Factor out telephony permission checks into a helper class. (d4ddd4ca) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/TelephonyRegistry.java

+25 −71

Original line number	Diff line number	Diff line
		@@ -55,6 +55,7 @@ import com.android.internal.telephony.ITelephonyRegistry;
		import com.android.internal.telephony.PhoneConstantConversions;
		import com.android.internal.telephony.PhoneConstants;
		import com.android.internal.telephony.TelephonyIntents;
		import com.android.internal.telephony.TelephonyPermissions;
		import com.android.internal.util.DumpUtils;
		import com.android.internal.util.IndentingPrintWriter;
		import com.android.server.am.BatteryStatsService;
		@@ -362,21 +363,10 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub {
		+ " callback.asBinder=" + callback.asBinder());
		}

		try {
		mContext.enforceCallingOrSelfPermission(
		android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE,
		"addOnSubscriptionsChangedListener");
		// SKIP checking for run-time permission since caller or self has PRIVILEGED permission
		} catch (SecurityException e) {
		mContext.enforceCallingOrSelfPermission(
		android.Manifest.permission.READ_PHONE_STATE,
		"addOnSubscriptionsChangedListener");

		if (mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(),
		callingPackage) != AppOpsManager.MODE_ALLOWED) {
		if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(
		mContext, callingPackage, "addOnSubscriptionsChangedListener")) {
		return;
		}
		}

		Record r;

		@@ -477,22 +467,12 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub {
		}

		if (events != PhoneStateListener.LISTEN_NONE) {
		/* Checks permission and throws Security exception */
		checkListenerPermission(events);

		if ((events & ENFORCE_PHONE_STATE_PERMISSION_MASK) != 0) {
		try {
		mContext.enforceCallingOrSelfPermission(
		android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, null);
		// SKIP checking for run-time permission since caller or self has PRIVILEGED
		// permission
		} catch (SecurityException e) {
		if (mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(),
		callingPackage) != AppOpsManager.MODE_ALLOWED) {
		// Checks permission and throws SecurityException for disallowed operations. For pre-M
		// apps whose runtime permission has been revoked, we return immediately to skip sending
		// events to the app without crashing it.
		if (!checkListenerPermission(events, callingPackage, "listen")) {
		return;
		}
		}
		}

		synchronized (mRecords) {
		// register
		@@ -517,7 +497,8 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub {
		r.callerUserId = callerUserId;
		boolean isPhoneStateEvent = (events & (CHECK_PHONE_STATE_PERMISSION_MASK
		\| ENFORCE_PHONE_STATE_PERMISSION_MASK)) != 0;
		r.canReadPhoneState = isPhoneStateEvent && canReadPhoneState(callingPackage);
		r.canReadPhoneState =
		isPhoneStateEvent && canReadPhoneState(callingPackage, "listen");
		// Legacy applications pass SubscriptionManager.DEFAULT_SUB_ID,
		// force all illegal subId to SubscriptionManager.DEFAULT_SUB_ID
		if (!SubscriptionManager.isValidSubscriptionId(subId)) {
		@@ -675,21 +656,13 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub {
		}
		}

		private boolean canReadPhoneState(String callingPackage) {
		if (mContext.checkCallingOrSelfPermission(
		android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE) ==
		PackageManager.PERMISSION_GRANTED) {
		// SKIP checking for run-time permission since caller or self has PRIVILEGED permission
		return true;
		}
		boolean canReadPhoneState = mContext.checkCallingOrSelfPermission(
		android.Manifest.permission.READ_PHONE_STATE) == PackageManager.PERMISSION_GRANTED;
		if (canReadPhoneState &&
		mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(),
		callingPackage) != AppOpsManager.MODE_ALLOWED) {
		private boolean canReadPhoneState(String callingPackage, String message) {
		try {
		return TelephonyPermissions.checkCallingOrSelfReadPhoneState(
		mContext, callingPackage, message);
		} catch (SecurityException e) {
		return false;
		}
		return canReadPhoneState;
		}

		private String getCallIncomingNumber(Record record, int phoneId) {
		@@ -1623,7 +1596,8 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub {
		return;
		}

		enforceCarrierPrivilege();
		TelephonyPermissions.enforceCallingOrSelfCarrierPrivilege(
		SubscriptionManager.getDefaultSubscriptionId(), method);
		}

		private boolean checkNotifyPermission(String method) {
		@@ -1641,23 +1615,7 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub {
		== PackageManager.PERMISSION_GRANTED;
		}

		private void enforceCarrierPrivilege() {
		TelephonyManager tm = TelephonyManager.getDefault();
		String[] pkgs = mContext.getPackageManager().getPackagesForUid(Binder.getCallingUid());
		for (String pkg : pkgs) {
		if (tm.checkCarrierPrivilegesForPackage(pkg) ==
		TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS) {
		return;
		}
		}

		String msg = "Carrier Privilege Permission Denial: from pid=" + Binder.getCallingPid()
		+ ", uid=" + Binder.getCallingUid();
		if (DBG) log(msg);
		throw new SecurityException(msg);
		}

		private void checkListenerPermission(int events) {
		private boolean checkListenerPermission(int events, String callingPackage, String message) {
		if ((events & PhoneStateListener.LISTEN_CELL_LOCATION) != 0) {
		mContext.enforceCallingOrSelfPermission(
		android.Manifest.permission.ACCESS_COARSE_LOCATION, null);
		@@ -1671,22 +1629,18 @@ class TelephonyRegistry extends ITelephonyRegistry.Stub {
		}

		if ((events & ENFORCE_PHONE_STATE_PERMISSION_MASK) != 0) {
		try {
		mContext.enforceCallingOrSelfPermission(
		android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, null);
		// SKIP checking for run-time permission since caller or self has PRIVILEGED
		// permission
		} catch (SecurityException e) {
		mContext.enforceCallingOrSelfPermission(
		android.Manifest.permission.READ_PHONE_STATE, null);
		if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(
		mContext, callingPackage, message)) {
		return false;
		}
		}

		if ((events & PRECISE_PHONE_STATE_PERMISSION_MASK) != 0) {
		mContext.enforceCallingOrSelfPermission(
		android.Manifest.permission.READ_PRECISE_PHONE_STATE, null);

		}

		return true;
		}

		private void handleRemoveListLocked() {

telephony/java/com/android/internal/telephony/ITelephony.aidl

+5 −0

Original line number	Diff line number	Diff line
		@@ -951,6 +951,11 @@ interface ITelephony {
		*/
		int getCarrierPrivilegeStatus(int subId);

		/**
		* Similar to above, but check for the given uid.
		*/
		int getCarrierPrivilegeStatusForUid(int subId, int uid);

		/**
		* Similar to above, but check for the package whose name is pkgName.
		*/

telephony/java/com/android/internal/telephony/TelephonyPermissions.java

0 → 100644

+209 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2018 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/
		package com.android.internal.telephony;

		import android.app.AppOpsManager;
		import android.content.Context;
		import android.content.pm.PackageManager;
		import android.os.Binder;
		import android.os.RemoteException;
		import android.os.ServiceManager;
		import android.telephony.Rlog;
		import android.telephony.SubscriptionManager;
		import android.telephony.TelephonyManager;

		import com.android.internal.annotations.VisibleForTesting;
		import com.android.internal.telephony.ITelephony;

		/** Utility class for Telephony permission enforcement. */
		public final class TelephonyPermissions {
		private static final String LOG_TAG = "TelephonyPermissions";

		private static final boolean DBG = false;

		private TelephonyPermissions() {}

		/**
		* Check whether the caller (or self, if not processing an IPC) can read phone state.
		*
		* <p>This method behaves in one of the following ways:
		* <ul>
		* <li>return true: if the caller has either the READ_PRIVILEGED_PHONE_STATE permission or the
		* READ_PHONE_STATE runtime permission.
		* <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for
		* apps which support runtime permissions, if the caller does not currently have any of
		* these permissions.
		* <li>return false: if the caller lacks all of these permissions and doesn't support runtime
		* permissions. This implies that the user revoked the ability to read phone state
		* manually (via AppOps). In this case we can't throw as it would break app compatibility,
		* so we return false to indicate that the calling function should return dummy data.
		* </ul>
		*/
		public static boolean checkCallingOrSelfReadPhoneState(
		Context context, String callingPackage, String message) {
		return checkReadPhoneState(context, Binder.getCallingPid(), Binder.getCallingUid(),
		callingPackage, message);
		}

		/**
		* Check whether the app with the given pid/uid can read phone state.
		*
		* <p>This method behaves in one of the following ways:
		* <ul>
		* <li>return true: if the caller has either the READ_PRIVILEGED_PHONE_STATE permission or the
		* READ_PHONE_STATE runtime permission.
		* <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for
		* apps which support runtime permissions, if the caller does not currently have any of
		* these permissions.
		* <li>return false: if the caller lacks all of these permissions and doesn't support runtime
		* permissions. This implies that the user revoked the ability to read phone state
		* manually (via AppOps). In this case we can't throw as it would break app compatibility,
		* so we return false to indicate that the calling function should return dummy data.
		* </ul>
		*/
		public static boolean checkReadPhoneState(
		Context context, int pid, int uid, String callingPackage, String message) {
		try {
		context.enforcePermission(
		android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, pid, uid, message);

		// SKIP checking for run-time permission since caller has PRIVILEGED permission
		return true;
		} catch (SecurityException privilegedPhoneStateException) {
		context.enforcePermission(
		android.Manifest.permission.READ_PHONE_STATE, pid, uid, message);
		}

		// We have READ_PHONE_STATE permission, so return true as long as the AppOps bit hasn't been
		// revoked.
		AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
		return appOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, uid, callingPackage) ==
		AppOpsManager.MODE_ALLOWED;
		}

		/**
		* Returns whether the caller can read phone numbers.
		*
		* <p>Besides apps with the ability to read phone state per {@link #checkReadPhoneState}, the
		* default SMS app and apps with READ_SMS or READ_PHONE_NUMBERS can also read phone numbers.
		*/
		public static boolean checkCallingOrSelfReadPhoneNumber(
		Context context, String callingPackage, String message) {
		return checkReadPhoneNumber(
		context, Binder.getCallingPid(), Binder.getCallingUid(), callingPackage, message);
		}

		@VisibleForTesting
		public static boolean checkReadPhoneNumber(
		Context context, int pid, int uid, String callingPackage, String message) {
		// Default SMS app can always read it.
		AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
		if (appOps.noteOp(AppOpsManager.OP_WRITE_SMS, uid, callingPackage) ==
		AppOpsManager.MODE_ALLOWED) {
		return true;
		}

		// NOTE(b/73308711): If an app has one of the following AppOps bits explicitly revoked, they
		// will be denied access, even if they have another permission and AppOps bit if needed.

		// First, check if we can read the phone state.
		try {
		return checkReadPhoneState(context, pid, uid, callingPackage, message);
		} catch (SecurityException readPhoneStateSecurityException) {
		}
		// Can be read with READ_SMS too.
		try {
		context.enforcePermission(android.Manifest.permission.READ_SMS, pid, uid, message);
		int opCode = AppOpsManager.permissionToOpCode(android.Manifest.permission.READ_SMS);
		if (opCode != AppOpsManager.OP_NONE) {
		return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED;
		} else {
		return true;
		}
		} catch (SecurityException readSmsSecurityException) {
		}
		// Can be read with READ_PHONE_NUMBERS too.
		try {
		context.enforcePermission(android.Manifest.permission.READ_PHONE_NUMBERS, pid, uid,
		message);
		int opCode = AppOpsManager.permissionToOpCode(
		android.Manifest.permission.READ_PHONE_NUMBERS);
		if (opCode != AppOpsManager.OP_NONE) {
		return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED;
		} else {
		return true;
		}
		} catch (SecurityException readPhoneNumberSecurityException) {
		}

		throw new SecurityException(message + ": Neither user " + uid +
		" nor current process has " + android.Manifest.permission.READ_PHONE_STATE +
		", " + android.Manifest.permission.READ_SMS + ", or " +
		android.Manifest.permission.READ_PHONE_NUMBERS);
		}

		/**
		* Ensure the caller (or self, if not processing an IPC) has MODIFY_PHONE_STATE (and is thus a
		* privileged app) or carrier privileges.
		*
		* @throws SecurityException if the caller does not have the required permission/privileges
		*/
		public static void enforceCallingOrSelfModifyPermissionOrCarrierPrivilege(
		Context context, int subId, String message) {
		if (context.checkCallingOrSelfPermission(android.Manifest.permission.MODIFY_PHONE_STATE) ==
		PackageManager.PERMISSION_GRANTED) {
		return;
		}

		if (DBG) Rlog.d(LOG_TAG, "No modify permission, check carrier privilege next.");
		enforceCallingOrSelfCarrierPrivilege(subId, message);
		}

		/**
		* Make sure the caller (or self, if not processing an IPC) has carrier privileges.
		*
		* @throws SecurityException if the caller does not have the required privileges
		*/
		public static void enforceCallingOrSelfCarrierPrivilege(int subId, String message) {
		// NOTE: It's critical that we explicitly pass the calling UID here rather than call
		// TelephonyManager#hasCarrierPrivileges directly, as the latter only works when called from
		// the phone process. When called from another process, it will check whether that process
		// has carrier privileges instead.
		enforceCarrierPrivilege(subId, Binder.getCallingUid(), message);
		}

		private static void enforceCarrierPrivilege(int subId, int uid, String message) {
		if (getCarrierPrivilegeStatus(subId, uid) !=
		TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS) {
		if (DBG) Rlog.e(LOG_TAG, "No Carrier Privilege.");
		throw new SecurityException(message);
		}
		}

		private static int getCarrierPrivilegeStatus(int subId, int uid) {
		ITelephony telephony =
		ITelephony.Stub.asInterface(ServiceManager.getService(Context.TELEPHONY_SERVICE));
		try {
		if (telephony != null) {
		return telephony.getCarrierPrivilegeStatusForUid(subId, uid);
		}
		} catch (RemoteException e) {
		// Fallback below.
		}
		Rlog.e(LOG_TAG, "Phone process is down, cannot check carrier privileges");
		return TelephonyManager.CARRIER_PRIVILEGE_STATUS_NO_ACCESS;
		}
		}