Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01c3c948fd416a368e2eaa7895628ceb8564f550
frameworks_base/telephony/java/com/android/internal/telephony/TelephonyPermissions.java
sqian 1ed547ee3e Add telephony commands about SMS apps 
See the other CL on the same topic for the details

Bug: 109809543
Test: See the other CL
Change-Id: I9f750a72edfc282c80f7547647bcddaf2da51d9b
Merged-In: I9f750a72edfc282c80f7547647bcddaf2da51d9b
2018-11-05 14:28:49 -08:00

346 lines
16 KiB
Java
Raw Blame History

/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.internal.telephony;
import static android.content.pm.PackageManager.PERMISSION_GRANTED;
import android.Manifest;
import android.app.AppOpsManager;
import android.content.Context;
import android.os.Binder;
import android.os.Process;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.telephony.Rlog;
import android.telephony.SubscriptionManager;
import android.telephony.TelephonyManager;
import com.android.internal.annotations.VisibleForTesting;
import java.util.function.Supplier;
/** Utility class for Telephony permission enforcement. */
public final class TelephonyPermissions {
private static final String LOG_TAG = "TelephonyPermissions";
private static final boolean DBG = false;
private static final Supplier<ITelephony> TELEPHONY_SUPPLIER = () ->
ITelephony.Stub.asInterface(ServiceManager.getService(Context.TELEPHONY_SERVICE));
private TelephonyPermissions() {}
/**
* Check whether the caller (or self, if not processing an IPC) can read phone state.
*
* <p>This method behaves in one of the following ways:
* <ul>
* <li>return true: if the caller has the READ_PRIVILEGED_PHONE_STATE permission, the
* READ_PHONE_STATE runtime permission, or carrier privileges on the given subId.
* <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for
* apps which support runtime permissions, if the caller does not currently have any of
* these permissions.
* <li>return false: if the caller lacks all of these permissions and doesn't support runtime
* permissions. This implies that the user revoked the ability to read phone state
* manually (via AppOps). In this case we can't throw as it would break app compatibility,
* so we return false to indicate that the calling function should return dummy data.
* </ul>
*
* <p>Note: for simplicity, this method always returns false for callers using legacy
* permissions and who have had READ_PHONE_STATE revoked, even if they are carrier-privileged.
* Such apps should migrate to runtime permissions or stop requiring READ_PHONE_STATE on P+
* devices.
*
* @param subId the subId of the relevant subscription; used to check carrier privileges. May be
* {@link SubscriptionManager#INVALID_SUBSCRIPTION_ID} to skip this check for cases
* where it isn't relevant (hidden APIs, or APIs which are otherwise okay to leave
* inaccesible to carrier-privileged apps).
*/
public static boolean checkCallingOrSelfReadPhoneState(
Context context, int subId, String callingPackage, String message) {
return checkReadPhoneState(context, subId, Binder.getCallingPid(), Binder.getCallingUid(),
callingPackage, message);
}
/**
* Check whether the app with the given pid/uid can read phone state.
*
* <p>This method behaves in one of the following ways:
* <ul>
* <li>return true: if the caller has the READ_PRIVILEGED_PHONE_STATE permission, the
* READ_PHONE_STATE runtime permission, or carrier privileges on the given subId.
* <li>throw SecurityException: if the caller didn't declare any of these permissions, or, for
* apps which support runtime permissions, if the caller does not currently have any of
* these permissions.
* <li>return false: if the caller lacks all of these permissions and doesn't support runtime
* permissions. This implies that the user revoked the ability to read phone state
* manually (via AppOps). In this case we can't throw as it would break app compatibility,
* so we return false to indicate that the calling function should return dummy data.
* </ul>
*
* <p>Note: for simplicity, this method always returns false for callers using legacy
* permissions and who have had READ_PHONE_STATE revoked, even if they are carrier-privileged.
* Such apps should migrate to runtime permissions or stop requiring READ_PHONE_STATE on P+
* devices.
*/
public static boolean checkReadPhoneState(
Context context, int subId, int pid, int uid, String callingPackage, String message) {
return checkReadPhoneState(
context, TELEPHONY_SUPPLIER, subId, pid, uid, callingPackage, message);
}
@VisibleForTesting
public static boolean checkReadPhoneState(
Context context, Supplier<ITelephony> telephonySupplier, int subId, int pid, int uid,
String callingPackage, String message) {
try {
context.enforcePermission(
android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE, pid, uid, message);
// SKIP checking for run-time permission since caller has PRIVILEGED permission
return true;
} catch (SecurityException privilegedPhoneStateException) {
try {
context.enforcePermission(
android.Manifest.permission.READ_PHONE_STATE, pid, uid, message);
} catch (SecurityException phoneStateException) {
// If we don't have the runtime permission, but do have carrier privileges, that
// suffices for reading phone state.
if (SubscriptionManager.isValidSubscriptionId(subId)) {
enforceCarrierPrivilege(telephonySupplier, subId, uid, message);
return true;
}
throw phoneStateException;
}
}
// We have READ_PHONE_STATE permission, so return true as long as the AppOps bit hasn't been
// revoked.
AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
return appOps.noteOp(AppOpsManager.OP_READ_PHONE_STATE, uid, callingPackage) ==
AppOpsManager.MODE_ALLOWED;
}
/**
* Check whether the app with the given pid/uid can read the call log.
* @return {@code true} if the specified app has the read call log permission and AppOpp granted
* to it, {@code false} otherwise.
*/
public static boolean checkReadCallLog(
Context context, int subId, int pid, int uid, String callingPackage) {
return checkReadCallLog(
context, TELEPHONY_SUPPLIER, subId, pid, uid, callingPackage);
}
@VisibleForTesting
public static boolean checkReadCallLog(
Context context, Supplier<ITelephony> telephonySupplier, int subId, int pid, int uid,
String callingPackage) {
if (context.checkPermission(Manifest.permission.READ_CALL_LOG, pid, uid)
!= PERMISSION_GRANTED) {
// If we don't have the runtime permission, but do have carrier privileges, that
// suffices for being able to see the call phone numbers.
if (SubscriptionManager.isValidSubscriptionId(subId)) {
enforceCarrierPrivilege(telephonySupplier, subId, uid, "readCallLog");
return true;
}
return false;
}
// We have READ_CALL_LOG permission, so return true as long as the AppOps bit hasn't been
// revoked.
AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
return appOps.noteOp(AppOpsManager.OP_READ_CALL_LOG, uid, callingPackage) ==
AppOpsManager.MODE_ALLOWED;
}
/**
* Returns whether the caller can read phone numbers.
*
* <p>Besides apps with the ability to read phone state per {@link #checkReadPhoneState}, the
* default SMS app and apps with READ_SMS or READ_PHONE_NUMBERS can also read phone numbers.
*/
public static boolean checkCallingOrSelfReadPhoneNumber(
Context context, int subId, String callingPackage, String message) {
return checkReadPhoneNumber(
context, TELEPHONY_SUPPLIER, subId, Binder.getCallingPid(), Binder.getCallingUid(),
callingPackage, message);
}
@VisibleForTesting
public static boolean checkReadPhoneNumber(
Context context, Supplier<ITelephony> telephonySupplier, int subId, int pid, int uid,
String callingPackage, String message) {
// Default SMS app can always read it.
AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
if (appOps.noteOp(AppOpsManager.OP_WRITE_SMS, uid, callingPackage) ==
AppOpsManager.MODE_ALLOWED) {
return true;
}
// NOTE(b/73308711): If an app has one of the following AppOps bits explicitly revoked, they
// will be denied access, even if they have another permission and AppOps bit if needed.
// First, check if we can read the phone state.
try {
return checkReadPhoneState(
context, telephonySupplier, subId, pid, uid, callingPackage, message);
} catch (SecurityException readPhoneStateSecurityException) {
}
// Can be read with READ_SMS too.
try {
context.enforcePermission(android.Manifest.permission.READ_SMS, pid, uid, message);
int opCode = AppOpsManager.permissionToOpCode(android.Manifest.permission.READ_SMS);
if (opCode != AppOpsManager.OP_NONE) {
return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED;
} else {
return true;
}
} catch (SecurityException readSmsSecurityException) {
}
// Can be read with READ_PHONE_NUMBERS too.
try {
context.enforcePermission(android.Manifest.permission.READ_PHONE_NUMBERS, pid, uid,
message);
int opCode = AppOpsManager.permissionToOpCode(
android.Manifest.permission.READ_PHONE_NUMBERS);
if (opCode != AppOpsManager.OP_NONE) {
return appOps.noteOp(opCode, uid, callingPackage) == AppOpsManager.MODE_ALLOWED;
} else {
return true;
}
} catch (SecurityException readPhoneNumberSecurityException) {
}
throw new SecurityException(message + ": Neither user " + uid +
" nor current process has " + android.Manifest.permission.READ_PHONE_STATE +
", " + android.Manifest.permission.READ_SMS + ", or " +
android.Manifest.permission.READ_PHONE_NUMBERS);
}
/**
* Ensure the caller (or self, if not processing an IPC) has MODIFY_PHONE_STATE (and is thus a
* privileged app) or carrier privileges.
*
* @throws SecurityException if the caller does not have the required permission/privileges
*/
public static void enforceCallingOrSelfModifyPermissionOrCarrierPrivilege(
Context context, int subId, String message) {
if (context.checkCallingOrSelfPermission(android.Manifest.permission.MODIFY_PHONE_STATE) ==
PERMISSION_GRANTED) {
return;
}
if (DBG) Rlog.d(LOG_TAG, "No modify permission, check carrier privilege next.");
enforceCallingOrSelfCarrierPrivilege(subId, message);
}
/**
* Ensure the caller (or self, if not processing an IPC) has
* {@link android.Manifest.permission#READ_PHONE_STATE} or carrier privileges.
*
* @throws SecurityException if the caller does not have the required permission/privileges
*/
public static void enforeceCallingOrSelfReadPhoneStatePermissionOrCarrierPrivilege(
Context context, int subId, String message) {
if (context.checkCallingOrSelfPermission(android.Manifest.permission.READ_PHONE_STATE)
== PERMISSION_GRANTED) {
return;
}
if (DBG) {
Rlog.d(LOG_TAG, "No READ_PHONE_STATE permission, check carrier privilege next.");
}
enforceCallingOrSelfCarrierPrivilege(subId, message);
}
/**
* Ensure the caller (or self, if not processing an IPC) has
* {@link android.Manifest.permission#READ_PRIVILEGED_PHONE_STATE} or carrier privileges.
*
* @throws SecurityException if the caller does not have the required permission/privileges
*/
public static void enforeceCallingOrSelfReadPrivilegedPhoneStatePermissionOrCarrierPrivilege(
Context context, int subId, String message) {
if (context.checkCallingOrSelfPermission(Manifest.permission.READ_PRIVILEGED_PHONE_STATE)
== PERMISSION_GRANTED) {
return;
}
if (DBG) {
Rlog.d(LOG_TAG, "No READ_PRIVILEDED_PHONE_STATE permission, " +
"check carrier privilege next.");
}
enforceCallingOrSelfCarrierPrivilege(subId, message);
}
/**
* Make sure the caller (or self, if not processing an IPC) has carrier privileges.
*
* @throws SecurityException if the caller does not have the required privileges
*/
public static void enforceCallingOrSelfCarrierPrivilege(int subId, String message) {
// NOTE: It's critical that we explicitly pass the calling UID here rather than call
// TelephonyManager#hasCarrierPrivileges directly, as the latter only works when called from
// the phone process. When called from another process, it will check whether that process
// has carrier privileges instead.
enforceCarrierPrivilege(subId, Binder.getCallingUid(), message);
}
private static void enforceCarrierPrivilege(int subId, int uid, String message) {
enforceCarrierPrivilege(TELEPHONY_SUPPLIER, subId, uid, message);
}
private static void enforceCarrierPrivilege(
Supplier<ITelephony> telephonySupplier, int subId, int uid, String message) {
if (getCarrierPrivilegeStatus(telephonySupplier, subId, uid) !=
TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS) {
if (DBG) Rlog.e(LOG_TAG, "No Carrier Privilege.");
throw new SecurityException(message);
}
}
private static int getCarrierPrivilegeStatus(
Supplier<ITelephony> telephonySupplier, int subId, int uid) {
ITelephony telephony = telephonySupplier.get();
try {
if (telephony != null) {
return telephony.getCarrierPrivilegeStatusForUid(subId, uid);
}
} catch (RemoteException e) {
// Fallback below.
}
Rlog.e(LOG_TAG, "Phone process is down, cannot check carrier privileges");
return TelephonyManager.CARRIER_PRIVILEGE_STATUS_NO_ACCESS;
}
/**
* Throws if the caller is not of a shell (or root) UID.
*
* @param callingUid pass Binder.callingUid().
*/
public static void enforceShellOnly(int callingUid, String message) {
if (callingUid == Process.SHELL_UID || callingUid == Process.ROOT_UID) {
return; // okay
}
throw new SecurityException(message + ": Only shell user can call it");
}
}
Reference in New Issue View Git Blame Copy Permalink