From bf1b57d856685243f677e1f1bd29866e637a16fb Mon Sep 17 00:00:00 2001
From: Dianne Hackborn <hackbod@google.com>
Date: Wed, 7 Mar 2018 12:42:47 -0800
Subject: [PATCH] Fix issue #62342672: API Review: OPSTR_ACTIVATE_VPN SystemApi

Add a new platform-only permission for being able to change
app ops mode, so nothing outside of the platform can do this.

Bug: 62342672
Test: Booted, ran, settings works, shell works, apps install
Change-Id: I372e649c019a8f9b95919ff0da6f56612d7061c2
---
 api/system-current.txt                        |  1 +
 core/java/android/app/AppOpsManager.java      | 27 ++++++++++++++++++-
 core/res/AndroidManifest.xml                  |  6 +++++
 packages/Shell/AndroidManifest.xml            |  1 +
 .../com/android/server/AppOpsService.java     | 12 +++++----
 .../server/notification/ZenModeHelper.java    | 15 ++++++++---
 6 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/api/system-current.txt b/api/system-current.txt
index d543629ad2d90..4fded790b1b17 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -261,6 +261,7 @@ package android.app {
 
   public class AppOpsManager {
     method public static java.lang.String[] getOpStrs();
+    method public void setMode(java.lang.String, int, java.lang.String, int);
     method public void setUidMode(java.lang.String, int, int);
     field public static final java.lang.String OPSTR_ACCEPT_HANDOVER = "android:accept_handover";
     field public static final java.lang.String OPSTR_ACCESS_NOTIFICATIONS = "android:access_notifications";
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 05a9861f5a20b..14edd31a48cfe 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -1609,6 +1609,7 @@ public class AppOpsManager {
      * @param mode The app op mode to set.
      * @hide
      */
+    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
     public void setUidMode(int code, int uid, int mode) {
         try {
             mService.setUidMode(code, uid, mode);
@@ -1628,7 +1629,7 @@ public class AppOpsManager {
      * @hide
      */
     @SystemApi
-    @RequiresPermission(android.Manifest.permission.UPDATE_APP_OPS_STATS)
+    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
     public void setUidMode(String appOp, int uid, int mode) {
         try {
             mService.setUidMode(AppOpsManager.strOpToOp(appOp), uid, mode);
@@ -1660,6 +1661,7 @@ public class AppOpsManager {
 
     /** @hide */
     @TestApi
+    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
     public void setMode(int code, int uid, String packageName, int mode) {
         try {
             mService.setMode(code, uid, packageName, mode);
@@ -1668,6 +1670,27 @@ public class AppOpsManager {
         }
     }
 
+    /**
+     * Change the operating mode for the given op in the given app package.  You must pass
+     * in both the uid and name of the application whose mode is being modified; if these
+     * do not match, the modification will not be applied.
+     *
+     * @param op The operation to modify.  One of the OPSTR_* constants.
+     * @param uid The user id of the application whose mode will be changed.
+     * @param packageName The name of the application package name whose mode will
+     * be changed.
+     * @hide
+     */
+    @SystemApi
+    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
+    public void setMode(String op, int uid, String packageName, int mode) {
+        try {
+            mService.setMode(strOpToOp(op), uid, packageName, mode);
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+
     /**
      * Set a non-persisted restriction on an audio operation at a stream-level.
      * Restrictions are temporary additional constraints imposed on top of the persisted rules
@@ -1679,6 +1702,7 @@ public class AppOpsManager {
      * @param exceptionPackages Optional list of packages to exclude from the restriction.
      * @hide
      */
+    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
     public void setRestriction(int code, @AttributeUsage int usage, int mode,
             String[] exceptionPackages) {
         try {
@@ -1690,6 +1714,7 @@ public class AppOpsManager {
     }
 
     /** @hide */
+    @RequiresPermission(android.Manifest.permission.MANAGE_APP_OPS_MODES)
     public void resetAllModes() {
         try {
             mService.resetAllModes(mContext.getUserId(), null);
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index a4c0c54322e31..9b11a33593bd1 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2552,6 +2552,12 @@
     <permission android:name="android.permission.MANAGE_APP_OPS_RESTRICTIONS"
         android:protectionLevel="signature|installer" />
 
+    <!-- Allows an application to update the user app op modes.
+         Not for use by third party apps.
+         @hide -->
+    <permission android:name="android.permission.MANAGE_APP_OPS_MODES"
+        android:protectionLevel="signature|installer|verifier" />
+
     <!-- @SystemApi Allows an application to open windows that are for use by parts
          of the system user interface.
          <p>Not for use by third-party applications.
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index 937b9397a9a57..589ae2a1193fa 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -118,6 +118,7 @@
     <uses-permission android:name="android.permission.REGISTER_CONNECTION_MANAGER" />
     <uses-permission android:name="android.permission.REGISTER_SIM_SUBSCRIPTION" />
     <uses-permission android:name="android.permission.GET_APP_OPS_STATS" />
+    <uses-permission android:name="android.permission.MANAGE_APP_OPS_MODES" />
     <uses-permission android:name="android.permission.VIBRATE" />
     <uses-permission android:name="android.permission.MANAGE_ACTIVITY_STACKS" />
     <uses-permission android:name="android.permission.ACTIVITY_EMBEDDING" />
diff --git a/services/core/java/com/android/server/AppOpsService.java b/services/core/java/com/android/server/AppOpsService.java
index 15f3a2362043d..ecf80ba73683a 100644
--- a/services/core/java/com/android/server/AppOpsService.java
+++ b/services/core/java/com/android/server/AppOpsService.java
@@ -610,7 +610,7 @@ public class AppOpsService extends IAppOpsService.Stub {
     @Override
     public void setUidMode(int code, int uid, int mode) {
         if (Binder.getCallingPid() != Process.myPid()) {
-            mContext.enforcePermission(android.Manifest.permission.UPDATE_APP_OPS_STATS,
+            mContext.enforcePermission(android.Manifest.permission.MANAGE_APP_OPS_MODES,
                     Binder.getCallingPid(), Binder.getCallingUid(), null);
         }
         verifyIncomingOp(code);
@@ -714,7 +714,7 @@ public class AppOpsService extends IAppOpsService.Stub {
     @Override
     public void setMode(int code, int uid, String packageName, int mode) {
         if (Binder.getCallingPid() != Process.myPid()) {
-            mContext.enforcePermission(android.Manifest.permission.UPDATE_APP_OPS_STATS,
+            mContext.enforcePermission(android.Manifest.permission.MANAGE_APP_OPS_MODES,
                     Binder.getCallingPid(), Binder.getCallingUid(), null);
         }
         verifyIncomingOp(code);
@@ -832,7 +832,7 @@ public class AppOpsService extends IAppOpsService.Stub {
     public void resetAllModes(int reqUserId, String reqPackageName) {
         final int callingPid = Binder.getCallingPid();
         final int callingUid = Binder.getCallingUid();
-        mContext.enforcePermission(android.Manifest.permission.UPDATE_APP_OPS_STATS,
+        mContext.enforcePermission(android.Manifest.permission.MANAGE_APP_OPS_MODES,
                 callingPid, callingUid, null);
         reqUserId = ActivityManager.handleIncomingUser(callingPid, callingUid, reqUserId,
                 true, true, "resetAllModes", null);
@@ -1087,6 +1087,8 @@ public class AppOpsService extends IAppOpsService.Stub {
             String[] exceptionPackages) {
         verifyIncomingUid(uid);
         verifyIncomingOp(code);
+        mContext.enforcePermission(android.Manifest.permission.MANAGE_APP_OPS_MODES,
+                Binder.getCallingPid(), Binder.getCallingUid(), null);
         synchronized (this) {
             SparseArray<Restriction> usageRestrictions = mAudioRestrictions.get(code);
             if (usageRestrictions == null) {
@@ -2330,7 +2332,7 @@ public class AppOpsService extends IAppOpsService.Stub {
                 }
                 case "write-settings": {
                     shell.mInternal.mContext.enforcePermission(
-                            android.Manifest.permission.UPDATE_APP_OPS_STATS,
+                            android.Manifest.permission.MANAGE_APP_OPS_MODES,
                             Binder.getCallingPid(), Binder.getCallingUid(), null);
                     long token = Binder.clearCallingIdentity();
                     try {
@@ -2346,7 +2348,7 @@ public class AppOpsService extends IAppOpsService.Stub {
                 }
                 case "read-settings": {
                     shell.mInternal.mContext.enforcePermission(
-                            android.Manifest.permission.UPDATE_APP_OPS_STATS,
+                            android.Manifest.permission.MANAGE_APP_OPS_MODES,
                             Binder.getCallingPid(), Binder.getCallingUid(), null);
                     long token = Binder.clearCallingIdentity();
                     try {
diff --git a/services/core/java/com/android/server/notification/ZenModeHelper.java b/services/core/java/com/android/server/notification/ZenModeHelper.java
index c1593a7fa7e4d..141b47d6a0282 100644
--- a/services/core/java/com/android/server/notification/ZenModeHelper.java
+++ b/services/core/java/com/android/server/notification/ZenModeHelper.java
@@ -893,9 +893,18 @@ public class ZenModeHelper {
     protected void applyRestrictions(boolean mute, int usage, int code) {
         final String[] exceptionPackages = null; // none (for now)
 
-        mAppOps.setRestriction(code, usage,
-                mute ? AppOpsManager.MODE_IGNORED : AppOpsManager.MODE_ALLOWED,
-                exceptionPackages);
+        // Only do this if we are executing within the system process...  otherwise
+        // we are running as test code, so don't have access to the protected call.
+        if (Process.myUid() == Process.SYSTEM_UID) {
+            final long ident = Binder.clearCallingIdentity();
+            try {
+                mAppOps.setRestriction(code, usage,
+                        mute ? AppOpsManager.MODE_IGNORED : AppOpsManager.MODE_ALLOWED,
+                        exceptionPackages);
+            } finally {
+                Binder.restoreCallingIdentity(ident);
+            }
+        }
     }
 
     @VisibleForTesting