
Commit 717eb278 authored by Alexei Czeskis's avatar Alexei Czeskis

Enforce BLUETOOTH_PRIVILEGED permission for FIDO U2F over GATT

All access to external Bluetooth U2F devices must go through system
APIs so that calling apps cannot spoof their identity.  This change
blocks the whole FIDO U2F service from being accessed.

Change-Id: I122849452c09fb8bc3bff9ead2db1edf64ddfabc
parent 82e316ef
+35 −6
@@ -90,6 +90,10 @@ public class GattService extends ProfileService {
        UUID.fromString("00002A4D-0000-1000-8000-00805F9B34FB")
    };

    private static final UUID[] FIDO_UUIDS = {
        UUID.fromString("0000FFFD-0000-1000-8000-00805F9B34FB") // U2F
    };

    /**
     * Search queue to serialize remote onbject inspection.
     */
@@ -850,7 +854,7 @@ public class GattService extends ProfileService {
            + ", charUuid=" + charUuid + ", length=" + data.length);


        if (isHidUuid(charUuid) &&
        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid) &&
               (0 != checkCallingOrSelfPermission(BLUETOOTH_PRIVILEGED))) {
            return;
        }
@@ -1515,7 +1519,9 @@ public class GattService extends ProfileService {
                            int srvcInstanceId, UUID srvcUuid,
                            int charInstanceId, UUID charUuid, int authReq) {
        enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
            enforcePrivilegedPermission();
        }

        if (VDBG) Log.d(TAG, "readCharacteristic() - address=" + address);

@@ -1535,7 +1541,9 @@ public class GattService extends ProfileService {
                             int charInstanceId, UUID charUuid, int writeType,
                             int authReq, byte[] value) {
        enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
            enforcePrivilegedPermission();
        }

        if (VDBG) Log.d(TAG, "writeCharacteristic() - address=" + address);

@@ -1558,7 +1566,9 @@ public class GattService extends ProfileService {
                            int descrInstanceId, UUID descrUuid,
                            int authReq) {
        enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
            enforcePrivilegedPermission();
        }

        if (VDBG) Log.d(TAG, "readDescriptor() - address=" + address);

@@ -1582,7 +1592,9 @@ public class GattService extends ProfileService {
                            int descrInstanceId, UUID descrUuid,
                            int writeType, int authReq, byte[] value) {
        enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
            enforcePrivilegedPermission();
        }

        if (VDBG) Log.d(TAG, "writeDescriptor() - address=" + address);

@@ -1623,7 +1635,9 @@ public class GattService extends ProfileService {
                int charInstanceId, UUID charUuid,
                boolean enable) {
        enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
            enforcePrivilegedPermission();
        }

        if (DBG) Log.d(TAG, "registerForNotification() - address=" + address + " enable: " + enable);

@@ -2097,6 +2111,14 @@ public class GattService extends ProfileService {
     * Private functions
     *************************************************************************/

    private boolean isRestrictedCharUuid(final UUID charUuid) {
      return isHidUuid(charUuid);
    }

    private boolean isRestrictedSrvcUuid(final UUID srvcUuid) {
      return isFidoUUID(srvcUuid);
    }

    private boolean isHidUuid(final UUID uuid) {
        for (UUID hid_uuid : HID_UUIDS) {
            if (hid_uuid.equals(uuid)) return true;
@@ -2104,6 +2126,13 @@ public class GattService extends ProfileService {
        return false;
    }

    private boolean isFidoUUID(final UUID uuid) {
        for (UUID fido_uuid : FIDO_UUIDS) {
            if (fido_uuid.equals(uuid)) return true;
        }
        return false;
    }

    private int getDeviceType(BluetoothDevice device) {
        int type = gattClientGetDeviceTypeNative(device.getAddress());
        if (DBG) Log.d(TAG, "getDeviceType() - device=" + device
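Review bot: In the hunk at `@@ -850,7 +854,7`, the new condition `isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid) && (0 != checkCallingOrSelfPermission(BLUETOOTH_PRIVILEGED))` is missing a pair of parentheses: `&&` binds tighter than `||`, so it evaluates as `A || (B && C)`. A restricted (HID) characteristic UUID therefore reaches the `return` whether or not the caller holds BLUETOOTH_PRIVILEGED, and only the FIDO service branch is actually gated on the permission check. This fails closed rather than open, but it appears to drop the event for privileged callers as well, which the removed `isHidUuid(charUuid) &&` form did not do; the first line should read `if ((isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) &&`. The enclosing method starts and ends outside the hunk, so the code path after the `return` cannot be confirmed from here.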