From 9e790873d9545889512daaeac9159b7dcefbb237 Mon Sep 17 00:00:00 2001
From: markchien <markchien@google.com>
Date: Fri, 29 May 2020 14:36:36 +0800
Subject: [PATCH] Gate exemptFromEentitlementCheck by Network_STACK permission

Shell has TETHER_PRIVILEGED permission. To avoid any service to adopt
shell identity by lunching service with Shell process, gate
exemptFromEentitlementCheck by NETWORK_STACK.

Bug: 157702014
Test: atest TetheringCoverageTests
Change-Id: I6ddfda23d36ea9981e3e1eb5a87767f452a65852
---
 .../tethering/TetheringService.java           | 17 +++++++++++--
 .../android/net/EthernetTetheringTest.java    |  4 +--
 .../tethering/TetheringServiceTest.java       | 25 +++++++++++++------
 3 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/Tethering/src/com/android/networkstack/tethering/TetheringService.java b/Tethering/src/com/android/networkstack/tethering/TetheringService.java
index c11e86258d..613328d1c1 100644
--- a/Tethering/src/com/android/networkstack/tethering/TetheringService.java
+++ b/Tethering/src/com/android/networkstack/tethering/TetheringService.java
@@ -17,8 +17,10 @@
 package com.android.networkstack.tethering;
 
 import static android.Manifest.permission.ACCESS_NETWORK_STATE;
+import static android.Manifest.permission.NETWORK_STACK;
 import static android.Manifest.permission.TETHER_PRIVILEGED;
 import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
 import static android.net.TetheringManager.TETHER_ERROR_NO_ACCESS_TETHERING_PERMISSION;
 import static android.net.TetheringManager.TETHER_ERROR_NO_CHANGE_TETHERING_PERMISSION;
 import static android.net.TetheringManager.TETHER_ERROR_NO_ERROR;
@@ -253,15 +255,26 @@ public class TetheringService extends Service {
             return false;
         }
 
+        private boolean hasNetworkStackPermission() {
+            return checkCallingOrSelfPermission(NETWORK_STACK)
+                    || checkCallingOrSelfPermission(PERMISSION_MAINLINE_NETWORK_STACK);
+        }
+
         private boolean hasTetherPrivilegedPermission() {
-            return mService.checkCallingOrSelfPermission(TETHER_PRIVILEGED) == PERMISSION_GRANTED;
+            return checkCallingOrSelfPermission(TETHER_PRIVILEGED);
+        }
+
+        private boolean checkCallingOrSelfPermission(final String permission) {
+            return mService.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED;
         }
 
         private boolean hasTetherChangePermission(final String callerPkg,
                 final String callingAttributionTag, final boolean onlyAllowPrivileged) {
+            if (onlyAllowPrivileged && !hasNetworkStackPermission()) return false;
+
             if (hasTetherPrivilegedPermission()) return true;
 
-            if (onlyAllowPrivileged || mTethering.isTetherProvisioningRequired()) return false;
+            if (mTethering.isTetherProvisioningRequired()) return false;
 
             int uid = Binder.getCallingUid();
 
diff --git a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
index 2fb7e607d0..74df11370e 100644
--- a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
+++ b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
@@ -339,7 +339,7 @@ public class EthernetTetheringTest {
     private MyTetheringEventCallback enableEthernetTethering(String iface) throws Exception {
         return enableEthernetTethering(iface,
                 new TetheringRequest.Builder(TETHERING_ETHERNET)
-                .setExemptFromEntitlementCheck(true).build());
+                .setShouldShowEntitlementUi(false).build());
     }
 
     private int getMTU(TestNetworkInterface iface) throws SocketException {
@@ -510,7 +510,7 @@ public class EthernetTetheringTest {
         LinkAddress clientAddr = client == null ? null : new LinkAddress(client);
         return new TetheringRequest.Builder(TETHERING_ETHERNET)
                 .setStaticIpv4Addresses(localAddr, clientAddr)
-                .setExemptFromEntitlementCheck(true).build();
+                .setShouldShowEntitlementUi(false).build();
     }
 
     private void assertInvalidStaticIpv4Request(String iface, String local, String client)
diff --git a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java
index cf060ba95d..7bba67b05f 100644
--- a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java
+++ b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java
@@ -281,22 +281,33 @@ public final class TetheringServiceTest {
         });
     }
 
+    private void runStartTetheringAndVerifyNoPermission(final TestTetheringResult result)
+            throws Exception {
+        final TetheringRequestParcel request = new TetheringRequestParcel();
+        request.tetheringType = TETHERING_WIFI;
+        request.exemptFromEntitlementCheck = true;
+        mTetheringConnector.startTethering(request, TEST_CALLER_PKG, TEST_ATTRIBUTION_TAG,
+                result);
+        result.assertResult(TETHER_ERROR_NO_CHANGE_TETHERING_PERMISSION);
+        verifyNoMoreInteractionsForTethering();
+    }
+
     @Test
-    public void testStartTetheringWithExemptFromEntitlementCheck() throws Exception {
+    public void testFailToBypassEntitlementWithoutNeworkStackPermission() throws Exception {
         final TetheringRequestParcel request = new TetheringRequestParcel();
         request.tetheringType = TETHERING_WIFI;
         request.exemptFromEntitlementCheck = true;
 
+        runAsNoPermission((result) -> {
+            runStartTetheringAndVerifyNoPermission(result);
+        });
+
         runAsTetherPrivileged((result) -> {
-            runStartTethering(result, request);
-            verifyNoMoreInteractionsForTethering();
+            runStartTetheringAndVerifyNoPermission(result);
         });
 
         runAsWriteSettings((result) -> {
-            mTetheringConnector.startTethering(request, TEST_CALLER_PKG, TEST_ATTRIBUTION_TAG,
-                    result);
-            result.assertResult(TETHER_ERROR_NO_CHANGE_TETHERING_PERMISSION);
-            verifyNoMoreInteractionsForTethering();
+            runStartTetheringAndVerifyNoPermission(result);
         });
     }