author Yi-an Chen <theianchen@google.com> 2023-01-12 22:56:25 +0000
committer Android (Google) Code Review <android-gerrit@google.com> 2023-01-12 22:56:25 +0000
commit170553978fa85a09fc55a93638fefa9c039d20ac (patch)
tree0e29d5b62614aef470e2a99a141ce891b113910b
parent1160db2a84fde8f12da46b4cf009ba0b5a9d1771 (diff)
parent94582d7a31c5305274d0858a51eb179044da195d (diff)
Merge "Handle privileged permission allowlist and isModule"
-rw-r--r--services/permission/java/com/android/server/permission/access/AccessCheckingService.kt6
-rw-r--r--services/permission/java/com/android/server/permission/access/AccessPolicy.kt9
-rw-r--r--services/permission/java/com/android/server/permission/access/AccessState.kt4
-rw-r--r--services/permission/java/com/android/server/permission/access/permission/Permission.kt3
-rw-r--r--services/permission/java/com/android/server/permission/access/permission/PermissionService.kt2
-rw-r--r--services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt35
6 files changed, 55 insertions, 4 deletions
diff --git a/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt b/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
index f549797d42f8..e416718e13bc 100644
--- a/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
@@ -211,6 +211,12 @@ class AccessCheckingService(context: Context) : SystemService(context) {
}
}
+ internal fun onSystemReady() {
+ mutateState {
+ with(policy) { onSystemReady() }
+ }
+ }
+
private val PackageManagerLocal.allPackageStates:
Pair<Map<String, PackageState>, Map<String, PackageState>>
get() = withUnfilteredSnapshot().use { it.packageStates to it.disabledSystemPackageStates }
diff --git a/services/permission/java/com/android/server/permission/access/AccessPolicy.kt b/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
index e0f94c7707a6..07a5e72fc182 100644
--- a/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
@@ -255,6 +255,13 @@ class AccessPolicy private constructor(
}
}
+ fun MutateStateScope.onSystemReady() {
+ newState.systemState.isSystemReady = true
+ forEachSchemePolicy {
+ with(it) { onSystemReady() }
+ }
+ }
+
fun BinaryXmlPullParser.parseSystemState(state: AccessState) {
forEachTag {
when (tagName) {
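Review bot: `newState.systemState.isSystemReady` is set to true before the scheme policies' `onSystemReady()` hooks run, so any policy that consults the flag from inside its own hook already observes the post-boot value; that ordering is load-bearing for boot-only bookkeeping and is not stated anywhere on the function. A KDoc such as `/** Marks the system as ready, then notifies every scheme policy; the flag is already true when the hooks run. */` would capture it. Whether a hook that throws (as `UidPermissionPolicy.onSystemReady` does in this commit when violations were recorded) leaves the flag committed depends on `mutateState`, which is outside this hunk.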
@@ -362,6 +369,8 @@ abstract class SchemePolicy {
open fun MutateStateScope.onPackageUninstalled(packageName: String, appId: Int, userId: Int) {}
+ open fun MutateStateScope.onSystemReady() {}
+
open fun BinaryXmlPullParser.parseSystemState(state: AccessState) {}
open fun BinaryXmlSerializer.serializeSystemState(state: AccessState) {}
diff --git a/services/permission/java/com/android/server/permission/access/AccessState.kt b/services/permission/java/com/android/server/permission/access/AccessState.kt
index 961619304531..5532311068ab 100644
--- a/services/permission/java/com/android/server/permission/access/AccessState.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessState.kt
@@ -50,6 +50,8 @@ class SystemState private constructor(
var privilegedPermissionAllowlistPackages: IndexedListSet<String>,
var permissionAllowlist: PermissionAllowlist,
var implicitToSourcePermissions: IndexedMap<String, IndexedListSet<String>>,
+ var isSystemReady: Boolean,
+ // TODO: Get and watch the state for deviceAndProfileOwners
// Mapping from user ID to package name.
var deviceAndProfileOwners: IntMap<String>,
val permissionGroups: IndexedMap<String, PermissionGroupInfo>,
@@ -67,6 +69,7 @@ class SystemState private constructor(
IndexedListSet(),
PermissionAllowlist(),
IndexedMap(),
+ false,
IntMap(),
IndexedMap(),
IndexedMap(),
@@ -85,6 +88,7 @@ class SystemState private constructor(
privilegedPermissionAllowlistPackages,
permissionAllowlist,
implicitToSourcePermissions,
+ isSystemReady,
deviceAndProfileOwners,
permissionGroups.copy { it },
permissionTrees.copy { it },
diff --git a/services/permission/java/com/android/server/permission/access/permission/Permission.kt b/services/permission/java/com/android/server/permission/access/permission/Permission.kt
index 7bfca1214b53..714480c526c7 100644
--- a/services/permission/java/com/android/server/permission/access/permission/Permission.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/Permission.kt
@@ -91,6 +91,9 @@ data class Permission(
inline val isKnownSigner: Boolean
get() = protectionFlags.hasBits(PermissionInfo.PROTECTION_FLAG_KNOWN_SIGNER)
+ inline val isModule: Boolean
+ get() = protectionFlags.hasBits(PermissionInfo.PROTECTION_FLAG_MODULE)
+
inline val isOem: Boolean
get() = protectionFlags.hasBits(PermissionInfo.PROTECTION_FLAG_OEM)
diff --git a/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt b/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt
index 903fad33055f..c7e937102ca0 100644
--- a/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt
@@ -1747,7 +1747,7 @@ class PermissionService(
override fun writeLegacyPermissionStateTEMP() {}
override fun onSystemReady() {
- // TODO STOPSHIP privappPermissionsViolationsfix check
+ service.onSystemReady()
permissionControllerManager = PermissionControllerManager(
context, PermissionThread.getHandler()
)
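Review bot: `service.onSystemReady()` can now throw — `UidPermissionPolicy.onSystemReady` in this commit raises `IllegalStateException` when privileged-permission allowlist violations were recorded on an enforcing build — and the call sits before `permissionControllerManager` is initialised, so a violation aborts the rest of this method. That fail-fast appears to be what the removed STOPSHIP TODO asked for, but the new line gives no hint of it; a comment such as `// Throws on enforcing builds if privileged permissions outside the allowlist were requested during boot.` would make the intent visible. The enclosing `onSystemReady` continues past the hunk.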
diff --git a/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt b/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt
index d0833bdda35d..694efbbf7cf9 100644
--- a/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt
@@ -54,6 +54,8 @@ class UidPermissionPolicy : SchemePolicy() {
IndexedListSet<OnPermissionFlagsChangedListener>()
private val onPermissionFlagsChangedListenersLock = Any()
+ private val privilegedPermissionAllowlistViolations = IndexedSet<String>()
+
override val subjectScheme: String
get() = UidUri.SCHEME
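Review bot: `privilegedPermissionAllowlistViolations` is mutable state kept on the policy object rather than in `AccessState`, so unlike the new `SystemState.isSystemReady` it is not part of the copied state snapshot, and an entry added during a state mutation that is later discarded would presumably still be reported at system ready. The neighbouring `onPermissionFlagsChangedListenersLock` suggests collections on this object are otherwise guarded explicitly; if the `+=` in the allowlist check later in this commit always runs under the state mutation lock, say so on the field, e.g. `// Boot-time violations; mutated only under mutateState, read once in onSystemReady.` — confirm against the callers.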
@@ -734,7 +736,7 @@ class UidPermissionPolicy : SchemePolicy() {
} else {
newFlags = newFlags andInv PermissionFlags.LEGACY_GRANTED
val wasGrantedByImplicit = newFlags.hasBits(PermissionFlags.IMPLICIT_GRANTED)
- val isLeanBackNotificationsPermission = newState.systemState.isLeanback &&
+ val isLeanbackNotificationsPermission = newState.systemState.isLeanback &&
permissionName in NOTIFICATIONS_PERMISSIONS
val isImplicitPermission = anyPackageInAppId(appId) {
permissionName in it.androidPackage!!.implicitPermissions
@@ -748,7 +750,7 @@ class UidPermissionPolicy : SchemePolicy() {
}
!sourcePermission.isRuntime
} ?: false
- val shouldGrantByImplicit = isLeanBackNotificationsPermission ||
+ val shouldGrantByImplicit = isLeanbackNotificationsPermission ||
(isImplicitPermission && isAnySourcePermissionNonRuntime)
if (shouldGrantByImplicit) {
newFlags = newFlags or PermissionFlags.IMPLICIT_GRANTED
@@ -917,7 +919,21 @@ class UidPermissionPolicy : SchemePolicy() {
if (packageState.isUpdatedSystemApp) {
return true
}
- // TODO: Enforce the allowlist on boot
+ // Only enforce the privileged permission allowlist on boot
+ if (!newState.systemState.isSystemReady) {
+ // Apps that are in updated apex's do not need to be allowlisted
+ if (!packageState.isApkInUpdatedApex) {
+ Log.w(
+ LOG_TAG, "Privileged permission ${permission.name} for package" +
+ " ${packageState.packageName} (${packageState.path}) not in" +
+ " privileged permission allowlist"
+ )
+ if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) {
+ privilegedPermissionAllowlistViolations += "${packageState.packageName}" +
+ " (${packageState.path}): ${permission.name}"
+ }
+ }
+ }
return !RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE
}
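Review bot: The comment `// Only enforce the privileged permission allowlist on boot` does not match the code beneath it: the grant decision `return !RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE` applies regardless of `isSystemReady`, and what the new `if (!newState.systemState.isSystemReady)` block gates is only the warning log and the recording of the violation that `onSystemReady` later fails on. Suggest `// During boot, violations are also logged and recorded for the fail-fast in onSystemReady; the grant decision below is unconditional.` so a reader does not conclude that the allowlist stops mattering after boot. The `isApkInUpdatedApex` exemption would likewise benefit from a one-line reference to why updated-APEX APKs are trusted without an allowlist entry. The enclosing function starts before the hunk.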
@@ -1106,6 +1122,12 @@ class UidPermissionPolicy : SchemePolicy() {
// Special permission for the recents app.
return true
}
+ // TODO(b/261913353): STOPSHIP: Add AndroidPackage.apexModuleName.
+ // This should be androidPackage.apexModuleName instead
+ if (permission.isModule && androidPackage.packageName != null) {
+ // Special permission granted for APKs inside APEX modules.
+ return true
+ }
return false
}
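Review bot: The placeholder test `permission.isModule && androidPackage.packageName != null` collapses to a bare `permission.isModule` check if `AndroidPackage.packageName` is a non-null `String` in its Kotlin view, which means every package would pass this grant branch for any module-protected permission until `apexModuleName` exists; the STOPSHIP TODO acknowledges the gap, but a fail-open placeholder on a grant path is the riskier default. Consider failing closed until the real field lands, e.g. `// TODO(b/261913353): STOPSHIP: grant once AndroidPackage.apexModuleName is available` followed by `if (permission.isModule) { return false }`, or, if permissiveness is deliberate for now, state that explicitly in the comment so it is not mistaken for a finished check. The enclosing function starts before the hunk.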
@@ -1155,6 +1177,13 @@ class UidPermissionPolicy : SchemePolicy() {
return uid == ownerUid
}
+ override fun MutateStateScope.onSystemReady() {
+ if (!privilegedPermissionAllowlistViolations.isEmpty()) {
+ throw IllegalStateException("Signature|privileged permissions not in privileged" +
+ " permission allowlist: $privilegedPermissionAllowlistViolations")
+ }
+ }
+
override fun BinaryXmlPullParser.parseSystemState(state: AccessState) {
with(persistence) { this@parseSystemState.parseSystemState(state) }
}
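Review bot: The invariant at the top of `onSystemReady` reads more idiomatically as `check(privilegedPermissionAllowlistViolations.isEmpty()) { "Signature|privileged permissions not in privileged permission allowlist: $privilegedPermissionAllowlistViolations" }`, which throws the same `IllegalStateException` with the same message and drops the `!...isEmpty()` negation. The message interpolates the `IndexedSet` directly, so its usefulness depends on that class's `toString` listing the entries rather than an object identity — worth confirming. The set is never cleared after the check, which is harmless if this hook runs once per boot but deserves a short comment saying so.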