import com.android.internal.telephony.PhoneConstantConversions;
import com.android.internal.telephony.PhoneConstants;
import com.android.internal.telephony.TelephonyIntents;
+import com.android.internal.telephony.TelephonyPermissions;
import com.android.internal.util.DumpUtils;
import com.android.internal.util.IndentingPrintWriter;
import com.android.server.am.BatteryStatsService;
+ " callback.asBinder=" + callback.asBinder());
}
- try {
- mContext.enforceCallingOrSelfPermission(
- android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE,
- "addOnSubscriptionsChangedListener");
- // SKIP checking for run-time permission since caller or self has PRIVILEGED permission
- } catch (SecurityException e) {
- mContext.enforceCallingOrSelfPermission(
- android.Manifest.permission.READ_PHONE_STATE,
- "addOnSubscriptionsChangedListener");
-
- if (mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(),
- callingPackage) != AppOpsManager.MODE_ALLOWED) {
- return;
- }
+ if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(
+ mContext, callingPackage, "addOnSubscriptionsChangedListener")) {
+ return;
}
}
if (events != PhoneStateListener.LISTEN_NONE) {
- /* Checks permission and throws Security exception */
- checkListenerPermission(events);
-
- if ((events & ENFORCE_PHONE_STATE_PERMISSION_MASK) != 0) {
- try {
- mContext.enforceCallingOrSelfPermission(
- android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, null);
- // SKIP checking for run-time permission since caller or self has PRIVILEGED
- // permission
- } catch (SecurityException e) {
- if (mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(),
- callingPackage) != AppOpsManager.MODE_ALLOWED) {
- return;
- }
- }
+ // Checks permission and throws SecurityException for disallowed operations. For pre-M
+ // apps whose runtime permission has been revoked, we return immediately to skip sending
+ // events to the app without crashing it.
+ if (!checkListenerPermission(events, callingPackage, "listen")) {
+ return;
}
int phoneId = SubscriptionManager.getPhoneId(subId);
r.callerPid = Binder.getCallingPid();
boolean isPhoneStateEvent = (events & (CHECK_PHONE_STATE_PERMISSION_MASK
| ENFORCE_PHONE_STATE_PERMISSION_MASK)) != 0;
- r.canReadPhoneState = isPhoneStateEvent && canReadPhoneState(callingPackage);
+ r.canReadPhoneState =
+ isPhoneStateEvent && canReadPhoneState(callingPackage, "listen");
// Legacy applications pass SubscriptionManager.DEFAULT_SUB_ID,
// force all illegal subId to SubscriptionManager.DEFAULT_SUB_ID
if (!SubscriptionManager.isValidSubscriptionId(subId)) {
}
}
- private boolean canReadPhoneState(String callingPackage) {
- if (mContext.checkCallingOrSelfPermission(
- android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE) ==
- PackageManager.PERMISSION_GRANTED) {
- // SKIP checking for run-time permission since caller or self has PRIVILEGED permission
- return true;
- }
- boolean canReadPhoneState = mContext.checkCallingOrSelfPermission(
- android.Manifest.permission.READ_PHONE_STATE) == PackageManager.PERMISSION_GRANTED;
- if (canReadPhoneState &&
- mAppOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, Binder.getCallingUid(),
- callingPackage) != AppOpsManager.MODE_ALLOWED) {
+ private boolean canReadPhoneState(String callingPackage, String message) {
+ try {
+ return TelephonyPermissions.checkCallingOrSelfReadPhoneState(
+ mContext, callingPackage, message);
+ } catch (SecurityException e) {
return false;
}
- return canReadPhoneState;
}
private String getCallIncomingNumber(Record record, int phoneId) {
}
private void enforceNotifyPermissionOrCarrierPrivilege(String method) {
- if (checkNotifyPermission()) {
+ if (checkNotifyPermission()) {
return;
}
- enforceCarrierPrivilege();
+ TelephonyPermissions.enforceCallingOrSelfCarrierPrivilege(
+ SubscriptionManager.getDefaultSubscriptionId(), method);
}
private boolean checkNotifyPermission(String method) {
== PackageManager.PERMISSION_GRANTED;
}
- private void enforceCarrierPrivilege() {
- TelephonyManager tm = TelephonyManager.getDefault();
- String[] pkgs = mContext.getPackageManager().getPackagesForUid(Binder.getCallingUid());
- for (String pkg : pkgs) {
- if (tm.checkCarrierPrivilegesForPackage(pkg) ==
- TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS) {
- return;
- }
- }
-
- String msg = "Carrier Privilege Permission Denial: from pid=" + Binder.getCallingPid()
- + ", uid=" + Binder.getCallingUid();
- if (DBG) log(msg);
- throw new SecurityException(msg);
- }
-
- private void checkListenerPermission(int events) {
+ private boolean checkListenerPermission(int events, String callingPackage, String message) {
if ((events & PhoneStateListener.LISTEN_CELL_LOCATION) != 0) {
mContext.enforceCallingOrSelfPermission(
android.Manifest.permission.ACCESS_COARSE_LOCATION, null);
}
if ((events & ENFORCE_PHONE_STATE_PERMISSION_MASK) != 0) {
- try {
- mContext.enforceCallingOrSelfPermission(
- android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, null);
- // SKIP checking for run-time permission since caller or self has PRIVILEGED
- // permission
- } catch (SecurityException e) {
- mContext.enforceCallingOrSelfPermission(
- android.Manifest.permission.READ_PHONE_STATE, null);
+ if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(
+ mContext, callingPackage, message)) {
+ return false;
}
}
if ((events & PRECISE_PHONE_STATE_PERMISSION_MASK) != 0) {
mContext.enforceCallingOrSelfPermission(
android.Manifest.permission.READ_PRECISE_PHONE_STATE, null);
-
}
+
+ return true;
}
private void handleRemoveListLocked() {
--- /dev/null
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.internal.telephony;
+
+import android.app.AppOpsManager;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.os.Binder;
+import android.os.RemoteException;
+import android.os.ServiceManager;
+import android.telephony.Rlog;
+import android.telephony.SubscriptionManager;
+import android.telephony.TelephonyManager;
+
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.internal.telephony.ITelephony;
+
+/** Utility class for Telephony permission enforcement. */
+public final class TelephonyPermissions {
+ private static final String LOG_TAG = "TelephonyPermissions";
+
+ private static final boolean DBG = false;
+
+ private TelephonyPermissions() {}
+
+ /**
+ * Check whether the caller (or self, if not processing an IPC) can read phone state.
+ *
+ * <p>This method behaves in one of the following ways:
+ * <ul>
+ * <li>return true: if the caller has either the READ_PRIVILEGED_PHONE_STATE permission or the
+ * READ_PHONE_STATE runtime permission.
+ * <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for
+ * apps which support runtime permissions, if the caller does not currently have any of
+ * these permissions.
+ * <li>return false: if the caller lacks all of these permissions and doesn't support runtime
+ * permissions. This implies that the user revoked the ability to read phone state
+ * manually (via AppOps). In this case we can't throw as it would break app compatibility,
+ * so we return false to indicate that the calling function should return dummy data.
+ * </ul>
+ */
+ public static boolean checkCallingOrSelfReadPhoneState(
+ Context context, String callingPackage, String message) {
+ return checkReadPhoneState(context, Binder.getCallingPid(), Binder.getCallingUid(),
+ callingPackage, message);
+ }
+
+ /**
+ * Check whether the app with the given pid/uid can read phone state.
+ *
+ * <p>This method behaves in one of the following ways:
+ * <ul>
+ * <li>return true: if the caller has either the READ_PRIVILEGED_PHONE_STATE permission or the
+ * READ_PHONE_STATE runtime permission.
+ * <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for
+ * apps which support runtime permissions, if the caller does not currently have any of
+ * these permissions.
+ * <li>return false: if the caller lacks all of these permissions and doesn't support runtime
+ * permissions. This implies that the user revoked the ability to read phone state
+ * manually (via AppOps). In this case we can't throw as it would break app compatibility,
+ * so we return false to indicate that the calling function should return dummy data.
+ * </ul>
+ */
+ public static boolean checkReadPhoneState(
+ Context context, int pid, int uid, String callingPackage, String message) {
+ try {
+ context.enforcePermission(
+ android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, pid, uid, message);
+
+ // SKIP checking for run-time permission since caller has PRIVILEGED permission
+ return true;
+ } catch (SecurityException privilegedPhoneStateException) {
+ context.enforcePermission(
+ android.Manifest.permission.READ_PHONE_STATE, pid, uid, message);
+ }
+
+ // We have READ_PHONE_STATE permission, so return true as long as the AppOps bit hasn't been
+ // revoked.
+ AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
+ return appOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, uid, callingPackage) ==
+ AppOpsManager.MODE_ALLOWED;
+ }
+
+ /**
+ * Returns whether the caller can read phone numbers.
+ *
+ * <p>Besides apps with the ability to read phone state per {@link #checkReadPhoneState}, the
+ * default SMS app and apps with READ_SMS or READ_PHONE_NUMBERS can also read phone numbers.
+ */
+ public static boolean checkCallingOrSelfReadPhoneNumber(
+ Context context, String callingPackage, String message) {
+ return checkReadPhoneNumber(
+ context, Binder.getCallingPid(), Binder.getCallingUid(), callingPackage, message);
+ }
+
+ @VisibleForTesting
+ public static boolean checkReadPhoneNumber(
+ Context context, int pid, int uid, String callingPackage, String message) {
+ // Default SMS app can always read it.
+ AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
+ if (appOps.noteOp(AppOpsManager.OP_WRITE_SMS, uid, callingPackage) ==
+ AppOpsManager.MODE_ALLOWED) {
+ return true;
+ }
+
+ // NOTE(b/73308711): If an app has one of the following AppOps bits explicitly revoked, they
+ // will be denied access, even if they have another permission and AppOps bit if needed.
+
+ // First, check if we can read the phone state.
+ try {
+ return checkReadPhoneState(context, pid, uid, callingPackage, message);
+ } catch (SecurityException readPhoneStateSecurityException) {
+ }
+ // Can be read with READ_SMS too.
+ try {
+ context.enforcePermission(android.Manifest.permission.READ_SMS, pid, uid, message);
+ int opCode = AppOpsManager.permissionToOpCode(android.Manifest.permission.READ_SMS);
+ if (opCode != AppOpsManager.OP_NONE) {
+ return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED;
+ } else {
+ return true;
+ }
+ } catch (SecurityException readSmsSecurityException) {
+ }
+ // Can be read with READ_PHONE_NUMBERS too.
+ try {
+ context.enforcePermission(android.Manifest.permission.READ_PHONE_NUMBERS, pid, uid,
+ message);
+ int opCode = AppOpsManager.permissionToOpCode(
+ android.Manifest.permission.READ_PHONE_NUMBERS);
+ if (opCode != AppOpsManager.OP_NONE) {
+ return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED;
+ } else {
+ return true;
+ }
+ } catch (SecurityException readPhoneNumberSecurityException) {
+ }
+
+ throw new SecurityException(message + ": Neither user " + uid +
+ " nor current process has " + android.Manifest.permission.READ_PHONE_STATE +
+ ", " + android.Manifest.permission.READ_SMS + ", or " +
+ android.Manifest.permission.READ_PHONE_NUMBERS);
+ }
+
+ /**
+ * Ensure the caller (or self, if not processing an IPC) has MODIFY_PHONE_STATE (and is thus a
+ * privileged app) or carrier privileges.
+ *
+ * @throws SecurityException if the caller does not have the required permission/privileges
+ */
+ public static void enforceCallingOrSelfModifyPermissionOrCarrierPrivilege(
+ Context context, int subId, String message) {
+ if (context.checkCallingOrSelfPermission(android.Manifest.permission.MODIFY_PHONE_STATE) ==
+ PackageManager.PERMISSION_GRANTED) {
+ return;
+ }
+
+ if (DBG) Rlog.d(LOG_TAG, "No modify permission, check carrier privilege next.");
+ enforceCallingOrSelfCarrierPrivilege(subId, message);
+ }
+
+ /**
+ * Make sure the caller (or self, if not processing an IPC) has carrier privileges.
+ *
+ * @throws SecurityException if the caller does not have the required privileges
+ */
+ public static void enforceCallingOrSelfCarrierPrivilege(int subId, String message) {
+ // NOTE: It's critical that we explicitly pass the calling UID here rather than call
+ // TelephonyManager#hasCarrierPrivileges directly, as the latter only works when called from
+ // the phone process. When called from another process, it will check whether that process
+ // has carrier privileges instead.
+ enforceCarrierPrivilege(subId, Binder.getCallingUid(), message);
+ }
+
+ private static void enforceCarrierPrivilege(int subId, int uid, String message) {
+ if (getCarrierPrivilegeStatus(subId, uid) !=
+ TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS) {
+ if (DBG) Rlog.e(LOG_TAG, "No Carrier Privilege.");
+ throw new SecurityException(message);
+ }
+ }
+
+ private static int getCarrierPrivilegeStatus(int subId, int uid) {
+ ITelephony telephony =
+ ITelephony.Stub.asInterface(ServiceManager.getService(Context.TELEPHONY_SERVICE));
+ try {
+ if (telephony != null) {
+ return telephony.getCarrierPrivilegeStatusForUid(subId, uid);
+ }
+ } catch (RemoteException e) {
+ // Fallback below.
+ }
+ Rlog.e(LOG_TAG, "Phone process is down, cannot check carrier privileges");
+ return TelephonyManager.CARRIER_PRIVILEGE_STATUS_NO_ACCESS;
+ }
+}
OSDN Git Service
