ConnectivityManager and its usages are removed from
NetworkStatsService. After that, forceUpdateIfaces requires
information that only ConnectivityService has, hence
restricting the calling permission to NETWORK_STACK or
MAINLINE_NETWORK_STACK permission. The required permission
will be changed from READ_NETWORK_USAGE_HISTORY to
NETWORK_STACK or MAINLINE_NETWORK_STACK. This change would make
it impossible to call outside the system.
Bug:
126830974
Test: atest FrameworksNetTests
Merged-In: I1b26dc64eaab2151e6885fd01cc5e8d4e18c4e60
Change-Id: I4ea421e4126a45f65d25fe0bec74243a3b20aeab
(cherry picked from commit
6b895dea25b4fca87d275bb78367411623ded1d4)
*/
package android.net;
+import static android.Manifest.permission.NETWORK_STACK;
+import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+
+import android.annotation.NonNull;
import android.annotation.SystemApi;
import android.annotation.TestApi;
+import android.content.Context;
+import java.util.ArrayList;
+import java.util.Arrays;
/**
*
* Constants for client code communicating with the network stack service.
"android.permission.MAINLINE_NETWORK_STACK";
private NetworkStack() {}
+
+ /**
+ * If the NetworkStack, MAINLINE_NETWORK_STACK are not allowed for a particular process, throw a
+ * {@link SecurityException}.
+ *
+ * @param context {@link android.content.Context} for the process.
+ *
+ * @hide
+ */
+ public static void checkNetworkStackPermission(final @NonNull Context context) {
+ checkNetworkStackPermissionOr(context);
+ }
+
+ /**
+ * If the NetworkStack, MAINLINE_NETWORK_STACK or other specified permissions are not allowed
+ * for a particular process, throw a {@link SecurityException}.
+ *
+ * @param context {@link android.content.Context} for the process.
+ * @param otherPermissions The set of permissions that could be the candidate permissions , or
+ * empty string if none of other permissions needed.
+ * @hide
+ */
+ public static void checkNetworkStackPermissionOr(final @NonNull Context context,
+ final @NonNull String... otherPermissions) {
+ ArrayList<String> permissions = new ArrayList<String>(Arrays.asList(otherPermissions));
+ permissions.add(NETWORK_STACK);
+ permissions.add(PERMISSION_MAINLINE_NETWORK_STACK);
+ enforceAnyPermissionOf(context, permissions.toArray(new String[0]));
+ }
+
+ private static void enforceAnyPermissionOf(final @NonNull Context context,
+ final @NonNull String... permissions) {
+ if (!checkAnyPermissionOf(context, permissions)) {
+ throw new SecurityException("Requires one of the following permissions: "
+ + String.join(", ", permissions) + ".");
+ }
+ }
+
+ private static boolean checkAnyPermissionOf(final @NonNull Context context,
+ final @NonNull String... permissions) {
+ for (String permission : permissions) {
+ if (context.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) {
+ return true;
+ }
+ }
+ return false;
+ }
+
}
import static android.content.Intent.EXTRA_UID;
import static android.net.ConnectivityManager.ACTION_TETHER_STATE_CHANGED;
import static android.net.ConnectivityManager.isNetworkTypeMobile;
+import static android.net.NetworkStack.checkNetworkStackPermission;
import static android.net.NetworkStats.DEFAULT_NETWORK_ALL;
import static android.net.NetworkStats.IFACE_ALL;
import static android.net.NetworkStats.INTERFACES_ALL;
VpnInfo[] vpnArray,
NetworkState[] networkStates,
String activeIface) {
- mContext.enforceCallingOrSelfPermission(READ_NETWORK_USAGE_HISTORY, TAG);
+ checkNetworkStackPermission(mContext);
assertBandwidthControlEnabled();
final long token = Binder.clearCallingIdentity();
--- /dev/null
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.net;
+
+import static android.Manifest.permission.NETWORK_STACK;
+import static android.content.pm.PackageManager.PERMISSION_DENIED;
+import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
+import static android.net.NetworkStack.checkNetworkStackPermission;
+import static android.net.NetworkStack.checkNetworkStackPermissionOr;
+
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.when;
+
+import android.content.Context;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+@RunWith(AndroidJUnit4.class)
+public class NetworkStackTest {
+ private static final String [] OTHER_PERMISSION = {"otherpermission1", "otherpermission2"};
+
+ @Mock Context mCtx;
+
+ @Before public void setUp() throws Exception {
+ MockitoAnnotations.initMocks(this);
+ }
+
+ @Test
+ public void testCheckNetworkStackPermission() throws Exception {
+ when(mCtx.checkCallingOrSelfPermission(eq(NETWORK_STACK))).thenReturn(PERMISSION_GRANTED);
+ when(mCtx.checkCallingOrSelfPermission(eq(PERMISSION_MAINLINE_NETWORK_STACK)))
+ .thenReturn(PERMISSION_DENIED);
+ checkNetworkStackPermission(mCtx);
+ checkNetworkStackPermissionOr(mCtx, OTHER_PERMISSION);
+
+ when(mCtx.checkCallingOrSelfPermission(eq(NETWORK_STACK))).thenReturn(PERMISSION_DENIED);
+ when(mCtx.checkCallingOrSelfPermission(eq(PERMISSION_MAINLINE_NETWORK_STACK)))
+ .thenReturn(PERMISSION_GRANTED);
+ checkNetworkStackPermission(mCtx);
+ checkNetworkStackPermissionOr(mCtx, OTHER_PERMISSION);
+
+ when(mCtx.checkCallingOrSelfPermission(any())).thenReturn(PERMISSION_DENIED);
+
+ try {
+ checkNetworkStackPermissionOr(mCtx, OTHER_PERMISSION);
+ } catch (SecurityException e) {
+ // Expect to get a SecurityException
+ return;
+ }
+
+ fail("Expect fail but permission granted.");
+ }
+}