From 65406494e75a73e38e01a63f0a2f4670bf0ba7be Mon Sep 17 00:00:00 2001 From: Nathan Harold Date: Tue, 15 May 2018 19:18:38 -0700 Subject: [PATCH] Disable the AppOp Restriction for IpSec Tunnels This CL temporarily removes the AppOp restriction that disallows creation of IpSec tunnels due to the lack of the appropriate AppOp in AOSP/master. When the relevant framework merges out to master, this CL should be reverted. Manually merging this due to skipping a merge conflict at ef9f2740a790feceaa47a24b1a179e93c4ffb5e6 Bug: none Test: compilation Change-Id: Ic06c193f85f6bcdd0ead4238825c1add78703cde --- .../core/java/com/android/server/IpSecService.java | 26 +++++++++++++--------- .../server/IpSecServiceParameterizedTest.java | 2 ++ 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java index 60f1877d3739..744ed25f160f 100644 --- a/services/core/java/com/android/server/IpSecService.java +++ b/services/core/java/com/android/server/IpSecService.java @@ -1481,19 +1481,23 @@ public class IpSecService extends IIpSecService.Stub { } } + private static final String TUNNEL_OP = "STOPSHIP"; // = AppOpsManager.OP_MANAGE_IPSEC_TUNNELS; + private void enforceTunnelPermissions(String callingPackage) { checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels"); - switch (getAppOpsManager().noteOp( - AppOpsManager.OP_MANAGE_IPSEC_TUNNELS, - Binder.getCallingUid(), callingPackage)) { - case AppOpsManager.MODE_DEFAULT: - mContext.enforceCallingOrSelfPermission( - android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService"); - break; - case AppOpsManager.MODE_ALLOWED: - return; - default: - throw new SecurityException("Request to ignore AppOps for non-legacy API"); + if (false) { // STOPSHIP if this line is present + switch (getAppOpsManager().noteOp( + TUNNEL_OP, + Binder.getCallingUid(), callingPackage)) { + case AppOpsManager.MODE_DEFAULT: + mContext.enforceCallingOrSelfPermission( + android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService"); + break; + case AppOpsManager.MODE_ALLOWED: + return; + default: + throw new SecurityException("Request to ignore AppOps for non-legacy API"); + } } } diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java index e573d3586653..102cb7c77055 100644 --- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java @@ -50,6 +50,7 @@ import java.util.Arrays; import java.util.Collection; import org.junit.Before; +import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.Parameterized; @@ -592,6 +593,7 @@ public class IpSecServiceParameterizedTest { } } + @Ignore @Test public void testAddTunnelFailsForBadPackageName() throws Exception { try { -- 2.11.0