Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bbeed895 authored by Philip P. Moltmann's avatar Philip P. Moltmann
Browse files

Revert "Check cross-user interactions for permissions and app-op..." 

Revert "Add dedicated host side tests for permissions and appops"

Revert submission 12439864-PermAppOpsCrossUserCheck-Fixed

Reason for revert: Bug 169044600
Reverted Changes:
I95d015e01:Invalidate package/permission cache if cross-profi...
I2a8a84f57:Check cross-user interactions for permissions and ...
Ie8f0db231:Give all non-package services the power to interac...
I11af434a8:Test package/permission cache invalidation when IN...
Ib6d609a4d:Add dedicated host side tests for permissions and ...

Change-Id: Iea5eeded0ee5caf5383bb0e749133d4fef18d392
parent fe97984f

core/java/android/app/ActivityManagerInternal.java

+4 −23
Original line number Diff line number Diff line
@@ -46,39 +46,20 @@ public abstract class ActivityManagerInternal { 




    // Access modes for handleIncomingUser.

    /**

     * Allows access to a caller with {@link android.Manifest.permission#INTERACT_ACROSS_USERS} or

     * {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL}.

     */

    public static final int ALLOW_NON_FULL = 0;

    /**

     * Allows access to a caller with {@link android.Manifest.permission#INTERACT_ACROSS_USERS}

     * or {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL} if in the same profile

     * group.

     * if in the same profile group.

     * Otherwise, {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL} is required.

     */

    public static final int ALLOW_NON_FULL_IN_PROFILE_OR_FULL = 1;

    /**

     * Allows access to a caller with {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL}

     * only.

     */

    public static final int ALLOW_NON_FULL_IN_PROFILE = 1;

    public static final int ALLOW_FULL_ONLY = 2;

    /**

     * Allows access to a caller with {@link android.Manifest.permission#INTERACT_ACROSS_PROFILES}

     * or {@link android.Manifest.permission#INTERACT_ACROSS_USERS} or

     * {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL} if in the same profile group.

     * or {@link android.Manifest.permission#INTERACT_ACROSS_USERS} if in the same profile group.

     * Otherwise, {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL} is required.

     */

    public static final int ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_FULL = 3;

    /**

     * Requires {@link android.Manifest.permission#INTERACT_ACROSS_PROFILES},

     * {@link android.Manifest.permission#INTERACT_ACROSS_USERS}, or

     * {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL} if in same profile group,

     * otherwise {@link android.Manifest.permission#INTERACT_ACROSS_USERS} or

     * {@link android.Manifest.permission#INTERACT_ACROSS_USERS_FULL}. (so this is an extension

     * to {@link #ALLOW_NON_FULL})

     */

    public static final int ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_NON_FULL = 4;

    public static final int ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE = 3;



    /**

     * Verify that calling app has access to the given provider.

core/java/android/app/AppOpsManager.java

+19 −65
Original line number Diff line number Diff line
@@ -6741,14 +6741,10 @@ public class AppOpsManager { 
     */

    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)

    public void setUidMode(int code, int uid, @Mode int mode) {

        // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

        long token = Binder.clearCallingIdentity();

        try {

            mService.setUidMode(code, uid, mode);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }
@@ -6766,7 +6762,11 @@ public class AppOpsManager { 
    @TestApi

    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)

    public void setUidMode(@NonNull String appOp, int uid, @Mode int mode) {

        setUidMode(AppOpsManager.strOpToOp(appOp), uid, mode);

        try {

            mService.setUidMode(AppOpsManager.strOpToOp(appOp), uid, mode);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        }

    }



    /** @hide */
@@ -6795,14 +6795,10 @@ public class AppOpsManager { 
    @TestApi

    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)

    public void setMode(int code, int uid, String packageName, @Mode int mode) {

        // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

        long token = Binder.clearCallingIdentity();

        try {

            mService.setMode(code, uid, packageName, mode);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }
@@ -6822,7 +6818,11 @@ public class AppOpsManager { 
    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)

    public void setMode(@NonNull String op, int uid, @Nullable String packageName,

            @Mode int mode) {

        setMode(strOpToOp(op), uid, packageName, mode);

        try {

            mService.setMode(strOpToOp(op), uid, packageName, mode);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        }

    }



    /**
@@ -7298,14 +7298,10 @@ public class AppOpsManager { 
     * @hide

     */

    public int unsafeCheckOpRawNoThrow(int op, int uid, @NonNull String packageName) {

        // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

        long token = Binder.clearCallingIdentity();

        try {

            return mService.checkOperationRaw(op, uid, packageName);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }
@@ -7477,20 +7473,8 @@ public class AppOpsManager { 
                }

            }



            int mode;

            // Making the binder call "noteOperation" usually sets Binder.callingUid to the calling

            // processes UID. Hence clearing the calling UID is superfluous.

            // If the call is inside the system server though "noteOperation" is not a binder all,

            // it is only a method call. Hence Binder.callingUid might still be set to the app that

            // called the system server. This can lead to problems as not every app can see the

            // same appops the system server can see.

            long token = Binder.clearCallingIdentity();

            try {

                mode = mService.noteOperation(op, uid, packageName, attributionTag,

            int mode = mService.noteOperation(op, uid, packageName, attributionTag,

                    collectionMode == COLLECT_ASYNC, message, shouldCollectMessage);

            } finally {

                Binder.restoreCallingIdentity(token);

            }



            if (mode == MODE_ALLOWED) {

                if (collectionMode == COLLECT_SELF) {
@@ -7653,17 +7637,10 @@ public class AppOpsManager { 
                }

            }



            int mode;

            // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

            long token = Binder.clearCallingIdentity();

            try {

                mode = mService.noteProxyOperation(op, proxiedUid, proxiedPackageName,

            int mode = mService.noteProxyOperation(op, proxiedUid, proxiedPackageName,

                    proxiedAttributionTag, myUid, mContext.getOpPackageName(),

                    mContext.getAttributionTag(), collectionMode == COLLECT_ASYNC, message,

                    shouldCollectMessage);

            } finally {

                Binder.restoreCallingIdentity(token);

            }



            if (mode == MODE_ALLOWED) {

                if (collectionMode == COLLECT_SELF) {
@@ -7713,8 +7690,6 @@ public class AppOpsManager { 
     */

    @UnsupportedAppUsage

    public int checkOp(int op, int uid, String packageName) {

        // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

        long token = Binder.clearCallingIdentity();

        try {

            int mode = mService.checkOperation(op, uid, packageName);

            if (mode == MODE_ERRORED) {
@@ -7723,8 +7698,6 @@ public class AppOpsManager { 
            return mode;

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }
@@ -7735,15 +7708,11 @@ public class AppOpsManager { 
     */

    @UnsupportedAppUsage

    public int checkOpNoThrow(int op, int uid, String packageName) {

        // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

        long token = Binder.clearCallingIdentity();

        try {

            int mode = mService.checkOperation(op, uid, packageName);

            return mode == AppOpsManager.MODE_FOREGROUND ? AppOpsManager.MODE_ALLOWED : mode;

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }
@@ -7995,16 +7964,9 @@ public class AppOpsManager { 
                }

            }



            int mode;

            // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

            long token = Binder.clearCallingIdentity();

            try {

                mode = mService.startOperation(getClientId(), op, uid, packageName,

                        attributionTag, startIfModeDefault, collectionMode == COLLECT_ASYNC,

                        message, shouldCollectMessage);

            } finally {

                Binder.restoreCallingIdentity(token);

            }

            int mode = mService.startOperation(getClientId(), op, uid, packageName,

                    attributionTag, startIfModeDefault, collectionMode == COLLECT_ASYNC, message,

                    shouldCollectMessage);



            if (mode == MODE_ALLOWED) {

                if (collectionMode == COLLECT_SELF) {
@@ -8067,14 +8029,10 @@ public class AppOpsManager { 
     */

    public void finishOp(int op, int uid, @NonNull String packageName,

            @Nullable String attributionTag) {

        // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

        long token = Binder.clearCallingIdentity();

        try {

            mService.finishOperation(getClientId(), op, uid, packageName, attributionTag);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }
@@ -8666,14 +8624,10 @@ public class AppOpsManager { 
    // TODO: Uncomment below annotation once b/73559440 is fixed

    // @RequiresPermission(value=Manifest.permission.WATCH_APPOPS, conditional=true)

    public boolean isOperationActive(int code, int uid, String packageName) {

        // Clear calling UID to handle calls from inside the system server. See #noteOpNoThrow

        long token = Binder.clearCallingIdentity();

        try {

            return mService.isOperationActive(code, uid, packageName);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }

core/java/android/permission/PermissionManager.java

+0 −15
Original line number Diff line number Diff line
@@ -34,7 +34,6 @@ import android.content.Context; 
import android.content.pm.IPackageManager;

import android.content.pm.PackageManager;

import android.content.pm.permission.SplitPermissionInfoParcelable;

import android.os.Binder;

import android.os.Process;

import android.os.RemoteException;

import android.os.ServiceManager;
@@ -544,15 +543,10 @@ public final class PermissionManager { 
                    + permission);

            return PackageManager.PERMISSION_DENIED;

        }

        // Clear Binder.callingUid in case this is called inside the system server. See

        // more extensive comment in checkPackageNamePermissionUncached

        long token = Binder.clearCallingIdentity();

        try {

            return am.checkPermission(permission, pid, uid);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }
@@ -685,20 +679,11 @@ public final class PermissionManager { 
    /* @hide */

    private static int checkPackageNamePermissionUncached(

            String permName, String pkgName, @UserIdInt int userId) {

        // Makeing the binder call "checkPermission" usually sets Binder.callingUid to the calling

        // processes UID. Hence clearing the calling UID is superflous.

        // If the call is inside the system server though "checkPermission" is not a binder all, it

        // is only a method call. Hence Binder.callingUid might still be set to the app that called

        // the system server. This can lead to problems as not every app can check the same

        // permissions the system server can check.

        long token = Binder.clearCallingIdentity();

        try {

            return ActivityThread.getPermissionManager().checkPermission(

                    permName, pkgName, userId);

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        } finally {

            Binder.restoreCallingIdentity(token);

        }

    }

services/core/java/com/android/server/am/ActiveServices.java

+3 −3
Original line number Diff line number Diff line
@@ -2609,12 +2609,12 @@ public final class ActiveServices { 


    private int getAllowMode(Intent service, @Nullable String callingPackage) {

        if (callingPackage == null || service.getComponent() == null) {

            return ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE_OR_FULL;

            return ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE;

        }

        if (callingPackage.equals(service.getComponent().getPackageName())) {

            return ActivityManagerInternal.ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_FULL;

            return ActivityManagerInternal.ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE;

        } else {

            return ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE_OR_FULL;

            return ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE;

        }

    }

services/core/java/com/android/server/am/UserController.java

+8 −14
Original line number Diff line number Diff line
@@ -23,11 +23,10 @@ import static android.app.ActivityManager.USER_OP_ERROR_IS_SYSTEM; 
import static android.app.ActivityManager.USER_OP_ERROR_RELATED_USERS_CANNOT_STOP;

import static android.app.ActivityManager.USER_OP_IS_CURRENT;

import static android.app.ActivityManager.USER_OP_SUCCESS;

import static android.app.ActivityManagerInternal.ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_FULL;

import static android.app.ActivityManagerInternal.ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_NON_FULL;

import static android.app.ActivityManagerInternal.ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE;

import static android.app.ActivityManagerInternal.ALLOW_FULL_ONLY;

import static android.app.ActivityManagerInternal.ALLOW_NON_FULL;

import static android.app.ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE_OR_FULL;

import static android.app.ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE;

import static android.os.Process.SHELL_UID;

import static android.os.Process.SYSTEM_UID;
@@ -1912,12 +1911,11 @@ class UserController implements Handler.Callback { 
                    callingUid, -1, true) != PackageManager.PERMISSION_GRANTED) {

                // If the caller does not have either permission, they are always doomed.

                allow = false;

            } else if (allowMode == ALLOW_NON_FULL

                    || allowMode == ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_NON_FULL) {

            } else if (allowMode == ALLOW_NON_FULL) {

                // We are blanket allowing non-full access, you lucky caller!

                allow = true;

            } else if (allowMode == ALLOW_NON_FULL_IN_PROFILE_OR_FULL

                        || allowMode == ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_FULL) {

            } else if (allowMode == ALLOW_NON_FULL_IN_PROFILE

                        || allowMode == ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE) {

                // We may or may not allow this depending on whether the two users are

                // in the same profile.

                allow = isSameProfileGroup;
@@ -1944,15 +1942,12 @@ class UserController implements Handler.Callback { 
                    builder.append("; this requires ");

                    builder.append(INTERACT_ACROSS_USERS_FULL);

                    if (allowMode != ALLOW_FULL_ONLY) {

                        if (allowMode == ALLOW_NON_FULL

                                || allowMode == ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_NON_FULL

                                || isSameProfileGroup) {

                        if (allowMode == ALLOW_NON_FULL || isSameProfileGroup) {

                            builder.append(" or ");

                            builder.append(INTERACT_ACROSS_USERS);

                        }

                        if (isSameProfileGroup

                                && (allowMode == ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_FULL

                                || allowMode == ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_NON_FULL)) {

                                && allowMode == ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE) {

                            builder.append(" or ");

                            builder.append(INTERACT_ACROSS_PROFILES);

                        }
@@ -1979,8 +1974,7 @@ class UserController implements Handler.Callback { 
    private boolean canInteractWithAcrossProfilesPermission(

            int allowMode, boolean isSameProfileGroup, int callingPid, int callingUid,

            String callingPackage) {

        if (allowMode != ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_FULL

                && allowMode != ALLOW_ACROSS_PROFILES_IN_PROFILE_OR_NON_FULL) {

        if (allowMode != ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE) {

            return false;

        }

        if (!isSameProfileGroup) {