diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt index 6c454bcd4c..7fc038245d 100644 --- a/framework/api/module-lib-current.txt +++ b/framework/api/module-lib-current.txt @@ -48,7 +48,6 @@ package android.net { public class ConnectivitySettingsManager { method public static void clearGlobalProxy(@NonNull android.content.Context); - method @NonNull public static java.util.Set getAppsAllowedOnRestrictedNetworks(@NonNull android.content.Context); method @Nullable public static String getCaptivePortalHttpUrl(@NonNull android.content.Context); method public static int getCaptivePortalMode(@NonNull android.content.Context, int); method @NonNull public static java.time.Duration getConnectivityKeepPendingIntentDuration(@NonNull android.content.Context, @NonNull java.time.Duration); @@ -66,9 +65,9 @@ package android.net { method @NonNull public static String getPrivateDnsDefaultMode(@NonNull android.content.Context); method @Nullable public static String getPrivateDnsHostname(@NonNull android.content.Context); method public static int getPrivateDnsMode(@NonNull android.content.Context); + method @NonNull public static java.util.Set getUidsAllowedOnRestrictedNetworks(@NonNull android.content.Context); method public static boolean getWifiAlwaysRequested(@NonNull android.content.Context, boolean); method @NonNull public static java.time.Duration getWifiDataActivityTimeout(@NonNull android.content.Context, @NonNull java.time.Duration); - method public static void setAppsAllowedOnRestrictedNetworks(@NonNull android.content.Context, @NonNull java.util.Set); method public static void setCaptivePortalHttpUrl(@NonNull android.content.Context, @Nullable String); method public static void setCaptivePortalMode(@NonNull android.content.Context, int); method public static void setConnectivityKeepPendingIntentDuration(@NonNull android.content.Context, @NonNull java.time.Duration); @@ -86,6 +85,7 @@ package android.net { method public static void setPrivateDnsDefaultMode(@NonNull android.content.Context, @NonNull int); method public static void setPrivateDnsHostname(@NonNull android.content.Context, @Nullable String); method public static void setPrivateDnsMode(@NonNull android.content.Context, int); + method public static void setUidsAllowedOnRestrictedNetworks(@NonNull android.content.Context, @NonNull java.util.Set); method public static void setWifiAlwaysRequested(@NonNull android.content.Context, boolean); method public static void setWifiDataActivityTimeout(@NonNull android.content.Context, @NonNull java.time.Duration); field public static final int CAPTIVE_PORTAL_MODE_AVOID = 2; // 0x2 diff --git a/framework/src/android/net/ConnectivitySettingsManager.java b/framework/src/android/net/ConnectivitySettingsManager.java index 762f24f7e7..5f7f539d0a 100644 --- a/framework/src/android/net/ConnectivitySettingsManager.java +++ b/framework/src/android/net/ConnectivitySettingsManager.java @@ -374,12 +374,12 @@ public class ConnectivitySettingsManager { private static final String PRIVATE_DNS_MODE_PROVIDER_HOSTNAME_STRING = "hostname"; /** - * A list of apps that is allowed on restricted networks. + * A list of uids that is allowed to use restricted networks. * * @hide */ - public static final String APPS_ALLOWED_ON_RESTRICTED_NETWORKS = - "apps_allowed_on_restricted_networks"; + public static final String UIDS_ALLOWED_ON_RESTRICTED_NETWORKS = + "uids_allowed_on_restricted_networks"; /** * Get mobile data activity timeout from {@link Settings}. @@ -1003,6 +1003,28 @@ public class ConnectivitySettingsManager { context.getContentResolver(), NETWORK_METERED_MULTIPATH_PREFERENCE, preference); } + private static Set getUidSetFromString(@Nullable String uidList) { + final Set uids = new ArraySet<>(); + if (TextUtils.isEmpty(uidList)) { + return uids; + } + for (String uid : uidList.split(";")) { + uids.add(Integer.valueOf(uid)); + } + return uids; + } + + private static String getUidStringFromSet(@NonNull Set uidList) { + final StringJoiner joiner = new StringJoiner(";"); + for (Integer uid : uidList) { + if (uid < 0 || UserHandle.getAppId(uid) > Process.LAST_APPLICATION_UID) { + throw new IllegalArgumentException("Invalid uid"); + } + joiner.add(uid.toString()); + } + return joiner.toString(); + } + /** * Get the list of uids(from {@link Settings}) that should go on cellular networks in preference * even when higher-priority networks are connected. @@ -1015,14 +1037,7 @@ public class ConnectivitySettingsManager { public static Set getMobileDataPreferredUids(@NonNull Context context) { final String uidList = Settings.Secure.getString( context.getContentResolver(), MOBILE_DATA_PREFERRED_UIDS); - final Set uids = new ArraySet<>(); - if (TextUtils.isEmpty(uidList)) { - return uids; - } - for (String uid : uidList.split(";")) { - uids.add(Integer.valueOf(uid)); - } - return uids; + return getUidSetFromString(uidList); } /** @@ -1035,53 +1050,41 @@ public class ConnectivitySettingsManager { */ public static void setMobileDataPreferredUids(@NonNull Context context, @NonNull Set uidList) { - final StringJoiner joiner = new StringJoiner(";"); - for (Integer uid : uidList) { - if (uid < 0 || UserHandle.getAppId(uid) > Process.LAST_APPLICATION_UID) { - throw new IllegalArgumentException("Invalid uid"); - } - joiner.add(uid.toString()); - } - Settings.Secure.putString( - context.getContentResolver(), MOBILE_DATA_PREFERRED_UIDS, joiner.toString()); + final String uids = getUidStringFromSet(uidList); + Settings.Secure.putString(context.getContentResolver(), MOBILE_DATA_PREFERRED_UIDS, uids); } /** - * Get the list of apps(from {@link Settings}) that is allowed on restricted networks. + * Get the list of uids (from {@link Settings}) allowed to use restricted networks. + * + * Access to restricted networks is controlled by the (preinstalled-only) + * CONNECTIVITY_USE_RESTRICTED_NETWORKS permission, but highly privileged + * callers can also set a list of uids that can access restricted networks. + * + * This is useful for example in some jurisdictions where government apps, + * that can't be preinstalled, must still have access to emergency services. * * @param context The {@link Context} to query the setting. - * @return A list of apps that is allowed on restricted networks or null if no setting + * @return A list of uids that is allowed to use restricted networks or null if no setting * value. */ @NonNull - public static Set getAppsAllowedOnRestrictedNetworks(@NonNull Context context) { - final String appList = Settings.Secure.getString( - context.getContentResolver(), APPS_ALLOWED_ON_RESTRICTED_NETWORKS); - if (TextUtils.isEmpty(appList)) { - return new ArraySet<>(); - } - return new ArraySet<>(appList.split(";")); + public static Set getUidsAllowedOnRestrictedNetworks(@NonNull Context context) { + final String uidList = Settings.Secure.getString( + context.getContentResolver(), UIDS_ALLOWED_ON_RESTRICTED_NETWORKS); + return getUidSetFromString(uidList); } /** - * Set the list of apps(from {@link Settings}) that is allowed on restricted networks. - * - * Note: Please refer to android developer guidelines for valid app(package name). - * https://developer.android.com/guide/topics/manifest/manifest-element.html#package + * Set the list of uids(from {@link Settings}) that is allowed to use restricted networks. * * @param context The {@link Context} to set the setting. - * @param list A list of apps that is allowed on restricted networks. + * @param uidList A list of uids that is allowed to use restricted networks. */ - public static void setAppsAllowedOnRestrictedNetworks(@NonNull Context context, - @NonNull Set list) { - final StringJoiner joiner = new StringJoiner(";"); - for (String app : list) { - if (app == null || app.contains(";")) { - throw new IllegalArgumentException("Invalid app(package name)"); - } - joiner.add(app); - } - Settings.Secure.putString(context.getContentResolver(), APPS_ALLOWED_ON_RESTRICTED_NETWORKS, - joiner.toString()); + public static void setUidsAllowedOnRestrictedNetworks(@NonNull Context context, + @NonNull Set uidList) { + final String uids = getUidStringFromSet(uidList); + Settings.Secure.putString(context.getContentResolver(), UIDS_ALLOWED_ON_RESTRICTED_NETWORKS, + uids); } } diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java index 673c80417b..49b43f86ec 100644 --- a/service/src/com/android/server/connectivity/PermissionMonitor.java +++ b/service/src/com/android/server/connectivity/PermissionMonitor.java @@ -24,7 +24,7 @@ import static android.Manifest.permission.UPDATE_DEVICE_STATS; import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_GRANTED; import static android.content.pm.PackageManager.GET_PERMISSIONS; import static android.content.pm.PackageManager.MATCH_ANY_USER; -import static android.net.ConnectivitySettingsManager.APPS_ALLOWED_ON_RESTRICTED_NETWORKS; +import static android.net.ConnectivitySettingsManager.UIDS_ALLOWED_ON_RESTRICTED_NETWORKS; import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK; import static android.os.Process.INVALID_UID; import static android.os.Process.SYSTEM_UID; @@ -109,13 +109,13 @@ public class PermissionMonitor { @GuardedBy("this") private final Set mAllApps = new HashSet<>(); - // A set of apps which are allowed to use restricted networks. These apps can't hold the - // CONNECTIVITY_USE_RESTRICTED_NETWORKS permission because they can't be signature|privileged - // apps. However, these apps should still be able to use restricted networks under certain - // conditions (e.g. government app using emergency services). So grant netd system permission - // to uids whose package name is listed in APPS_ALLOWED_ON_RESTRICTED_NETWORKS setting. + // A set of uids which are allowed to use restricted networks. The packages of these uids can't + // hold the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission because they can't be + // signature|privileged apps. However, these apps should still be able to use restricted + // networks under certain conditions (e.g. government app using emergency services). So grant + // netd system permission to these uids which is listed in UIDS_ALLOWED_ON_RESTRICTED_NETWORKS. @GuardedBy("this") - private final Set mAppsAllowedOnRestrictedNetworks = new ArraySet<>(); + private final Set mUidsAllowedOnRestrictedNetworks = new ArraySet<>(); private BroadcastReceiver mIntentReceiver = new BroadcastReceiver() { @Override @@ -149,10 +149,10 @@ public class PermissionMonitor { } /** - * Get apps allowed to use restricted networks via ConnectivitySettingsManager. + * Get uids allowed to use restricted networks via ConnectivitySettingsManager. */ - public Set getAppsAllowedOnRestrictedNetworks(@NonNull Context context) { - return ConnectivitySettingsManager.getAppsAllowedOnRestrictedNetworks(context); + public Set getUidsAllowedOnRestrictedNetworks(@NonNull Context context) { + return ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(context); } /** @@ -194,10 +194,10 @@ public class PermissionMonitor { mIntentReceiver, intentFilter, null /* broadcastPermission */, null /* scheduler */); - // Register APPS_ALLOWED_ON_RESTRICTED_NETWORKS setting observer + // Register UIDS_ALLOWED_ON_RESTRICTED_NETWORKS setting observer mDeps.registerContentObserver( userAllContext, - Settings.Secure.getUriFor(APPS_ALLOWED_ON_RESTRICTED_NETWORKS), + Settings.Secure.getUriFor(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS), false /* notifyForDescendants */, new ContentObserver(null) { @Override @@ -206,9 +206,9 @@ public class PermissionMonitor { } }); - // Read APPS_ALLOWED_ON_RESTRICTED_NETWORKS setting and update - // mAppsAllowedOnRestrictedNetworks. - updateAppsAllowedOnRestrictedNetworks(mDeps.getAppsAllowedOnRestrictedNetworks(mContext)); + // Read UIDS_ALLOWED_ON_RESTRICTED_NETWORKS setting and update + // mUidsAllowedOnRestrictedNetworks. + updateUidsAllowedOnRestrictedNetworks(mDeps.getUidsAllowedOnRestrictedNetworks(mContext)); List apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS | MATCH_ANY_USER); @@ -265,9 +265,9 @@ public class PermissionMonitor { } @VisibleForTesting - void updateAppsAllowedOnRestrictedNetworks(final Set apps) { - mAppsAllowedOnRestrictedNetworks.clear(); - mAppsAllowedOnRestrictedNetworks.addAll(apps); + void updateUidsAllowedOnRestrictedNetworks(final Set uids) { + mUidsAllowedOnRestrictedNetworks.clear(); + mUidsAllowedOnRestrictedNetworks.addAll(uids); } @VisibleForTesting @@ -285,10 +285,11 @@ public class PermissionMonitor { } @VisibleForTesting - boolean isAppAllowedOnRestrictedNetworks(@NonNull final PackageInfo app) { - // Check whether package name is in allowed on restricted networks app list. If so, this app - // can have netd system permission. - return mAppsAllowedOnRestrictedNetworks.contains(app.packageName); + boolean isUidAllowedOnRestrictedNetworks(final ApplicationInfo appInfo) { + if (appInfo == null) return false; + // Check whether package's uid is in allowed on restricted networks uid list. If so, this + // uid can have netd system permission. + return mUidsAllowedOnRestrictedNetworks.contains(appInfo.uid); } @VisibleForTesting @@ -310,7 +311,8 @@ public class PermissionMonitor { boolean hasRestrictedNetworkPermission(@NonNull final PackageInfo app) { // TODO : remove carryover package check in the future(b/31479477). All apps should just // request the appropriate permission for their use case since android Q. - return isCarryoverPackage(app.applicationInfo) || isAppAllowedOnRestrictedNetworks(app) + return isCarryoverPackage(app.applicationInfo) + || isUidAllowedOnRestrictedNetworks(app.applicationInfo) || hasPermission(app, PERMISSION_MAINLINE_NETWORK_STACK) || hasPermission(app, NETWORK_STACK) || hasPermission(app, CONNECTIVITY_USE_RESTRICTED_NETWORKS); @@ -770,35 +772,31 @@ public class PermissionMonitor { } private synchronized void onSettingChanged() { - // Step1. Update apps allowed to use restricted networks and compute the set of packages to + // Step1. Update uids allowed to use restricted networks and compute the set of uids to // update. - final Set packagesToUpdate = new ArraySet<>(mAppsAllowedOnRestrictedNetworks); - updateAppsAllowedOnRestrictedNetworks(mDeps.getAppsAllowedOnRestrictedNetworks(mContext)); - packagesToUpdate.addAll(mAppsAllowedOnRestrictedNetworks); + final Set uidsToUpdate = new ArraySet<>(mUidsAllowedOnRestrictedNetworks); + updateUidsAllowedOnRestrictedNetworks(mDeps.getUidsAllowedOnRestrictedNetworks(mContext)); + uidsToUpdate.addAll(mUidsAllowedOnRestrictedNetworks); - final Map updatedApps = new HashMap<>(); - final Map removedApps = new HashMap<>(); + final Map updatedUids = new HashMap<>(); + final Map removedUids = new HashMap<>(); - // Step2. For each package to update, find out its new permission. - for (String app : packagesToUpdate) { - final PackageInfo info = getPackageInfo(app); - if (info == null || info.applicationInfo == null) continue; - - final int uid = info.applicationInfo.uid; + // Step2. For each uid to update, find out its new permission. + for (Integer uid : uidsToUpdate) { final Boolean permission = highestUidNetworkPermission(uid); if (null == permission) { - removedApps.put(uid, NETWORK); // Doesn't matter which permission is set here. + removedUids.put(uid, NETWORK); // Doesn't matter which permission is set here. mApps.remove(uid); } else { - updatedApps.put(uid, permission); + updatedUids.put(uid, permission); mApps.put(uid, permission); } } // Step3. Update or revoke permission for uids with netd. - update(mUsers, updatedApps, true /* add */); - update(mUsers, removedApps, false /* add */); + update(mUsers, updatedUids, true /* add */); + update(mUsers, removedUids, false /* add */); } /** Dump info to dumpsys */ diff --git a/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java b/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java index c75618f43c..c6e7606135 100644 --- a/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java +++ b/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java @@ -30,7 +30,7 @@ import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_GRANTED; import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_REQUIRED; import static android.content.pm.PackageManager.GET_PERMISSIONS; import static android.content.pm.PackageManager.MATCH_ANY_USER; -import static android.net.ConnectivitySettingsManager.APPS_ALLOWED_ON_RESTRICTED_NETWORKS; +import static android.net.ConnectivitySettingsManager.UIDS_ALLOWED_ON_RESTRICTED_NETWORKS; import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK; import static android.os.Process.SYSTEM_UID; @@ -142,7 +142,7 @@ public class PermissionMonitorTest { final Context asUserCtx = mock(Context.class, AdditionalAnswers.delegatesTo(mContext)); doReturn(UserHandle.ALL).when(asUserCtx).getUser(); when(mContext.createContextAsUser(eq(UserHandle.ALL), anyInt())).thenReturn(asUserCtx); - when(mDeps.getAppsAllowedOnRestrictedNetworks(any())).thenReturn(new ArraySet<>()); + when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(new ArraySet<>()); mPermissionMonitor = spy(new PermissionMonitor(mContext, mNetdService, mDeps)); @@ -341,9 +341,9 @@ public class PermissionMonitorTest { } @Test - public void testHasRestrictedNetworkPermissionAppAllowedOnRestrictedNetworks() { - mPermissionMonitor.updateAppsAllowedOnRestrictedNetworks( - new ArraySet<>(new String[] { MOCK_PACKAGE1 })); + public void testHasRestrictedNetworkPermissionUidAllowedOnRestrictedNetworks() { + mPermissionMonitor.updateUidsAllowedOnRestrictedNetworks( + new ArraySet<>(new Integer[] { MOCK_UID1 })); assertTrue(hasRestrictedNetworkPermission( PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE1, MOCK_UID1)); assertTrue(hasRestrictedNetworkPermission( @@ -352,11 +352,11 @@ public class PermissionMonitorTest { PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE1, MOCK_UID1, CONNECTIVITY_INTERNAL)); assertFalse(hasRestrictedNetworkPermission( - PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE2, MOCK_UID1)); + PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE2, MOCK_UID2)); assertFalse(hasRestrictedNetworkPermission( - PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE2, MOCK_UID1, CHANGE_NETWORK_STATE)); + PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE2, MOCK_UID2, CHANGE_NETWORK_STATE)); assertFalse(hasRestrictedNetworkPermission( - PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE2, MOCK_UID1, CONNECTIVITY_INTERNAL)); + PARTITION_VENDOR, VERSION_Q, MOCK_PACKAGE2, MOCK_UID2, CONNECTIVITY_INTERNAL)); } @@ -396,32 +396,32 @@ public class PermissionMonitorTest { assertFalse(wouldBeCarryoverPackage(PARTITION_PRODUCT, VERSION_Q, MOCK_UID1)); } - private boolean wouldBeAppAllowedOnRestrictedNetworks(String packageName) { - final PackageInfo packageInfo = new PackageInfo(); - packageInfo.packageName = packageName; - return mPermissionMonitor.isAppAllowedOnRestrictedNetworks(packageInfo); + private boolean wouldBeUidAllowedOnRestrictedNetworks(int uid) { + final ApplicationInfo applicationInfo = new ApplicationInfo(); + applicationInfo.uid = uid; + return mPermissionMonitor.isUidAllowedOnRestrictedNetworks(applicationInfo); } @Test public void testIsAppAllowedOnRestrictedNetworks() { - mPermissionMonitor.updateAppsAllowedOnRestrictedNetworks(new ArraySet<>()); - assertFalse(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE1)); - assertFalse(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE2)); + mPermissionMonitor.updateUidsAllowedOnRestrictedNetworks(new ArraySet<>()); + assertFalse(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID1)); + assertFalse(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID2)); - mPermissionMonitor.updateAppsAllowedOnRestrictedNetworks( - new ArraySet<>(new String[] { MOCK_PACKAGE1 })); - assertTrue(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE1)); - assertFalse(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE2)); + mPermissionMonitor.updateUidsAllowedOnRestrictedNetworks( + new ArraySet<>(new Integer[] { MOCK_UID1 })); + assertTrue(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID1)); + assertFalse(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID2)); - mPermissionMonitor.updateAppsAllowedOnRestrictedNetworks( - new ArraySet<>(new String[] { MOCK_PACKAGE2 })); - assertFalse(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE1)); - assertTrue(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE2)); + mPermissionMonitor.updateUidsAllowedOnRestrictedNetworks( + new ArraySet<>(new Integer[] { MOCK_UID2 })); + assertFalse(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID1)); + assertTrue(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID2)); - mPermissionMonitor.updateAppsAllowedOnRestrictedNetworks( - new ArraySet<>(new String[] { "com.android.test" })); - assertFalse(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE1)); - assertFalse(wouldBeAppAllowedOnRestrictedNetworks(MOCK_PACKAGE2)); + mPermissionMonitor.updateUidsAllowedOnRestrictedNetworks( + new ArraySet<>(new Integer[] { 123 })); + assertFalse(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID1)); + assertFalse(wouldBeUidAllowedOnRestrictedNetworks(MOCK_UID2)); } private void assertBackgroundPermission(boolean hasPermission, String name, int uid, @@ -901,12 +901,12 @@ public class PermissionMonitorTest { } @Test - public void testAppsAllowedOnRestrictedNetworksChanged() throws Exception { + public void testUidsAllowedOnRestrictedNetworksChanged() throws Exception { final NetdMonitor mNetdMonitor = new NetdMonitor(mNetdService); final ArgumentCaptor captor = ArgumentCaptor.forClass(ContentObserver.class); verify(mDeps, times(1)).registerContentObserver(any(), - argThat(uri -> uri.getEncodedPath().contains(APPS_ALLOWED_ON_RESTRICTED_NETWORKS)), + argThat(uri -> uri.getEncodedPath().contains(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS)), anyBoolean(), captor.capture()); final ContentObserver contentObserver = captor.getValue(); @@ -924,24 +924,24 @@ public class PermissionMonitorTest { when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE2), anyInt())).thenReturn(packageInfo2); when(mPackageManager.getPackagesForUid(MOCK_UID2)).thenReturn(new String[]{MOCK_PACKAGE2}); - // MOCK_PACKAGE1 is listed in setting that allow to use restricted networks, MOCK_UID1 + // MOCK_UID1 is listed in setting that allow to use restricted networks, MOCK_UID1 // should have SYSTEM permission. - when(mDeps.getAppsAllowedOnRestrictedNetworks(any())).thenReturn( - new ArraySet<>(new String[] { MOCK_PACKAGE1 })); + when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn( + new ArraySet<>(new Integer[] { MOCK_UID1 })); contentObserver.onChange(true /* selfChange */); mNetdMonitor.expectPermission(SYSTEM, new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1}); mNetdMonitor.expectNoPermission(new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID2}); - // MOCK_PACKAGE2 is listed in setting that allow to use restricted networks, MOCK_UID2 + // MOCK_UID2 is listed in setting that allow to use restricted networks, MOCK_UID2 // should have SYSTEM permission but MOCK_UID1 should revoke permission. - when(mDeps.getAppsAllowedOnRestrictedNetworks(any())).thenReturn( - new ArraySet<>(new String[] { MOCK_PACKAGE2 })); + when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn( + new ArraySet<>(new Integer[] { MOCK_UID2 })); contentObserver.onChange(true /* selfChange */); mNetdMonitor.expectPermission(SYSTEM, new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID2}); mNetdMonitor.expectNoPermission(new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1}); - // No app lists in setting, should revoke permission from all uids. - when(mDeps.getAppsAllowedOnRestrictedNetworks(any())).thenReturn(new ArraySet<>()); + // No uid lists in setting, should revoke permission from all uids. + when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(new ArraySet<>()); contentObserver.onChange(true /* selfChange */); mNetdMonitor.expectNoPermission( new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1, MOCK_UID2}); @@ -953,7 +953,7 @@ public class PermissionMonitorTest { final ArgumentCaptor captor = ArgumentCaptor.forClass(ContentObserver.class); verify(mDeps, times(1)).registerContentObserver(any(), - argThat(uri -> uri.getEncodedPath().contains(APPS_ALLOWED_ON_RESTRICTED_NETWORKS)), + argThat(uri -> uri.getEncodedPath().contains(UIDS_ALLOWED_ON_RESTRICTED_NETWORKS)), anyBoolean(), captor.capture()); final ContentObserver contentObserver = captor.getValue(); @@ -974,22 +974,15 @@ public class PermissionMonitorTest { addPackageForUsers(new UserHandle[]{MOCK_USER1}, MOCK_PACKAGE1, MOCK_UID1); mNetdMonitor.expectPermission(NETWORK, new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1}); - // MOCK_PACKAGE2 is listed in setting that allow to use restricted networks, MOCK_UID1 + // MOCK_UID1 is listed in setting that allow to use restricted networks, MOCK_UID1 // should upgrade to SYSTEM permission. - when(mDeps.getAppsAllowedOnRestrictedNetworks(any())).thenReturn( - new ArraySet<>(new String[] { MOCK_PACKAGE2 })); - contentObserver.onChange(true /* selfChange */); - mNetdMonitor.expectPermission(SYSTEM, new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1}); - - // MOCK_PACKAGE1 is listed in setting that allow to use restricted networks, MOCK_UID1 - // should still have SYSTEM permission. - when(mDeps.getAppsAllowedOnRestrictedNetworks(any())).thenReturn( - new ArraySet<>(new String[] { MOCK_PACKAGE1 })); + when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn( + new ArraySet<>(new Integer[] { MOCK_UID1 })); contentObserver.onChange(true /* selfChange */); mNetdMonitor.expectPermission(SYSTEM, new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1}); // No app lists in setting, MOCK_UID1 should downgrade to NETWORK permission. - when(mDeps.getAppsAllowedOnRestrictedNetworks(any())).thenReturn(new ArraySet<>()); + when(mDeps.getUidsAllowedOnRestrictedNetworks(any())).thenReturn(new ArraySet<>()); contentObserver.onChange(true /* selfChange */); mNetdMonitor.expectPermission(NETWORK, new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1}); @@ -998,4 +991,4 @@ public class PermissionMonitorTest { removePackageForUsers(new UserHandle[]{MOCK_USER1}, MOCK_PACKAGE1, MOCK_UID1); mNetdMonitor.expectNoPermission(new UserHandle[]{MOCK_USER1}, new int[]{MOCK_UID1}); } -} \ No newline at end of file +}