Merge "Use UserHandles instead of userId integers." am: 25312195 am: a2831e13 am: 7eac1eed

import android.annotation.Nullable;

import android.annotation.Nullable;

import android.os.Parcel;

import android.os.Parcel;

import android.os.Parcelable;

import android.os.Parcelable;

import android.os.UserHandle;

import java.util.Collection;

import java.util.Collection;

        return new UidRange(userId * PER_USER_RANGE, (userId + 1) * PER_USER_RANGE - 1);

        return new UidRange(userId * PER_USER_RANGE, (userId + 1) * PER_USER_RANGE - 1);

    }

    }

    /** Creates a UidRange for the specified user. */

    public static UidRange createForUser(UserHandle user) {

        final UserHandle nextUser = UserHandle.of(user.getIdentifier() + 1);

        final int start = UserHandle.getUid(user, 0 /* appId */);

        final int end = UserHandle.getUid(nextUser, 0) - 1;

        return new UidRange(start, end);

    }

    /** Returns the smallest user Id which is contained in this UidRange */

    /** Returns the smallest user Id which is contained in this UidRange */

    public int getStartUser() {

    public int getStartUser() {

        return start / PER_USER_RANGE;

        return start / PER_USER_RANGE;

        }

        }

    }

    }

    private void onUserAdded(int userId) {

    private void onUserAdded(UserHandle user) {

        mPermissionMonitor.onUserAdded(userId);

        mPermissionMonitor.onUserAdded(user);

    }

    }

    private void onUserRemoved(int userId) {

    private void onUserRemoved(UserHandle user) {

        mPermissionMonitor.onUserRemoved(userId);

        mPermissionMonitor.onUserRemoved(user);

    }

    }

    private BroadcastReceiver mIntentReceiver = new BroadcastReceiver() {

    private BroadcastReceiver mIntentReceiver = new BroadcastReceiver() {

        public void onReceive(Context context, Intent intent) {

        public void onReceive(Context context, Intent intent) {

            ensureRunningOnConnectivityServiceThread();

            ensureRunningOnConnectivityServiceThread();

            final String action = intent.getAction();

            final String action = intent.getAction();

            final int userId = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, UserHandle.USER_NULL);

            final UserHandle user = intent.getParcelableExtra(Intent.EXTRA_USER);

            // UserId should be filled for below intents, check the existence.

            // User should be filled for below intents, check the existence.

            if (userId == UserHandle.USER_NULL) return;

            if (user == null) {

                Log.wtf(TAG, intent.getAction() + " broadcast without EXTRA_USER");

                return;

            }

            if (Intent.ACTION_USER_ADDED.equals(action)) {

            if (Intent.ACTION_USER_ADDED.equals(action)) {

                onUserAdded(userId);

                onUserAdded(user);

            } else if (Intent.ACTION_USER_REMOVED.equals(action)) {

            } else if (Intent.ACTION_USER_REMOVED.equals(action)) {

                onUserRemoved(userId);

                onUserRemoved(user);

            }  else {

            }  else {

                Log.wtf(TAG, "received unexpected intent: " + action);

                Log.wtf(TAG, "received unexpected intent: " + action);

            }

            }

    private final INetd mNetd;

    private final INetd mNetd;

    private final Dependencies mDeps;

    private final Dependencies mDeps;

    // Values are User IDs.

    @GuardedBy("this")

    @GuardedBy("this")

    private final Set<Integer> mUsers = new HashSet<>();

    private final Set<UserHandle> mUsers = new HashSet<>();

    // Keys are app uids. Values are true for SYSTEM permission and false for NETWORK permission.

    // Keys are app uids. Values are true for SYSTEM permission and false for NETWORK permission.

    @GuardedBy("this")

    @GuardedBy("this")

            netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);

            netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);

        }

        }

        final List<UserHandle> users = mUserManager.getUserHandles(true /* excludeDying */);

        mUsers.addAll(mUserManager.getUserHandles(true /* excludeDying */));

        for (UserHandle user : users) {

            mUsers.add(user.getIdentifier());

        }

        final SparseArray<ArraySet<String>> systemPermission =

        final SparseArray<ArraySet<String>> systemPermission =

                SystemConfig.getInstance().getSystemPermissions();

                SystemConfig.getInstance().getSystemPermissions();

        return array;

        return array;

    }

    }

    private void update(Set<Integer> users, Map<Integer, Boolean> apps, boolean add) {

    private void update(Set<UserHandle> users, Map<Integer, Boolean> apps, boolean add) {

        List<Integer> network = new ArrayList<>();

        List<Integer> network = new ArrayList<>();

        List<Integer> system = new ArrayList<>();

        List<Integer> system = new ArrayList<>();

        for (Entry<Integer, Boolean> app : apps.entrySet()) {

        for (Entry<Integer, Boolean> app : apps.entrySet()) {

            List<Integer> list = app.getValue() ? system : network;

            List<Integer> list = app.getValue() ? system : network;

            for (int user : users) {

            for (UserHandle user : users) {

                final UserHandle handle = UserHandle.of(user);

                if (user == null) continue;

                if (handle == null) continue;

                list.add(UserHandle.getUid(handle, app.getKey()));

                list.add(UserHandle.getUid(user, app.getKey()));

            }

            }

        }

        }

        try {

        try {

     *

     *

     * @hide

     * @hide

     */

     */

    public synchronized void onUserAdded(int user) {

    public synchronized void onUserAdded(@NonNull UserHandle user) {

        if (user < 0) {

            loge("Invalid user in onUserAdded: " + user);

            return;

        }

        mUsers.add(user);

        mUsers.add(user);

        Set<Integer> users = new HashSet<>();

        Set<UserHandle> users = new HashSet<>();

        users.add(user);

        users.add(user);

        update(users, mApps, true);

        update(users, mApps, true);

    }

    }

     *

     *

     * @hide

     * @hide

     */

     */

    public synchronized void onUserRemoved(int user) {

    public synchronized void onUserRemoved(@NonNull UserHandle user) {

        if (user < 0) {

            loge("Invalid user in onUserRemoved: " + user);

            return;

        }

        mUsers.remove(user);

        mUsers.remove(user);

        Set<Integer> users = new HashSet<>();

        Set<UserHandle> users = new HashSet<>();

        users.add(user);

        users.add(user);

        update(users, mApps, false);

        update(users, mApps, false);

    }

    }

@RunWith(AndroidJUnit4.class)

@RunWith(AndroidJUnit4.class)

@SmallTest

@SmallTest

public class PermissionMonitorTest {

public class PermissionMonitorTest {

    private static final int MOCK_USER1 = 0;

    private static final UserHandle MOCK_USER1 = UserHandle.of(0);

    private static final int MOCK_USER2 = 1;

    private static final UserHandle MOCK_USER2 = UserHandle.of(1);

    private static final int MOCK_UID1 = 10001;

    private static final int MOCK_UID1 = 10001;

    private static final int MOCK_UID2 = 10086;

    private static final int MOCK_UID2 = 10086;

    private static final int SYSTEM_UID1 = 1000;

    private static final int SYSTEM_UID1 = 1000;

        when(mContext.getPackageManager()).thenReturn(mPackageManager);

        when(mContext.getPackageManager()).thenReturn(mPackageManager);

        when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager);

        when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager);

        when(mUserManager.getUserHandles(eq(true))).thenReturn(

        when(mUserManager.getUserHandles(eq(true))).thenReturn(

                Arrays.asList(new UserHandle[] {

                Arrays.asList(new UserHandle[] { MOCK_USER1, MOCK_USER2 }));

                        new UserHandle(MOCK_USER1),

                        new UserHandle(MOCK_USER2),

                }));

        mPermissionMonitor = spy(new PermissionMonitor(mContext, mNetdService, mDeps));

        mPermissionMonitor = spy(new PermissionMonitor(mContext, mNetdService, mDeps));

        return packageInfo;

        return packageInfo;

    }

    }

    private static PackageInfo buildPackageInfo(boolean hasSystemPermission, int uid, int userId) {

    private static PackageInfo buildPackageInfo(boolean hasSystemPermission, int uid,

            UserHandle user) {

        final PackageInfo pkgInfo;

        final PackageInfo pkgInfo;

        if (hasSystemPermission) {

        if (hasSystemPermission) {

            pkgInfo = systemPackageInfoWithPermissions(

            pkgInfo = systemPackageInfoWithPermissions(

        } else {

        } else {

            pkgInfo = packageInfoWithPermissions(REQUESTED_PERMISSION_GRANTED, new String[] {}, "");

            pkgInfo = packageInfoWithPermissions(REQUESTED_PERMISSION_GRANTED, new String[] {}, "");

        }

        }

        pkgInfo.applicationInfo.uid = UserHandle.getUid(userId, UserHandle.getAppId(uid));

        pkgInfo.applicationInfo.uid = UserHandle.getUid(user, UserHandle.getAppId(uid));

        return pkgInfo;

        return pkgInfo;

    }

    }

            }).when(mockNetd).networkClearPermissionForUser(any(int[].class));

            }).when(mockNetd).networkClearPermissionForUser(any(int[].class));

        }

        }

        public void expectPermission(Boolean permission, int[] users, int[] apps) {

        public void expectPermission(Boolean permission, UserHandle[] users, int[] apps) {

            for (final int user : users) {

            for (final UserHandle user : users) {

                for (final int app : apps) {

                for (final int app : apps) {

                    final int uid = UserHandle.getUid(user, app);

                    final int uid = UserHandle.getUid(user, app);

                    if (!mApps.containsKey(uid)) {

                    if (!mApps.containsKey(uid)) {

            }

            }

        }

        }

        public void expectNoPermission(int[] users, int[] apps) {

        public void expectNoPermission(UserHandle[] users, int[] apps) {

            for (final int user : users) {

            for (final UserHandle user : users) {

                for (final int app : apps) {

                for (final int app : apps) {

                    final int uid = UserHandle.getUid(user, app);

                    final int uid = UserHandle.getUid(user, app);

                    if (mApps.containsKey(uid)) {

                    if (mApps.containsKey(uid)) {

        // Add SYSTEM_PACKAGE2, expect only have network permission.

        // Add SYSTEM_PACKAGE2, expect only have network permission.

        mPermissionMonitor.onUserAdded(MOCK_USER1);

        mPermissionMonitor.onUserAdded(MOCK_USER1);

        addPackageForUsers(new int[]{MOCK_USER1}, SYSTEM_PACKAGE2, SYSTEM_UID);

        addPackageForUsers(new UserHandle[]{MOCK_USER1}, SYSTEM_PACKAGE2, SYSTEM_UID);

        mNetdMonitor.expectPermission(NETWORK, new int[]{MOCK_USER1}, new int[]{SYSTEM_UID});

        mNetdMonitor.expectPermission(NETWORK, new UserHandle[]{MOCK_USER1}, new int[]{SYSTEM_UID});

        // Add SYSTEM_PACKAGE1, expect permission escalate.

        // Add SYSTEM_PACKAGE1, expect permission escalate.

        addPackageForUsers(new int[]{MOCK_USER1}, SYSTEM_PACKAGE1, SYSTEM_UID);

        addPackageForUsers(new UserHandle[]{MOCK_USER1}, SYSTEM_PACKAGE1, SYSTEM_UID);

        mNetdMonitor.expectPermission(SYSTEM, new int[]{MOCK_USER1}, new int[]{SYSTEM_UID});

        mNetdMonitor.expectPermission(SYSTEM, new UserHandle[]{MOCK_USER1}, new int[]{SYSTEM_UID});

        mPermissionMonitor.onUserAdded(MOCK_USER2);

        mPermissionMonitor.onUserAdded(MOCK_USER2);

        mNetdMonitor.expectPermission(SYSTEM, new int[]{MOCK_USER1, MOCK_USER2},

        mNetdMonitor.expectPermission(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},

                new int[]{SYSTEM_UID});

                new int[]{SYSTEM_UID});

        addPackageForUsers(new int[]{MOCK_USER1, MOCK_USER2}, MOCK_PACKAGE1, MOCK_UID1);

        addPackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_PACKAGE1, MOCK_UID1);

        mNetdMonitor.expectPermission(SYSTEM, new int[]{MOCK_USER1, MOCK_USER2},

        mNetdMonitor.expectPermission(SYSTEM, new UserHandle[]{MOCK_USER1, MOCK_USER2},

                new int[]{SYSTEM_UID});

                new int[]{SYSTEM_UID});

        mNetdMonitor.expectPermission(NETWORK, new int[]{MOCK_USER1, MOCK_USER2},

        mNetdMonitor.expectPermission(NETWORK, new UserHandle[]{MOCK_USER1, MOCK_USER2},

                new int[]{MOCK_UID1});

                new int[]{MOCK_UID1});

        // Remove MOCK_UID1, expect no permission left for all user.

        // Remove MOCK_UID1, expect no permission left for all user.

        mPermissionMonitor.onPackageRemoved(MOCK_PACKAGE1, MOCK_UID1);

        mPermissionMonitor.onPackageRemoved(MOCK_PACKAGE1, MOCK_UID1);

        removePackageForUsers(new int[]{MOCK_USER1, MOCK_USER2}, MOCK_PACKAGE1, MOCK_UID1);

        removePackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2}, MOCK_PACKAGE1, MOCK_UID1);

        mNetdMonitor.expectNoPermission(new int[]{MOCK_USER1, MOCK_USER2}, new int[]{MOCK_UID1});

        mNetdMonitor.expectNoPermission(new UserHandle[]{MOCK_USER1, MOCK_USER2},

                new int[]{MOCK_UID1});

        // Remove SYSTEM_PACKAGE1, expect permission downgrade.

        // Remove SYSTEM_PACKAGE1, expect permission downgrade.

        when(mPackageManager.getPackagesForUid(anyInt())).thenReturn(new String[]{SYSTEM_PACKAGE2});

        when(mPackageManager.getPackagesForUid(anyInt())).thenReturn(new String[]{SYSTEM_PACKAGE2});

        removePackageForUsers(new int[]{MOCK_USER1, MOCK_USER2}, SYSTEM_PACKAGE1, SYSTEM_UID);

        removePackageForUsers(new UserHandle[]{MOCK_USER1, MOCK_USER2},

        mNetdMonitor.expectPermission(NETWORK, new int[]{MOCK_USER1, MOCK_USER2},

                SYSTEM_PACKAGE1, SYSTEM_UID);

        mNetdMonitor.expectPermission(NETWORK, new UserHandle[]{MOCK_USER1, MOCK_USER2},

                new int[]{SYSTEM_UID});

                new int[]{SYSTEM_UID});

        mPermissionMonitor.onUserRemoved(MOCK_USER1);

        mPermissionMonitor.onUserRemoved(MOCK_USER1);

        mNetdMonitor.expectPermission(NETWORK, new int[]{MOCK_USER2}, new int[]{SYSTEM_UID});

        mNetdMonitor.expectPermission(NETWORK, new UserHandle[]{MOCK_USER2}, new int[]{SYSTEM_UID});

        // Remove all packages, expect no permission left.

        // Remove all packages, expect no permission left.

        when(mPackageManager.getPackagesForUid(anyInt())).thenReturn(new String[]{});

        when(mPackageManager.getPackagesForUid(anyInt())).thenReturn(new String[]{});

        removePackageForUsers(new int[]{MOCK_USER2}, SYSTEM_PACKAGE2, SYSTEM_UID);

        removePackageForUsers(new UserHandle[]{MOCK_USER2}, SYSTEM_PACKAGE2, SYSTEM_UID);

        mNetdMonitor.expectNoPermission(new int[]{MOCK_USER1, MOCK_USER2},

        mNetdMonitor.expectNoPermission(new UserHandle[]{MOCK_USER1, MOCK_USER2},

                new int[]{SYSTEM_UID, MOCK_UID1});

                new int[]{SYSTEM_UID, MOCK_UID1});

        // Remove last user, expect no redundant clearPermission is invoked.

        // Remove last user, expect no redundant clearPermission is invoked.

        mPermissionMonitor.onUserRemoved(MOCK_USER2);

        mPermissionMonitor.onUserRemoved(MOCK_USER2);

        mNetdMonitor.expectNoPermission(new int[]{MOCK_USER1, MOCK_USER2},

        mNetdMonitor.expectNoPermission(new UserHandle[]{MOCK_USER1, MOCK_USER2},

                new int[]{SYSTEM_UID, MOCK_UID1});

                new int[]{SYSTEM_UID, MOCK_UID1});

    }

    }

    // Normal package add/remove operations will trigger multiple intent for uids corresponding to

    // Normal package add/remove operations will trigger multiple intent for uids corresponding to

    // each user. To simulate generic package operations, the onPackageAdded/Removed will need to be

    // each user. To simulate generic package operations, the onPackageAdded/Removed will need to be

    // called multiple times with the uid corresponding to each user.

    // called multiple times with the uid corresponding to each user.

    private void addPackageForUsers(int[] users, String packageName, int uid) {

    private void addPackageForUsers(UserHandle[] users, String packageName, int uid) {

        for (final int user : users) {

        for (final UserHandle user : users) {

            mPermissionMonitor.onPackageAdded(packageName, UserHandle.getUid(user, uid));

            mPermissionMonitor.onPackageAdded(packageName, UserHandle.getUid(user, uid));

        }

        }

    }

    }

    private void removePackageForUsers(int[] users, String packageName, int uid) {

    private void removePackageForUsers(UserHandle[] users, String packageName, int uid) {

        for (final int user : users) {

        for (final UserHandle user : users) {

            mPermissionMonitor.onPackageRemoved(packageName, UserHandle.getUid(user, uid));

            mPermissionMonitor.onPackageRemoved(packageName, UserHandle.getUid(user, uid));

        }

        }

    }

    }