author Chenbo Feng <fengc@google.com> 2019-03-25 18:13:34 -0700
committer Chenbo Feng <fengc@google.com> 2019-04-02 20:31:57 -0700
commita6817cd532d7036a2ec794f124368de94bf18621 (patch)
tree537af77cf47f1875677ddbc11c1f7d31750a1227
parent436fe58cce87934a88a6e3c6d7d16e19f69a4200 (diff)
Clean up permissions when uids are no longer used
The kernel eBPF maps have a blacklist that stores all the uids that don't have internet permission. When an app is uninstalled from the device and it is the last package on the device that uses that uid, make sure we clean the uid from the map and do not add no-longer-used uids into the eBPF map. This action helps reduce the number of entries stored in the map and reduces the chance of overflowing the eBPF map. Bug: 128944261 Test: PermissionMonitorTest Change-Id: I10dd0113d00d6cf9ca39902d9721f2591d387d4a
-rw-r--r--services/core/java/com/android/server/connectivity/PermissionMonitor.java14
-rw-r--r--tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java4
2 files changed, 14 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 31b96ca9e5bf..da1360d59539 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -100,6 +100,9 @@ public class PermissionMonitor {
app.requestedPermissionsFlags);
}
}
+ } else {
+ // The last package of this uid is removed from device. Clean the package up.
+ permission = INetd.PERMISSION_UNINSTALLED;
}
return permission;
}
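Review bot: The new `else` branch maps every case where the guarding condition fails to `INetd.PERMISSION_UNINSTALLED`, and per the commit description that removes the uid from a deny-list of uids without internet permission, so a uid wrongly classified here would presumably regain network access rather than lose it. The condition and the start of the method are outside the hunk, so it is not visible whether a null or transiently empty package list can also reach this branch; if it can, that case should not be treated as an uninstall. The comment should at least state the consequence, for example `// No package uses this uid any more; netd deletes its map entry, which lifts the restriction for this uid.`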
@@ -470,6 +473,7 @@ public class PermissionMonitor {
ArrayList<Integer> allPermissionAppIds = new ArrayList<>();
ArrayList<Integer> internetPermissionAppIds = new ArrayList<>();
ArrayList<Integer> updateStatsPermissionAppIds = new ArrayList<>();
+ ArrayList<Integer> noPermissionAppIds = new ArrayList<>();
ArrayList<Integer> uninstalledAppIds = new ArrayList<>();
for (int i = 0; i < netdPermissionsAppIds.size(); i++) {
int permissions = netdPermissionsAppIds.valueAt(i);
@@ -484,8 +488,10 @@ public class PermissionMonitor {
updateStatsPermissionAppIds.add(netdPermissionsAppIds.keyAt(i));
break;
case INetd.NO_PERMISSIONS:
- uninstalledAppIds.add(netdPermissionsAppIds.keyAt(i));
+ noPermissionAppIds.add(netdPermissionsAppIds.keyAt(i));
break;
+ case INetd.PERMISSION_UNINSTALLED:
+ uninstalledAppIds.add(netdPermissionsAppIds.keyAt(i));
default:
Log.e(TAG, "unknown permission type: " + permissions + "for uid: "
+ netdPermissionsAppIds.keyAt(i));
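Review bot: The new `case INetd.PERMISSION_UNINSTALLED:` has no `break;`, so after adding the id to `uninstalledAppIds` it falls through into `default:` and logs "unknown permission type" at error level for every uninstalled uid. The id is still collected, so as far as this hunk shows the netd update is unaffected, but the spurious errors will bury a genuinely unknown permission value in the log. Add `break;` after `uninstalledAppIds.add(netdPermissionsAppIds.keyAt(i));`. The log string in the context line is also missing a space before `for uid: `. The switch continues past the end of the hunk.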
@@ -506,8 +512,12 @@ public class PermissionMonitor {
mNetd.trafficSetNetPermForUids(INetd.PERMISSION_UPDATE_DEVICE_STATS,
ArrayUtils.convertToIntArray(updateStatsPermissionAppIds));
}
- if (uninstalledAppIds.size() != 0) {
+ if (noPermissionAppIds.size() != 0) {
mNetd.trafficSetNetPermForUids(INetd.NO_PERMISSIONS,
+ ArrayUtils.convertToIntArray(noPermissionAppIds));
+ }
+ if (uninstalledAppIds.size() != 0) {
+ mNetd.trafficSetNetPermForUids(INetd.PERMISSION_UNINSTALLED,
ArrayUtils.convertToIntArray(uninstalledAppIds));
}
} catch (RemoteException e) {
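Review bot: The `PERMISSION_UNINSTALLED` call is the last of several `trafficSetNetPermForUids` calls inside one `try`, so a `RemoteException` from any earlier call skips the cleanup and the stale uids stay in the map, which is the growth this commit is meant to prevent. The catch body is outside the hunk; if it only logs, the missed cleanup is silent. I would document that above the block, e.g. `// Cleanup of uninstalled uids is best-effort: a RemoteException above leaves their entries in the map.`, or include the pending uninstalled ids in the error log.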
diff --git a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
index 339cc9d2b76e..106cd1fba869 100644
--- a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
+++ b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
@@ -501,7 +501,7 @@ public class PermissionMonitorTest {
when(mPackageManager.getPackagesForUid(MOCK_UID1)).thenReturn(new String[]{});
mObserver.onPackageRemoved(MOCK_PACKAGE1, MOCK_UID1);
- mNetdServiceMonitor.expectPermission(INetd.NO_PERMISSIONS, new int[]{MOCK_UID1});
+ mNetdServiceMonitor.expectPermission(INetd.PERMISSION_UNINSTALLED, new int[]{MOCK_UID1});
}
@Test
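Review bot: Only the empty-array result of `getPackagesForUid` is exercised here and in the update test in the next hunk; no case covers a uid that another package still shares after the removal. Since `PERMISSION_UNINSTALLED` deletes the uid's entry, a test that removes one of two packages on a shared uid and asserts that the remaining package's permission is sent, not `PERMISSION_UNINSTALLED`, would guard the boundary the new else branch in PermissionMonitor depends on. The test method starts outside the hunk.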
@@ -515,7 +515,7 @@ public class PermissionMonitorTest {
// Remove and install the same package to simulate the update action
when(mPackageManager.getPackagesForUid(MOCK_UID1)).thenReturn(new String[]{});
mObserver.onPackageRemoved(MOCK_PACKAGE1, MOCK_UID1);
- mNetdServiceMonitor.expectPermission(INetd.NO_PERMISSIONS, new int[]{MOCK_UID1});
+ mNetdServiceMonitor.expectPermission(INetd.PERMISSION_UNINSTALLED, new int[]{MOCK_UID1});
addPackage(MOCK_PACKAGE1, MOCK_UID1, new String[] {INTERNET});
mNetdServiceMonitor.expectPermission(INetd.PERMISSION_INTERNET, new int[]{MOCK_UID1});