Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 445d1e71 authored by Michael Groover's avatar Michael Groover
Browse files

Enable device identifier check for non-priv apps 

Bug: 117781266
Test: atest CtsTelephony3TestCases
Test: atest android.telephony.cts.TelephonyManagerTest
Test: atest com.android.cts.devicepolicy.DeviceOwnerTest#testDeviceOwnerCanGetDeviceIdentifiers
Test: atest com.android.cts.devicepolicy.DeviceOwnerTest#testDeviceOwnerCannotGetDeviceIdentifiersWithoutPermission
Test: atest com.android.cts.devicepolicy.ManagedProfileTest#testProfileOwnerCanGetDeviceIdentifiers
Test: atest com.android.cts.devicepolicy.ManagedProfileTest#testProfileOwnerCannotGetDeviceIdentifiersWithoutPermission
Change-Id: Ie87b31e22de248249b206e866fb38a494923d51f
parent 745811ae

core/java/android/provider/Settings.java

+11 −0
Original line number Diff line number Diff line
@@ -12819,6 +12819,17 @@ public final class Settings { 
        public static final String PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED =

                "privileged_device_identifier_3p_check_relaxed";













        /**













         * If set to 1, the device identifier check will be relaxed to the previous READ_PHONE_STATE













         * permission check for preloaded non-privileged apps.













         *













         * STOPSHIP: Remove this once we ship with the new device identifier check enabled.













         *













         * @hide













         */













        public static final String PRIVILEGED_DEVICE_IDENTIFIER_NON_PRIV_CHECK_RELAXED =













                "privileged_device_identifier_non_priv_check_relaxed";



























        /**















         * If set to 1, SettingsProvider's restoreAnyVersion="true" attribute will be ignored















         * and restoring to lower version of platform API will be skipped.

































core/tests/coretests/src/android/provider/SettingsBackupTest.java



+1
−0




























Original line number
Diff line number
Diff line








@@ -384,6 +384,7 @@ public class SettingsBackupTest {













                    Settings.Global.PRIV_APP_OOB_LIST,















                    Settings.Global.PRIVATE_DNS_DEFAULT_MODE,















                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED,













                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_NON_PRIV_CHECK_RELAXED,















                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_TARGET_Q_BEHAVIOR_ENABLED,















                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED,















                    Settings.Global.PROVISIONING_APN_ALARM_DELAY_IN_MS,

































telephony/java/com/android/internal/telephony/TelephonyPermissions.java



+25
−4




























Original line number
Diff line number
Diff line








@@ -284,8 +284,6 @@ public final class TelephonyPermissions {













     */















    private static boolean reportAccessDeniedToReadIdentifiers(Context context, int subId, int pid,















            int uid, String callingPackage, String message) {













        Log.wtf(LOG_TAG,













                "reportAccessDeniedToReadIdentifiers:" + callingPackage + ":" + message);















        // If the device identifier check is enabled then enforce the new access requirements for















        // both 1P and 3P apps.















        boolean enableDeviceIdentifierCheck = Settings.Global.getInt(context.getContentResolver(),









@@ -295,17 +293,40 @@ public final class TelephonyPermissions {













        boolean relax3PDeviceIdentifierCheck = Settings.Global.getInt(context.getContentResolver(),















                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED, 0) == 1;















        boolean is3PApp = true;













        // Also check if the application is a preloaded non-privileged app; if so there is a













        // separate setting to relax the check for these apps to ensure users can relax the check













        // for 3P or non-priv apps as needed while continuing to test the other.













        boolean relaxNonPrivDeviceIdentifierCheck = Settings.Global.getInt(













                context.getContentResolver(),













                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_NON_PRIV_CHECK_RELAXED, 0) == 1;













        boolean isNonPrivApp = false;















        ApplicationInfo callingPackageInfo = null;















        try {















            callingPackageInfo = context.getPackageManager().getApplicationInfo(callingPackage, 0);













            if (callingPackageInfo.isSystemApp()) {













            if (callingPackageInfo.isPrivilegedApp()) {















                is3PApp = false;













            } else if (callingPackageInfo.isSystemApp()) {













                is3PApp = false;













                isNonPrivApp = true;















            }















        } catch (PackageManager.NameNotFoundException e) {















            // If the application info for the calling package could not be found then assume the















            // calling app is a 3P app to detect any issues with the check













        }













        if (enableDeviceIdentifierCheck || (is3PApp && !relax3PDeviceIdentifierCheck)) {













            Log.e(LOG_TAG, "Exception caught obtaining package info for package " + callingPackage,













                    e);













        }













        Log.wtf(LOG_TAG, "reportAccessDeniedToReadIdentifiers:" + callingPackage + ":" + message













                + ":is3PApp=" + is3PApp + ":isNonPrivApp=" + isNonPrivApp);













        // The new Q restrictions for device identifier access will be enforced if any of the













        // following are true:













        // - The PRIVILEGED_DEVICE_IDENTIFIER_CHECK_ENABLED setting has been set.













        // - The app requesting a device identifier is not a preloaded app (3P), and the













        //   PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED setting has not been set.













        // - The app requesting a device identifier is a preloaded app but is not a privileged app,













        //   and the PRIVILEGED_DEVICE_IDENTIFIER_NON_PRIV_CHECK_RELAXED setting has not been set.













        if (enableDeviceIdentifierCheck













                || (is3PApp && !relax3PDeviceIdentifierCheck)













                || (isNonPrivApp && !relaxNonPrivDeviceIdentifierCheck)) {















            boolean targetQBehaviorDisabled = Settings.Global.getInt(context.getContentResolver(),















                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_TARGET_Q_BEHAVIOR_ENABLED, 0) == 0;















            if (callingPackage != null) {