Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6f3677dc authored by William Escande's avatar William Escande
Browse files

Enforce Connect permission 

Ignore-AOSP-First: security fix
Fix: 211757425
Test: atest CtsBluetoothTestCases
Tag: #security
Change-Id: Ie52879884adcf8a623948377657b67590d988de0
parent 7c290b99

android/app/src/com/android/bluetooth/btservice/AdapterService.java

+8 −4
Original line number Diff line number Diff line
@@ -2212,18 +2212,22 @@ public class AdapterService extends Service { 
         * methods must be changed if the logic behind this method changes.

         */

        @Override

        public void getProfileConnectionState(int profile, SynchronousResultReceiver receiver) {

        public void getProfileConnectionState(int profile, AttributionSource source,

                SynchronousResultReceiver receiver) {

            try {

                receiver.send(getProfileConnectionState(profile));

                receiver.send(getProfileConnectionState(profile, source));

            } catch (RuntimeException e) {

                receiver.propagateException(e);

            }

        }

        private int getProfileConnectionState(int profile) {

        @RequiresPermission(android.Manifest.permission.BLUETOOTH_CONNECT)

        private int getProfileConnectionState(int profile, AttributionSource source) {

            AdapterService service = getService();

            if (service == null

                    || !callerIsSystemOrActiveOrManagedUser(

                            service, TAG, "getProfileConnectionState")) {

                            service, TAG, "getProfileConnectionState")

                    || !Utils.checkConnectPermissionForDataDelivery(

                            service, source, "AdapterService getProfileConnectionState")) {

                return BluetoothProfile.STATE_DISCONNECTED;

            }

framework/java/android/bluetooth/BluetoothAdapter.java

+10 −6
Original line number Diff line number Diff line
@@ -3046,16 +3046,20 @@ public final class BluetoothAdapter { 
        return STATE_DISCONNECTED;

    }



    private static final IpcDataCache.QueryHandler<Pair<IBluetooth, Integer>, Integer>

    private static final IpcDataCache

            .QueryHandler<Pair<IBluetooth, Pair<AttributionSource, Integer>>, Integer>

            sBluetoothProfileQuery = new IpcDataCache.QueryHandler<>() {

                @RequiresNoPermission

                @Override

                public Integer apply(Pair<IBluetooth, Integer> pairQuery) {

                public Integer apply(Pair<IBluetooth, Pair<AttributionSource, Integer>> pairQuery) {

                    IBluetooth service = pairQuery.first;

                    AttributionSource source = pairQuery.second.first;

                    Integer profile = pairQuery.second.second;

                    final int defaultValue = STATE_DISCONNECTED;

                    try {

                        final SynchronousResultReceiver<Integer> recv =

                                SynchronousResultReceiver.get();

                        pairQuery.first.getProfileConnectionState(pairQuery.second, recv);

                        service.getProfileConnectionState(profile, source, recv);

                        return recv.awaitResultNoInterrupt(getSyncTimeout()).getValue(defaultValue);

                    } catch (RemoteException | TimeoutException e) {

                        throw new RuntimeException(e);
@@ -3065,7 +3069,7 @@ public final class BluetoothAdapter { 


    private static final String PROFILE_API = "BluetoothAdapter_getProfileConnectionState";



    private static final IpcDataCache<Pair<IBluetooth, Integer>, Integer>

    private static final IpcDataCache<Pair<IBluetooth, Pair<AttributionSource, Integer>>, Integer>

            sGetProfileConnectionStateCache = new BluetoothCache<>(PROFILE_API,

                    sBluetoothProfileQuery);
@@ -3095,7 +3099,6 @@ public final class BluetoothAdapter { 
    @RequiresLegacyBluetoothPermission

    @RequiresBluetoothConnectPermission

    @RequiresPermission(android.Manifest.permission.BLUETOOTH_CONNECT)

    @SuppressLint("AndroidFrameworkRequiresPermission")

    public @ConnectionState int getProfileConnectionState(int profile) {

        if (getState() != STATE_ON) {

            return STATE_DISCONNECTED;
@@ -3103,7 +3106,8 @@ public final class BluetoothAdapter { 
        mServiceLock.readLock().lock();

        try {

            if (mService != null) {

                return sGetProfileConnectionStateCache.query(new Pair<>(mService, profile));

                return sGetProfileConnectionStateCache.query(

                        new Pair<>(mService, new Pair<>(mAttributionSource, profile)));

            }

        } catch (RuntimeException e) {

            if (!(e.getCause() instanceof TimeoutException)

system/binder/android/bluetooth/IBluetooth.aidl

+2 −2
Original line number Diff line number Diff line
@@ -98,8 +98,8 @@ interface IBluetooth 


    @JavaPassthrough(annotation="@android.annotation.RequiresNoPermission")

    oneway void getAdapterConnectionState(in SynchronousResultReceiver receiver);

    @JavaPassthrough(annotation="@android.annotation.RequiresNoPermission")

    oneway void getProfileConnectionState(int profile, in SynchronousResultReceiver receiver);

    @JavaPassthrough(annotation="@android.annotation.RequiresPermission(android.Manifest.permission.BLUETOOTH_CONNECT)")

    oneway void getProfileConnectionState(int profile, in AttributionSource source, in SynchronousResultReceiver receiver);



    @JavaPassthrough(annotation="@android.annotation.RequiresPermission(android.Manifest.permission.BLUETOOTH_CONNECT)")

    oneway void getBondedDevices(in AttributionSource attributionSource, in SynchronousResultReceiver receiver);