[RFPM04] Adjust hasRestrictedNetworkPermission method
There are two parts in hasRestrictedNetworkPermission method. One is carryover package check and one is uid permission check. Seperate carryover package check part to another method to be clearer the usage of hasRestrictedNetworkPermission method. Bug: 132784544 Test: atest FrameworksNetTests Change-Id: Iab0609fcaa52acb0dfcb31ca957f22bfe8d62392
This commit is contained in:
paulhu
@@ -171,8 +171,8 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
mAllApps.add(UserHandle.getAppId(uid));
|
mAllApps.add(UserHandle.getAppId(uid));
|
||||||
|
|
||||||
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
||||||
final boolean hasRestrictedPermission =
|
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(uid)
|
||||||
hasRestrictedNetworkPermission(app.applicationInfo);
|
|| isCarryoverPackage(app.applicationInfo);
|
||||||
|
|
||||||
if (isNetwork || hasRestrictedPermission) {
|
if (isNetwork || hasRestrictedPermission) {
|
||||||
Boolean permission = mApps.get(uid);
|
Boolean permission = mApps.get(uid);
|
||||||
@@ -200,7 +200,7 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
for (int i = 0; i < systemPermission.size(); i++) {
|
for (int i = 0; i < systemPermission.size(); i++) {
|
||||||
ArraySet<String> perms = systemPermission.valueAt(i);
|
ArraySet<String> perms = systemPermission.valueAt(i);
|
||||||
int uid = systemPermission.keyAt(i);
|
int uid = systemPermission.keyAt(i);
|
||||||
int netdPermission = 0;
|
int netdPermission = PERMISSION_NONE;
|
||||||
// Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
|
// Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
|
||||||
if (perms != null) {
|
if (perms != null) {
|
||||||
netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
|
netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
|
||||||
@@ -225,20 +225,21 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
}
|
}
|
||||||
|
|
||||||
@VisibleForTesting
|
@VisibleForTesting
|
||||||
boolean hasRestrictedNetworkPermission(@Nullable final ApplicationInfo appInfo) {
|
// TODO : remove this check in the future(b/162295056). All apps should just request the
|
||||||
if (appInfo == null) return false;
|
// appropriate permission for their use case since android Q.
|
||||||
// TODO : remove this check in the future(b/162295056). All apps should just
|
boolean isCarryoverPackage(@Nullable final ApplicationInfo appInfo) {
|
||||||
// request the appropriate permission for their use case since android Q.
|
if (appInfo == null) return false;
|
||||||
if ((appInfo.targetSdkVersion < VERSION_Q && isVendorApp(appInfo))
|
return (appInfo.targetSdkVersion < VERSION_Q && isVendorApp(appInfo))
|
||||||
// Backward compatibility for b/114245686, on devices that launched before Q daemons
|
// Backward compatibility for b/114245686, on devices that launched before Q daemons
|
||||||
// and apps running as the system UID are exempted from this check.
|
// and apps running as the system UID are exempted from this check.
|
||||||
|| (appInfo.uid == SYSTEM_UID && mDeps.getDeviceFirstSdkInt() < VERSION_Q)) {
|
|| (appInfo.uid == SYSTEM_UID && mDeps.getDeviceFirstSdkInt() < VERSION_Q);
|
||||||
return true;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return hasPermission(PERMISSION_MAINLINE_NETWORK_STACK, appInfo.uid)
|
@VisibleForTesting
|
||||||
|| hasPermission(NETWORK_STACK, appInfo.uid)
|
boolean hasRestrictedNetworkPermission(final int uid) {
|
||||||
|| hasPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, appInfo.uid);
|
return hasPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid)
|
||||||
|
|| hasPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid)
|
||||||
|
|| hasPermission(NETWORK_STACK, uid);
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Returns whether the given uid has using background network permission. */
|
/** Returns whether the given uid has using background network permission. */
|
||||||
@@ -328,8 +329,8 @@ public class PermissionMonitor implements PackageManagerInternal.PackageListObse
|
|||||||
try {
|
try {
|
||||||
final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
|
final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
|
||||||
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);
|
||||||
final boolean hasRestrictedPermission =
|
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(uid)
|
||||||
hasRestrictedNetworkPermission(app.applicationInfo);
|
|| isCarryoverPackage(app.applicationInfo);
|
||||||
if (isNetwork || hasRestrictedPermission) {
|
if (isNetwork || hasRestrictedPermission) {
|
||||||
currentPermission = hasRestrictedPermission;
|
currentPermission = hasRestrictedPermission;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,6 +28,7 @@ import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_PRODUCT;
|
|||||||
import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_VENDOR;
|
import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_VENDOR;
|
||||||
import static android.content.pm.PackageManager.GET_PERMISSIONS;
|
import static android.content.pm.PackageManager.GET_PERMISSIONS;
|
||||||
import static android.content.pm.PackageManager.MATCH_ANY_USER;
|
import static android.content.pm.PackageManager.MATCH_ANY_USER;
|
||||||
|
import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
|
||||||
import static android.os.Process.SYSTEM_UID;
|
import static android.os.Process.SYSTEM_UID;
|
||||||
|
|
||||||
import static com.android.server.connectivity.PermissionMonitor.NETWORK;
|
import static com.android.server.connectivity.PermissionMonitor.NETWORK;
|
||||||
@@ -138,17 +139,10 @@ public class PermissionMonitorTest {
|
|||||||
verify(mMockPmi).getPackageList(mPermissionMonitor);
|
verify(mMockPmi).getPackageList(mPermissionMonitor);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
private boolean wouldBeCarryoverPackage(String partition, int targetSdkVersion, int uid) {
|
||||||
* Remove all permissions from the uid then build new package info and setup permissions to uid
|
|
||||||
* for checking restricted network permission.
|
|
||||||
*/
|
|
||||||
private boolean hasRestrictedNetworkPermission(String partition, int targetSdkVersion, int uid,
|
|
||||||
String... permissions) {
|
|
||||||
final PackageInfo packageInfo = buildPackageInfo(partition, uid, MOCK_USER1);
|
final PackageInfo packageInfo = buildPackageInfo(partition, uid, MOCK_USER1);
|
||||||
packageInfo.applicationInfo.targetSdkVersion = targetSdkVersion;
|
packageInfo.applicationInfo.targetSdkVersion = targetSdkVersion;
|
||||||
removeAllPermissions(uid);
|
return mPermissionMonitor.isCarryoverPackage(packageInfo.applicationInfo);
|
||||||
addPermissions(uid, permissions);
|
|
||||||
return mPermissionMonitor.hasRestrictedNetworkPermission(packageInfo.applicationInfo);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static PackageInfo packageInfoWithPartition(String partition) {
|
private static PackageInfo packageInfoWithPartition(String partition) {
|
||||||
@@ -228,61 +222,57 @@ public class PermissionMonitorTest {
|
|||||||
assertTrue(mPermissionMonitor.isVendorApp(app.applicationInfo));
|
assertTrue(mPermissionMonitor.isVendorApp(app.applicationInfo));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Remove all permissions from the uid then setup permissions to uid for checking restricted
|
||||||
|
* network permission.
|
||||||
|
*/
|
||||||
|
private void assertRestrictedNetworkPermission(boolean hasPermission, int uid,
|
||||||
|
String... permissions) {
|
||||||
|
removeAllPermissions(uid);
|
||||||
|
addPermissions(uid, permissions);
|
||||||
|
assertEquals(hasPermission, mPermissionMonitor.hasRestrictedNetworkPermission(uid));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testHasRestrictedNetworkPermission() {
|
public void testHasRestrictedNetworkPermission() {
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));
|
assertRestrictedNetworkPermission(false, MOCK_UID1);
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertRestrictedNetworkPermission(false, MOCK_UID1, CHANGE_NETWORK_STATE);
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CHANGE_NETWORK_STATE));
|
assertRestrictedNetworkPermission(true, MOCK_UID1, NETWORK_STACK);
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertRestrictedNetworkPermission(false, MOCK_UID1, CONNECTIVITY_INTERNAL);
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, NETWORK_STACK));
|
assertRestrictedNetworkPermission(true, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS);
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertRestrictedNetworkPermission(false, MOCK_UID1, CHANGE_WIFI_STATE);
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
assertRestrictedNetworkPermission(true, MOCK_UID1, PERMISSION_MAINLINE_NETWORK_STACK);
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CHANGE_WIFI_STATE));
|
|
||||||
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));
|
assertFalse(mPermissionMonitor.hasRestrictedNetworkPermission(MOCK_UID2));
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertFalse(mPermissionMonitor.hasRestrictedNetworkPermission(SYSTEM_UID));
|
||||||
PARTITION_SYSTEM, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testHasRestrictedNetworkPermissionSystemUid() {
|
public void testIsCarryoverPackage() {
|
||||||
doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();
|
doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();
|
||||||
assertTrue(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));
|
assertTrue(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, SYSTEM_UID));
|
||||||
PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_INTERNAL));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, MOCK_UID1));
|
||||||
PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
assertTrue(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));
|
||||||
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, SYSTEM_UID));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));
|
||||||
|
|
||||||
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, SYSTEM_UID));
|
||||||
PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_INTERNAL));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, MOCK_UID1));
|
||||||
PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));
|
||||||
}
|
assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, SYSTEM_UID));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));
|
||||||
|
assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));
|
||||||
|
|
||||||
@Test
|
assertFalse(wouldBeCarryoverPackage(PARTITION_OEM, VERSION_Q, SYSTEM_UID));
|
||||||
public void testHasRestrictedNetworkPermissionVendorApp() {
|
assertFalse(wouldBeCarryoverPackage(PARTITION_PRODUCT, VERSION_Q, SYSTEM_UID));
|
||||||
assertTrue(hasRestrictedNetworkPermission(PARTITION_VENDOR, VERSION_P, MOCK_UID1));
|
assertFalse(wouldBeCarryoverPackage(PARTITION_OEM, VERSION_Q, MOCK_UID1));
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
assertFalse(wouldBeCarryoverPackage(PARTITION_PRODUCT, VERSION_Q, MOCK_UID1));
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CHANGE_NETWORK_STATE));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, NETWORK_STACK));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
|
|
||||||
assertTrue(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_P, MOCK_UID1, CHANGE_WIFI_STATE));
|
|
||||||
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));
|
|
||||||
assertFalse(hasRestrictedNetworkPermission(
|
|
||||||
PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CHANGE_NETWORK_STATE));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void assertBackgroundPermission(boolean hasPermission, String name, int uid,
|
private void assertBackgroundPermission(boolean hasPermission, String name, int uid,
|
||||||
@@ -296,19 +286,23 @@ public class PermissionMonitorTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testHasUseBackgroundNetworksPermission() throws Exception {
|
public void testHasUseBackgroundNetworksPermission() throws Exception {
|
||||||
|
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID1));
|
||||||
|
assertBackgroundPermission(false, "mock1", MOCK_UID1);
|
||||||
|
assertBackgroundPermission(false, "mock2", MOCK_UID1, CONNECTIVITY_INTERNAL);
|
||||||
|
assertBackgroundPermission(true, "mock3", MOCK_UID1, NETWORK_STACK);
|
||||||
|
|
||||||
|
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID2));
|
||||||
|
assertBackgroundPermission(false, "mock4", MOCK_UID2);
|
||||||
|
assertBackgroundPermission(true, "mock5", MOCK_UID2,
|
||||||
|
CONNECTIVITY_USE_RESTRICTED_NETWORKS);
|
||||||
|
|
||||||
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();
|
||||||
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(SYSTEM_UID));
|
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(SYSTEM_UID));
|
||||||
assertBackgroundPermission(false, "system1", SYSTEM_UID);
|
assertBackgroundPermission(false, "system1", SYSTEM_UID);
|
||||||
assertBackgroundPermission(false, "system2", SYSTEM_UID, CONNECTIVITY_INTERNAL);
|
assertBackgroundPermission(true, "system2", SYSTEM_UID, CHANGE_NETWORK_STATE);
|
||||||
assertBackgroundPermission(true, "system3", SYSTEM_UID, CHANGE_NETWORK_STATE);
|
doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();
|
||||||
|
removeAllPermissions(SYSTEM_UID);
|
||||||
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID1));
|
assertBackgroundPermission(true, "system3", SYSTEM_UID);
|
||||||
assertBackgroundPermission(false, "mock1", MOCK_UID1);
|
|
||||||
assertBackgroundPermission(true, "mock2", MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS);
|
|
||||||
|
|
||||||
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID2));
|
|
||||||
assertBackgroundPermission(false, "mock3", MOCK_UID2, CONNECTIVITY_INTERNAL);
|
|
||||||
assertBackgroundPermission(true, "mock4", MOCK_UID2, NETWORK_STACK);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private class NetdMonitor {
|
private class NetdMonitor {
|
||||||
|
|||||||
Reference in New Issue
Block a user