
Enforce BLUETOOTH_PRIVILEGED permission for FIDO U2F over GATT
authorAlexei Czeskis <aczeskis@google.com>
Tue, 22 Dec 2015 22:16:27 +0000 (14:16 -0800)
committerAlexei Czeskis <aczeskis@google.com>
Tue, 5 Jan 2016 22:43:25 +0000 (14:43 -0800)
All access to external Bluetooth U2F devices must go through system
APIs so that calling apps cannot spoof their identity.  This change
blocks the whole FIDO U2F service from being accessed.

Change-Id: I122849452c09fb8bc3bff9ead2db1edf64ddfabc

src/com/android/bluetooth/gatt/GattService.java

index 376994c..2915935 100644 (file)
@@ -90,6 +90,10 @@ public class GattService extends ProfileService {
         UUID.fromString("00002A4D-0000-1000-8000-00805F9B34FB")
     };
 
+    private static final UUID[] FIDO_UUIDS = {
+        UUID.fromString("0000FFFD-0000-1000-8000-00805F9B34FB") // U2F
+    };
+
     /**
      * Search queue to serialize remote onbject inspection.
      */
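Review bot: FIDO_UUIDS has no comment saying what kind of UUID it holds, and it is easy to miss that it is matched against the service UUID, while the HID list is matched against the characteristic UUID (see isRestrictedSrvcUuid() and isRestrictedCharUuid() later in this diff). I would add `/** GATT service UUIDs that require BLUETOOTH_PRIVILEGED; compared with srvcUuid, not charUuid. */` above the array so the next entry is added to the right list.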
@@ -850,7 +854,7 @@ public class GattService extends ProfileService {
             + ", charUuid=" + charUuid + ", length=" + data.length);
 
 
-        if (isHidUuid(charUuid) &&
+        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid) &&
                (0 != checkCallingOrSelfPermission(BLUETOOTH_PRIVILEGED))) {
             return;
         }
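Review bot: The new condition mixes `||` and `&&` without grouping, so Java evaluates it as `isRestrictedCharUuid(charUuid) || (isRestrictedSrvcUuid(srvcUuid) && <permission denied>)`. For a HID characteristic the method now returns even when BLUETOOTH_PRIVILEGED is held, which the replaced `isHidUuid(charUuid) && ...` line did not do; it fails closed, so this is a functional regression rather than a bypass. The intended form is `if ((isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) &&`. Separately, if this method is a callback from the native stack rather than a binder call, `checkCallingOrSelfPermission` would evaluate the Bluetooth process's own identity and not the receiving app's, which is worth confirming. The enclosing method starts and ends outside this hunk.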
@@ -1515,7 +1519,9 @@ public class GattService extends ProfileService {
                             int srvcInstanceId, UUID srvcUuid,
                             int charInstanceId, UUID charUuid, int authReq) {
         enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
-        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+            enforcePrivilegedPermission();
+        }
 
         if (VDBG) Log.d(TAG, "readCharacteristic() - address=" + address);
 
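Review bot: The same three-line guard is pasted into readCharacteristic() here and into writeCharacteristic(), readDescriptor(), writeDescriptor() and registerForNotification() in the next four hunks. A single private helper, for example `private void enforcePrivilegedIfRestricted(UUID srvcUuid, UUID charUuid)`, called as `enforcePrivilegedIfRestricted(srvcUuid, charUuid);`, would keep the rule in one place. Because the decision rests on the srvcUuid and charUuid values the caller passes in, it is worth confirming that the native call further down resolves the attribute from those same UUIDs and not from the instance ids alone; that code is outside the hunk. The commit message says the whole service is blocked, so any other GattService entry point that takes a srvcUuid and is not touched by this diff should be checked as well.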
@@ -1535,7 +1541,9 @@ public class GattService extends ProfileService {
                              int charInstanceId, UUID charUuid, int writeType,
                              int authReq, byte[] value) {
         enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
-        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+            enforcePrivilegedPermission();
+        }
 
         if (VDBG) Log.d(TAG, "writeCharacteristic() - address=" + address);
 
@@ -1558,7 +1566,9 @@ public class GattService extends ProfileService {
                             int descrInstanceId, UUID descrUuid,
                             int authReq) {
         enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
-        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+            enforcePrivilegedPermission();
+        }
 
         if (VDBG) Log.d(TAG, "readDescriptor() - address=" + address);
 
@@ -1582,7 +1592,9 @@ public class GattService extends ProfileService {
                             int descrInstanceId, UUID descrUuid,
                             int writeType, int authReq, byte[] value) {
         enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
-        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+            enforcePrivilegedPermission();
+        }
 
         if (VDBG) Log.d(TAG, "writeDescriptor() - address=" + address);
 
@@ -1623,7 +1635,9 @@ public class GattService extends ProfileService {
                 int charInstanceId, UUID charUuid,
                 boolean enable) {
         enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
-        if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+        if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+            enforcePrivilegedPermission();
+        }
 
         if (DBG) Log.d(TAG, "registerForNotification() - address=" + address + " enable: " + enable);
 
@@ -2097,6 +2111,14 @@ public class GattService extends ProfileService {
      * Private functions
      *************************************************************************/
 
+    private boolean isRestrictedCharUuid(final UUID charUuid) {
+      return isHidUuid(charUuid);
+    }
+
+    private boolean isRestrictedSrvcUuid(final UUID srvcUuid) {
+      return isFidoUUID(srvcUuid);
+    }
+
     private boolean isHidUuid(final UUID uuid) {
         for (UUID hid_uuid : HID_UUIDS) {
             if (hid_uuid.equals(uuid)) return true;
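Review bot: The bodies of isRestrictedCharUuid() and isRestrictedSrvcUuid() are indented two spaces past the signature (`      return isHidUuid(charUuid);`), while isHidUuid() directly below and the rest of the visible class use four. Re-indent both return statements to match. A one-line comment on each helper saying which argument it is meant for (characteristic UUID and service UUID respectively) would help, since both take a plain `UUID` and the compiler will not catch a swapped argument. isHidUuid() continues past the end of this hunk.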
@@ -2104,6 +2126,13 @@ public class GattService extends ProfileService {
         return false;
     }
 
+    private boolean isFidoUUID(final UUID uuid) {
+        for (UUID fido_uuid : FIDO_UUIDS) {
+            if (fido_uuid.equals(uuid)) return true;
+        }
+        return false;
+    }
+
     private int getDeviceType(BluetoothDevice device) {
         int type = gattClientGetDeviceTypeNative(device.getAddress());
         if (DBG) Log.d(TAG, "getDeviceType() - device=" + device
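Review bot: `isFidoUUID` breaks the casing used by every other helper in this change (`isHidUuid`, `isRestrictedCharUuid`, `isRestrictedSrvcUuid`). Rename it to `isFidoUuid` and update the call in isRestrictedSrvcUuid(). The loop itself mirrors isHidUuid() and needs no change. getDeviceType() at the end of the hunk continues outside it.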