Merge "Grant access to device identifiers with READ_DEVICE_IDENTIFIERS appop" into qt-dev

author: TreeHugger Robot <treehugger-gerrit@google.com> 2019-04-16 21:52:56 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2019-04-16 21:52:56 +0000
commit: f636d3cde86392cfb5b849ffcb0a51fd6574f231 (patch)
tree: 474450d006e9c25425799e490ab051a888bb31fd
parent: b33a6c6067ec3896be2584e4481b1ec038e7f774 (diff)
parent: 656ef911b4655c1b3e2c62b46ddd700534ccc9a2 (diff)
2 files changed, 26 insertions, 2 deletions
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 6f9224481eba..227703d7c027 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -823,9 +823,11 @@ public class AppOpsManager {
     public static final int OP_LEGACY_STORAGE = 87;
     /** @hide Accessing accessibility features */
     public static final int OP_ACCESS_ACCESSIBILITY = 88;
+    /** @hide Read the device identifiers (IMEI / MEID, IMSI, SIM / Build serial) */
+    public static final int OP_READ_DEVICE_IDENTIFIERS = 89;
     /** @hide */
     @UnsupportedAppUsage
-    public static final int _NUM_OP = 89;
+    public static final int _NUM_OP = 90;
 
     /** Access to coarse location information. */
     public static final String OPSTR_COARSE_LOCATION = "android:coarse_location";
@@ -1099,6 +1101,8 @@ public class AppOpsManager {
     /** @hide Interact with accessibility. */
     @SystemApi
     public static final String OPSTR_ACCESS_ACCESSIBILITY = "android:access_accessibility";
+    /** @hide Read device identifiers */
+    public static final String OPSTR_READ_DEVICE_IDENTIFIERS = "android:read_device_identifiers";
 
     // Warning: If an permission is added here it also has to be added to
     // com.android.packageinstaller.permission.utils.EventLogger
@@ -1259,6 +1263,7 @@ public class AppOpsManager {
             OP_WRITE_MEDIA_IMAGES,              // WRITE_MEDIA_IMAGES
             OP_LEGACY_STORAGE,                  // LEGACY_STORAGE
             OP_ACCESS_ACCESSIBILITY,            // ACCESS_ACCESSIBILITY
+            OP_READ_DEVICE_IDENTIFIERS,         // READ_DEVICE_IDENTIFIERS
     };
 
     /**
@@ -1354,6 +1359,7 @@ public class AppOpsManager {
             OPSTR_WRITE_MEDIA_IMAGES,
             OPSTR_LEGACY_STORAGE,
             OPSTR_ACCESS_ACCESSIBILITY,
+            OPSTR_READ_DEVICE_IDENTIFIERS,
     };
 
     /**
@@ -1450,6 +1456,7 @@ public class AppOpsManager {
             "WRITE_MEDIA_IMAGES",
             "LEGACY_STORAGE",
             "ACCESS_ACCESSIBILITY",
+            "READ_DEVICE_IDENTIFIERS",
     };
 
     /**
@@ -1547,6 +1554,7 @@ public class AppOpsManager {
             null, // no permission for OP_WRITE_MEDIA_IMAGES
             null, // no permission for OP_LEGACY_STORAGE
             null, // no permission for OP_ACCESS_ACCESSIBILITY
+            null, // no direct permission for OP_READ_DEVICE_IDENTIFIERS
     };
 
     /**
@@ -1644,6 +1652,7 @@ public class AppOpsManager {
             null, // WRITE_MEDIA_IMAGES
             null, // LEGACY_STORAGE
             null, // ACCESS_ACCESSIBILITY
+            null, // READ_DEVICE_IDENTIFIERS
     };
 
     /**
@@ -1740,6 +1749,7 @@ public class AppOpsManager {
             false, // WRITE_MEDIA_IMAGES
             false, // LEGACY_STORAGE
             false, // ACCESS_ACCESSIBILITY
+            false, // READ_DEVICE_IDENTIFIERS
     };
 
     /**
@@ -1835,6 +1845,7 @@ public class AppOpsManager {
             AppOpsManager.MODE_ERRORED, // WRITE_MEDIA_IMAGES
             AppOpsManager.MODE_DEFAULT, // LEGACY_STORAGE
             AppOpsManager.MODE_ALLOWED, // ACCESS_ACCESSIBILITY
+            AppOpsManager.MODE_ERRORED, // READ_DEVICE_IDENTIFIERS
     };
 
     /**
@@ -1934,6 +1945,7 @@ public class AppOpsManager {
             false, // WRITE_MEDIA_IMAGES
             false, // LEGACY_STORAGE
             false, // ACCESS_ACCESSIBILITY
+            false, // READ_DEVICE_IDENTIFIERS
     };
 
     /**
diff --git a/telephony/java/com/android/internal/telephony/TelephonyPermissions.java b/telephony/java/com/android/internal/telephony/TelephonyPermissions.java
index 80fb58d45078..12b20efcb0b3 100644
--- a/telephony/java/com/android/internal/telephony/TelephonyPermissions.java
+++ b/telephony/java/com/android/internal/telephony/TelephonyPermissions.java
@@ -344,10 +344,22 @@ public final class TelephonyPermissions {
             return true;
         }
         // if the calling package is null then return now as there's no way to perform the
-        // DevicePolicyManager device / profile owner checks.
+        // DevicePolicyManager device / profile owner and AppOp checks
         if (callingPackage == null) {
             return false;
         }
+        // Allow access to an app that has been granted the READ_DEVICE_IDENTIFIERS app op.
+        long token = Binder.clearCallingIdentity();
+        AppOpsManager appOpsManager = (AppOpsManager) context.getSystemService(
+                Context.APP_OPS_SERVICE);
+        try {
+            if (appOpsManager.noteOpNoThrow(AppOpsManager.OPSTR_READ_DEVICE_IDENTIFIERS, uid,
+                    callingPackage) == AppOpsManager.MODE_ALLOWED) {
+                return true;
+            }
+        } finally {
+            Binder.restoreCallingIdentity(token);
+        }
         // Allow access to a device / profile owner app.
         DevicePolicyManager devicePolicyManager = (DevicePolicyManager) context.getSystemService(
                 Context.DEVICE_POLICY_SERVICE);
author	TreeHugger Robot <treehugger-gerrit@google.com>	2019-04-16 21:52:56 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2019-04-16 21:52:56 +0000
commit	f636d3cde86392cfb5b849ffcb0a51fd6574f231 (patch)
tree	474450d006e9c25425799e490ab051a888bb31fd
parent	b33a6c6067ec3896be2584e4481b1ec038e7f774 (diff)
parent	656ef911b4655c1b3e2c62b46ddd700534ccc9a2 (diff)