Merge "[RFPM04] Adjust hasRestrictedNetworkPermission method" am: 89ca9dd0...

            mAllApps.add(UserHandle.getAppId(uid));

            mAllApps.add(UserHandle.getAppId(uid));

            final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);

            final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);

            final boolean hasRestrictedPermission =

            final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(uid)

                    hasRestrictedNetworkPermission(app.applicationInfo);

                    || isCarryoverPackage(app.applicationInfo);

            if (isNetwork || hasRestrictedPermission) {

            if (isNetwork || hasRestrictedPermission) {

                Boolean permission = mApps.get(uid);

                Boolean permission = mApps.get(uid);

        for (int i = 0; i < systemPermission.size(); i++) {

        for (int i = 0; i < systemPermission.size(); i++) {

            ArraySet<String> perms = systemPermission.valueAt(i);

            ArraySet<String> perms = systemPermission.valueAt(i);

            int uid = systemPermission.keyAt(i);

            int uid = systemPermission.keyAt(i);

            int netdPermission = 0;

            int netdPermission = PERMISSION_NONE;

            // Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.

            // Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.

            if (perms != null) {

            if (perms != null) {

                netdPermission |= perms.contains(UPDATE_DEVICE_STATS)

                netdPermission |= perms.contains(UPDATE_DEVICE_STATS)

    }

    }

    @VisibleForTesting

    @VisibleForTesting

    boolean hasRestrictedNetworkPermission(@Nullable final ApplicationInfo appInfo) {

    // TODO : remove this check in the future(b/162295056). All apps should just request the

    // appropriate permission for their use case since android Q.

    boolean isCarryoverPackage(@Nullable final ApplicationInfo appInfo) {

        if (appInfo == null) return false;

        if (appInfo == null) return false;

        // TODO : remove this check in the future(b/162295056). All apps should just

        return (appInfo.targetSdkVersion < VERSION_Q && isVendorApp(appInfo))

        // request the appropriate permission for their use case since android Q.

        if ((appInfo.targetSdkVersion < VERSION_Q && isVendorApp(appInfo))

                // Backward compatibility for b/114245686, on devices that launched before Q daemons

                // Backward compatibility for b/114245686, on devices that launched before Q daemons

                // and apps running as the system UID are exempted from this check.

                // and apps running as the system UID are exempted from this check.

                || (appInfo.uid == SYSTEM_UID && mDeps.getDeviceFirstSdkInt() < VERSION_Q)) {

                || (appInfo.uid == SYSTEM_UID && mDeps.getDeviceFirstSdkInt() < VERSION_Q);

            return true;

    }

    }

        return hasPermission(PERMISSION_MAINLINE_NETWORK_STACK, appInfo.uid)

    @VisibleForTesting

                || hasPermission(NETWORK_STACK, appInfo.uid)

    boolean hasRestrictedNetworkPermission(final int uid) {

                || hasPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, appInfo.uid);

        return hasPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid)

                || hasPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid)

                || hasPermission(NETWORK_STACK, uid);

    }

    }

    /** Returns whether the given uid has using background network permission. */

    /** Returns whether the given uid has using background network permission. */

        try {

        try {

            final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);

            final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);

            final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);

            final boolean isNetwork = hasPermission(CHANGE_NETWORK_STATE, uid);

            final boolean hasRestrictedPermission =

            final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(uid)

                    hasRestrictedNetworkPermission(app.applicationInfo);

                    || isCarryoverPackage(app.applicationInfo);

            if (isNetwork || hasRestrictedPermission) {

            if (isNetwork || hasRestrictedPermission) {

                currentPermission = hasRestrictedPermission;

                currentPermission = hasRestrictedPermission;

            }

            }

import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_VENDOR;

import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_VENDOR;

import static android.content.pm.PackageManager.GET_PERMISSIONS;

import static android.content.pm.PackageManager.GET_PERMISSIONS;

import static android.content.pm.PackageManager.MATCH_ANY_USER;

import static android.content.pm.PackageManager.MATCH_ANY_USER;

import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;

import static android.os.Process.SYSTEM_UID;

import static android.os.Process.SYSTEM_UID;

import static com.android.server.connectivity.PermissionMonitor.NETWORK;

import static com.android.server.connectivity.PermissionMonitor.NETWORK;

        verify(mMockPmi).getPackageList(mPermissionMonitor);

        verify(mMockPmi).getPackageList(mPermissionMonitor);

    }

    }

    /**

    private boolean wouldBeCarryoverPackage(String partition, int targetSdkVersion, int uid) {

     * Remove all permissions from the uid then build new package info and setup permissions to uid

     * for checking restricted network permission.

     */

    private boolean hasRestrictedNetworkPermission(String partition, int targetSdkVersion, int uid,

            String... permissions) {

        final PackageInfo packageInfo = buildPackageInfo(partition, uid, MOCK_USER1);

        final PackageInfo packageInfo = buildPackageInfo(partition, uid, MOCK_USER1);

        packageInfo.applicationInfo.targetSdkVersion = targetSdkVersion;

        packageInfo.applicationInfo.targetSdkVersion = targetSdkVersion;

        removeAllPermissions(uid);

        return mPermissionMonitor.isCarryoverPackage(packageInfo.applicationInfo);

        addPermissions(uid, permissions);

        return mPermissionMonitor.hasRestrictedNetworkPermission(packageInfo.applicationInfo);

    }

    }

    private static PackageInfo packageInfoWithPartition(String partition) {

    private static PackageInfo packageInfoWithPartition(String partition) {

        assertTrue(mPermissionMonitor.isVendorApp(app.applicationInfo));

        assertTrue(mPermissionMonitor.isVendorApp(app.applicationInfo));

    }

    }

    /**

     * Remove all permissions from the uid then setup permissions to uid for checking restricted

     * network permission.

     */

    private void assertRestrictedNetworkPermission(boolean hasPermission, int uid,

            String... permissions) {

        removeAllPermissions(uid);

        addPermissions(uid, permissions);

        assertEquals(hasPermission, mPermissionMonitor.hasRestrictedNetworkPermission(uid));

    }

    @Test

    @Test

    public void testHasRestrictedNetworkPermission() {

    public void testHasRestrictedNetworkPermission() {

        assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));

        assertRestrictedNetworkPermission(false, MOCK_UID1);

        assertFalse(hasRestrictedNetworkPermission(

        assertRestrictedNetworkPermission(false, MOCK_UID1, CHANGE_NETWORK_STATE);

                PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CHANGE_NETWORK_STATE));

        assertRestrictedNetworkPermission(true, MOCK_UID1, NETWORK_STACK);

        assertTrue(hasRestrictedNetworkPermission(

        assertRestrictedNetworkPermission(false, MOCK_UID1, CONNECTIVITY_INTERNAL);

                PARTITION_SYSTEM, VERSION_P, MOCK_UID1, NETWORK_STACK));

        assertRestrictedNetworkPermission(true, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS);

        assertFalse(hasRestrictedNetworkPermission(

        assertRestrictedNetworkPermission(false, MOCK_UID1, CHANGE_WIFI_STATE);

                PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_INTERNAL));

        assertRestrictedNetworkPermission(true, MOCK_UID1, PERMISSION_MAINLINE_NETWORK_STACK);

        assertTrue(hasRestrictedNetworkPermission(

                PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS));

        assertFalse(mPermissionMonitor.hasRestrictedNetworkPermission(MOCK_UID2));

        assertFalse(hasRestrictedNetworkPermission(

        assertFalse(mPermissionMonitor.hasRestrictedNetworkPermission(SYSTEM_UID));

                PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CHANGE_WIFI_STATE));

        assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));

        assertFalse(hasRestrictedNetworkPermission(

                PARTITION_SYSTEM, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));

    }

    }

    @Test

    @Test

    public void testHasRestrictedNetworkPermissionSystemUid() {

    public void testIsCarryoverPackage() {

        doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();

        doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();

        assertTrue(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));

        assertTrue(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));

        assertTrue(hasRestrictedNetworkPermission(

        assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, SYSTEM_UID));

                PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_INTERNAL));

        assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));

        assertTrue(hasRestrictedNetworkPermission(

        assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, MOCK_UID1));

                PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));

        assertTrue(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));

        assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, SYSTEM_UID));

        assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));

        assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));

        doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();

        doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();

        assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));

        assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));

        assertFalse(hasRestrictedNetworkPermission(

        assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, SYSTEM_UID));

                PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_INTERNAL));

        assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_P, MOCK_UID1));

        assertTrue(hasRestrictedNetworkPermission(

        assertTrue(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_P, MOCK_UID1));

                PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));

        assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));

    }

        assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, SYSTEM_UID));

        assertFalse(wouldBeCarryoverPackage(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));

        assertFalse(wouldBeCarryoverPackage(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));

    @Test

        assertFalse(wouldBeCarryoverPackage(PARTITION_OEM, VERSION_Q, SYSTEM_UID));

    public void testHasRestrictedNetworkPermissionVendorApp() {

        assertFalse(wouldBeCarryoverPackage(PARTITION_PRODUCT, VERSION_Q, SYSTEM_UID));

        assertTrue(hasRestrictedNetworkPermission(PARTITION_VENDOR, VERSION_P, MOCK_UID1));

        assertFalse(wouldBeCarryoverPackage(PARTITION_OEM, VERSION_Q, MOCK_UID1));

        assertTrue(hasRestrictedNetworkPermission(

        assertFalse(wouldBeCarryoverPackage(PARTITION_PRODUCT, VERSION_Q, MOCK_UID1));

                PARTITION_VENDOR, VERSION_P, MOCK_UID1, CHANGE_NETWORK_STATE));

        assertTrue(hasRestrictedNetworkPermission(

                PARTITION_VENDOR, VERSION_P, MOCK_UID1, NETWORK_STACK));

        assertTrue(hasRestrictedNetworkPermission(

                PARTITION_VENDOR, VERSION_P, MOCK_UID1, CONNECTIVITY_INTERNAL));

        assertTrue(hasRestrictedNetworkPermission(

                PARTITION_VENDOR, VERSION_P, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS));

        assertTrue(hasRestrictedNetworkPermission(

                PARTITION_VENDOR, VERSION_P, MOCK_UID1, CHANGE_WIFI_STATE));

        assertFalse(hasRestrictedNetworkPermission(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));

        assertFalse(hasRestrictedNetworkPermission(

                PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));

        assertFalse(hasRestrictedNetworkPermission(

                PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CHANGE_NETWORK_STATE));

    }

    }

    private void assertBackgroundPermission(boolean hasPermission, String name, int uid,

    private void assertBackgroundPermission(boolean hasPermission, String name, int uid,

    @Test

    @Test

    public void testHasUseBackgroundNetworksPermission() throws Exception {

    public void testHasUseBackgroundNetworksPermission() throws Exception {

        doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();

        assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(SYSTEM_UID));

        assertBackgroundPermission(false, "system1", SYSTEM_UID);

        assertBackgroundPermission(false, "system2", SYSTEM_UID, CONNECTIVITY_INTERNAL);

        assertBackgroundPermission(true, "system3", SYSTEM_UID, CHANGE_NETWORK_STATE);

        assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID1));

        assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID1));

        assertBackgroundPermission(false, "mock1", MOCK_UID1);

        assertBackgroundPermission(false, "mock1", MOCK_UID1);

        assertBackgroundPermission(true, "mock2", MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS);

        assertBackgroundPermission(false, "mock2", MOCK_UID1, CONNECTIVITY_INTERNAL);

        assertBackgroundPermission(true, "mock3", MOCK_UID1, NETWORK_STACK);

        assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID2));

        assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID2));

        assertBackgroundPermission(false, "mock3", MOCK_UID2, CONNECTIVITY_INTERNAL);

        assertBackgroundPermission(false, "mock4", MOCK_UID2);

        assertBackgroundPermission(true, "mock4", MOCK_UID2, NETWORK_STACK);

        assertBackgroundPermission(true, "mock5", MOCK_UID2,

                CONNECTIVITY_USE_RESTRICTED_NETWORKS);

        doReturn(VERSION_Q).when(mDeps).getDeviceFirstSdkInt();

        assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(SYSTEM_UID));

        assertBackgroundPermission(false, "system1", SYSTEM_UID);

        assertBackgroundPermission(true, "system2", SYSTEM_UID, CHANGE_NETWORK_STATE);

        doReturn(VERSION_P).when(mDeps).getDeviceFirstSdkInt();

        removeAllPermissions(SYSTEM_UID);

        assertBackgroundPermission(true, "system3", SYSTEM_UID);

    }

    }

    private class NetdMonitor {

    private class NetdMonitor {