commit ce55edbf135ef3b0fb42cd686ac0738c0565f2d9
author Austin Borger <borgera@google.com> Mon Sep 23 15:12:56 2024 -0700
committer Austin Borger <borgera@google.com> Mon Sep 23 17:31:32 2024 -0700
tree 8d687fcefdb60ea25ff70ca8af974ea08e4c8825
parent 514297fcf357ce31bfb013585f754ce782fe7771

Move getPermissionController / getPackageNameFromUid to AttributionAndPermissionUtils.

These are permission utilities and belong here.

Also remove the cache_permission_services flag in the process.

Bug: 369206663
Test: Presubmit
Flag: EXEMPT minor refactor
Change-Id: Ib16aec7fd141a206992b20d581eaac8aec6437ee

services/camera/libcameraservice/utils/AttributionAndPermissionUtils.cpp

diff --git a/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.cpp b/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.cpp
index 72f8c4b..6c16317 100644
--- a/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.cpp
+++ b/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.cpp
@@ -28,6 +28,10 @@
 #include <hwbinder/IPCThreadState.h>
 #include <binderthreadstate/CallerUtils.h>
 
+namespace {
+    static const std::string kPermissionServiceName = "permission";
+} // namespace anonymous
+
 namespace android {
 
 namespace flags = com::android::internal::camera::flags;
@@ -138,16 +142,9 @@
         return true;
     }
 
-    if (!flags::cache_permission_services()) {
-        PermissionChecker permissionChecker;
-        return permissionChecker.checkPermissionForPreflight(
-                       toString16(permission), attributionSource, toString16(message),
-                       attributedOpCode) != PermissionChecker::PERMISSION_HARD_DENIED;
-    } else {
-        return mPermissionChecker->checkPermissionForPreflight(
-                       toString16(permission), attributionSource, toString16(message),
-                       attributedOpCode) != PermissionChecker::PERMISSION_HARD_DENIED;
-    }
+    return mPermissionChecker->checkPermissionForPreflight(
+                    toString16(permission), attributionSource, toString16(message),
+                    attributedOpCode) != PermissionChecker::PERMISSION_HARD_DENIED;
 }
 
 // Can camera service trust the caller based on the calling UID?
@@ -189,6 +186,33 @@
     return uid == AID_AUTOMOTIVE_EVS;
 }
 
+std::string AttributionAndPermissionUtils::getPackageNameFromUid(int clientUid) const {
+    std::string packageName("");
+
+    sp<IPermissionController> permCtrl = getPermissionController();
+    if (permCtrl == nullptr) {
+        // Return empty package name and the further interaction
+        // with camera will likely fail
+        return packageName;
+    }
+
+    Vector<String16> packages;
+
+    permCtrl->getPackagesForUid(clientUid, packages);
+
+    if (packages.isEmpty()) {
+        ALOGE("No packages for calling UID %d", clientUid);
+        // Return empty package name and the further interaction
+        // with camera will likely fail
+        return packageName;
+    }
+
+    // Arbitrarily pick the first name in the list
+    packageName = toStdString(packages[0]);
+
+    return packageName;
+}
+
 status_t AttributionAndPermissionUtils::getUidForPackage(const std::string &packageName,
         int userId, /*inout*/uid_t& uid, int err) {
     PermissionController pc;
@@ -245,4 +269,23 @@
             attributionSource, std::string(), AppOpsManager::OP_NONE);
 }
 
+const sp<IPermissionController>& AttributionAndPermissionUtils::getPermissionController() const {
+    static const char* kPermissionControllerService = "permission";
+    static thread_local sp<IPermissionController> sPermissionController = nullptr;
+
+    if (sPermissionController == nullptr ||
+            !IInterface::asBinder(sPermissionController)->isBinderAlive()) {
+        sp<IServiceManager> sm = defaultServiceManager();
+        sp<IBinder> binder = sm->checkService(toString16(kPermissionControllerService));
+        if (binder == nullptr) {
+            ALOGE("%s: Could not get permission service", __FUNCTION__);
+            sPermissionController = nullptr;
+        } else {
+            sPermissionController = interface_cast<IPermissionController>(binder);
+        }
+    }
+
+    return sPermissionController;
+}
+
 } // namespace android

services/camera/libcameraservice/utils/AttributionAndPermissionUtils.h

diff --git a/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.h b/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.h
index a23fba7..8bfe6d8 100644
--- a/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.h
+++ b/services/camera/libcameraservice/utils/AttributionAndPermissionUtils.h
@@ -19,6 +19,7 @@
 #include <android/content/AttributionSourceState.h>
 #include <android/permission/PermissionChecker.h>
 #include <binder/BinderService.h>
+#include <binder/IPermissionController.h>
 #include <private/android_filesystem_config.h>
 
 namespace android {
@@ -88,6 +89,15 @@
      */
     virtual bool isAutomotivePrivilegedClient(int32_t uid);
 
+    // In some cases the calling code has no access to the package it runs under.
+    // For example, NDK camera API.
+    // In this case we will get the packages for the calling UID and pick the first one
+    // for attributing the app op. This will work correctly for runtime permissions
+    // as for legacy apps we will toggle the app op for all packages in the UID.
+    // The caveat is that the operation may be attributed to the wrong package and
+    // stats based on app ops may be slightly off.
+    virtual std::string getPackageNameFromUid(int clientUid) const;
+
     virtual status_t getUidForPackage(const std::string &packageName, int userId,
             /*inout*/uid_t& uid, int err);
     virtual bool isCallerCameraServerNotDelegating();
@@ -121,6 +131,8 @@
             const AttributionSourceState &attributionSource);
 
   private:
+    virtual const sp<IPermissionController>& getPermissionController() const;
+
     std::unique_ptr<permission::PermissionChecker> mPermissionChecker =
             std::make_unique<permission::PermissionChecker>();
 };
@@ -258,6 +270,10 @@
         return mAttributionAndPermissionUtils->getUidForPackage(packageName, userId, uid, err);
     }
 
+    std::string getPackageNameFromUid(int clientUid) const {
+        return mAttributionAndPermissionUtils->getPackageNameFromUid(clientUid);
+    }
+
     bool isCallerCameraServerNotDelegating() const {
         return mAttributionAndPermissionUtils->isCallerCameraServerNotDelegating();
     }