settings: Also check WRITE_SECURE_SETTINGS perm for System table

In M+ Google changed the permissions required to access the System table and forced every caller to either hold the WRITE_SECURE_SETTINGS permission or target pre M API Change-Id: Ie4a4dd11e28b1caff1a6cd9be52f79b236f9271f
2021-12-20 13:48:49 +01:00
parent efe6d135bf
commit 9ca1852af1
1 changed files with 19 additions and 8 deletions
--- a/packages/LineageSettingsProvider/src/org/lineageos/lineagesettings/LineageSettingsProvider.java
+++ b/packages/LineageSettingsProvider/src/org/lineageos/lineagesettings/LineageSettingsProvider.java
@@ -1,6 +1,6 @@
 /**
 * Copyright (C) 2015 The CyanogenMod Project
- * Copyright (C) 2019 The LineageOS Project
+ *               2017-2019,2021 The LineageOS Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -773,15 +773,26 @@ public class LineageSettingsProvider extends ContentProvider {
     * @throws SecurityException if the caller is forbidden to write.
     */
    private void checkWritePermissions(String tableName) {
-        if ((LineageDatabaseHelper.LineageTableNames.TABLE_SECURE.equals(tableName) ||
-                LineageDatabaseHelper.LineageTableNames.TABLE_GLOBAL.equals(tableName)) &&
+        final String callingPackage = getCallingPackage();
+        final boolean granted = PackageManager.PERMISSION_GRANTED ==
                getContext().checkCallingOrSelfPermission(
-                        lineageos.platform.Manifest.permission.WRITE_SECURE_SETTINGS) !=
-                        PackageManager.PERMISSION_GRANTED) {
-            throw new SecurityException(
-                    String.format("Permission denial: writing to lineage secure settings requires %1$s",
-                            lineageos.platform.Manifest.permission.WRITE_SECURE_SETTINGS));
+                        lineageos.platform.Manifest.permission.WRITE_SECURE_SETTINGS);
+        final boolean protectedTable =
+                LineageDatabaseHelper.LineageTableNames.TABLE_SECURE.equals(tableName) ||
+                LineageDatabaseHelper.LineageTableNames.TABLE_GLOBAL.equals(tableName);
+        // If the permission is granted simply return, no further checks are needed.
+        if (granted) {
+            return;
        }
+        // If the caller doesn't hold WRITE_SECURE_SETTINGS and isn't a protected table,
+        // we verify whether this operation is allowed for the calling package through appops.
+        if (!protectedTable && Settings.checkAndNoteWriteSettingsOperation(getContext(),
+                Binder.getCallingUid(), callingPackage, getCallingAttributionTag(), true)) {
+            return;
+        }
+        throw new SecurityException(
+                String.format("Permission denial: writing to lineage settings requires %1$s",
+                        lineageos.platform.Manifest.permission.WRITE_SECURE_SETTINGS));
    }

    /**