diff options
| author | 2024-02-22 10:51:58 +0100 | |
|---|---|---|
| committer | 2024-03-07 14:12:46 +0000 | |
| commit | f126be35f4b9f179dbb957ec56ca80b12f47abdc (patch) | |
| tree | 515c62ab6ab39572446ac710103d4de6417d223d | |
| parent | ad015f762d14d7f40867b18cc5999d12e5bd9cd7 (diff) | |
Check for NLS bind permission when rebinding services
Also, after updating packages with NLS components, check
the approved services and remove from approved list if missing permissions.
Test: atest ManagedServicesTest
Bug: 321707289
Change-Id: I11901755ec430c6e3145def9d67e4e63cda00806
(cherry picked from commit 24b13a64f9f5e5aa7f45a2132806d6c74e2c62dc)
Merged-In: I11901755ec430c6e3145def9d67e4e63cda00806
| -rw-r--r-- | services/core/java/com/android/server/notification/ManagedServices.java | 106 | ||||
| -rw-r--r-- | services/tests/uiservicestests/src/com/android/server/notification/ManagedServicesTest.java | 54 |
2 files changed, 136 insertions, 24 deletions
diff --git a/services/core/java/com/android/server/notification/ManagedServices.java b/services/core/java/com/android/server/notification/ManagedServices.java index e6bc79679a8f..496e8c6a1a34 100644 --- a/services/core/java/com/android/server/notification/ManagedServices.java +++ b/services/core/java/com/android/server/notification/ManagedServices.java @@ -901,6 +901,23 @@ abstract public class ManagedServices { return false; } + protected boolean isPackageOrComponentAllowedWithPermission(ComponentName component, + int userId) { + if (!(isPackageOrComponentAllowed(component.flattenToString(), userId) + || isPackageOrComponentAllowed(component.getPackageName(), userId))) { + return false; + } + return componentHasBindPermission(component, userId); + } + + private boolean componentHasBindPermission(ComponentName component, int userId) { + ServiceInfo info = getServiceInfo(component, userId); + if (info == null) { + return false; + } + return mConfig.bindPermission.equals(info.permission); + } + boolean isPackageOrComponentUserSet(String pkgOrComponent, int userId) { synchronized (mApproved) { ArraySet<String> services = mUserSetServices.get(userId); @@ -958,6 +975,7 @@ abstract public class ManagedServices { for (int uid : uidList) { if (isPackageAllowed(pkgName, UserHandle.getUserId(uid))) { anyServicesInvolved = true; + trimApprovedListsForInvalidServices(pkgName, UserHandle.getUserId(uid)); } } } @@ -1083,8 +1101,7 @@ abstract public class ManagedServices { synchronized (mMutex) { if (enabled) { - if (isPackageOrComponentAllowed(component.flattenToString(), userId) - || isPackageOrComponentAllowed(component.getPackageName(), userId)) { + if (isPackageOrComponentAllowedWithPermission(component, userId)) { registerServiceLocked(component, userId); } else { Slog.d(TAG, component + " no longer has permission to be bound"); @@ -1222,6 +1239,33 @@ abstract public class ManagedServices { return removed; } + private void trimApprovedListsForInvalidServices(String packageName, int userId) { + synchronized (mApproved) { + final ArrayMap<Boolean, ArraySet<String>> approvedByType = mApproved.get(userId); + if (approvedByType == null) { + return; + } + for (int i = 0; i < approvedByType.size(); i++) { + final ArraySet<String> approved = approvedByType.valueAt(i); + for (int j = approved.size() - 1; j >= 0; j--) { + final String approvedPackageOrComponent = approved.valueAt(j); + if (TextUtils.equals(getPackageName(approvedPackageOrComponent), packageName)) { + final ComponentName component = ComponentName.unflattenFromString( + approvedPackageOrComponent); + if (component != null && !componentHasBindPermission(component, userId)) { + approved.removeAt(j); + if (DEBUG) { + Slog.v(TAG, "Removing " + approvedPackageOrComponent + + " from approved list; no bind permission found " + + mConfig.bindPermission); + } + } + } + } + } + } + } + protected String getPackageName(String packageOrComponent) { final ComponentName component = ComponentName.unflattenFromString(packageOrComponent); if (component != null) { @@ -1405,28 +1449,20 @@ abstract public class ManagedServices { final int userId = componentsToBind.keyAt(i); final Set<ComponentName> add = componentsToBind.get(userId); for (ComponentName component : add) { - try { - ServiceInfo info = mPm.getServiceInfo(component, - PackageManager.GET_META_DATA - | PackageManager.MATCH_DIRECT_BOOT_AWARE - | PackageManager.MATCH_DIRECT_BOOT_UNAWARE, - userId); - if (info == null) { - Slog.w(TAG, "Not binding " + getCaption() + " service " + component - + ": service not found"); - continue; - } - if (!mConfig.bindPermission.equals(info.permission)) { - Slog.w(TAG, "Not binding " + getCaption() + " service " + component - + ": it does not require the permission " + mConfig.bindPermission); - continue; - } - Slog.v(TAG, - "enabling " + getCaption() + " for " + userId + ": " + component); - registerService(info, userId); - } catch (RemoteException e) { - e.rethrowFromSystemServer(); + ServiceInfo info = getServiceInfo(component, userId); + if (info == null) { + Slog.w(TAG, "Not binding " + getCaption() + " service " + component + + ": service not found"); + continue; } + if (!mConfig.bindPermission.equals(info.permission)) { + Slog.w(TAG, "Not binding " + getCaption() + " service " + component + + ": it does not require the permission " + mConfig.bindPermission); + continue; + } + Slog.v(TAG, + "enabling " + getCaption() + " for " + userId + ": " + component); + registerService(info, userId); } } } @@ -1447,6 +1483,15 @@ abstract public class ManagedServices { } } + @VisibleForTesting + void reregisterService(final ComponentName cn, final int userId) { + // If rebinding a package that died, ensure it still has permission + // after the rebind delay + if (isPackageOrComponentAllowedWithPermission(cn, userId)) { + registerService(cn, userId); + } + } + /** * Inject a system service into the management list. */ @@ -1548,7 +1593,7 @@ abstract public class ManagedServices { mHandler.postDelayed(new Runnable() { @Override public void run() { - registerService(name, userid); + reregisterService(name, userid); } }, ON_BINDING_DIED_REBIND_DELAY_MS); } else { @@ -1680,6 +1725,19 @@ abstract public class ManagedServices { } } + private ServiceInfo getServiceInfo(ComponentName component, int userId) { + try { + return mPm.getServiceInfo(component, + PackageManager.GET_META_DATA + | PackageManager.MATCH_DIRECT_BOOT_AWARE + | PackageManager.MATCH_DIRECT_BOOT_UNAWARE, + userId); + } catch (RemoteException e) { + e.rethrowFromSystemServer(); + } + return null; + } + public class ManagedServiceInfo implements IBinder.DeathRecipient { public IInterface service; public ComponentName component; diff --git a/services/tests/uiservicestests/src/com/android/server/notification/ManagedServicesTest.java b/services/tests/uiservicestests/src/com/android/server/notification/ManagedServicesTest.java index 2f054b004d42..27a9522f04c4 100644 --- a/services/tests/uiservicestests/src/com/android/server/notification/ManagedServicesTest.java +++ b/services/tests/uiservicestests/src/com/android/server/notification/ManagedServicesTest.java @@ -28,8 +28,10 @@ import static org.mockito.Matchers.any; import static org.mockito.Matchers.anyInt; import static org.mockito.Matchers.anyLong; import static org.mockito.Matchers.eq; +import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.never; +import static org.mockito.Mockito.spy; import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; @@ -959,6 +961,58 @@ public class ManagedServicesTest extends UiServiceTestCase { } @Test + public void testUpgradeAppNoPermissionNoRebind() throws Exception { + Context context = spy(getContext()); + doReturn(true).when(context).bindServiceAsUser(any(), any(), anyInt(), any()); + + ManagedServices service = new TestManagedServices(context, mLock, mUserProfiles, + mIpm, + APPROVAL_BY_COMPONENT); + + List<String> packages = new ArrayList<>(); + packages.add("package"); + addExpectedServices(service, packages, 0); + + final ComponentName unapprovedComponent = ComponentName.unflattenFromString("package/C1"); + final ComponentName approvedComponent = ComponentName.unflattenFromString("package/C2"); + + // Both components are approved initially + mExpectedPrimaryComponentNames.clear(); + mExpectedPrimaryPackages.clear(); + mExpectedPrimaryComponentNames.put(0, "package/C1:package/C2"); + mExpectedSecondaryComponentNames.clear(); + mExpectedSecondaryPackages.clear(); + + loadXml(service); + + //Component package/C1 loses bind permission + when(mIpm.getServiceInfo(any(), anyLong(), anyInt())).thenAnswer( + (Answer<ServiceInfo>) invocation -> { + ComponentName invocationCn = invocation.getArgument(0); + if (invocationCn != null) { + ServiceInfo serviceInfo = new ServiceInfo(); + serviceInfo.packageName = invocationCn.getPackageName(); + serviceInfo.name = invocationCn.getClassName(); + if (invocationCn.equals(unapprovedComponent)) { + serviceInfo.permission = "none"; + } else { + serviceInfo.permission = service.getConfig().bindPermission; + } + serviceInfo.metaData = null; + return serviceInfo; + } + return null; + } + ); + + // Trigger package update + service.onPackagesChanged(false, new String[]{"package"}, new int[]{0}); + + assertFalse(service.isComponentEnabledForCurrentProfiles(unapprovedComponent)); + assertTrue(service.isComponentEnabledForCurrentProfiles(approvedComponent)); + } + + @Test public void testSetPackageOrComponentEnabled() throws Exception { for (int approvalLevel : new int[] {APPROVAL_BY_COMPONENT, APPROVAL_BY_PACKAGE}) { ManagedServices service = new TestManagedServices(getContext(), mLock, mUserProfiles, |