| -rw-r--r-- | api/system-current.txt | 4 | ||||
| -rw-r--r-- | api/test-current.txt | 4 | ||||
| -rw-r--r-- | core/java/android/net/NetworkStack.java | 20 | ||||
| -rw-r--r-- | packages/NetworkStack/Android.bp | 1 | ||||
| -rw-r--r-- | packages/NetworkStack/AndroidManifest.xml | 2 | ||||
| -rw-r--r-- | packages/NetworkStackPermissionStub/Android.bp | 27 | ||||
| -rw-r--r-- | packages/NetworkStackPermissionStub/AndroidManifest.xml | 36 | ||||
| -rw-r--r-- | packages/NetworkStackPermissionStub/src/com/android/server/NetworkStackPermissionStub.java | 26 |
8 files changed, 120 insertions, 0 deletions
diff --git a/api/system-current.txt b/api/system-current.txt index 9cfe60428fe1..2b72763cb246 100644 --- a/api/system-current.txt +++ b/api/system-current.txt @@ -3186,6 +3186,10 @@ package android.net { field public static final String EXTRA_PACKAGE_NAME = "packageName"; } + public class NetworkStack { + field public static final String PERMISSION_MAINLINE_NETWORK_STACK = "android.permission.MAINLINE_NETWORK_STACK"; + } + public final class RouteInfo implements android.os.Parcelable { ctor public RouteInfo(android.net.IpPrefix, java.net.InetAddress, String, int); method public int getType(); diff --git a/api/test-current.txt b/api/test-current.txt index 1384f0b7b41e..e4f999bb1f71 100644 --- a/api/test-current.txt +++ b/api/test-current.txt @@ -669,6 +669,10 @@ package android.net { method public boolean satisfiedByNetworkCapabilities(android.net.NetworkCapabilities); } + public class NetworkStack { + field public static final String PERMISSION_MAINLINE_NETWORK_STACK = "android.permission.MAINLINE_NETWORK_STACK"; + } + public final class RouteInfo implements android.os.Parcelable { ctor public RouteInfo(android.net.IpPrefix, java.net.InetAddress, String, int); method public int getType(); diff --git a/core/java/android/net/NetworkStack.java b/core/java/android/net/NetworkStack.java index ac6bff029e8c..ec38ac19fe5e 100644 --- a/core/java/android/net/NetworkStack.java +++ b/core/java/android/net/NetworkStack.java @@ -20,7 +20,9 @@ import static android.os.IServiceManager.DUMP_FLAG_PRIORITY_NORMAL; import android.annotation.NonNull; import android.annotation.Nullable; +import android.annotation.SystemApi; import android.annotation.SystemService; +import android.annotation.TestApi; import android.content.ComponentName; import android.content.Context; import android.content.Intent; 
@@ -46,9 +48,22 @@ import java.util.ArrayList; * @hide */ @SystemService(Context.NETWORK_STACK_SERVICE) +@SystemApi +@TestApi public class NetworkStack { private static final String TAG = NetworkStack.class.getSimpleName(); + /** + * Permission granted only to the NetworkStack APK, defined in NetworkStackStub with signature + * protection level. + * @hide + */ + @SystemApi + @TestApi + public static final String PERMISSION_MAINLINE_NETWORK_STACK = + "android.permission.MAINLINE_NETWORK_STACK"; + + /** @hide */ public static final String NETWORKSTACK_PACKAGE_NAME = "com.android.mainline.networkstack"; private static final int NETWORKSTACK_TIMEOUT_MS = 10_000; @@ -66,12 +81,14 @@ public class NetworkStack { void onNetworkStackConnected(INetworkStackConnector connector); } + /** @hide */ public NetworkStack() { } /** * Create a DHCP server according to the specified parameters. * * <p>The server will be returned asynchronously through the provided callbacks. + * @hide */ public void makeDhcpServer(final String ifName, final DhcpServingParamsParcel params, final IDhcpServerCallbacks cb) { @@ -88,6 +105,7 @@ public class NetworkStack { * Create an IpClient on the specified interface. * * <p>The IpClient will be returned asynchronously through the provided callbacks. + * @hide */ public void makeIpClient(String ifName, IIpClientCallbacks cb) { requestConnector(connector -> { @@ -103,6 +121,7 @@ public class NetworkStack { * Create a NetworkMonitor. * * <p>The INetworkMonitor will be returned asynchronously through the provided callbacks. + * @hide */ public void makeNetworkMonitor( NetworkParcelable network, String name, INetworkMonitorCallbacks cb) { 
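Review bot: The new Javadoc on `PERMISSION_MAINLINE_NETWORK_STACK` in core/java/android/net/NetworkStack.java says the permission is defined in NetworkStackStub, but the module and package this commit adds are NetworkStackPermissionStub and `com.android.mainline.networkstack.permissionstub`. The same name appears in the comment added to packages/NetworkStack/AndroidManifest.xml. Suggest `Permission granted only to the NetworkStack APK, defined in NetworkStackPermissionStub with signature protection level.` No line in this diff checks the permission, so the Javadoc would also benefit from one sentence naming which callers or services are expected to enforce it. The class body continues outside the hunk.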
@@ -153,6 +172,7 @@ public class NetworkStack { * the system server on devices that do not support the network stack module. The network stack * connector will then be delivered asynchronously to clients that requested it before it was * started. + * @hide */ public void start(Context context) { mNetworkStackStartRequested = true; diff --git a/packages/NetworkStack/Android.bp b/packages/NetworkStack/Android.bp index b0522f2a99a0..d6565936c860 100644 --- a/packages/NetworkStack/Android.bp +++ b/packages/NetworkStack/Android.bp @@ -41,4 +41,5 @@ android_app { "NetworkStackLib" ], manifest: "AndroidManifest.xml", + required: ["NetworkStackPermissionStub"], }
\ No newline at end of file diff --git a/packages/NetworkStack/AndroidManifest.xml b/packages/NetworkStack/AndroidManifest.xml index 5ab833bda66d..ac55bfa1aed7 100644 --- a/packages/NetworkStack/AndroidManifest.xml +++ b/packages/NetworkStack/AndroidManifest.xml @@ -25,6 +25,8 @@ <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" /> <uses-permission android:name="android.permission.NETWORK_SETTINGS" /> + <!-- Signature permission defined in NetworkStackStub --> + <uses-permission android:name="android.permission.MAINLINE_NETWORK_STACK" /> <!-- Launch captive portal app as specific user --> <uses-permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL" /> <uses-permission android:name="android.permission.NETWORK_STACK" /> diff --git a/packages/NetworkStackPermissionStub/Android.bp b/packages/NetworkStackPermissionStub/Android.bp new file mode 100644 index 000000000000..94870c919dfa --- /dev/null +++ b/packages/NetworkStackPermissionStub/Android.bp 
@@ -0,0 +1,27 @@
+//
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+// Stub APK to define permissions for NetworkStack
+android_app {
+ name: "NetworkStackPermissionStub",
+ // TODO: mark app as hasCode=false in manifest once soong stops complaining about apps without
+ // a classes.dex.
+ srcs: ["src/**/*.java"],
+ platform_apis: true,
+ certificate: "platform",
+ privileged: true,
+ manifest: "AndroidManifest.xml",
+}
diff --git a/packages/NetworkStackPermissionStub/AndroidManifest.xml b/packages/NetworkStackPermissionStub/AndroidManifest.xml
new file mode 100644
index 000000000000..2ccf5ff1a01a
--- /dev/null
+++ b/packages/NetworkStackPermissionStub/AndroidManifest.xml
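Review bot: `certificate: "platform"` in packages/NetworkStackPermissionStub/Android.bp does not match the stub's own manifest comment, which says the stub and NetworkStack are to be signed with a dedicated certificate. A `protectionLevel="signature"` permission is granted to any package signed with the same key as the APK that defines it, so with the platform key every platform-signed app that requests `android.permission.MAINLINE_NETWORK_STACK` would hold it, not only NetworkStack. If the platform key is an interim choice, a comment such as `// TODO: switch to the dedicated NetworkStack certificate; until then any platform-signed app can obtain MAINLINE_NETWORK_STACK` would record that. `privileged: true` also looks unnecessary for an APK whose only job is to declare a permission; worth confirming and dropping if nothing depends on it.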
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.mainline.networkstack.permissionstub">
+ <!--
+ This package only exists to define the below permissions, and enforce that they are only
+ granted to apps sharing the same signature.
+ Permissions defined here are intended to be used only by the NetworkStack: both
+ NetworkStack and this stub APK are to be signed with a dedicated certificate to ensure
+ that, with the below permissions being signature permissions.
+
+ This APK *must* be installed, even if the NetworkStack app is not installed, because otherwise,
+ any application will be able to define this permission and the system will give that application
+ full access to the network stack.
+ -->
+ <permission android:name="android.permission.MAINLINE_NETWORK_STACK"
+ android:protectionLevel="signature"/>
+
+ <application android:name="com.android.server.NetworkStackPermissionStub"/>
+</manifest>
\ No newline at end of file
diff --git a/packages/NetworkStackPermissionStub/src/com/android/server/NetworkStackPermissionStub.java b/packages/NetworkStackPermissionStub/src/com/android/server/NetworkStackPermissionStub.java
new file mode 100644
index 000000000000..01e59d28d995
--- /dev/null
+++ b/packages/NetworkStackPermissionStub/src/com/android/server/NetworkStackPermissionStub.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server;
+
+import android.app.Application;
+
+/**
+ * Empty application for NetworkStackStub that only exists because soong builds complain if APKs
+ * have no source file.
+ */
+public class NetworkStackPermissionStub extends Application {
+} |
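Review bot: The comment in packages/NetworkStackPermissionStub/AndroidManifest.xml says this APK must be installed even when NetworkStack is not, yet the only thing in this commit that pulls it into an image is `required: ["NetworkStackPermissionStub"]` on the NetworkStack module in packages/NetworkStack/Android.bp. That dependency has no effect on a build that omits NetworkStack, which is exactly the case the comment warns about, where another application could define `android.permission.MAINLINE_NETWORK_STACK` itself. Unless a product makefile outside this diff already lists the stub, it should be added to the base product package list, and the comment should say where that guarantee is made. The sentence ending "to ensure that, with the below permissions being signature permissions" is also hard to parse; suggest `... signed with a dedicated certificate, so that the signature permissions below are granted only to the NetworkStack.`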