Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Fix issue #72116995: Add permission guarding Service#startForeground" into pi-dev

Browse Source
This commit is contained in:
Dianne Hackborn
2018-03-06 23:04:16 +00:00
committed by Android (Google) Code Review
parent 69598bbef5 dd027b3ab2
commit 16268a69d6
13 changed files with 54 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
api/current.txt
View File

@@ -73,6 +73,7 @@ package android {
field public static final java.lang.String DUMP = "android.permission.DUMP";
field public static final java.lang.String EXPAND_STATUS_BAR = "android.permission.EXPAND_STATUS_BAR";
field public static final java.lang.String FACTORY_TEST = "android.permission.FACTORY_TEST";
field public static final java.lang.String FOREGROUND_SERVICE = "android.permission.FOREGROUND_SERVICE";
field public static final java.lang.String GET_ACCOUNTS = "android.permission.GET_ACCOUNTS";
field public static final java.lang.String GET_ACCOUNTS_PRIVILEGED = "android.permission.GET_ACCOUNTS_PRIVILEGED";
field public static final java.lang.String GET_PACKAGE_SIZE = "android.permission.GET_PACKAGE_SIZE";

12
core/java/android/app/Service.java
View File

@@ -471,14 +471,6 @@ public abstract class Service extends ContextWrapper implements ComponentCallbac
* {@link #onStart} and returns either {@link #START_STICKY}
* or {@link #START_STICKY_COMPATIBILITY}.
*
* <p>If you need your application to run on platform versions prior to API
* level 5, you can use the following model to handle the older {@link #onStart}
* callback in that case. The <code>handleCommand</code> method is implemented by
* you as appropriate:
*
* {@sample development/samples/ApiDemos/src/com/example/android/apis/app/ForegroundService.java
* start_compatibility}
*
* <p class="caution">Note that the system calls this on your
* service's main thread. A service's main thread is the same
* thread where UI operations take place for Activities running in the
@@ -687,6 +679,10 @@ public abstract class Service extends ContextWrapper implements ComponentCallbac
* {@link #startService(Intent)} first to tell the system it should keep the service running,
* and then use this method to tell it to keep it running harder.</p>
*
* <p>Apps targeting API {@link android.os.Build.VERSION_CODES#P} or later must request
* the permission {@link android.Manifest.permission#FOREGROUND_SERVICE} in order to use
* this API.</p>
*
* @param id The identifier for this notification as per
* {@link NotificationManager#notify(int, Notification)
* NotificationManager.notify(int, Notification)}; must not be 0.

8
core/java/android/os/Build.java
View File

@@ -896,6 +896,14 @@ public class Build {
/**
* P.
*
* <p>Applications targeting this or a later release will get these
* new changes in behavior:</p>
* <ul>
* <li>{@link android.app.Service#startForeground Service.startForeground} requires
* that apps hold the permission
* {@link android.Manifest.permission#FOREGROUND_SERVICE}.</li>
* </ul>
*/
public static final int P = CUR_DEVELOPMENT; // STOPSHIP Replace with the real version.
}

9
core/res/AndroidManifest.xml
View File

@@ -3827,6 +3827,15 @@
<permission android:name="android.permission.INSTANT_APP_FOREGROUND_SERVICE"
android:protectionLevel="signature|development|instant|appop" />
<!-- Allows a regular application to use {@link android.app.Service#startForeground
Service.startForeground}.
<p>Protection level: normal
-->
<permission android:name="android.permission.FOREGROUND_SERVICE"
android:description="@string/permdesc_foregroundService"
android:label="@string/permlab_foregroundService"
android:protectionLevel="normal|instant" />
<!-- @SystemApi Allows to access all app shortcuts.
@hide -->
<permission android:name="android.permission.ACCESS_SHORTCUTS"

5
core/res/res/values/strings.xml
View File

@@ -926,6 +926,11 @@
<string name="permdesc_persistentActivity" product="tv">Allows the app to make parts of itself persistent in memory. This can limit memory available to other apps slowing down the TV.</string>
<string name="permdesc_persistentActivity" product="default">Allows the app to make parts of itself persistent in memory. This can limit memory available to other apps slowing down the phone.</string>
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_foregroundService">run foreground service</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permdesc_foregroundService">Allows the app to make use of foreground services.</string>
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_getPackageSize">measure app storage space</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->

1
core/tests/coretests/AndroidManifest.xml
View File

@@ -51,6 +51,7 @@
<uses-permission android:name="android.permission.CLEAR_APP_USER_DATA" />
<uses-permission android:name="android.permission.DELETE_CACHE_FILES" />
<uses-permission android:name="android.permission.DOWNLOAD_CACHE_NON_PURGEABLE" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.GET_PACKAGE_SIZE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.INJECT_EVENTS" />

1
packages/MtpDocumentsProvider/AndroidManifest.xml
View File

@@ -3,6 +3,7 @@
package="com.android.mtp"
android:sharedUserId="android.media">
<uses-feature android:name="android.hardware.usb.host" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.MANAGE_USB" />
<application android:label="@string/app_label">
<provider

1
packages/Shell/AndroidManifest.xml
View File

@@ -44,6 +44,7 @@
<uses-permission android:name="android.permission.MANAGE_NETWORK_POLICY" />
<uses-permission android:name="android.permission.MANAGE_USB" />
<uses-permission android:name="android.permission.USE_RESERVED_DISK" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<!-- System tool permissions granted to the shell. -->
<uses-permission android:name="android.permission.REAL_GET_TASKS" />
<uses-permission android:name="android.permission.CHANGE_CONFIGURATION" />

20
services/core/java/com/android/server/am/ActiveServices.java
View File

@@ -1043,20 +1043,14 @@ public final class ActiveServices {
throw new SecurityException("Instant app " + r.appInfo.packageName
+ " does not have permission to create foreground services");
default:
try {
if (AppGlobals.getPackageManager().checkPermission(
android.Manifest.permission.INSTANT_APP_FOREGROUND_SERVICE,
r.appInfo.packageName, UserHandle.getUserId(r.appInfo.uid))
!= PackageManager.PERMISSION_GRANTED) {
throw new SecurityException("Instant app " + r.appInfo.packageName
+ " does not have permission to create foreground"
+ "services");
}
} catch (RemoteException e) {
throw new SecurityException("Failed to check instant app permission." ,
e);
}
mAm.enforcePermission(
android.Manifest.permission.INSTANT_APP_FOREGROUND_SERVICE,
r.app.pid, r.appInfo.uid, "startForeground");
}
} else if (r.appInfo.targetSdkVersion >= Build.VERSION_CODES.P) {
mAm.enforcePermission(
android.Manifest.permission.FOREGROUND_SERVICE,
r.app.pid, r.appInfo.uid, "startForeground");
}
if (r.fgRequired) {
if (DEBUG_SERVICE || DEBUG_BACKGROUND_CHECK) {

14
services/core/java/com/android/server/am/ActivityManagerService.java
View File

@@ -8970,6 +8970,20 @@ public class ActivityManagerService extends IActivityManager.Stub
throw new SecurityException(msg);
}
/**
* This can be called with or without the global lock held.
*/
void enforcePermission(String permission, int pid, int uid, String func) {
if (checkPermission(permission, pid, uid) == PackageManager.PERMISSION_GRANTED) {
return;
}
String msg = "Permission Denial: " + func + " from pid=" + pid + ", uid=" + uid
+ " requires " + permission;
Slog.w(TAG, msg);
throw new SecurityException(msg);
}
/**
* This can be called with or without the global lock held.
*/

1
services/tests/servicestests/AndroidManifest.xml
View File

@@ -61,6 +61,7 @@
<uses-permission android:name="android.permission.READ_FRAME_BUFFER" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WATCH_APPOPS" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<!-- Uses API introduced in O (26) -->
<uses-sdk android:minSdkVersion="1"

1
tests/FrameworkPerf/AndroidManifest.xml
View File

@@ -1,5 +1,6 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.frameworkperf">
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-sdk android:minSdkVersion="5" />

1
tests/OneMedia/AndroidManifest.xml
View File

@@ -5,6 +5,7 @@
android:versionName="1.0" >
<uses-sdk android:minSdkVersion="19"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />