diff options
| author | 2023-12-05 05:42:43 +0000 | |
|---|---|---|
| committer | 2023-12-05 05:42:43 +0000 | |
| commit | 119a43570e30a17f05aed0369a83f8acff22f7c5 (patch) | |
| tree | 3d4a167121052ea2a4960b2fbdeeb896408ec5da | |
| parent | 1dfd11ddb3c8cfd3c69c2371aad509159baf5d6e (diff) | |
| parent | d083ff4fbd576ae61fcf26262129c296e2fa2afa (diff) | |
Merge "[DeviceAware] Pass AttributionSource to AppOpsManager from PermissionCheckerService" into main
8 files changed, 355 insertions, 150 deletions
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java index aec042739c0d..71fe47e7b949 100644 --- a/core/java/android/app/AppOpsManager.java +++ b/core/java/android/app/AppOpsManager.java @@ -8370,9 +8370,29 @@ public class AppOpsManager { * Does not throw a security exception, does not translate {@link #MODE_FOREGROUND}. * @hide */ + public int unsafeCheckOpRawNoThrow(int op, @NonNull AttributionSource attributionSource) { + return unsafeCheckOpRawNoThrow(op, attributionSource.getUid(), + attributionSource.getPackageName(), attributionSource.getDeviceId()); + } + + /** + * Returns the <em>raw</em> mode associated with the op. + * Does not throw a security exception, does not translate {@link #MODE_FOREGROUND}. + * @hide + */ public int unsafeCheckOpRawNoThrow(int op, int uid, @NonNull String packageName) { + return unsafeCheckOpRawNoThrow(op, uid, packageName, Context.DEVICE_ID_DEFAULT); + } + + private int unsafeCheckOpRawNoThrow(int op, int uid, @NonNull String packageName, + int virtualDeviceId) { try { - return mService.checkOperationRaw(op, uid, packageName, null); + if (virtualDeviceId == Context.DEVICE_ID_DEFAULT) { + return mService.checkOperationRaw(op, uid, packageName, null); + } else { + return mService.checkOperationRawForDevice(op, uid, packageName, null, + Context.DEVICE_ID_DEFAULT); + } } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -8517,12 +8537,29 @@ public class AppOpsManager { } /** + * @see #noteOp(String, int, String, String, String) + * + * @hide + */ + public int noteOpNoThrow(int op, @NonNull AttributionSource attributionSource, + @Nullable String message) { + return noteOpNoThrow(op, attributionSource.getUid(), attributionSource.getPackageName(), + attributionSource.getAttributionTag(), attributionSource.getDeviceId(), message); + } + + /** * @see #noteOpNoThrow(String, int, String, String, String) * * @hide */ public int noteOpNoThrow(int op, int uid, @Nullable String packageName, @Nullable String attributionTag, @Nullable String message) { + return noteOpNoThrow(op, uid, packageName, attributionTag, Context.DEVICE_ID_DEFAULT, + message); + } + + private int noteOpNoThrow(int op, int uid, @Nullable String packageName, + @Nullable String attributionTag, int virtualDeviceId, @Nullable String message) { try { collectNoteOpCallsForValidation(op); int collectionMode = getNotedOpCollectionMode(uid, packageName, op); @@ -8535,9 +8572,15 @@ public class AppOpsManager { } } - SyncNotedAppOp syncOp = mService.noteOperation(op, uid, packageName, attributionTag, + SyncNotedAppOp syncOp; + if (virtualDeviceId == Context.DEVICE_ID_DEFAULT) { + syncOp = mService.noteOperation(op, uid, packageName, attributionTag, collectionMode == COLLECT_ASYNC, message, shouldCollectMessage); - + } else { + syncOp = mService.noteOperationForDevice(op, uid, packageName, attributionTag, + virtualDeviceId, collectionMode == COLLECT_ASYNC, message, + shouldCollectMessage); + } if (syncOp.getOpMode() == MODE_ALLOWED) { if (collectionMode == COLLECT_SELF) { collectNotedOpForSelf(syncOp); @@ -8775,7 +8818,8 @@ public class AppOpsManager { @UnsupportedAppUsage public int checkOp(int op, int uid, String packageName) { try { - int mode = mService.checkOperation(op, uid, packageName); + int mode = mService.checkOperationForDevice(op, uid, packageName, + Context.DEVICE_ID_DEFAULT); if (mode == MODE_ERRORED) { throw new SecurityException(buildSecurityExceptionMsg(op, uid, packageName)); } @@ -8786,6 +8830,19 @@ public class AppOpsManager { } /** + * Like {@link #checkOp} but instead of throwing a {@link SecurityException}, it + * returns {@link #MODE_ERRORED}. + * + * @see #checkOp(int, int, String) + * + * @hide + */ + public int checkOpNoThrow(int op, AttributionSource attributionSource) { + return checkOpNoThrow(op, attributionSource.getUid(), attributionSource.getPackageName(), + attributionSource.getDeviceId()); + } + + /** * Like {@link #checkOp} but instead of throwing a {@link SecurityException} it * returns {@link #MODE_ERRORED}. * @@ -8795,8 +8852,18 @@ public class AppOpsManager { */ @UnsupportedAppUsage public int checkOpNoThrow(int op, int uid, String packageName) { + return checkOpNoThrow(op, uid, packageName, Context.DEVICE_ID_DEFAULT); + } + + private int checkOpNoThrow(int op, int uid, String packageName, int virtualDeviceId) { try { - int mode = mService.checkOperation(op, uid, packageName); + int mode; + if (virtualDeviceId == Context.DEVICE_ID_DEFAULT) { + mode = mService.checkOperation(op, uid, packageName); + } else { + mode = mService.checkOperationForDevice(op, uid, packageName, virtualDeviceId); + } + return mode == AppOpsManager.MODE_FOREGROUND ? AppOpsManager.MODE_ALLOWED : mode; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); @@ -9026,9 +9093,32 @@ public class AppOpsManager { * * @hide */ + public int startOpNoThrow(@NonNull IBinder token, int op, + @NonNull AttributionSource attributionSource, + boolean startIfModeDefault, @Nullable String message, + @AttributionFlags int attributionFlags, int attributionChainId) { + return startOpNoThrow(token, op, attributionSource.getUid(), + attributionSource.getPackageName(), startIfModeDefault, + attributionSource.getAttributionTag(), attributionSource.getDeviceId(), + message, attributionFlags, attributionChainId); + } + + /** + * @see #startOpNoThrow(String, int, String, String, String) + * + * @hide + */ public int startOpNoThrow(@NonNull IBinder token, int op, int uid, @NonNull String packageName, boolean startIfModeDefault, @Nullable String attributionTag, @Nullable String message, @AttributionFlags int attributionFlags, int attributionChainId) { + return startOpNoThrow(token, op, uid, packageName, startIfModeDefault, attributionTag, + Context.DEVICE_ID_DEFAULT, message, attributionFlags, attributionChainId); + } + + private int startOpNoThrow(@NonNull IBinder token, int op, int uid, @NonNull String packageName, + boolean startIfModeDefault, @Nullable String attributionTag, int virtualDeviceId, + @Nullable String message, @AttributionFlags int attributionFlags, + int attributionChainId) { try { collectNoteOpCallsForValidation(op); int collectionMode = getNotedOpCollectionMode(uid, packageName, op); @@ -9041,10 +9131,17 @@ public class AppOpsManager { } } - SyncNotedAppOp syncOp = mService.startOperation(token, op, uid, packageName, + SyncNotedAppOp syncOp; + if (virtualDeviceId == Context.DEVICE_ID_DEFAULT) { + syncOp = mService.startOperation(token, op, uid, packageName, attributionTag, startIfModeDefault, collectionMode == COLLECT_ASYNC, message, shouldCollectMessage, attributionFlags, attributionChainId); - + } else { + syncOp = mService.startOperationForDevice(token, op, uid, packageName, + attributionTag, virtualDeviceId, startIfModeDefault, + collectionMode == COLLECT_ASYNC, message, shouldCollectMessage, + attributionFlags, attributionChainId); + } if (syncOp.getOpMode() == MODE_ALLOWED) { if (collectionMode == COLLECT_SELF) { collectNotedOpForSelf(syncOp); @@ -9252,10 +9349,31 @@ public class AppOpsManager { * * @hide */ + public void finishOp(IBinder token, int op, @NonNull AttributionSource attributionSource) { + finishOp(token, op, attributionSource.getUid(), + attributionSource.getPackageName(), attributionSource.getAttributionTag(), + attributionSource.getDeviceId()); + } + + /** + * @see #finishOp(String, int, String, String) + * + * @hide + */ public void finishOp(IBinder token, int op, int uid, @NonNull String packageName, @Nullable String attributionTag) { + finishOp(token, op, uid, packageName, attributionTag, Context.DEVICE_ID_DEFAULT); + } + + private void finishOp(IBinder token, int op, int uid, @NonNull String packageName, + @Nullable String attributionTag, int virtualDeviceId ) { try { - mService.finishOperation(token, op, uid, packageName, attributionTag); + if (virtualDeviceId == Context.DEVICE_ID_DEFAULT) { + mService.finishOperation(token, op, uid, packageName, attributionTag); + } else { + mService.finishOperationForDevice(token, op, uid, packageName, attributionTag, + virtualDeviceId); + } } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } diff --git a/core/java/android/app/AppOpsManagerInternal.java b/core/java/android/app/AppOpsManagerInternal.java index 43023fe9c2ab..8daee5867238 100644 --- a/core/java/android/app/AppOpsManagerInternal.java +++ b/core/java/android/app/AppOpsManagerInternal.java @@ -26,11 +26,11 @@ import android.util.SparseArray; import android.util.SparseIntArray; import com.android.internal.app.IAppOpsCallback; -import com.android.internal.util.function.HeptFunction; +import com.android.internal.util.function.DodecFunction; +import com.android.internal.util.function.HexConsumer; import com.android.internal.util.function.HexFunction; +import com.android.internal.util.function.OctFunction; import com.android.internal.util.function.QuadFunction; -import com.android.internal.util.function.QuintConsumer; -import com.android.internal.util.function.QuintFunction; import com.android.internal.util.function.UndecFunction; /** @@ -48,13 +48,14 @@ public abstract class AppOpsManagerInternal { * @param uid The UID for which to check. * @param packageName The package for which to check. * @param attributionTag The attribution tag for which to check. + * @param virtualDeviceId the device for which to check the op * @param raw Whether to check the raw op i.e. not interpret the mode based on UID state. * @param superImpl The super implementation. * @return The app op check result. */ int checkOperation(int code, int uid, String packageName, @Nullable String attributionTag, - boolean raw, QuintFunction<Integer, Integer, String, String, Boolean, Integer> - superImpl); + int virtualDeviceId, boolean raw, HexFunction<Integer, Integer, String, String, + Integer, Boolean, Integer> superImpl); /** * Allows overriding check audio operation behavior. @@ -76,16 +77,17 @@ public abstract class AppOpsManagerInternal { * @param uid The UID for which to note. * @param packageName The package for which to note. {@code null} for system package. * @param featureId Id of the feature in the package + * @param virtualDeviceId the device for which to note the op * @param shouldCollectAsyncNotedOp If an {@link AsyncNotedAppOp} should be collected * @param message The message in the async noted op * @param superImpl The super implementation. * @return The app op note result. */ SyncNotedAppOp noteOperation(int code, int uid, @Nullable String packageName, - @Nullable String featureId, boolean shouldCollectAsyncNotedOp, + @Nullable String featureId, int virtualDeviceId, boolean shouldCollectAsyncNotedOp, @Nullable String message, boolean shouldCollectMessage, - @NonNull HeptFunction<Integer, Integer, String, String, Boolean, String, Boolean, - SyncNotedAppOp> superImpl); + @NonNull OctFunction<Integer, Integer, String, String, Integer, Boolean, String, + Boolean, SyncNotedAppOp> superImpl); /** * Allows overriding note proxy operation behavior. @@ -113,6 +115,7 @@ public abstract class AppOpsManagerInternal { * @param uid The UID for which to note. * @param packageName The package for which to note. {@code null} for system package. * @param attributionTag the attribution tag. + * @param virtualDeviceId the device for which to start the op * @param startIfModeDefault Whether to start the op of the mode is default. * @param shouldCollectAsyncNotedOp If an {@link AsyncNotedAppOp} should be collected * @param message The message in the async noted op @@ -123,11 +126,11 @@ public abstract class AppOpsManagerInternal { * @return The app op note result. */ SyncNotedAppOp startOperation(IBinder token, int code, int uid, - @Nullable String packageName, @Nullable String attributionTag, + @Nullable String packageName, @Nullable String attributionTag, int virtualDeviceId, boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, @Nullable String message, boolean shouldCollectMessage, @AttributionFlags int attributionFlags, int attributionChainId, - @NonNull UndecFunction<IBinder, Integer, Integer, String, String, Boolean, + @NonNull DodecFunction<IBinder, Integer, Integer, String, String, Integer, Boolean, Boolean, String, Boolean, Integer, Integer, SyncNotedAppOp> superImpl); /** @@ -164,11 +167,13 @@ public abstract class AppOpsManagerInternal { * @param uid The UID for which the op was noted. * @param packageName The package for which it was noted. {@code null} for system package. * @param attributionTag the attribution tag. + * @param virtualDeviceId the device for which to finish the op + * @param superImpl */ default void finishOperation(IBinder clientId, int code, int uid, String packageName, - String attributionTag, - @NonNull QuintConsumer<IBinder, Integer, Integer, String, String> superImpl) { - superImpl.accept(clientId, code, uid, packageName, attributionTag); + String attributionTag, int virtualDeviceId, @NonNull HexConsumer<IBinder, Integer, + Integer, String, String, Integer> superImpl) { + superImpl.accept(clientId, code, uid, packageName, attributionTag, virtualDeviceId); } /** diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java index 697c25c2a1ec..b2074a6e7309 100644 --- a/core/java/android/content/AttributionSource.java +++ b/core/java/android/content/AttributionSource.java @@ -107,6 +107,13 @@ public final class AttributionSource implements Parcelable { } /** @hide */ + public AttributionSource(int uid, @Nullable String packageName, + @Nullable String attributionTag, int virtualDeviceId) { + this(uid, Process.INVALID_PID, packageName, attributionTag, sDefaultToken, null, + virtualDeviceId, null); + } + + /** @hide */ public AttributionSource(int uid, int pid, @Nullable String packageName, @Nullable String attributionTag) { this(uid, pid, packageName, attributionTag, sDefaultToken); diff --git a/core/java/com/android/internal/app/IAppOpsService.aidl b/core/java/com/android/internal/app/IAppOpsService.aidl index 492e2ac7cc28..3a321e5c26f7 100644 --- a/core/java/com/android/internal/app/IAppOpsService.aidl +++ b/core/java/com/android/internal/app/IAppOpsService.aidl @@ -140,14 +140,26 @@ interface IAppOpsService { void collectNoteOpCallsForValidation(String stackTrace, int op, String packageName, long version); SyncNotedAppOp noteProxyOperationWithState(int code, - in AttributionSourceState attributionSourceStateState, - boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage, - boolean skipProxyOperation); + in AttributionSourceState attributionSourceStateState, + boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage, + boolean skipProxyOperation); SyncNotedAppOp startProxyOperationWithState(IBinder clientId, int code, - in AttributionSourceState attributionSourceStateState, boolean startIfModeDefault, - boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage, - boolean skipProxyOperation, int proxyAttributionFlags, int proxiedAttributionFlags, - int attributionChainId); + in AttributionSourceState attributionSourceStateState, boolean startIfModeDefault, + boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage, + boolean skipProxyOperation, int proxyAttributionFlags, int proxiedAttributionFlags, + int attributionChainId); void finishProxyOperationWithState(IBinder clientId, int code, - in AttributionSourceState attributionSourceStateState, boolean skipProxyOperation); + in AttributionSourceState attributionSourceStateState, boolean skipProxyOperation); + int checkOperationRawForDevice(int code, int uid, String packageName, + @nullable String attributionTag, int virtualDeviceId); + int checkOperationForDevice(int code, int uid, String packageName, int virtualDeviceId); + SyncNotedAppOp noteOperationForDevice(int code, int uid, String packageName, + @nullable String attributionTag, int virtualDeviceId, + boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage); + SyncNotedAppOp startOperationForDevice(IBinder clientId, int code, int uid, String packageName, + @nullable String attributionTag, int virtualDeviceId, boolean startIfModeDefault, + boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage, + int attributionFlags, int attributionChainId); + void finishOperationForDevice(IBinder clientId, int code, int uid, String packageName, + @nullable String attributionTag, int virtualDeviceId); } diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java index b87d02d86c22..6ec4fbc21626 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java @@ -429,10 +429,10 @@ import com.android.internal.util.FastPrintWriter; import com.android.internal.util.FrameworkStatsLog; import com.android.internal.util.MemInfoReader; import com.android.internal.util.Preconditions; -import com.android.internal.util.function.HeptFunction; +import com.android.internal.util.function.DodecFunction; import com.android.internal.util.function.HexFunction; +import com.android.internal.util.function.OctFunction; import com.android.internal.util.function.QuadFunction; -import com.android.internal.util.function.QuintFunction; import com.android.internal.util.function.UndecFunction; import com.android.server.AlarmManagerInternal; import com.android.server.BootReceiver; @@ -20149,20 +20149,21 @@ public class ActivityManagerService extends IActivityManager.Stub } @Override - public int checkOperation(int code, int uid, String packageName, - String attributionTag, boolean raw, - QuintFunction<Integer, Integer, String, String, Boolean, Integer> superImpl) { + public int checkOperation(int code, int uid, String packageName, String attributionTag, + int virtualDeviceId, boolean raw, HexFunction<Integer, Integer, String, String, + Integer, Boolean, Integer> superImpl) { if (uid == mTargetUid && isTargetOp(code)) { final int shellUid = UserHandle.getUid(UserHandle.getUserId(uid), Process.SHELL_UID); final long identity = Binder.clearCallingIdentity(); try { - return superImpl.apply(code, shellUid, "com.android.shell", null, raw); + return superImpl.apply(code, shellUid, "com.android.shell", null, + virtualDeviceId, raw); } finally { Binder.restoreCallingIdentity(identity); } } - return superImpl.apply(code, uid, packageName, attributionTag, raw); + return superImpl.apply(code, uid, packageName, attributionTag, virtualDeviceId, raw); } @Override @@ -20183,23 +20184,24 @@ public class ActivityManagerService extends IActivityManager.Stub @Override public SyncNotedAppOp noteOperation(int code, int uid, @Nullable String packageName, - @Nullable String featureId, boolean shouldCollectAsyncNotedOp, + @Nullable String featureId, int virtualDeviceId, boolean shouldCollectAsyncNotedOp, @Nullable String message, boolean shouldCollectMessage, - @NonNull HeptFunction<Integer, Integer, String, String, Boolean, String, Boolean, - SyncNotedAppOp> superImpl) { + @NonNull OctFunction<Integer, Integer, String, String, Integer, Boolean, String, + Boolean, SyncNotedAppOp> superImpl) { if (uid == mTargetUid && isTargetOp(code)) { final int shellUid = UserHandle.getUid(UserHandle.getUserId(uid), Process.SHELL_UID); final long identity = Binder.clearCallingIdentity(); try { return superImpl.apply(code, shellUid, "com.android.shell", featureId, - shouldCollectAsyncNotedOp, message, shouldCollectMessage); + virtualDeviceId, shouldCollectAsyncNotedOp, message, + shouldCollectMessage); } finally { Binder.restoreCallingIdentity(identity); } } - return superImpl.apply(code, uid, packageName, featureId, shouldCollectAsyncNotedOp, - message, shouldCollectMessage); + return superImpl.apply(code, uid, packageName, featureId, virtualDeviceId, + shouldCollectAsyncNotedOp, message, shouldCollectMessage); } @Override @@ -20230,11 +20232,11 @@ public class ActivityManagerService extends IActivityManager.Stub @Override public SyncNotedAppOp startOperation(IBinder token, int code, int uid, - @Nullable String packageName, @Nullable String attributionTag, + @Nullable String packageName, @Nullable String attributionTag, int virtualDeviceId, boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, @Nullable String message, boolean shouldCollectMessage, @AttributionFlags int attributionFlags, int attributionChainId, - @NonNull UndecFunction<IBinder, Integer, Integer, String, String, Boolean, + @NonNull DodecFunction<IBinder, Integer, Integer, String, String, Integer, Boolean, Boolean, String, Boolean, Integer, Integer, SyncNotedAppOp> superImpl) { if (uid == mTargetUid && isTargetOp(code)) { final int shellUid = UserHandle.getUid(UserHandle.getUserId(uid), @@ -20242,13 +20244,14 @@ public class ActivityManagerService extends IActivityManager.Stub final long identity = Binder.clearCallingIdentity(); try { return superImpl.apply(token, code, shellUid, "com.android.shell", - attributionTag, startIfModeDefault, shouldCollectAsyncNotedOp, message, - shouldCollectMessage, attributionFlags, attributionChainId); + attributionTag, virtualDeviceId, startIfModeDefault, + shouldCollectAsyncNotedOp, message, shouldCollectMessage, + attributionFlags, attributionChainId); } finally { Binder.restoreCallingIdentity(identity); } } - return superImpl.apply(token, code, uid, packageName, attributionTag, + return superImpl.apply(token, code, uid, packageName, attributionTag, virtualDeviceId, startIfModeDefault, shouldCollectAsyncNotedOp, message, shouldCollectMessage, attributionFlags, attributionChainId); } diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java index 7780b3906b9f..d80638af697e 100644 --- a/services/core/java/com/android/server/appop/AppOpsService.java +++ b/services/core/java/com/android/server/appop/AppOpsService.java @@ -2580,17 +2580,30 @@ public class AppOpsService extends IAppOpsService.Stub { public int checkOperationRaw(int code, int uid, String packageName, @Nullable String attributionTag) { return mCheckOpsDelegateDispatcher.checkOperation(code, uid, packageName, attributionTag, - true /*raw*/); + Context.DEVICE_ID_DEFAULT, true /*raw*/); + } + + @Override + public int checkOperationRawForDevice(int code, int uid, @Nullable String packageName, + @Nullable String attributionTag, int virtualDeviceId) { + return mCheckOpsDelegateDispatcher.checkOperation(code, uid, packageName, attributionTag, + virtualDeviceId, true /*raw*/); } @Override public int checkOperation(int code, int uid, String packageName) { return mCheckOpsDelegateDispatcher.checkOperation(code, uid, packageName, null, - false /*raw*/); + Context.DEVICE_ID_DEFAULT, false /*raw*/); + } + + @Override + public int checkOperationForDevice(int code, int uid, String packageName, int virtualDeviceId) { + return mCheckOpsDelegateDispatcher.checkOperation(code, uid, packageName, null, + virtualDeviceId, false /*raw*/); } private int checkOperationImpl(int code, int uid, String packageName, - @Nullable String attributionTag, boolean raw) { + @Nullable String attributionTag, int virtualDeviceId, boolean raw) { verifyIncomingOp(code); if (!isIncomingPackageValid(packageName, UserHandle.getUserId(uid))) { return AppOpsManager.opToDefaultMode(code); @@ -2816,12 +2829,23 @@ public class AppOpsService extends IAppOpsService.Stub { String attributionTag, boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage) { return mCheckOpsDelegateDispatcher.noteOperation(code, uid, packageName, - attributionTag, shouldCollectAsyncNotedOp, message, shouldCollectMessage); + attributionTag, Context.DEVICE_ID_DEFAULT, shouldCollectAsyncNotedOp, message, + shouldCollectMessage); + } + + @Override + public SyncNotedAppOp noteOperationForDevice(int code, int uid, @Nullable String packageName, + @Nullable String attributionTag, int virtualDeviceId, boolean shouldCollectAsyncNotedOp, + String message, boolean shouldCollectMessage) { + return mCheckOpsDelegateDispatcher.noteOperation(code, uid, packageName, + attributionTag, virtualDeviceId, shouldCollectAsyncNotedOp, message, + shouldCollectMessage); } private SyncNotedAppOp noteOperationImpl(int code, int uid, @Nullable String packageName, - @Nullable String attributionTag, boolean shouldCollectAsyncNotedOp, - @Nullable String message, boolean shouldCollectMessage) { + @Nullable String attributionTag, int virtualDeviceId, + boolean shouldCollectAsyncNotedOp, @Nullable String message, + boolean shouldCollectMessage) { verifyIncomingUid(uid); verifyIncomingOp(code); if (!isIncomingPackageValid(packageName, UserHandle.getUserId(uid))) { @@ -2840,10 +2864,10 @@ public class AppOpsService extends IAppOpsService.Stub { } private SyncNotedAppOp noteOperationUnchecked(int code, int uid, @NonNull String packageName, - @Nullable String attributionTag, int proxyUid, String proxyPackageName, - @Nullable String proxyAttributionTag, @OpFlags int flags, - boolean shouldCollectAsyncNotedOp, @Nullable String message, - boolean shouldCollectMessage) { + @Nullable String attributionTag, int proxyUid, String proxyPackageName, + @Nullable String proxyAttributionTag, @OpFlags int flags, + boolean shouldCollectAsyncNotedOp, @Nullable String message, + boolean shouldCollectMessage) { PackageVerificationResult pvr; try { pvr = verifyAndGetBypass(uid, packageName, attributionTag, proxyPackageName); @@ -3238,12 +3262,26 @@ public class AppOpsService extends IAppOpsService.Stub { String message, boolean shouldCollectMessage, @AttributionFlags int attributionFlags, int attributionChainId) { return mCheckOpsDelegateDispatcher.startOperation(token, code, uid, packageName, - attributionTag, startIfModeDefault, shouldCollectAsyncNotedOp, message, - shouldCollectMessage, attributionFlags, attributionChainId); + attributionTag, Context.DEVICE_ID_DEFAULT, startIfModeDefault, + shouldCollectAsyncNotedOp, message, shouldCollectMessage, attributionFlags, + attributionChainId + ); + } + + @Override + public SyncNotedAppOp startOperationForDevice(IBinder token, int code, int uid, + @Nullable String packageName, @Nullable String attributionTag, int virtualDeviceId, + boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, String message, + boolean shouldCollectMessage, @AttributionFlags int attributionFlags, + int attributionChainId) { + return mCheckOpsDelegateDispatcher.startOperation(token, code, uid, packageName, + attributionTag, virtualDeviceId, startIfModeDefault, shouldCollectAsyncNotedOp, + message, shouldCollectMessage, attributionFlags, attributionChainId + ); } private SyncNotedAppOp startOperationImpl(@NonNull IBinder clientId, int code, int uid, - @Nullable String packageName, @Nullable String attributionTag, + @Nullable String packageName, @Nullable String attributionTag, int virtualDeviceId, boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, @NonNull String message, boolean shouldCollectMessage, @AttributionFlags int attributionFlags, int attributionChainId) { @@ -3614,11 +3652,18 @@ public class AppOpsService extends IAppOpsService.Stub { public void finishOperation(IBinder clientId, int code, int uid, String packageName, String attributionTag) { mCheckOpsDelegateDispatcher.finishOperation(clientId, code, uid, packageName, - attributionTag); + attributionTag, Context.DEVICE_ID_DEFAULT); + } + + @Override + public void finishOperationForDevice(IBinder clientId, int code, int uid, + @Nullable String packageName, @Nullable String attributionTag, int virtualDeviceId) { + mCheckOpsDelegateDispatcher.finishOperation(clientId, code, uid, packageName, + attributionTag, virtualDeviceId); } private void finishOperationImpl(IBinder clientId, int code, int uid, String packageName, - String attributionTag) { + String attributionTag, int virtualDeviceId) { verifyIncomingUid(uid); verifyIncomingOp(code); if (!isIncomingPackageValid(packageName, UserHandle.getUserId(uid))) { @@ -6800,25 +6845,28 @@ public class AppOpsService extends IAppOpsService.Stub { } public int checkOperation(int code, int uid, String packageName, - @Nullable String attributionTag, boolean raw) { + @Nullable String attributionTag, int virtualDeviceId, boolean raw) { if (mPolicy != null) { if (mCheckOpsDelegate != null) { - return mPolicy.checkOperation(code, uid, packageName, attributionTag, raw, - this::checkDelegateOperationImpl); + return mPolicy.checkOperation(code, uid, packageName, attributionTag, + virtualDeviceId, raw, this::checkDelegateOperationImpl + ); } else { - return mPolicy.checkOperation(code, uid, packageName, attributionTag, raw, - AppOpsService.this::checkOperationImpl); + return mPolicy.checkOperation(code, uid, packageName, attributionTag, + virtualDeviceId, raw, AppOpsService.this::checkOperationImpl + ); } } else if (mCheckOpsDelegate != null) { - return checkDelegateOperationImpl(code, uid, packageName, attributionTag, raw); + return checkDelegateOperationImpl(code, uid, packageName, attributionTag, + virtualDeviceId, raw); } - return checkOperationImpl(code, uid, packageName, attributionTag, raw); + return checkOperationImpl(code, uid, packageName, attributionTag, virtualDeviceId, raw); } private int checkDelegateOperationImpl(int code, int uid, String packageName, - @Nullable String attributionTag, boolean raw) { - return mCheckOpsDelegate.checkOperation(code, uid, packageName, attributionTag, raw, - AppOpsService.this::checkOperationImpl); + @Nullable String attributionTag, int virtualDeviceId, boolean raw) { + return mCheckOpsDelegate.checkOperation(code, uid, packageName, attributionTag, + virtualDeviceId, raw, AppOpsService.this::checkOperationImpl); } public int checkAudioOperation(int code, int usage, int uid, String packageName) { @@ -6843,33 +6891,36 @@ public class AppOpsService extends IAppOpsService.Stub { } public SyncNotedAppOp noteOperation(int code, int uid, String packageName, - String attributionTag, boolean shouldCollectAsyncNotedOp, String message, - boolean shouldCollectMessage) { + String attributionTag, int virtualDeviceId, boolean shouldCollectAsyncNotedOp, + String message, boolean shouldCollectMessage) { if (mPolicy != null) { if (mCheckOpsDelegate != null) { return mPolicy.noteOperation(code, uid, packageName, attributionTag, - shouldCollectAsyncNotedOp, message, shouldCollectMessage, - this::noteDelegateOperationImpl); + virtualDeviceId, shouldCollectAsyncNotedOp, message, + shouldCollectMessage, this::noteDelegateOperationImpl + ); } else { return mPolicy.noteOperation(code, uid, packageName, attributionTag, - shouldCollectAsyncNotedOp, message, shouldCollectMessage, - AppOpsService.this::noteOperationImpl); + virtualDeviceId, shouldCollectAsyncNotedOp, message, + shouldCollectMessage, AppOpsService.this::noteOperationImpl + ); } } else if (mCheckOpsDelegate != null) { - return noteDelegateOperationImpl(code, uid, packageName, - attributionTag, shouldCollectAsyncNotedOp, message, shouldCollectMessage); + return noteDelegateOperationImpl(code, uid, packageName, attributionTag, + virtualDeviceId, shouldCollectAsyncNotedOp, message, shouldCollectMessage); } return noteOperationImpl(code, uid, packageName, attributionTag, - shouldCollectAsyncNotedOp, message, shouldCollectMessage); + virtualDeviceId, shouldCollectAsyncNotedOp, message, shouldCollectMessage); } private SyncNotedAppOp noteDelegateOperationImpl(int code, int uid, - @Nullable String packageName, @Nullable String featureId, + @Nullable String packageName, @Nullable String featureId, int virtualDeviceId, boolean shouldCollectAsyncNotedOp, @Nullable String message, boolean shouldCollectMessage) { return mCheckOpsDelegate.noteOperation(code, uid, packageName, featureId, - shouldCollectAsyncNotedOp, message, shouldCollectMessage, - AppOpsService.this::noteOperationImpl); + virtualDeviceId, shouldCollectAsyncNotedOp, message, shouldCollectMessage, + AppOpsService.this::noteOperationImpl + ); } public SyncNotedAppOp noteProxyOperation(int code, AttributionSource attributionSource, @@ -6904,40 +6955,45 @@ public class AppOpsService extends IAppOpsService.Stub { } public SyncNotedAppOp startOperation(IBinder token, int code, int uid, - @Nullable String packageName, @NonNull String attributionTag, + @Nullable String packageName, @NonNull String attributionTag, int virtualDeviceId, boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, @Nullable String message, boolean shouldCollectMessage, @AttributionFlags int attributionFlags, int attributionChainId) { if (mPolicy != null) { if (mCheckOpsDelegate != null) { - return mPolicy.startOperation(token, code, uid, packageName, - attributionTag, startIfModeDefault, shouldCollectAsyncNotedOp, message, + return mPolicy.startOperation(token, code, uid, packageName, attributionTag, + virtualDeviceId, startIfModeDefault, shouldCollectAsyncNotedOp, message, shouldCollectMessage, attributionFlags, attributionChainId, - this::startDelegateOperationImpl); + this::startDelegateOperationImpl + ); } else { return mPolicy.startOperation(token, code, uid, packageName, attributionTag, - startIfModeDefault, shouldCollectAsyncNotedOp, message, + virtualDeviceId, startIfModeDefault, shouldCollectAsyncNotedOp, message, shouldCollectMessage, attributionFlags, attributionChainId, - AppOpsService.this::startOperationImpl); + AppOpsService.this::startOperationImpl + ); } } else if (mCheckOpsDelegate != null) { return startDelegateOperationImpl(token, code, uid, packageName, attributionTag, - startIfModeDefault, shouldCollectAsyncNotedOp, message, - shouldCollectMessage, attributionFlags, attributionChainId); + virtualDeviceId, startIfModeDefault, shouldCollectAsyncNotedOp, message, + shouldCollectMessage, attributionFlags, attributionChainId + ); } return startOperationImpl(token, code, uid, packageName, attributionTag, - startIfModeDefault, shouldCollectAsyncNotedOp, message, shouldCollectMessage, - attributionFlags, attributionChainId); + virtualDeviceId, startIfModeDefault, shouldCollectAsyncNotedOp, message, + shouldCollectMessage, attributionFlags, attributionChainId + ); } private SyncNotedAppOp startDelegateOperationImpl(IBinder token, int code, int uid, @Nullable String packageName, @Nullable String attributionTag, - boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, String message, - boolean shouldCollectMessage, @AttributionFlags int attributionFlags, - int attributionChainId) { + int virtualDeviceId, boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, + String message, boolean shouldCollectMessage, + @AttributionFlags int attributionFlags, int attributionChainId) { return mCheckOpsDelegate.startOperation(token, code, uid, packageName, attributionTag, - startIfModeDefault, shouldCollectAsyncNotedOp, message, shouldCollectMessage, - attributionFlags, attributionChainId, AppOpsService.this::startOperationImpl); + virtualDeviceId, startIfModeDefault, shouldCollectAsyncNotedOp, message, + shouldCollectMessage, attributionFlags, attributionChainId, + AppOpsService.this::startOperationImpl); } public SyncNotedAppOp startProxyOperation(@NonNull IBinder clientId, int code, @@ -6982,26 +7038,28 @@ public class AppOpsService extends IAppOpsService.Stub { } public void finishOperation(IBinder clientId, int code, int uid, String packageName, - String attributionTag) { + String attributionTag, int virtualDeviceId) { if (mPolicy != null) { if (mCheckOpsDelegate != null) { mPolicy.finishOperation(clientId, code, uid, packageName, attributionTag, - this::finishDelegateOperationImpl); + virtualDeviceId, this::finishDelegateOperationImpl); } else { mPolicy.finishOperation(clientId, code, uid, packageName, attributionTag, - AppOpsService.this::finishOperationImpl); + virtualDeviceId, AppOpsService.this::finishOperationImpl); } } else if (mCheckOpsDelegate != null) { - finishDelegateOperationImpl(clientId, code, uid, packageName, attributionTag); + finishDelegateOperationImpl(clientId, code, uid, packageName, attributionTag, + virtualDeviceId); } else { - finishOperationImpl(clientId, code, uid, packageName, attributionTag); + finishOperationImpl(clientId, code, uid, packageName, attributionTag, + virtualDeviceId); } } private void finishDelegateOperationImpl(IBinder clientId, int code, int uid, - String packageName, String attributionTag) { + String packageName, String attributionTag, int virtualDeviceId) { mCheckOpsDelegate.finishOperation(clientId, code, uid, packageName, attributionTag, - AppOpsService.this::finishOperationImpl); + virtualDeviceId, AppOpsService.this::finishOperationImpl); } public void finishProxyOperation(@NonNull IBinder clientId, int code, diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java index 9610d051db95..d3931a303d0d 100644 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java @@ -278,8 +278,11 @@ public class PermissionManagerService extends IPermissionManager.Stub { private boolean setAutoRevokeExemptedInternal(@NonNull AndroidPackage pkg, boolean exempted, @UserIdInt int userId) { final int packageUid = UserHandle.getUid(userId, pkg.getUid()); + final AttributionSource attributionSource = + new AttributionSource(packageUid, pkg.getPackageName(), null); + if (mAppOpsManager.checkOpNoThrow(AppOpsManager.OP_AUTO_REVOKE_MANAGED_BY_INSTALLER, - packageUid, pkg.getPackageName()) != MODE_ALLOWED) { + attributionSource) != MODE_ALLOWED) { // Allowlist user set - don't override return false; } @@ -330,8 +333,10 @@ public class PermissionManagerService extends IPermissionManager.Stub { final long identity = Binder.clearCallingIdentity(); try { + final AttributionSource attributionSource = + new AttributionSource(packageUid, packageName, null); return mAppOpsManager.checkOpNoThrow( - AppOpsManager.OP_AUTO_REVOKE_PERMISSIONS_IF_UNUSED, packageUid, packageName) + AppOpsManager.OP_AUTO_REVOKE_PERMISSIONS_IF_UNUSED, attributionSource) == MODE_IGNORED; } finally { Binder.restoreCallingIdentity(identity); @@ -1157,9 +1162,11 @@ public class PermissionManagerService extends IPermissionManager.Stub { if (resolvedPackageName == null) { return; } + final AttributionSource resolvedAccessorSource = + accessorSource.withPackageName(resolvedPackageName); + appOpsManager.finishOp(attributionSourceState.token, op, - accessorSource.getUid(), resolvedPackageName, - accessorSource.getAttributionTag()); + resolvedAccessorSource); } else { final AttributionSource resolvedAttributionSource = resolveAttributionSource(context, accessorSource); @@ -1583,16 +1590,19 @@ public class PermissionManagerService extends IPermissionManager.Stub { if (resolvedAccessorPackageName == null) { return AppOpsManager.MODE_ERRORED; } + final AttributionSource resolvedAttributionSource = + accessorSource.withPackageName(resolvedAccessorPackageName); final int opMode = appOpsManager.unsafeCheckOpRawNoThrow(op, - accessorSource.getUid(), resolvedAccessorPackageName); + resolvedAttributionSource); final AttributionSource next = accessorSource.getNext(); if (!selfAccess && opMode == AppOpsManager.MODE_ALLOWED && next != null) { final String resolvedNextPackageName = resolvePackageName(context, next); if (resolvedNextPackageName == null) { return AppOpsManager.MODE_ERRORED; } - return appOpsManager.unsafeCheckOpRawNoThrow(op, next.getUid(), - resolvedNextPackageName); + final AttributionSource resolvedNextAttributionSource = + next.withPackageName(resolvedNextPackageName); + return appOpsManager.unsafeCheckOpRawNoThrow(op, resolvedNextAttributionSource); } return opMode; } else if (startDataDelivery) { @@ -1615,9 +1625,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { // the operation. We return the less permissive of the two and check // the permission op while start the attributed op. if (attributedOp != AppOpsManager.OP_NONE && attributedOp != op) { - checkedOpResult = appOpsManager.checkOpNoThrow(op, - resolvedAttributionSource.getUid(), resolvedAttributionSource - .getPackageName()); + checkedOpResult = appOpsManager.checkOpNoThrow(op, resolvedAttributionSource); if (checkedOpResult == MODE_ERRORED) { return checkedOpResult; } @@ -1626,12 +1634,9 @@ public class PermissionManagerService extends IPermissionManager.Stub { if (selfAccess) { try { startedOpResult = appOpsManager.startOpNoThrow( - chainStartToken, startedOp, - resolvedAttributionSource.getUid(), - resolvedAttributionSource.getPackageName(), - /*startIfModeDefault*/ false, - resolvedAttributionSource.getAttributionTag(), - message, proxyAttributionFlags, attributionChainId); + chainStartToken, startedOp, resolvedAttributionSource, + /*startIfModeDefault*/ false, message, proxyAttributionFlags, + attributionChainId); } catch (SecurityException e) { Slog.w(LOG_TAG, "Datasource " + attributionSource + " protecting data with" + " platform defined runtime permission " @@ -1676,9 +1681,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { // the operation. We return the less permissive of the two and check // the permission op while start the attributed op. if (attributedOp != AppOpsManager.OP_NONE && attributedOp != op) { - checkedOpResult = appOpsManager.checkOpNoThrow(op, - resolvedAttributionSource.getUid(), resolvedAttributionSource - .getPackageName()); + checkedOpResult = appOpsManager.checkOpNoThrow(op, resolvedAttributionSource); if (checkedOpResult == MODE_ERRORED) { return checkedOpResult; } @@ -1692,10 +1695,7 @@ public class PermissionManagerService extends IPermissionManager.Stub { // As a fallback we note a proxy op that blames the app and the datasource. try { notedOpResult = appOpsManager.noteOpNoThrow(notedOp, - resolvedAttributionSource.getUid(), - resolvedAttributionSource.getPackageName(), - resolvedAttributionSource.getAttributionTag(), - message); + resolvedAttributionSource, message); } catch (SecurityException e) { Slog.w(LOG_TAG, "Datasource " + attributionSource + " protecting data with" + " platform defined runtime permission " diff --git a/services/core/java/com/android/server/policy/AppOpsPolicy.java b/services/core/java/com/android/server/policy/AppOpsPolicy.java index b83421fe78d7..ecffd382f542 100644 --- a/services/core/java/com/android/server/policy/AppOpsPolicy.java +++ b/services/core/java/com/android/server/policy/AppOpsPolicy.java @@ -50,11 +50,11 @@ import android.util.Log; import android.util.SparseArray; import com.android.internal.annotations.GuardedBy; -import com.android.internal.util.function.HeptFunction; +import com.android.internal.util.function.DodecFunction; +import com.android.internal.util.function.HexConsumer; import com.android.internal.util.function.HexFunction; +import com.android.internal.util.function.OctFunction; import com.android.internal.util.function.QuadFunction; -import com.android.internal.util.function.QuintConsumer; -import com.android.internal.util.function.QuintFunction; import com.android.internal.util.function.UndecFunction; import com.android.server.LocalServices; @@ -230,9 +230,10 @@ public final class AppOpsPolicy implements AppOpsManagerInternal.CheckOpsDelegat @Override public int checkOperation(int code, int uid, String packageName, - @Nullable String attributionTag, boolean raw, - QuintFunction<Integer, Integer, String, String, Boolean, Integer> superImpl) { - return superImpl.apply(code, resolveUid(code, uid), packageName, attributionTag, raw); + @Nullable String attributionTag, int virtualDeviceId, boolean raw, + HexFunction<Integer, Integer, String, String, Integer, Boolean, Integer> superImpl) { + return superImpl.apply(code, resolveUid(code, uid), packageName, attributionTag, + virtualDeviceId, raw); } @Override @@ -243,12 +244,13 @@ public final class AppOpsPolicy implements AppOpsManagerInternal.CheckOpsDelegat @Override public SyncNotedAppOp noteOperation(int code, int uid, @Nullable String packageName, - @Nullable String attributionTag, boolean shouldCollectAsyncNotedOp, @Nullable - String message, boolean shouldCollectMessage, @NonNull HeptFunction<Integer, Integer, - String, String, Boolean, String, Boolean, SyncNotedAppOp> superImpl) { + @Nullable String attributionTag, int virtualDeviceId, + boolean shouldCollectAsyncNotedOp, @Nullable String message, + boolean shouldCollectMessage, @NonNull OctFunction<Integer, Integer, String, String, + Integer, Boolean, String, Boolean, SyncNotedAppOp> superImpl) { return superImpl.apply(resolveDatasourceOp(code, uid, packageName, attributionTag), - resolveUid(code, uid), packageName, attributionTag, shouldCollectAsyncNotedOp, - message, shouldCollectMessage); + resolveUid(code, uid), packageName, attributionTag, virtualDeviceId, + shouldCollectAsyncNotedOp, message, shouldCollectMessage); } @Override @@ -265,16 +267,16 @@ public final class AppOpsPolicy implements AppOpsManagerInternal.CheckOpsDelegat @Override public SyncNotedAppOp startOperation(IBinder token, int code, int uid, - @Nullable String packageName, @Nullable String attributionTag, + @Nullable String packageName, @Nullable String attributionTag, int virtualDeviceId, boolean startIfModeDefault, boolean shouldCollectAsyncNotedOp, String message, boolean shouldCollectMessage, @AttributionFlags int attributionFlags, - int attributionChainId, @NonNull UndecFunction<IBinder, Integer, Integer, String, - String, Boolean, Boolean, String, Boolean, Integer, Integer, - SyncNotedAppOp> superImpl) { + int attributionChainId, @NonNull DodecFunction<IBinder, Integer, Integer, String, + String, Integer, Boolean, Boolean, String, Boolean, Integer, Integer, + SyncNotedAppOp> superImpl) { return superImpl.apply(token, resolveDatasourceOp(code, uid, packageName, attributionTag), - resolveUid(code, uid), packageName, attributionTag, startIfModeDefault, - shouldCollectAsyncNotedOp, message, shouldCollectMessage, attributionFlags, - attributionChainId); + resolveUid(code, uid), packageName, attributionTag, virtualDeviceId, + startIfModeDefault, shouldCollectAsyncNotedOp, message, shouldCollectMessage, + attributionFlags, attributionChainId); } @Override @@ -294,10 +296,10 @@ public final class AppOpsPolicy implements AppOpsManagerInternal.CheckOpsDelegat @Override public void finishOperation(IBinder clientId, int code, int uid, String packageName, - String attributionTag, - @NonNull QuintConsumer<IBinder, Integer, Integer, String, String> superImpl) { + String attributionTag, int virtualDeviceId, + @NonNull HexConsumer<IBinder, Integer, Integer, String, String, Integer> superImpl) { superImpl.accept(clientId, resolveDatasourceOp(code, uid, packageName, attributionTag), - resolveUid(code, uid), packageName, attributionTag); + resolveUid(code, uid), packageName, attributionTag, virtualDeviceId); } @Override |