From 94582d7a31c5305274d0858a51eb179044da195d Mon Sep 17 00:00:00 2001
From: Yi-an Chen
Date: Tue, 10 Jan 2023 18:45:26 +0000
Subject: Handle privileged permission allowlist and isModule
Bug: 263504888
Test: Build
Change-Id: Id0bc2e7b2402d67a67d9e722ba76067cbff89bcd
---
 .../permission/access/AccessCheckingService.kt | 6 ++++
 .../server/permission/access/AccessPolicy.kt | 9 ++++++
 .../server/permission/access/AccessState.kt | 4 +++
 .../permission/access/permission/Permission.kt | 3 ++
 .../access/permission/PermissionService.kt | 2 +-
 .../access/permission/UidPermissionPolicy.kt | 35 ++++++++++++++++++++--
 6 files changed, 55 insertions(+), 4 deletions(-)
(limited to 'services/permission/java')
diff --git a/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt b/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
index f549797d42f8..e416718e13bc 100644
--- a/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessCheckingService.kt
@@ -211,6 +211,12 @@ class AccessCheckingService(context: Context) : SystemService(context) {
 }
 }
+ internal fun onSystemReady() {
+ mutateState {
+ with(policy) { onSystemReady() }
+ }
+ }
+
 private val PackageManagerLocal.allPackageStates: Pair, Map>
 get() = withUnfilteredSnapshot().use { it.packageStates to it.disabledSystemPackageStates }
diff --git a/services/permission/java/com/android/server/permission/access/AccessPolicy.kt b/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
index e0f94c7707a6..07a5e72fc182 100644
--- a/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessPolicy.kt
@@ -255,6 +255,13 @@ class AccessPolicy private constructor(
 }
 }
+ fun MutateStateScope.onSystemReady() {
+ newState.systemState.isSystemReady = true
+ forEachSchemePolicy {
+ with(it) { onSystemReady() }
+ }
+ }
+
 fun BinaryXmlPullParser.parseSystemState(state: AccessState) {
 forEachTag {
 when (tagName) {
@@ -362,6 +369,8 @@ abstract class SchemePolicy {
 open fun MutateStateScope.onPackageUninstalled(packageName: String, appId: Int, userId: Int) {}
+ open fun MutateStateScope.onSystemReady() {}
+
 open fun BinaryXmlPullParser.parseSystemState(state: AccessState) {}
 open fun BinaryXmlSerializer.serializeSystemState(state: AccessState) {}
diff --git a/services/permission/java/com/android/server/permission/access/AccessState.kt b/services/permission/java/com/android/server/permission/access/AccessState.kt
index 961619304531..5532311068ab 100644
--- a/services/permission/java/com/android/server/permission/access/AccessState.kt
+++ b/services/permission/java/com/android/server/permission/access/AccessState.kt
@@ -50,6 +50,8 @@ class SystemState private constructor(
 var privilegedPermissionAllowlistPackages: IndexedListSet,
 var permissionAllowlist: PermissionAllowlist,
 var implicitToSourcePermissions: IndexedMap>,
+ var isSystemReady: Boolean,
+ // TODO: Get and watch the state for deviceAndProfileOwners
 // Mapping from user ID to package name.
 var deviceAndProfileOwners: IntMap,
 val permissionGroups: IndexedMap,
@@ -67,6 +69,7 @@ class SystemState private constructor(
 IndexedListSet(),
 PermissionAllowlist(),
 IndexedMap(),
+ false,
 IntMap(),
 IndexedMap(),
 IndexedMap(),
@@ -85,6 +88,7 @@ class SystemState private constructor(
 privilegedPermissionAllowlistPackages,
 permissionAllowlist,
 implicitToSourcePermissions,
+ isSystemReady,
 deviceAndProfileOwners,
 permissionGroups.copy { it },
 permissionTrees.copy { it },
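Review bot: The new `open fun MutateStateScope.onSystemReady() {}` hook on SchemePolicy carries no KDoc, and the one ordering fact an implementer needs is only visible in the AccessPolicy hunk above it: `newState.systemState.isSystemReady = true` is assigned before `forEachSchemePolicy` dispatches, so by the time a policy's hook runs the state already reports the system as ready. I'd state that on the hook: `/** Called once after [SystemState.isSystemReady] has been set to true; a policy may run its boot-completion checks here. */`. The AccessPolicy dispatcher does not catch anything thrown by a policy, and an override in this patch does throw, so the KDoc should also say whether propagating an exception is part of the contract.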
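Review bot: `isSystemReady` is boot-lifetime state that now sits inside `SystemState`, a class that has `parseSystemState`/`serializeSystemState` hooks visible in this patch, and nothing in the hunk marks the field as transient. If it were ever written out and read back as `true`, the boot-only privileged-allowlist enforcement that keys on `!newState.systemState.isSystemReady` elsewhere in this patch would be skipped on the next boot. I cannot see the serializer here, so this may already be fine, but the intent should be explicit on the field: `// Runtime-only: set in AccessPolicy.onSystemReady(); must never be persisted.`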
diff --git a/services/permission/java/com/android/server/permission/access/permission/Permission.kt b/services/permission/java/com/android/server/permission/access/permission/Permission.kt
index 7bfca1214b53..714480c526c7 100644
--- a/services/permission/java/com/android/server/permission/access/permission/Permission.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/Permission.kt
@@ -91,6 +91,9 @@ data class Permission(
 inline val isKnownSigner: Boolean
 get() = protectionFlags.hasBits(PermissionInfo.PROTECTION_FLAG_KNOWN_SIGNER)
+ inline val isModule: Boolean
+ get() = protectionFlags.hasBits(PermissionInfo.PROTECTION_FLAG_MODULE)
+
 inline val isOem: Boolean
 get() = protectionFlags.hasBits(PermissionInfo.PROTECTION_FLAG_OEM)
diff --git a/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt b/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt
index acd0a3cbbb98..b8c03768e378 100644
--- a/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/PermissionService.kt
@@ -1709,7 +1709,7 @@ class PermissionService(
 }
 override fun onSystemReady() {
- // TODO STOPSHIP privappPermissionsViolationsfix check
+ service.onSystemReady()
 permissionControllerManager = PermissionControllerManager(
 context, PermissionThread.getHandler()
 )
diff --git a/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt b/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt
index d0833bdda35d..694efbbf7cf9 100644
--- a/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt
+++ b/services/permission/java/com/android/server/permission/access/permission/UidPermissionPolicy.kt
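Review bot: `service.onSystemReady()` replaces the STOPSHIP TODO with a call that, per the UidPermissionPolicy hunk in this patch, throws IllegalStateException when privileged-permission allowlist violations were recorded with enforcement on, and it is placed before `permissionControllerManager` is constructed, so a violation aborts the rest of this override. That fail-fast at boot looks intentional, since it is the check the old TODO referred to, but nothing at the call site says so. I'd add one line above the call: `// Throws if privileged permission allowlist violations were recorded with enforcement on; failing boot here is intentional.` The enclosing override continues past the hunk.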
@@ -54,6 +54,8 @@ class UidPermissionPolicy : SchemePolicy() {
 IndexedListSet()
 private val onPermissionFlagsChangedListenersLock = Any()
+ private val privilegedPermissionAllowlistViolations = IndexedSet()
+
 override val subjectScheme: String
 get() = UidUri.SCHEME
@@ -734,7 +736,7 @@ class UidPermissionPolicy : SchemePolicy() {
 } else {
 newFlags = newFlags andInv PermissionFlags.LEGACY_GRANTED
 val wasGrantedByImplicit = newFlags.hasBits(PermissionFlags.IMPLICIT_GRANTED)
- val isLeanBackNotificationsPermission = newState.systemState.isLeanback &&
+ val isLeanbackNotificationsPermission = newState.systemState.isLeanback &&
 permissionName in NOTIFICATIONS_PERMISSIONS
 val isImplicitPermission = anyPackageInAppId(appId) {
 permissionName in it.androidPackage!!.implicitPermissions
@@ -748,7 +750,7 @@ class UidPermissionPolicy : SchemePolicy() {
 }
 !sourcePermission.isRuntime
 } ?: false
- val shouldGrantByImplicit = isLeanBackNotificationsPermission ||
+ val shouldGrantByImplicit = isLeanbackNotificationsPermission ||
 (isImplicitPermission && isAnySourcePermissionNonRuntime)
 if (shouldGrantByImplicit) {
 newFlags = newFlags or PermissionFlags.IMPLICIT_GRANTED
@@ -917,7 +919,21 @@ class UidPermissionPolicy : SchemePolicy() {
 if (packageState.isUpdatedSystemApp) {
 return true
 }
- // TODO: Enforce the allowlist on boot
+ // Only enforce the privileged permission allowlist on boot
+ if (!newState.systemState.isSystemReady) {
+ // Apps that are in updated apex's do not need to be allowlisted
+ if (!packageState.isApkInUpdatedApex) {
+ Log.w(
+ LOG_TAG, "Privileged permission ${permission.name} for package" +
+ " ${packageState.packageName} (${packageState.path}) not in" +
+ " privileged permission allowlist"
+ )
+ if (RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE) {
+ privilegedPermissionAllowlistViolations += "${packageState.packageName}" +
+ " (${packageState.path}): ${permission.name}"
+ }
+ }
+ }
 return !RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE
 }
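Review bot: `privilegedPermissionAllowlistViolations` is a mutable set held on the policy instance rather than in the access state, and unlike the neighbouring listener set it has no dedicated lock; in this patch it is appended to from the allowlist check while `!newState.systemState.isSystemReady` and read once in `onSystemReady`. If the append only ever happens inside a serialized state mutation that is fine, but the assumption should be written next to the field: `// Boot-time only: filled by the privileged allowlist check before system ready, consumed in onSystemReady(); relies on state mutations being serialized.`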
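Review bot: The comment `// Apps that are in updated apex's do not need to be allowlisted` does not match what the code does: for a package with `isApkInUpdatedApex` the branch only skips the log and the violation record, then falls through to `return !RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE`, so with enforcement on such an app is denied the privileged permission exactly like an unlisted one, just silently. If updated-APEX APKs are meant to be exempt, the check needs `if (packageState.isApkInUpdatedApex) { return true }` ahead of the allowlist handling; if denial here is intended because the grant comes from another path, reword the comment to say they are merely not reported as violations. Note also that once `isSystemReady` is true the same denial appears to happen with no log at all, which will make a post-boot denial of an unlisted privileged permission hard to diagnose. The function this hunk modifies starts outside the hunk.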
@@ -1106,6 +1122,12 @@ class UidPermissionPolicy : SchemePolicy() {
 // Special permission for the recents app.
 return true
 }
+ // TODO(b/261913353): STOPSHIP: Add AndroidPackage.apexModuleName.
+ // This should be androidPackage.apexModuleName instead
+ if (permission.isModule && androidPackage.packageName != null) {
+ // Special permission granted for APKs inside APEX modules.
+ return true
+ }
 return false
 }
@@ -1155,6 +1177,13 @@ class UidPermissionPolicy : SchemePolicy() {
 return uid == ownerUid
 }
+ override fun MutateStateScope.onSystemReady() {
+ if (!privilegedPermissionAllowlistViolations.isEmpty()) {
+ throw IllegalStateException("Signature|privileged permissions not in privileged" +
+ " permission allowlist: $privilegedPermissionAllowlistViolations")
+ }
+ }
+
 override fun BinaryXmlPullParser.parseSystemState(state: AccessState) {
 with(persistence) { this@parseSystemState.parseSystemState(state) }
 }
-- cgit v1.2.3-59-g8ed1b
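Review bot: `androidPackage.packageName != null` is acknowledged as a stand-in for `apexModuleName`, but for a resolved package it is presumably always true, so until the real field lands this branch returns `true` for any MODULE-protected permission requested by any package that reaches it, not only APKs inside APEX modules. For a grant check that is a fail-open default and should not sit behind a condition that is never false. I'd fail closed until the data exists, `if (permission.isModule) { return false // TODO(b/261913353): grant once androidPackage.apexModuleName is available }`, or gate the placeholder on something that is actually false for an ordinary APK. The enclosing function starts outside the hunk.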
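Review bot: The `onSystemReady` override is an invariant check written as a manual `if`/`throw`; Kotlin's `check` expresses the same thing and throws the same IllegalStateException, `check(privilegedPermissionAllowlistViolations.isEmpty()) { "Signature|privileged permissions not in privileged permission allowlist: $privilegedPermissionAllowlistViolations" }`, which also folds the two concatenated literals into one template. Because this deliberately turns a misconfigured privileged app into a boot-time failure for the caller, the override also deserves a KDoc stating that violations are collected only while the system is not ready and only when `RoSystemProperties.CONTROL_PRIVAPP_PERMISSIONS_ENFORCE` is set, so with enforcement on a missing allowlist entry is fatal rather than a silent denial.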