diff options
3 files changed, 239 insertions, 71 deletions
diff --git a/services/core/java/com/android/server/TelephonyRegistry.java b/services/core/java/com/android/server/TelephonyRegistry.java index ce786656c043..8b5176e2c858 100644 --- a/services/core/java/com/android/server/TelephonyRegistry.java +++ b/services/core/java/com/android/server/TelephonyRegistry.java @@ -56,6 +56,7 @@ import com.android.internal.telephony.ITelephonyRegistry; import com.android.internal.telephony.PhoneConstantConversions; import com.android.internal.telephony.PhoneConstants; import com.android.internal.telephony.TelephonyIntents; +import com.android.internal.telephony.TelephonyPermissions; import com.android.internal.util.DumpUtils; import com.android.internal.util.IndentingPrintWriter; import com.android.server.am.BatteryStatsService; @@ -384,20 +385,9 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub { + " callback.asBinder=" + callback.asBinder()); } - try { - mContext.enforceCallingOrSelfPermission( - android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, - "addOnSubscriptionsChangedListener"); - // SKIP checking for run-time permission since caller or self has PRIVILEGED permission - } catch (SecurityException e) { - mContext.enforceCallingOrSelfPermission( - android.Manifest.permission.READ_PHONE_STATE, - "addOnSubscriptionsChangedListener"); - - if (mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(), - callingPackage) != AppOpsManager.MODE_ALLOWED) { - return; - } + if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState( + mContext, callingPackage, "addOnSubscriptionsChangedListener")) { + return; } @@ -493,21 +483,11 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub { } if (events != PhoneStateListener.LISTEN_NONE) { - /* Checks permission and throws Security exception */ - checkListenerPermission(events); - - if ((events & ENFORCE_PHONE_STATE_PERMISSION_MASK) != 0) { - try { - mContext.enforceCallingOrSelfPermission( - android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, null); - // SKIP checking for run-time permission since caller or self has PRIVILEGED - // permission - } catch (SecurityException e) { - if (mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(), - callingPackage) != AppOpsManager.MODE_ALLOWED) { - return; - } - } + // Checks permission and throws SecurityException for disallowed operations. For pre-M + // apps whose runtime permission has been revoked, we return immediately to skip sending + // events to the app without crashing it. + if (!checkListenerPermission(events, callingPackage, "listen")) { + return; } int phoneId = SubscriptionManager.getPhoneId(subId); @@ -526,7 +506,8 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub { r.callerPid = Binder.getCallingPid(); boolean isPhoneStateEvent = (events & (CHECK_PHONE_STATE_PERMISSION_MASK | ENFORCE_PHONE_STATE_PERMISSION_MASK)) != 0; - r.canReadPhoneState = isPhoneStateEvent && canReadPhoneState(callingPackage); + r.canReadPhoneState = + isPhoneStateEvent && canReadPhoneState(callingPackage, "listen"); // Legacy applications pass SubscriptionManager.DEFAULT_SUB_ID, // force all illegal subId to SubscriptionManager.DEFAULT_SUB_ID if (!SubscriptionManager.isValidSubscriptionId(subId)) { @@ -686,21 +667,13 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub { } } - private boolean canReadPhoneState(String callingPackage) { - if (mContext.checkCallingOrSelfPermission( - android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE) == - PackageManager.PERMISSION_GRANTED) { - // SKIP checking for run-time permission since caller or self has PRIVILEGED permission - return true; - } - boolean canReadPhoneState = mContext.checkCallingOrSelfPermission( - android.Manifest.permission.READ_PHONE_STATE) == PackageManager.PERMISSION_GRANTED; - if (canReadPhoneState && - mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(), - callingPackage) != AppOpsManager.MODE_ALLOWED) { + private boolean canReadPhoneState(String callingPackage, String message) { + try { + return TelephonyPermissions.checkCallingOrSelfReadPhoneState( + mContext, callingPackage, message); + } catch (SecurityException e) { return false; } - return canReadPhoneState; } private String getCallIncomingNumber(Record record, int phoneId) { @@ -1672,11 +1645,12 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub { } private void enforceNotifyPermissionOrCarrierPrivilege(String method) { - if (checkNotifyPermission()) { + if (checkNotifyPermission()) { return; } - enforceCarrierPrivilege(); + TelephonyPermissions.enforceCallingOrSelfCarrierPrivilege( + SubscriptionManager.getDefaultSubscriptionId(), method); } private boolean checkNotifyPermission(String method) { @@ -1694,23 +1668,7 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub { == PackageManager.PERMISSION_GRANTED; } - private void enforceCarrierPrivilege() { - TelephonyManager tm = TelephonyManager.getDefault(); - String[] pkgs = mContext.getPackageManager().getPackagesForUid(Binder.getCallingUid()); - for (String pkg : pkgs) { - if (tm.checkCarrierPrivilegesForPackage(pkg) == - TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS) { - return; - } - } - - String msg = "Carrier Privilege Permission Denial: from pid=" + Binder.getCallingPid() - + ", uid=" + Binder.getCallingUid(); - if (DBG) log(msg); - throw new SecurityException(msg); - } - - private void checkListenerPermission(int events) { + private boolean checkListenerPermission(int events, String callingPackage, String message) { if ((events & PhoneStateListener.LISTEN_CELL_LOCATION) != 0) { mContext.enforceCallingOrSelfPermission( android.Manifest.permission.ACCESS_COARSE_LOCATION, null); @@ -1724,22 +1682,18 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub { } if ((events & ENFORCE_PHONE_STATE_PERMISSION_MASK) != 0) { - try { - mContext.enforceCallingOrSelfPermission( - android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, null); - // SKIP checking for run-time permission since caller or self has PRIVILEGED - // permission - } catch (SecurityException e) { - mContext.enforceCallingOrSelfPermission( - android.Manifest.permission.READ_PHONE_STATE, null); + if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState( + mContext, callingPackage, message)) { + return false; } } if ((events & PRECISE_PHONE_STATE_PERMISSION_MASK) != 0) { mContext.enforceCallingOrSelfPermission( android.Manifest.permission.READ_PRECISE_PHONE_STATE, null); - } + + return true; } private void handleRemoveListLocked() { diff --git a/telephony/java/com/android/internal/telephony/ITelephony.aidl b/telephony/java/com/android/internal/telephony/ITelephony.aidl index 02cc82cf56b0..9e2b519e3dd6 100644 --- a/telephony/java/com/android/internal/telephony/ITelephony.aidl +++ b/telephony/java/com/android/internal/telephony/ITelephony.aidl @@ -952,6 +952,11 @@ interface ITelephony { int getCarrierPrivilegeStatus(int subId); /** + * Similar to above, but check for the given uid. + */ + int getCarrierPrivilegeStatusForUid(int subId, int uid); + + /** * Similar to above, but check for the package whose name is pkgName. */ int checkCarrierPrivilegesForPackage(String pkgName); diff --git a/telephony/java/com/android/internal/telephony/TelephonyPermissions.java b/telephony/java/com/android/internal/telephony/TelephonyPermissions.java new file mode 100644 index 000000000000..da8471fa19ed --- /dev/null +++ b/telephony/java/com/android/internal/telephony/TelephonyPermissions.java @@ -0,0 +1,209 @@ +/* + * Copyright (C) 2018 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.android.internal.telephony; + +import android.app.AppOpsManager; +import android.content.Context; +import android.content.pm.PackageManager; +import android.os.Binder; +import android.os.RemoteException; +import android.os.ServiceManager; +import android.telephony.Rlog; +import android.telephony.SubscriptionManager; +import android.telephony.TelephonyManager; + +import com.android.internal.annotations.VisibleForTesting; +import com.android.internal.telephony.ITelephony; + +/** Utility class for Telephony permission enforcement. */ +public final class TelephonyPermissions { + private static final String LOG_TAG = "TelephonyPermissions"; + + private static final boolean DBG = false; + + private TelephonyPermissions() {} + + /** + * Check whether the caller (or self, if not processing an IPC) can read phone state. + * + * <p>This method behaves in one of the following ways: + * <ul> + * <li>return true: if the caller has either the READ_PRIVILEGED_PHONE_STATE permission or the + * READ_PHONE_STATE runtime permission. + * <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for + * apps which support runtime permissions, if the caller does not currently have any of + * these permissions. + * <li>return false: if the caller lacks all of these permissions and doesn't support runtime + * permissions. This implies that the user revoked the ability to read phone state + * manually (via AppOps). In this case we can't throw as it would break app compatibility, + * so we return false to indicate that the calling function should return dummy data. + * </ul> + */ + public static boolean checkCallingOrSelfReadPhoneState( + Context context, String callingPackage, String message) { + return checkReadPhoneState(context, Binder.getCallingPid(), Binder.getCallingUid(), + callingPackage, message); + } + + /** + * Check whether the app with the given pid/uid can read phone state. + * + * <p>This method behaves in one of the following ways: + * <ul> + * <li>return true: if the caller has either the READ_PRIVILEGED_PHONE_STATE permission or the + * READ_PHONE_STATE runtime permission. + * <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for + * apps which support runtime permissions, if the caller does not currently have any of + * these permissions. + * <li>return false: if the caller lacks all of these permissions and doesn't support runtime + * permissions. This implies that the user revoked the ability to read phone state + * manually (via AppOps). In this case we can't throw as it would break app compatibility, + * so we return false to indicate that the calling function should return dummy data. + * </ul> + */ + public static boolean checkReadPhoneState( + Context context, int pid, int uid, String callingPackage, String message) { + try { + context.enforcePermission( + android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, pid, uid, message); + + // SKIP checking for run-time permission since caller has PRIVILEGED permission + return true; + } catch (SecurityException privilegedPhoneStateException) { + context.enforcePermission( + android.Manifest.permission.READ_PHONE_STATE, pid, uid, message); + } + + // We have READ_PHONE_STATE permission, so return true as long as the AppOps bit hasn't been + // revoked. + AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE); + return appOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, uid, callingPackage) == + AppOpsManager.MODE_ALLOWED; + } + + /** + * Returns whether the caller can read phone numbers. + * + * <p>Besides apps with the ability to read phone state per {@link #checkReadPhoneState}, the + * default SMS app and apps with READ_SMS or READ_PHONE_NUMBERS can also read phone numbers. + */ + public static boolean checkCallingOrSelfReadPhoneNumber( + Context context, String callingPackage, String message) { + return checkReadPhoneNumber( + context, Binder.getCallingPid(), Binder.getCallingUid(), callingPackage, message); + } + + @VisibleForTesting + public static boolean checkReadPhoneNumber( + Context context, int pid, int uid, String callingPackage, String message) { + // Default SMS app can always read it. + AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE); + if (appOps.noteOp(AppOpsManager.OP_WRITE_SMS, uid, callingPackage) == + AppOpsManager.MODE_ALLOWED) { + return true; + } + + // NOTE(b/73308711): If an app has one of the following AppOps bits explicitly revoked, they + // will be denied access, even if they have another permission and AppOps bit if needed. + + // First, check if we can read the phone state. + try { + return checkReadPhoneState(context, pid, uid, callingPackage, message); + } catch (SecurityException readPhoneStateSecurityException) { + } + // Can be read with READ_SMS too. + try { + context.enforcePermission(android.Manifest.permission.READ_SMS, pid, uid, message); + int opCode = AppOpsManager.permissionToOpCode(android.Manifest.permission.READ_SMS); + if (opCode != AppOpsManager.OP_NONE) { + return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED; + } else { + return true; + } + } catch (SecurityException readSmsSecurityException) { + } + // Can be read with READ_PHONE_NUMBERS too. + try { + context.enforcePermission(android.Manifest.permission.READ_PHONE_NUMBERS, pid, uid, + message); + int opCode = AppOpsManager.permissionToOpCode( + android.Manifest.permission.READ_PHONE_NUMBERS); + if (opCode != AppOpsManager.OP_NONE) { + return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED; + } else { + return true; + } + } catch (SecurityException readPhoneNumberSecurityException) { + } + + throw new SecurityException(message + ": Neither user " + uid + + " nor current process has " + android.Manifest.permission.READ_PHONE_STATE + + ", " + android.Manifest.permission.READ_SMS + ", or " + + android.Manifest.permission.READ_PHONE_NUMBERS); + } + + /** + * Ensure the caller (or self, if not processing an IPC) has MODIFY_PHONE_STATE (and is thus a + * privileged app) or carrier privileges. + * + * @throws SecurityException if the caller does not have the required permission/privileges + */ + public static void enforceCallingOrSelfModifyPermissionOrCarrierPrivilege( + Context context, int subId, String message) { + if (context.checkCallingOrSelfPermission(android.Manifest.permission.MODIFY_PHONE_STATE) == + PackageManager.PERMISSION_GRANTED) { + return; + } + + if (DBG) Rlog.d(LOG_TAG, "No modify permission, check carrier privilege next."); + enforceCallingOrSelfCarrierPrivilege(subId, message); + } + + /** + * Make sure the caller (or self, if not processing an IPC) has carrier privileges. + * + * @throws SecurityException if the caller does not have the required privileges + */ + public static void enforceCallingOrSelfCarrierPrivilege(int subId, String message) { + // NOTE: It's critical that we explicitly pass the calling UID here rather than call + // TelephonyManager#hasCarrierPrivileges directly, as the latter only works when called from + // the phone process. When called from another process, it will check whether that process + // has carrier privileges instead. + enforceCarrierPrivilege(subId, Binder.getCallingUid(), message); + } + + private static void enforceCarrierPrivilege(int subId, int uid, String message) { + if (getCarrierPrivilegeStatus(subId, uid) != + TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS) { + if (DBG) Rlog.e(LOG_TAG, "No Carrier Privilege."); + throw new SecurityException(message); + } + } + + private static int getCarrierPrivilegeStatus(int subId, int uid) { + ITelephony telephony = + ITelephony.Stub.asInterface(ServiceManager.getService(Context.TELEPHONY_SERVICE)); + try { + if (telephony != null) { + return telephony.getCarrierPrivilegeStatusForUid(subId, uid); + } + } catch (RemoteException e) { + // Fallback below. + } + Rlog.e(LOG_TAG, "Phone process is down, cannot check carrier privileges"); + return TelephonyManager.CARRIER_PRIVILEGE_STATUS_NO_ACCESS; + } +} |