
Commit cc887171 authored by Karishma Vakil's avatar Karishma Vakil Committed by Android (Google) Code Review

Merge "[Permissions] Add temporary logging to debug Bluetooth security exception" into main

parents 8996039f 673ef978
+34 −0
@@ -71,6 +71,7 @@ import android.os.UserManager;
import android.provider.DeviceConfig;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.Log;
import android.util.LongSparseArray;
import android.util.LongSparseLongArray;
import android.util.Pools;
@@ -7705,6 +7706,14 @@ public class AppOpsManager {
    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
    public void setUidMode(int code, int uid, @Mode int mode) {
        try {
            // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
            if (code == OP_BLUETOOTH_CONNECT) {
                Log.i(DEBUG_LOGGING_TAG,
                        "setUidMode called for OP_BLUETOOTH_CONNECT with mode: " + mode
                                + " for uid: " + uid + " calling uid: " + Binder.getCallingUid()
                                + " trace: "
                                + Arrays.toString(Thread.currentThread().getStackTrace()));
            }
            mService.setUidMode(code, uid, mode);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
@@ -7725,6 +7734,15 @@ public class AppOpsManager {
    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
    public void setUidMode(@NonNull String appOp, int uid, @Mode int mode) {
        try {
            // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
            if (appOp.equals(OPSTR_BLUETOOTH_CONNECT)) {
                Log.i(DEBUG_LOGGING_TAG,
                        "setUidMode called for OPSTR_BLUETOOTH_CONNECT with mode: " + mode
                                + " for uid: " + uid + " calling uid: " + Binder.getCallingUid()
                                + " trace: "
                                + Arrays.toString(Thread.currentThread().getStackTrace()));
            }

            mService.setUidMode(AppOpsManager.strOpToOp(appOp), uid, mode);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
@@ -7765,6 +7783,14 @@ public class AppOpsManager {
    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
    public void setMode(int code, int uid, String packageName, @Mode int mode) {
        try {
            // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
            if (code == OP_BLUETOOTH_CONNECT) {
                Log.i(DEBUG_LOGGING_TAG,
                        "setMode called for OPSTR_BLUETOOTH_CONNECT with mode: " + mode
                                + " for uid: " + uid + " calling uid: " + Binder.getCallingUid()
                                + " trace: "
                                + Arrays.toString(Thread.currentThread().getStackTrace()));
            }
            mService.setMode(code, uid, packageName, mode);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
@@ -7787,6 +7813,14 @@ public class AppOpsManager {
    public void setMode(@NonNull String op, int uid, @Nullable String packageName,
            @Mode int mode) {
        try {
            // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
            if (op.equals(OPSTR_BLUETOOTH_CONNECT)) {
                Log.i(DEBUG_LOGGING_TAG,
                        "setMode called for OPSTR_BLUETOOTH_CONNECT with mode: " + mode
                                + " for uid: " + uid + " calling uid: " + Binder.getCallingUid()
                                + " trace: "
                                + Arrays.toString(Thread.currentThread().getStackTrace()));
            }
            mService.setMode(strOpToOp(op), uid, packageName, mode);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
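Review bot: In the two String overloads, `appOp.equals(OPSTR_BLUETOOTH_CONNECT)` and `op.equals(OPSTR_BLUETOOTH_CONNECT)` dereference the argument before `strOpToOp` sees it, so a null op name now fails inside the temporary debug check instead of in whatever validation `strOpToOp` performs (not visible here). Writing the check as `if (OPSTR_BLUETOOTH_CONNECT.equals(appOp)) {` keeps the logging free of side effects. The message in `setMode(int code, ...)` says `OPSTR_BLUETOOTH_CONNECT` although the test is on `OP_BLUETOOTH_CONNECT`, which makes the int and String entry points indistinguishable in the log; `"setMode called for OP_BLUETOOTH_CONNECT with mode: "` would match the check. The trace is flattened into one string with `Arrays.toString(...)`, which logcat may truncate; passing `new Throwable()` as the third argument to `Log.i` prints it one frame per line. All four method bodies continue outside their hunks, and `DEBUG_LOGGING_TAG` is defined outside the visible lines.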
+28 −0
@@ -33,6 +33,7 @@ import static android.app.AppOpsManager.MODE_DEFAULT;
import static android.app.AppOpsManager.MODE_ERRORED;
import static android.app.AppOpsManager.MODE_FOREGROUND;
import static android.app.AppOpsManager.MODE_IGNORED;
import static android.app.AppOpsManager.OP_BLUETOOTH_CONNECT;
import static android.app.AppOpsManager.OP_CAMERA;
import static android.app.AppOpsManager.OP_CAMERA_SANDBOXED;
import static android.app.AppOpsManager.OP_FLAGS_ALL;
@@ -2849,6 +2850,11 @@ public class AppOpsService extends IAppOpsService.Stub {
        verifyIncomingUid(uid);
        verifyIncomingOp(code);
        if (!isIncomingPackageValid(packageName, UserHandle.getUserId(uid))) {
            // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
            if (code == OP_BLUETOOTH_CONNECT) {
                Slog.e(TAG, "noting OP_BLUETOOTH_CONNECT returned MODE_ERRORED as incoming "
                        + "package: " + packageName + " and uid: " + uid + " is invalid");
            }
            return new SyncNotedAppOp(AppOpsManager.MODE_ERRORED, code, attributionTag,
                    packageName);
        }
@@ -2877,6 +2883,13 @@ public class AppOpsService extends IAppOpsService.Stub {
            }
        } catch (SecurityException e) {
            logVerifyAndGetBypassFailure(uid, e, "noteOperation");
            // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
            if (code == OP_BLUETOOTH_CONNECT) {
                Slog.e(TAG, "noting OP_BLUETOOTH_CONNECT returned MODE_ERRORED as"
                        + " verifyAndGetBypass returned a SecurityException for package: "
                        + packageName + " and uid: " + uid + " and attributionTag: "
                        + attributionTag, e);
            }
            return new SyncNotedAppOp(AppOpsManager.MODE_ERRORED, code, attributionTag,
                    packageName);
        }
@@ -2890,6 +2903,11 @@ public class AppOpsService extends IAppOpsService.Stub {
                if (DEBUG) Slog.d(TAG, "noteOperation: no op for code " + code + " uid " + uid
                        + " package " + packageName + "flags: " +
                        AppOpsManager.flagsToString(flags));
                // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                if (code == OP_BLUETOOTH_CONNECT) {
                    Slog.e(TAG, "noting OP_BLUETOOTH_CONNECT returned MODE_ERRORED as"
                            + " #getOpsLocked returned null");
                }
                return new SyncNotedAppOp(AppOpsManager.MODE_ERRORED, code, attributionTag,
                        packageName);
            }
@@ -2930,6 +2948,11 @@ public class AppOpsService extends IAppOpsService.Stub {
                    attributedOp.rejected(uidState.getState(), flags);
                    scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,
                            uidMode);
                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                    if (code == OP_BLUETOOTH_CONNECT && uidMode == MODE_ERRORED) {
                        Slog.e(TAG, "noting OP_BLUETOOTH_CONNECT returned MODE_ERRORED as"
                                + " uid mode is MODE_ERRORED");
                    }
                    return new SyncNotedAppOp(uidMode, code, attributionTag, packageName);
                }
            } else {
@@ -2949,6 +2972,11 @@ public class AppOpsService extends IAppOpsService.Stub {
                    attributedOp.rejected(uidState.getState(), flags);
                    scheduleOpNotedIfNeededLocked(code, uid, packageName, attributionTag, flags,
                            mode);
                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                    if (code == OP_BLUETOOTH_CONNECT && mode == MODE_ERRORED) {
                        Slog.e(TAG, "noting OP_BLUETOOTH_CONNECT returned MODE_ERRORED as"
                                + " package mode is MODE_ERRORED");
                    }
                    return new SyncNotedAppOp(mode, code, attributionTag, packageName);
                }
            }
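Review bot: The first added `Slog.e` writes `packageName` to the system log at error level right after `isIncomingPackageValid` has rejected it, so the value is by definition unvalidated at that point. The second added message does the same with `attributionTag`. If these paths are reachable with caller-supplied strings, as the "incoming" naming suggests, a caller could flood the log or embed line breaks in it; neutralising the value, e.g. `+ "package: " + String.valueOf(packageName).replace('\n', ' ') + " and uid: " + uid + " is invalid");`, avoids forged lines. The three later messages (`#getOpsLocked returned null`, `uid mode is MODE_ERRORED`, `package mode is MODE_ERRORED`) carry no uid or package, so they cannot be tied to a caller when several apps hit the path; appending `" for uid: " + uid` would make them usable for the diagnosis. The enclosing method starts and ends outside these hunks.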
+0 −35
@@ -1229,11 +1229,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                        sPlatformPermissions.put(permission, permissionInfo);
                    }
                } catch (PackageManager.NameNotFoundException ignored) {
                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as package"
                                + " not found when retrieving permission info");
                    }
                    return PermissionChecker.PERMISSION_HARD_DENIED;
                }
            }
@@ -1353,34 +1348,17 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                // way we can avoid the datasource creating an attribution context for every call.
                if (!(fromDatasource && current.equals(attributionSource))
                        && next != null && !current.isTrusted(context)) {
                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as "
                                + current + " attribution source isn't a data source and "
                                + current + " isn't trusted");
                    }
                    return PermissionChecker.PERMISSION_HARD_DENIED;
                }

                // If we already checked the permission for this one, skip the work
                if (!skipCurrentChecks && !checkPermission(context, permissionManagerServiceInt,
                        permission, current)) {
                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as we"
                                + " aren't skipping permission checks and permission check returns"
                                + " false for " + current);
                    }
                    return PermissionChecker.PERMISSION_HARD_DENIED;
                }

                if (next != null && !checkPermission(context, permissionManagerServiceInt,
                        permission, next)) {
                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as"
                                + " permission check returns false for next source " + next);
                    }
                    return PermissionChecker.PERMISSION_HARD_DENIED;
                }

@@ -1697,12 +1675,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                final AttributionSource resolvedAttributionSource = resolveAttributionSource(
                        context, accessorSource);
                if (resolvedAttributionSource.getPackageName() == null) {
                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                    if (op == OP_BLUETOOTH_CONNECT) {
                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as resolved"
                                + "package name for " + resolvedAttributionSource + " returned"
                                + " null");
                    }
                    return AppOpsManager.MODE_ERRORED;
                }
                int notedOp = op;
@@ -1716,13 +1688,6 @@ public class PermissionManagerService extends IPermissionManager.Stub {
                if (attributedOp != AppOpsManager.OP_NONE && attributedOp != op) {
                    checkedOpResult = appOpsManager.checkOpNoThrow(op, resolvedAttributionSource);
                    if (checkedOpResult == MODE_ERRORED) {
                        // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
                        if (op == OP_BLUETOOTH_CONNECT) {
                            Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as"
                                    + " checkOp for resolvedAttributionSource "
                                    + resolvedAttributionSource + " and op " + op
                                    + " returned MODE_ERRORED");
                        }
                        return checkedOpResult;
                    }
                    notedOp = attributedOp;