Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 656ef911 authored by Michael Groover's avatar Michael Groover
Browse files

Grant access to device identifiers with READ_DEVICE_IDENTIFIERS appop 

The app holding the SMS role and other carrier apps installed through
Play that cannot be granted carrier privileges can have a legitimate
need to access device identifiers but do not meet the new
requirements for access. This appop will provide a way to grant role
holders and apps delivered through Play a way to access these
identifiers.

Bug: 124236412
Test: cts-tradefed run cts-dev -m CtsAppSecurityHostTestCases -t \
      android.appsecurity.cts.DeviceIdentifierTest#testDeviceIdentifierAccessWithAppOpGranted

Change-Id: Ieb182b254472b79cb791419222ee6ff9dedc6880
parent d5701f0e

core/java/android/app/AppOpsManager.java

+13 −1
Original line number Diff line number Diff line
@@ -824,9 +824,11 @@ public class AppOpsManager { 
    public static final int OP_LEGACY_STORAGE = 87;

    /** @hide Accessing accessibility features */

    public static final int OP_ACCESS_ACCESSIBILITY = 88;

    /** @hide Read the device identifiers (IMEI / MEID, IMSI, SIM / Build serial) */

    public static final int OP_READ_DEVICE_IDENTIFIERS = 89;

    /** @hide */

    @UnsupportedAppUsage

    public static final int _NUM_OP = 89;

    public static final int _NUM_OP = 90;



    /** Access to coarse location information. */

    public static final String OPSTR_COARSE_LOCATION = "android:coarse_location";
@@ -1100,6 +1102,8 @@ public class AppOpsManager { 
    /** @hide Interact with accessibility. */

    @SystemApi

    public static final String OPSTR_ACCESS_ACCESSIBILITY = "android:access_accessibility";

    /** @hide Read device identifiers */

    public static final String OPSTR_READ_DEVICE_IDENTIFIERS = "android:read_device_identifiers";



    // Warning: If an permission is added here it also has to be added to

    // com.android.packageinstaller.permission.utils.EventLogger
@@ -1260,6 +1264,7 @@ public class AppOpsManager { 
            OP_WRITE_MEDIA_IMAGES,              // WRITE_MEDIA_IMAGES

            OP_LEGACY_STORAGE,                  // LEGACY_STORAGE

            OP_ACCESS_ACCESSIBILITY,            // ACCESS_ACCESSIBILITY

            OP_READ_DEVICE_IDENTIFIERS,         // READ_DEVICE_IDENTIFIERS

    };



    /**
@@ -1355,6 +1360,7 @@ public class AppOpsManager { 
            OPSTR_WRITE_MEDIA_IMAGES,

            OPSTR_LEGACY_STORAGE,

            OPSTR_ACCESS_ACCESSIBILITY,

            OPSTR_READ_DEVICE_IDENTIFIERS,

    };



    /**
@@ -1451,6 +1457,7 @@ public class AppOpsManager { 
            "WRITE_MEDIA_IMAGES",

            "LEGACY_STORAGE",

            "ACCESS_ACCESSIBILITY",

            "READ_DEVICE_IDENTIFIERS",

    };



    /**
@@ -1548,6 +1555,7 @@ public class AppOpsManager { 
            null, // no permission for OP_WRITE_MEDIA_IMAGES

            null, // no permission for OP_LEGACY_STORAGE

            null, // no permission for OP_ACCESS_ACCESSIBILITY

            null, // no direct permission for OP_READ_DEVICE_IDENTIFIERS

    };



    /**
@@ -1645,6 +1653,7 @@ public class AppOpsManager { 
            null, // WRITE_MEDIA_IMAGES

            null, // LEGACY_STORAGE

            null, // ACCESS_ACCESSIBILITY

            null, // READ_DEVICE_IDENTIFIERS

    };



    /**
@@ -1741,6 +1750,7 @@ public class AppOpsManager { 
            false, // WRITE_MEDIA_IMAGES

            false, // LEGACY_STORAGE

            false, // ACCESS_ACCESSIBILITY

            false, // READ_DEVICE_IDENTIFIERS

    };



    /**
@@ -1836,6 +1846,7 @@ public class AppOpsManager { 
            AppOpsManager.MODE_ERRORED, // WRITE_MEDIA_IMAGES

            AppOpsManager.MODE_DEFAULT, // LEGACY_STORAGE

            AppOpsManager.MODE_ALLOWED, // ACCESS_ACCESSIBILITY

            AppOpsManager.MODE_ERRORED, // READ_DEVICE_IDENTIFIERS

    };



    /**
@@ -1935,6 +1946,7 @@ public class AppOpsManager { 
            false, // WRITE_MEDIA_IMAGES

            false, // LEGACY_STORAGE

            false, // ACCESS_ACCESSIBILITY

            false, // READ_DEVICE_IDENTIFIERS

    };



    /**

telephony/java/com/android/internal/telephony/TelephonyPermissions.java

+13 −1
Original line number Diff line number Diff line
@@ -344,10 +344,22 @@ public final class TelephonyPermissions { 
            return true;

        }

        // if the calling package is null then return now as there's no way to perform the

        // DevicePolicyManager device / profile owner checks.

        // DevicePolicyManager device / profile owner and AppOp checks

        if (callingPackage == null) {

            return false;

        }

        // Allow access to an app that has been granted the READ_DEVICE_IDENTIFIERS app op.

        long token = Binder.clearCallingIdentity();

        AppOpsManager appOpsManager = (AppOpsManager) context.getSystemService(

                Context.APP_OPS_SERVICE);

        try {

            if (appOpsManager.noteOpNoThrow(AppOpsManager.OPSTR_READ_DEVICE_IDENTIFIERS, uid,

                    callingPackage) == AppOpsManager.MODE_ALLOWED) {

                return true;

            }

        } finally {

            Binder.restoreCallingIdentity(token);

        }

        // Allow access to a device / profile owner app.

        DevicePolicyManager devicePolicyManager = (DevicePolicyManager) context.getSystemService(

                Context.DEVICE_POLICY_SERVICE);