
Commit 3f026715 authored by Michael Groover's avatar Michael Groover

Enable device identifier check for 3P apps

Bug: 117781266
Test: cts-tradefed run cts -m CtsTelephony3TestCases
Test: cts-tradefed run cts -m CtsPermissionTestCases -t android.permission.cts.TelephonyManagerPermissionTest
Test: cts-tradefed run cts -m CtsTelephonyTestCases -t android.telephony.cts.TelephonyManagerTest
Test: cts-tradefed run cts -m CtsDevicePolicyManagerTestCases -t \
      com.android.cts.devicepolicy.DeviceOwnerTest#testDeviceOwnerCanGetDeviceIdentifiers
Test: cts-tradefed run cts -m CtsDevicePolicyManagerTestCases -t \
      com.android.cts.devicepolicy.ManagedProfileTest#testProfileOwnerCanGetDeviceIdentifiers
Test: cts-tradefed run cts -m CtsDevicePolicyManagerTestCases -t \
      com.android.cts.devicepolicy.ManagedProfileTest#testProfileOwnerCannotGetDeviceIdentifiersWithoutPermission
Test: cts-tradefed run cts -m CtsDevicePolicyManagerTestCases -t \
      com.android.cts.devicepolicy.DeviceOwnerTest#testDeviceOwnerCannotGetDeviceIdentifiersWithoutPermission

Change-Id: Ia511d6d566ab1ceacfedcd45f45500a846fcb983
parent fc1d7e58
+11 −0
@@ -12408,6 +12408,17 @@ public final class Settings {
        public static final String PRIVILEGED_DEVICE_IDENTIFIER_TARGET_Q_BEHAVIOR_ENABLED =
                "privileged_device_identifier_target_q_behavior_enabled";
        /**
         * If set to 1, the device identifier check will be relaxed to the previous READ_PHONE_STATE
         * permission check for 3P apps.
         *
         * STOPSHIP: Remove this once we ship with the new device identifier check enabled.
         *
         * @hide
         */
        public static final String PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED =
                "privileged_device_identifier_3p_check_relaxed";
        /**
         * If set to 1, SettingsProvider's restoreAnyVersion="true" attribute will be ignored
         * and restoring to lower version of platform API will be skipped.
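Review bot: The Javadoc for PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED states neither its default nor how it interacts with PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED. In the TelephonyPermissions section of this commit the gate is `enableDeviceIdentifierCheck || (is3PApp && !relax3PDeviceIdentifierCheck)` and both settings are read with a default of 0, so an unset value means 3P apps get the new check, and a value of 1 is ignored once the global check is enabled. I would add to the comment: `Defaults to 0 (new check enforced for 3P apps); has no effect when {@link #PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED} is 1.` Because setting this key weakens an identifier-access check, the comment could also say who is expected to set it, if that is known.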
+1 −0
@@ -370,6 +370,7 @@ public class SettingsBackupTest {
                    Settings.Global.PRIVATE_DNS_DEFAULT_MODE,
                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED,
                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_TARGET_Q_BEHAVIOR_ENABLED,
                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED,
                    Settings.Global.PROVISIONING_APN_ALARM_DELAY_IN_MS,
                    Settings.Global.RADIO_BLUETOOTH,
                    Settings.Global.RADIO_CELL,
+37 −30
@@ -279,22 +279,31 @@ public final class TelephonyPermissions {
            int uid, String callingPackage, String message) {
        Log.wtf(LOG_TAG,
                "reportAccessDeniedToReadIdentifiers:" + callingPackage + ":" + message);
        // if the device identifier check is relaxed then revert to the READ_PHONE_STATE permission
        // check that was previously required to access device identifiers.
        boolean relaxDeviceIdentifierCheck = Settings.Global.getInt(context.getContentResolver(),
                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED, 0) == 0;
        if (relaxDeviceIdentifierCheck) {
            return checkReadPhoneState(context, subId, pid, uid, callingPackage, message);
        } else {
        // If the device identifier check is enabled then enforce the new access requirements for
        // both 1P and 3P apps.
        boolean enableDeviceIdentifierCheck = Settings.Global.getInt(context.getContentResolver(),
                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED, 0) == 1;
        // Check if the application is a 3P app; if so then a separate setting is required to relax
        // the check to begin flagging problems with 3P apps early.
        boolean relax3PDeviceIdentifierCheck = Settings.Global.getInt(context.getContentResolver(),
                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED, 0) == 1;
        boolean is3PApp = true;
        ApplicationInfo callingPackageInfo = null;
        try {
            callingPackageInfo = context.getPackageManager().getApplicationInfo(callingPackage, 0);
            if (callingPackageInfo.isSystemApp()) {
                is3PApp = false;
            }
        } catch (PackageManager.NameNotFoundException e) {
            // If the application info for the calling package could not be found then assume the
            // calling app is a 3P app to detect any issues with the check
        }
        if (enableDeviceIdentifierCheck || (is3PApp && !relax3PDeviceIdentifierCheck)) {
            boolean targetQBehaviorDisabled = Settings.Global.getInt(context.getContentResolver(),
                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_TARGET_Q_BEHAVIOR_ENABLED, 0) == 0;
            if (callingPackage != null) {
                try {
                // if the target SDK is pre-Q or the target Q behavior is disabled then check if
                // the calling package would have previously had access to device identifiers.
                    ApplicationInfo callingPackageInfo =
                            context.getPackageManager().getApplicationInfo(
                                    callingPackage, 0);
                if (callingPackageInfo != null && (
                        callingPackageInfo.targetSdkVersion < Build.VERSION_CODES.Q
                                || targetQBehaviorDisabled)) {
@@ -310,13 +319,11 @@ public final class TelephonyPermissions {
                        return false;
                    }
                }
                } catch (PackageManager.NameNotFoundException e) {
                    // If the application info for the calling package could not be found then
                    // default to throwing the SecurityException.
                }
            }
            throw new SecurityException(message + ": The user " + uid
                    + " does not meet the requirements to access device identifiers.");
        } else {
            return checkReadPhoneState(context, subId, pid, uid, callingPackage, message);
        }
    }
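Review bot: The 1P/3P decision is keyed on `callingPackage` alone: in the visible lines, `getApplicationInfo(callingPackage, 0)` followed by `isSystemApp()` is never compared with the `uid` argument. A caller classified under a system package name it does not own would be treated as 1P and, with PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED at 0, routed to the older READ_PHONE_STATE check. Whether the package has already been bound to the uid upstream is not visible here (the method's signature begins above the hunk); if it has not, I would fail closed with `if (callingPackageInfo.isSystemApp() && UserHandle.getAppId(callingPackageInfo.uid) == UserHandle.getAppId(uid)) {` before clearing `is3PApp`. The lookup also now runs ahead of the `callingPackage != null` guard, so a null name goes through PackageManager first. If it is meant to land in the NameNotFoundException branch and stay 3P, a comment there such as `// a null or unknown package name is treated as 3P` would make that explicit.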