK permission.
|
// No app lists in setting, MOCK_UID1 should downgrade to NETWORK permission.
|
||||||
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of());
|
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of());
|
||||||
contentObserver.onChange(true /* selfChange */);
|
contentObserver.onChange(true /* selfChange */);
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
|
|
||||||
// MOCK_PACKAGE1 removed, should revoke permission from MOCK_UID1.
|
// MOCK_PACKAGE1 removed, should revoke permission from MOCK_UID1.
|
||||||
when(mPackageManager.getPackagesForUid(MOCK_UID1)).thenReturn(new String[]{MOCK_PACKAGE2});
|
when(mPackageManager.getPackagesForUid(MOCK_UID1)).thenReturn(new String[]{MOCK_PACKAGE2});
|
||||||
@@ -985,11 +994,10 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUidsAllowedOnRestrictedNetworksChangedWithMultipleUsers() throws Exception {
|
public void testUidsAllowedOnRestrictedNetworksChangedWithMultipleUsers() throws Exception {
|
||||||
|
mPermissionMonitor.startMonitoring();
|
||||||
final ContentObserver contentObserver = expectRegisterContentObserver(
|
final ContentObserver contentObserver = expectRegisterContentObserver(
|
||||||
Settings.Global.getUriFor(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS));
|
Settings.Global.getUriFor(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS));
|
||||||
|
|
||||||
// One user MOCK_USER1
|
|
||||||
mPermissionMonitor.onUserAdded(MOCK_USER1);
|
|
||||||
// Prepare PackageInfo for MOCK_PACKAGE1 and MOCK_PACKAGE2.
|
// Prepare PackageInfo for MOCK_PACKAGE1 and MOCK_PACKAGE2.
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1);
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID2);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID2);
|
||||||
@@ -998,14 +1006,15 @@ public class PermissionMonitorTest {
|
|||||||
// should have SYSTEM permission and MOCK_UID2 has no permissions.
|
// should have SYSTEM permission and MOCK_UID2 has no permissions.
|
||||||
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID1));
|
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID1));
|
||||||
contentObserver.onChange(true /* selfChange */);
|
contentObserver.onChange(true /* selfChange */);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
||||||
|
|
||||||
// Add user MOCK_USER2.
|
// Add user MOCK_USER2.
|
||||||
mPermissionMonitor.onUserAdded(MOCK_USER2);
|
mPermissionMonitor.onUserAdded(MOCK_USER2);
|
||||||
// MOCK_APPID1 in both users should all have SYSTEM permission and MOCK_APPID2 has no
|
// MOCK_APPID1 in both users should all have SYSTEM permission and MOCK_APPID2 has no
|
||||||
// permissions in either user.
|
// permissions in either user.
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
MOCK_APPID1);
|
MOCK_APPID1);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_APPID2);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_APPID2);
|
||||||
|
|
||||||
@@ -1014,13 +1023,14 @@ public class PermissionMonitorTest {
|
|||||||
// user.
|
// user.
|
||||||
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID2));
|
when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(Set.of(MOCK_UID2));
|
||||||
contentObserver.onChange(true /* selfChange */);
|
contentObserver.onChange(true /* selfChange */);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},
|
||||||
MOCK_APPID2);
|
MOCK_APPID2);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_APPID1);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_APPID1);
|
||||||
|
|
||||||
// Remove user MOCK_USER1
|
// Remove user MOCK_USER1
|
||||||
mPermissionMonitor.onUserRemoved(MOCK_USER1);
|
mPermissionMonitor.onUserRemoved(MOCK_USER1);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER2}, MOCK_APPID2);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER2},
|
||||||
|
MOCK_APPID2);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER2}, MOCK_APPID1);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER2}, MOCK_APPID1);
|
||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
||||||
|
|
||||||
@@ -1032,12 +1042,8 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testOnExternalApplicationsAvailable() throws Exception {
|
public void testOnExternalApplicationsAvailable() throws Exception {
|
||||||
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
|
||||||
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
|
||||||
|
|
||||||
// Initial the permission state. MOCK_PACKAGE1 and MOCK_PACKAGE2 are installed on external
|
// Initial the permission state. MOCK_PACKAGE1 and MOCK_PACKAGE2 are installed on external
|
||||||
// and have different uids. There has no permission for both uids.
|
// and have different uids. There has no permission for both uids.
|
||||||
when(mUserManager.getUserHandles(eq(true))).thenReturn(List.of(MOCK_USER1));
|
|
||||||
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
|
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
|
||||||
List.of(buildPackageInfo(MOCK_PACKAGE1, MOCK_UID1),
|
List.of(buildPackageInfo(MOCK_PACKAGE1, MOCK_UID1),
|
||||||
buildPackageInfo(MOCK_PACKAGE2, MOCK_UID2)));
|
buildPackageInfo(MOCK_PACKAGE2, MOCK_UID2)));
|
||||||
@@ -1045,6 +1051,8 @@ public class PermissionMonitorTest {
|
|||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID1, MOCK_APPID2);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID1, MOCK_APPID2);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_NONE, MOCK_APPID1, MOCK_APPID2);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_NONE, MOCK_APPID1, MOCK_APPID2);
|
||||||
|
|
||||||
|
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
||||||
|
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
||||||
// Verify receiving EXTERNAL_APPLICATIONS_AVAILABLE intent and update permission to netd.
|
// Verify receiving EXTERNAL_APPLICATIONS_AVAILABLE intent and update permission to netd.
|
||||||
final Intent externalIntent = new Intent(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
final Intent externalIntent = new Intent(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
||||||
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST,
|
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST,
|
||||||
@@ -1054,8 +1062,10 @@ public class PermissionMonitorTest {
|
|||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID2, CHANGE_NETWORK_STATE,
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID2, CHANGE_NETWORK_STATE,
|
||||||
UPDATE_DEVICE_STATS);
|
UPDATE_DEVICE_STATS);
|
||||||
receiver.onReceive(mContext, externalIntent);
|
receiver.onReceive(mContext, externalIntent);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
MOCK_APPID1);
|
||||||
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID2);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_INTERNET, MOCK_APPID1);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_INTERNET, MOCK_APPID1);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_UPDATE_DEVICE_STATS, MOCK_APPID2);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_UPDATE_DEVICE_STATS, MOCK_APPID2);
|
||||||
}
|
}
|
||||||
@@ -1063,12 +1073,10 @@ public class PermissionMonitorTest {
|
|||||||
@Test
|
@Test
|
||||||
public void testOnExternalApplicationsAvailable_AppsNotRegisteredOnStartMonitoring()
|
public void testOnExternalApplicationsAvailable_AppsNotRegisteredOnStartMonitoring()
|
||||||
throws Exception {
|
throws Exception {
|
||||||
|
mPermissionMonitor.startMonitoring();
|
||||||
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
||||||
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
||||||
|
|
||||||
// One user MOCK_USER1
|
|
||||||
mPermissionMonitor.onUserAdded(MOCK_USER1);
|
|
||||||
|
|
||||||
// Initial the permission state. MOCK_PACKAGE1 and MOCK_PACKAGE2 are installed on external
|
// Initial the permission state. MOCK_PACKAGE1 and MOCK_PACKAGE2 are installed on external
|
||||||
// and have different uids. There has no permission for both uids.
|
// and have different uids. There has no permission for both uids.
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1,
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1,
|
||||||
@@ -1081,8 +1089,10 @@ public class PermissionMonitorTest {
|
|||||||
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST,
|
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST,
|
||||||
new String[] { MOCK_PACKAGE1 , MOCK_PACKAGE2});
|
new String[] { MOCK_PACKAGE1 , MOCK_PACKAGE2});
|
||||||
receiver.onReceive(mContext, externalIntent);
|
receiver.onReceive(mContext, externalIntent);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1}, MOCK_APPID2);
|
MOCK_APPID1);
|
||||||
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID2);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_INTERNET, MOCK_APPID1);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_INTERNET, MOCK_APPID1);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_UPDATE_DEVICE_STATS, MOCK_APPID2);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_UPDATE_DEVICE_STATS, MOCK_APPID2);
|
||||||
}
|
}
|
||||||
@@ -1090,12 +1100,8 @@ public class PermissionMonitorTest {
|
|||||||
@Test
|
@Test
|
||||||
public void testOnExternalApplicationsAvailableWithSharedUid()
|
public void testOnExternalApplicationsAvailableWithSharedUid()
|
||||||
throws Exception {
|
throws Exception {
|
||||||
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
|
||||||
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
|
||||||
|
|
||||||
// Initial the permission state. MOCK_PACKAGE1 and MOCK_PACKAGE2 are installed on external
|
// Initial the permission state. MOCK_PACKAGE1 and MOCK_PACKAGE2 are installed on external
|
||||||
// storage and shared on MOCK_UID1. There has no permission for MOCK_UID1.
|
// storage and shared on MOCK_UID1. There has no permission for MOCK_UID1.
|
||||||
when(mUserManager.getUserHandles(eq(true))).thenReturn(List.of(MOCK_USER1));
|
|
||||||
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
|
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
|
||||||
List.of(buildPackageInfo(MOCK_PACKAGE1, MOCK_UID1),
|
List.of(buildPackageInfo(MOCK_PACKAGE1, MOCK_UID1),
|
||||||
buildPackageInfo(MOCK_PACKAGE2, MOCK_UID1)));
|
buildPackageInfo(MOCK_PACKAGE2, MOCK_UID1)));
|
||||||
@@ -1103,34 +1109,36 @@ public class PermissionMonitorTest {
|
|||||||
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNoNetworkPerm(new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_NONE, MOCK_APPID1);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_NONE, MOCK_APPID1);
|
||||||
|
|
||||||
|
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
||||||
|
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
||||||
// Verify receiving EXTERNAL_APPLICATIONS_AVAILABLE intent and update permission to netd.
|
// Verify receiving EXTERNAL_APPLICATIONS_AVAILABLE intent and update permission to netd.
|
||||||
final Intent externalIntent = new Intent(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
final Intent externalIntent = new Intent(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
||||||
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST, new String[] {MOCK_PACKAGE1});
|
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST, new String[] {MOCK_PACKAGE1});
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1, CHANGE_NETWORK_STATE);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE1, MOCK_UID1, CHANGE_NETWORK_STATE);
|
||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID1, UPDATE_DEVICE_STATS);
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID1, UPDATE_DEVICE_STATS);
|
||||||
receiver.onReceive(mContext, externalIntent);
|
receiver.onReceive(mContext, externalIntent);
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_UPDATE_DEVICE_STATS, MOCK_APPID1);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_UPDATE_DEVICE_STATS, MOCK_APPID1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testOnExternalApplicationsAvailableWithSharedUid_DifferentStorage()
|
public void testOnExternalApplicationsAvailableWithSharedUid_DifferentStorage()
|
||||||
throws Exception {
|
throws Exception {
|
||||||
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
|
||||||
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
|
||||||
|
|
||||||
// Initial the permission state. MOCK_PACKAGE1 is installed on external storage and
|
// Initial the permission state. MOCK_PACKAGE1 is installed on external storage and
|
||||||
// MOCK_PACKAGE2 is installed on device. These two packages are shared on MOCK_UID1.
|
// MOCK_PACKAGE2 is installed on device. These two packages are shared on MOCK_UID1.
|
||||||
// MOCK_UID1 has NETWORK and INTERNET permissions.
|
// MOCK_UID1 has NETWORK and INTERNET permissions.
|
||||||
when(mUserManager.getUserHandles(eq(true))).thenReturn(List.of(MOCK_USER1));
|
|
||||||
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
|
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
|
||||||
List.of(buildPackageInfo(MOCK_PACKAGE1, MOCK_UID1),
|
List.of(buildPackageInfo(MOCK_PACKAGE1, MOCK_UID1),
|
||||||
buildPackageInfo(MOCK_PACKAGE2, MOCK_UID1, CHANGE_NETWORK_STATE,
|
buildPackageInfo(MOCK_PACKAGE2, MOCK_UID1, CHANGE_NETWORK_STATE,
|
||||||
INTERNET)));
|
INTERNET)));
|
||||||
mPermissionMonitor.startMonitoring();
|
mPermissionMonitor.startMonitoring();
|
||||||
mNetdMonitor.expectNetworkPerm(NETWORK, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_NETWORK, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_INTERNET, MOCK_APPID1);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_INTERNET, MOCK_APPID1);
|
||||||
|
|
||||||
|
final BroadcastReceiver receiver = expectBroadcastReceiver(
|
||||||
|
Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
||||||
// Verify receiving EXTERNAL_APPLICATIONS_AVAILABLE intent and update permission to netd.
|
// Verify receiving EXTERNAL_APPLICATIONS_AVAILABLE intent and update permission to netd.
|
||||||
final Intent externalIntent = new Intent(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
final Intent externalIntent = new Intent(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
|
||||||
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST, new String[] {MOCK_PACKAGE1});
|
externalIntent.putExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST, new String[] {MOCK_PACKAGE1});
|
||||||
@@ -1139,7 +1147,21 @@ public class PermissionMonitorTest {
|
|||||||
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID1, CHANGE_NETWORK_STATE,
|
buildAndMockPackageInfoWithPermissions(MOCK_PACKAGE2, MOCK_UID1, CHANGE_NETWORK_STATE,
|
||||||
INTERNET);
|
INTERNET);
|
||||||
receiver.onReceive(mContext, externalIntent);
|
receiver.onReceive(mContext, externalIntent);
|
||||||
mNetdMonitor.expectNetworkPerm(SYSTEM, new UserHandle[]{MOCK_USER1}, MOCK_APPID1);
|
mNetdMonitor.expectNetworkPerm(PERMISSION_SYSTEM, new UserHandle[]{MOCK_USER1},
|
||||||
|
MOCK_APPID1);
|
||||||
mNetdMonitor.expectTrafficPerm(PERMISSION_TRAFFIC_ALL, MOCK_APPID1);
|
mNetdMonitor.expectTrafficPerm(PERMISSION_TRAFFIC_ALL, MOCK_APPID1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testIsHigherNetworkPermission() {
|
||||||
|
assertFalse(isHigherNetworkPermission(PERMISSION_NONE, PERMISSION_NONE));
|
||||||
|
assertFalse(isHigherNetworkPermission(PERMISSION_NONE, PERMISSION_NETWORK));
|
||||||
|
assertFalse(isHigherNetworkPermission(PERMISSION_NONE, PERMISSION_SYSTEM));
|
||||||
|
assertTrue(isHigherNetworkPermission(PERMISSION_NETWORK, PERMISSION_NONE));
|
||||||
|
assertFalse(isHigherNetworkPermission(PERMISSION_NETWORK, PERMISSION_NETWORK));
|
||||||
|
assertFalse(isHigherNetworkPermission(PERMISSION_NETWORK, PERMISSION_SYSTEM));
|
||||||
|
assertTrue(isHigherNetworkPermission(PERMISSION_SYSTEM, PERMISSION_NONE));
|
||||||
|
assertTrue(isHigherNetworkPermission(PERMISSION_SYSTEM, PERMISSION_NETWORK));
|
||||||
|
assertFalse(isHigherNetworkPermission(PERMISSION_SYSTEM, PERMISSION_SYSTEM));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user