From: Alexei Czeskis
Date: Tue, 22 Dec 2015 22:16:27 +0000 (-0800)
Subject: Enforce BLUETOOTH_PRIVILEGED permission for FIDO U2F over GATT
X-Git-Tag: android-7.1.2_r17~195^2~1^2~6^2
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=717eb278a0deefdb6f43b97f40986641a8ac170b;p=android-x86%2Fpackages-apps-Bluetooth.git

Enforce BLUETOOTH_PRIVILEGED permission for FIDO U2F over GATT

All access to external Bluetooth U2F devices must go through system APIs so that calling apps cannot spoof their idenity. This change blocks the whole FIDO U2F service from being accessed.

Change-Id: I122849452c09fb8bc3bff9ead2db1edf64ddfabc
---
diff --git a/src/com/android/bluetooth/gatt/GattService.java b/src/com/android/bluetooth/gatt/GattService.java
index 376994c7..29159354 100644
--- a/src/com/android/bluetooth/gatt/GattService.java
+++ b/src/com/android/bluetooth/gatt/GattService.java
@@ -90,6 +90,10 @@ public class GattService extends ProfileService {
 UUID.fromString("00002A4D-0000-1000-8000-00805F9B34FB")
 };
+ private static final UUID[] FIDO_UUIDS = {
+ UUID.fromString("0000FFFD-0000-1000-8000-00805F9B34FB") // U2F
+ };
+
 /**
 * Search queue to serialize remote onbject inspection.
 */
@@ -850,7 +854,7 @@ public class GattService extends ProfileService {
 + ", charUuid=" + charUuid + ", length=" + data.length);
- if (isHidUuid(charUuid) &&
+ if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid) &&
 (0 != checkCallingOrSelfPermission(BLUETOOTH_PRIVILEGED))) {
 return;
 }
@@ -1515,7 +1519,9 @@ public class GattService extends ProfileService {
 int srvcInstanceId, UUID srvcUuid, int charInstanceId, UUID charUuid, int authReq) {
 enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
- if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+ if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+ enforcePrivilegedPermission();
+ }
 if (VDBG) Log.d(TAG, "readCharacteristic() - address=" + address);
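Review bot: In the `@@ -850` hunk the new condition mixes `||` and `&&` without parentheses, and Java binds `&&` tighter, so the privilege test now applies only to the service-UUID branch. A restricted (HID) characteristic therefore reaches the `return` even when the caller holds BLUETOOTH_PRIVILEGED, whereas the removed line dropped the notification only when the permission check failed. Grouping the two UUID tests restores the old behaviour for HID and gives FIDO the same rule: `if ((isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) &&`. The enclosing method, the one that logs charUuid and data.length, starts and ends outside the hunk.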
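Review bot: The three-line guard added in the `@@ -1515` hunk (readCharacteristic) is repeated verbatim in the writeCharacteristic, readDescriptor, writeDescriptor and registerForNotification hunks, so the next restricted UUID class has to be wired into five entry points by hand. One private method, for example `private void enforceRestrictedUuidPermission(UUID srvcUuid, UUID charUuid)`, called once per entry point would keep the gate uniform and make a missed call site easier to spot. The descriptor paths test only srvcUuid and charUuid and never descrUuid; that looks intentional, but a one-line comment saying so would help the next reader. Each of these method bodies continues outside its hunk.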
@@ -1535,7 +1541,9 @@ public class GattService extends ProfileService {
 int charInstanceId, UUID charUuid, int writeType, int authReq, byte[] value) {
 enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
- if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+ if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+ enforcePrivilegedPermission();
+ }
 if (VDBG) Log.d(TAG, "writeCharacteristic() - address=" + address);
@@ -1558,7 +1566,9 @@ public class GattService extends ProfileService {
 int descrInstanceId, UUID descrUuid, int authReq) {
 enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
- if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+ if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+ enforcePrivilegedPermission();
+ }
 if (VDBG) Log.d(TAG, "readDescriptor() - address=" + address);
@@ -1582,7 +1592,9 @@ public class GattService extends ProfileService {
 int descrInstanceId, UUID descrUuid, int writeType, int authReq, byte[] value) {
 enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
- if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+ if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+ enforcePrivilegedPermission();
+ }
 if (VDBG) Log.d(TAG, "writeDescriptor() - address=" + address);
@@ -1623,7 +1635,9 @@ public class GattService extends ProfileService {
 int charInstanceId, UUID charUuid, boolean enable) {
 enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
- if (isHidUuid(charUuid)) enforcePrivilegedPermission();
+ if (isRestrictedCharUuid(charUuid) || isRestrictedSrvcUuid(srvcUuid)) {
+ enforcePrivilegedPermission();
+ }
 if (DBG) Log.d(TAG, "registerForNotification() - address=" + address + " enable: " + enable);
@@ -2097,6 +2111,14 @@ public class GattService extends ProfileService {
 * Private functions
 *************************************************************************/
+ private boolean isRestrictedCharUuid(final UUID charUuid) {
+ return isHidUuid(charUuid);
+ }
+
+ private boolean isRestrictedSrvcUuid(final UUID srvcUuid) {
+ return isFidoUUID(srvcUuid);
+ }
+
 private boolean isHidUuid(final UUID uuid) {
 for (UUID hid_uuid : HID_UUIDS) {
 if (hid_uuid.equals(uuid)) return true;
@@ -2104,6 +2126,13 @@ public class GattService extends ProfileService {
 return false;
 }
+ private boolean isFidoUUID(final UUID uuid) {
+ for (UUID fido_uuid : FIDO_UUIDS) {
+ if (fido_uuid.equals(uuid)) return true;
+ }
+ return false;
+ }
+
 private int getDeviceType(BluetoothDevice device) {
 int type = gattClientGetDeviceTypeNative(device.getAddress());
 if (DBG) Log.d(TAG, "getDeviceType() - device=" + device
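Review bot: The two predicates added in the `@@ -2097` hunk have no comment saying which kind of UUID each one matches, yet every call site depends on that split: HID entries are compared with the characteristic UUID and the FIDO entry with the service UUID. Adding `// Characteristics that need BLUETOOTH_PRIVILEGED (HID over GATT).` above isRestrictedCharUuid and `// Services that need BLUETOOTH_PRIVILEGED for every attribute (FIDO U2F).` above isRestrictedSrvcUuid would keep a future UUID from being added to the wrong list and silently left unguarded.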
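Review bot: `isFidoUUID` in the `@@ -2104` hunk breaks the casing used by its neighbours `isHidUuid`, `isRestrictedCharUuid` and `isRestrictedSrvcUuid`; naming it `isFidoUuid` keeps the family consistent and greppable. Its loop is also a copy of the one in `isHidUuid`, so both could delegate to one private helper that takes the array, along the lines of `return containsUuid(FIDO_UUIDS, uuid);`. The getDeviceType context at the end of the hunk is cut mid-statement, so nothing is suggested there.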