blob: 4926e465db95c3ccdb0ba29e98f62fc617b58f1f [file] [log] [blame]
Glenn Kasten44deb052012-02-05 18:09:08 -08001/*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
guochuang0c55eae2024-03-08 19:42:54 +080017//#define LOG_NDEBUG 0
Eric Laurent9b11c022018-06-06 19:19:22 -070018#define LOG_TAG "ServiceUtilities"
19
Andy Hunga85efab2019-12-23 11:41:29 -080020#include <audio_utils/clock.h>
Svet Ganovbe71aa22015-04-28 12:06:02 -070021#include <binder/AppOpsManager.h>
Glenn Kasten44deb052012-02-05 18:09:08 -080022#include <binder/IPCThreadState.h>
23#include <binder/IServiceManager.h>
24#include <binder/PermissionCache.h>
Andy Hungab7ef302018-05-15 19:35:29 -070025#include "mediautils/ServiceUtilities.h"
Nate Myrene69cada2020-12-10 10:00:36 -080026#include <system/audio-hal-enums.h>
Philip P. Moltmannbda45752020-07-17 16:41:18 -070027#include <media/AidlConversion.h>
28#include <media/AidlConversionUtil.h>
Svet Ganov33761132021-05-13 22:51:08 +000029#include <android/content/AttributionSourceState.h>
Glenn Kasten44deb052012-02-05 18:09:08 -080030
Kevin Rocard8be94972019-02-22 13:26:25 -080031#include <iterator>
32#include <algorithm>
Andy Hunga85efab2019-12-23 11:41:29 -080033#include <pwd.h>
Kevin Rocard8be94972019-02-22 13:26:25 -080034
Svet Ganovbe71aa22015-04-28 12:06:02 -070035/* When performing permission checks we do not use permission cache for
36 * runtime permissions (protection level dangerous) as they may change at
37 * runtime. All other permissions (protection level normal and dangerous)
38 * can be cached as they never change. Of course all permission checked
39 * here are platform defined.
40 */
41
Glenn Kasten44deb052012-02-05 18:09:08 -080042namespace android {
43
Svet Ganov33761132021-05-13 22:51:08 +000044using content::AttributionSourceState;
Philip P. Moltmannbda45752020-07-17 16:41:18 -070045
Svet Ganov5b81f552018-03-02 09:21:30 -080046static const String16 sAndroidPermissionRecordAudio("android.permission.RECORD_AUDIO");
Eric Laurent42984412019-05-09 17:57:03 -070047static const String16 sModifyPhoneState("android.permission.MODIFY_PHONE_STATE");
48static const String16 sModifyAudioRouting("android.permission.MODIFY_AUDIO_ROUTING");
Eric Laurentb0eff0f2021-11-09 16:05:49 +010049static const String16 sCallAudioInterception("android.permission.CALL_AUDIO_INTERCEPTION");
Eric Laurent24df2832023-10-13 18:13:43 +020050static const String16 sAndroidPermissionBluetoothConnect("android.permission.BLUETOOTH_CONNECT");
Svet Ganov5b81f552018-03-02 09:21:30 -080051
Svet Ganov5b81f552018-03-02 09:21:30 -080052static String16 resolveCallingPackage(PermissionController& permissionController,
Philip P. Moltmannbda45752020-07-17 16:41:18 -070053 const std::optional<String16> opPackageName, uid_t uid) {
54 if (opPackageName.has_value() && opPackageName.value().size() > 0) {
55 return opPackageName.value();
Svet Ganovbe71aa22015-04-28 12:06:02 -070056 }
Svet Ganovbe71aa22015-04-28 12:06:02 -070057 // In some cases the calling code has no access to the package it runs under.
58 // For example, code using the wilhelm framework's OpenSL-ES APIs. In this
59 // case we will get the packages for the calling UID and pick the first one
60 // for attributing the app op. This will work correctly for runtime permissions
61 // as for legacy apps we will toggle the app op for all packages in the UID.
62 // The caveat is that the operation may be attributed to the wrong package and
63 // stats based on app ops may be slightly off.
Svet Ganov5b81f552018-03-02 09:21:30 -080064 Vector<String16> packages;
65 permissionController.getPackagesForUid(uid, packages);
66 if (packages.isEmpty()) {
67 ALOGE("No packages for uid %d", uid);
Philip P. Moltmannbda45752020-07-17 16:41:18 -070068 return String16();
Svet Ganov5b81f552018-03-02 09:21:30 -080069 }
70 return packages[0];
71}
Svetoslav Ganov599ec462018-03-01 22:19:55 +000072
Eric Laurent45e16b92021-05-20 11:10:47 +020073int32_t getOpForSource(audio_source_t source) {
Nate Myrene69cada2020-12-10 10:00:36 -080074 switch (source) {
75 case AUDIO_SOURCE_HOTWORD:
76 return AppOpsManager::OP_RECORD_AUDIO_HOTWORD;
Mickey Keeley90d657d2021-10-20 18:06:38 -070077 case AUDIO_SOURCE_ECHO_REFERENCE: // fallthrough
Nate Myrene69cada2020-12-10 10:00:36 -080078 case AUDIO_SOURCE_REMOTE_SUBMIX:
79 return AppOpsManager::OP_RECORD_AUDIO_OUTPUT;
Nate Myrenf7c88352021-04-12 14:41:49 -070080 case AUDIO_SOURCE_VOICE_DOWNLINK:
81 return AppOpsManager::OP_RECORD_INCOMING_PHONE_AUDIO;
Nate Myrene69cada2020-12-10 10:00:36 -080082 case AUDIO_SOURCE_DEFAULT:
83 default:
84 return AppOpsManager::OP_RECORD_AUDIO;
85 }
86}
87
Svet Ganov33761132021-05-13 22:51:08 +000088std::optional<AttributionSourceState> resolveAttributionSource(
89 const AttributionSourceState& callerAttributionSource) {
90 AttributionSourceState nextAttributionSource = callerAttributionSource;
91
92 if (!nextAttributionSource.packageName.has_value()) {
93 nextAttributionSource = AttributionSourceState(nextAttributionSource);
94 PermissionController permissionController;
95 const uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(nextAttributionSource.uid));
96 nextAttributionSource.packageName = VALUE_OR_FATAL(legacy2aidl_String16_string(
97 resolveCallingPackage(permissionController, VALUE_OR_FATAL(
98 aidl2legacy_string_view_String16(nextAttributionSource.packageName.value_or(""))),
99 uid)));
100 if (!nextAttributionSource.packageName.has_value()) {
101 return std::nullopt;
102 }
103 }
104
105 AttributionSourceState myAttributionSource;
106 myAttributionSource.uid = VALUE_OR_FATAL(android::legacy2aidl_uid_t_int32_t(getuid()));
107 myAttributionSource.pid = VALUE_OR_FATAL(android::legacy2aidl_pid_t_int32_t(getpid()));
Nate Myrene84d6912022-11-10 14:09:34 -0800108 // Create a static token for audioserver requests, which identifies the
109 // audioserver to the app ops system
110 static sp<BBinder> appOpsToken = sp<BBinder>::make();
111 myAttributionSource.token = appOpsToken;
Svet Ganov33761132021-05-13 22:51:08 +0000112 myAttributionSource.next.push_back(nextAttributionSource);
113
114 return std::optional<AttributionSourceState>{myAttributionSource};
115}
116
Marvin Ramine5a122d2023-12-07 13:57:59 +0100117 static bool checkRecordingInternal(const AttributionSourceState &attributionSource,
118 const uint32_t virtualDeviceId,
119 const String16 &msg, bool start, audio_source_t source) {
Eric Laurent58a0dd82019-10-24 12:42:17 -0700120 // Okay to not track in app ops as audio server or media server is us and if
Svet Ganov5b81f552018-03-02 09:21:30 -0800121 // device is rooted security model is considered compromised.
Jeffrey Carlyle62cc92b2019-09-17 11:15:15 -0700122 // system_server loses its RECORD_AUDIO permission when a secondary
123 // user is active, but it is a core system service so let it through.
124 // TODO(b/141210120): UserManager.DISALLOW_RECORD_AUDIO should not affect system user 0
Svet Ganov33761132021-05-13 22:51:08 +0000125 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
Eric Laurent58a0dd82019-10-24 12:42:17 -0700126 if (isAudioServerOrMediaServerOrSystemServerOrRootUid(uid)) return true;
Svetoslav Ganov599ec462018-03-01 22:19:55 +0000127
Svet Ganov5b81f552018-03-02 09:21:30 -0800128 // We specify a pid and uid here as mediaserver (aka MediaRecorder or StageFrightRecorder)
Svet Ganov33761132021-05-13 22:51:08 +0000129 // may open a record track on behalf of a client. Note that pid may be a tid.
Svet Ganov5b81f552018-03-02 09:21:30 -0800130 // IMPORTANT: DON'T USE PermissionCache - RUNTIME PERMISSIONS CHANGE.
Marvin Ramine5a122d2023-12-07 13:57:59 +0100131 std::optional<AttributionSourceState> resolvedAttributionSource =
Svet Ganov33761132021-05-13 22:51:08 +0000132 resolveAttributionSource(attributionSource);
133 if (!resolvedAttributionSource.has_value()) {
Svet Ganov5b81f552018-03-02 09:21:30 -0800134 return false;
135 }
136
Svet Ganov33761132021-05-13 22:51:08 +0000137 const int32_t attributedOpCode = getOpForSource(source);
Svetoslav Ganov599ec462018-03-01 22:19:55 +0000138
Svet Ganov33761132021-05-13 22:51:08 +0000139 permission::PermissionChecker permissionChecker;
Marvin Ramine5a122d2023-12-07 13:57:59 +0100140 resolvedAttributionSource.value().deviceId = virtualDeviceId;
Svet Ganov33761132021-05-13 22:51:08 +0000141 bool permitted = false;
Svet Ganov5b81f552018-03-02 09:21:30 -0800142 if (start) {
Svet Ganov33761132021-05-13 22:51:08 +0000143 permitted = (permissionChecker.checkPermissionForStartDataDeliveryFromDatasource(
144 sAndroidPermissionRecordAudio, resolvedAttributionSource.value(), msg,
145 attributedOpCode) != permission::PermissionChecker::PERMISSION_HARD_DENIED);
Svet Ganov5b81f552018-03-02 09:21:30 -0800146 } else {
Svet Ganov33761132021-05-13 22:51:08 +0000147 permitted = (permissionChecker.checkPermissionForPreflightFromDatasource(
148 sAndroidPermissionRecordAudio, resolvedAttributionSource.value(), msg,
149 attributedOpCode) != permission::PermissionChecker::PERMISSION_HARD_DENIED);
Svetoslav Ganov599ec462018-03-01 22:19:55 +0000150 }
151
Svet Ganov33761132021-05-13 22:51:08 +0000152 return permitted;
Glenn Kasten44deb052012-02-05 18:09:08 -0800153}
154
Marvin Ramine5a122d2023-12-07 13:57:59 +0100155static constexpr int DEVICE_ID_DEFAULT = 0;
156
157bool recordingAllowed(const AttributionSourceState &attributionSource, audio_source_t source) {
158 return checkRecordingInternal(attributionSource, DEVICE_ID_DEFAULT, String16(), /*start*/ false,
159 source);
160}
161
162bool recordingAllowed(const AttributionSourceState &attributionSource,
163 const uint32_t virtualDeviceId,
164 audio_source_t source) {
165 return checkRecordingInternal(attributionSource, virtualDeviceId,
166 String16(), /*start*/ false, source);
Svet Ganov5b81f552018-03-02 09:21:30 -0800167}
168
Svet Ganov33761132021-05-13 22:51:08 +0000169bool startRecording(const AttributionSourceState& attributionSource, const String16& msg,
170 audio_source_t source) {
Marvin Ramine5a122d2023-12-07 13:57:59 +0100171 return checkRecordingInternal(attributionSource, DEVICE_ID_DEFAULT, msg, /*start*/ true,
172 source);
Svet Ganov5b81f552018-03-02 09:21:30 -0800173}
174
Svet Ganov33761132021-05-13 22:51:08 +0000175void finishRecording(const AttributionSourceState& attributionSource, audio_source_t source) {
Svet Ganov5b81f552018-03-02 09:21:30 -0800176 // Okay to not track in app ops as audio server is us and if
177 // device is rooted security model is considered compromised.
Svet Ganov33761132021-05-13 22:51:08 +0000178 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
179 if (isAudioServerOrMediaServerOrSystemServerOrRootUid(uid)) return;
Svet Ganov5b81f552018-03-02 09:21:30 -0800180
Svet Ganov33761132021-05-13 22:51:08 +0000181 // We specify a pid and uid here as mediaserver (aka MediaRecorder or StageFrightRecorder)
182 // may open a record track on behalf of a client. Note that pid may be a tid.
183 // IMPORTANT: DON'T USE PermissionCache - RUNTIME PERMISSIONS CHANGE.
184 const std::optional<AttributionSourceState> resolvedAttributionSource =
185 resolveAttributionSource(attributionSource);
186 if (!resolvedAttributionSource.has_value()) {
Svet Ganov5b81f552018-03-02 09:21:30 -0800187 return;
188 }
189
Svet Ganov33761132021-05-13 22:51:08 +0000190 const int32_t attributedOpCode = getOpForSource(source);
191 permission::PermissionChecker permissionChecker;
192 permissionChecker.finishDataDeliveryFromDatasource(attributedOpCode,
193 resolvedAttributionSource.value());
Svet Ganov5b81f552018-03-02 09:21:30 -0800194}
195
Svet Ganov33761132021-05-13 22:51:08 +0000196bool captureAudioOutputAllowed(const AttributionSourceState& attributionSource) {
197 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
Andy Hung4ef19fa2018-05-15 19:35:29 -0700198 if (isAudioServerOrRootUid(uid)) return true;
Jeff Brown893a5642013-08-16 20:19:26 -0700199 static const String16 sCaptureAudioOutput("android.permission.CAPTURE_AUDIO_OUTPUT");
lpeter20d2e032022-06-01 19:38:44 +0800200 // Use PermissionChecker, which includes some logic for allowing the isolated
201 // HotwordDetectionService to hold certain permissions.
202 permission::PermissionChecker permissionChecker;
203 bool ok = (permissionChecker.checkPermissionForPreflight(
204 sCaptureAudioOutput, attributionSource, String16(),
205 AppOpsManager::OP_NONE) != permission::PermissionChecker::PERMISSION_HARD_DENIED);
Eric Laurent6ede98f2019-06-11 14:50:30 -0700206 if (!ok) ALOGV("Request requires android.permission.CAPTURE_AUDIO_OUTPUT");
Jeff Brown893a5642013-08-16 20:19:26 -0700207 return ok;
208}
209
Svet Ganov33761132021-05-13 22:51:08 +0000210bool captureMediaOutputAllowed(const AttributionSourceState& attributionSource) {
211 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
212 pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
Kevin Rocard36b17552019-03-07 18:48:07 -0800213 if (isAudioServerOrRootUid(uid)) return true;
214 static const String16 sCaptureMediaOutput("android.permission.CAPTURE_MEDIA_OUTPUT");
215 bool ok = PermissionCache::checkPermission(sCaptureMediaOutput, pid, uid);
216 if (!ok) ALOGE("Request requires android.permission.CAPTURE_MEDIA_OUTPUT");
217 return ok;
218}
219
Svet Ganov33761132021-05-13 22:51:08 +0000220bool captureTunerAudioInputAllowed(const AttributionSourceState& attributionSource) {
221 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
222 pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
Hayden Gomesb7429922020-12-11 13:59:18 -0800223 if (isAudioServerOrRootUid(uid)) return true;
224 static const String16 sCaptureTunerAudioInput("android.permission.CAPTURE_TUNER_AUDIO_INPUT");
225 bool ok = PermissionCache::checkPermission(sCaptureTunerAudioInput, pid, uid);
226 if (!ok) ALOGV("Request requires android.permission.CAPTURE_TUNER_AUDIO_INPUT");
227 return ok;
228}
229
Svet Ganov33761132021-05-13 22:51:08 +0000230bool captureVoiceCommunicationOutputAllowed(const AttributionSourceState& attributionSource) {
231 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
232 uid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
Nadav Bardbf0a2e2020-01-16 23:09:25 +0200233 if (isAudioServerOrRootUid(uid)) return true;
234 static const String16 sCaptureVoiceCommOutput(
235 "android.permission.CAPTURE_VOICE_COMMUNICATION_OUTPUT");
236 bool ok = PermissionCache::checkPermission(sCaptureVoiceCommOutput, pid, uid);
237 if (!ok) ALOGE("Request requires android.permission.CAPTURE_VOICE_COMMUNICATION_OUTPUT");
238 return ok;
239}
240
Carter Hsua3abb402021-10-26 11:11:20 +0800241bool accessUltrasoundAllowed(const AttributionSourceState& attributionSource) {
242 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
243 uid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
244 if (isAudioServerOrRootUid(uid)) return true;
245 static const String16 sAccessUltrasound(
246 "android.permission.ACCESS_ULTRASOUND");
247 bool ok = PermissionCache::checkPermission(sAccessUltrasound, pid, uid);
248 if (!ok) ALOGE("Request requires android.permission.ACCESS_ULTRASOUND");
249 return ok;
250}
251
Svet Ganov33761132021-05-13 22:51:08 +0000252bool captureHotwordAllowed(const AttributionSourceState& attributionSource) {
Eric Laurent7504b9e2017-08-15 18:17:26 -0700253 // CAPTURE_AUDIO_HOTWORD permission implies RECORD_AUDIO permission
Svet Ganov33761132021-05-13 22:51:08 +0000254 bool ok = recordingAllowed(attributionSource);
Eric Laurent7504b9e2017-08-15 18:17:26 -0700255
256 if (ok) {
257 static const String16 sCaptureHotwordAllowed("android.permission.CAPTURE_AUDIO_HOTWORD");
Ahaan Ugaleb18227c2021-06-07 11:52:54 -0700258 // Use PermissionChecker, which includes some logic for allowing the isolated
259 // HotwordDetectionService to hold certain permissions.
260 permission::PermissionChecker permissionChecker;
261 ok = (permissionChecker.checkPermissionForPreflight(
262 sCaptureHotwordAllowed, attributionSource, String16(),
263 AppOpsManager::OP_NONE) != permission::PermissionChecker::PERMISSION_HARD_DENIED);
Eric Laurent7504b9e2017-08-15 18:17:26 -0700264 }
Eric Laurent6ede98f2019-06-11 14:50:30 -0700265 if (!ok) ALOGV("android.permission.CAPTURE_AUDIO_HOTWORD");
Eric Laurent9a54bc22013-09-09 09:08:44 -0700266 return ok;
267}
268
Glenn Kasten44deb052012-02-05 18:09:08 -0800269bool settingsAllowed() {
Andy Hung4ef19fa2018-05-15 19:35:29 -0700270 // given this is a permission check, could this be isAudioServerOrRootUid()?
271 if (isAudioServerUid(IPCThreadState::self()->getCallingUid())) return true;
Glenn Kasten44deb052012-02-05 18:09:08 -0800272 static const String16 sAudioSettings("android.permission.MODIFY_AUDIO_SETTINGS");
Svet Ganovbe71aa22015-04-28 12:06:02 -0700273 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
274 bool ok = PermissionCache::checkCallingPermission(sAudioSettings);
Glenn Kasten44deb052012-02-05 18:09:08 -0800275 if (!ok) ALOGE("Request requires android.permission.MODIFY_AUDIO_SETTINGS");
276 return ok;
277}
278
Eric Laurent5284ed52014-05-29 14:37:38 -0700279bool modifyAudioRoutingAllowed() {
Svet Ganov33761132021-05-13 22:51:08 +0000280 return modifyAudioRoutingAllowed(getCallingAttributionSource());
Eric Laurent8a1095a2019-11-08 14:44:16 -0800281}
282
Svet Ganov33761132021-05-13 22:51:08 +0000283bool modifyAudioRoutingAllowed(const AttributionSourceState& attributionSource) {
284 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
285 pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
Eric Laurent8a1095a2019-11-08 14:44:16 -0800286 if (isAudioServerUid(IPCThreadState::self()->getCallingUid())) return true;
Svet Ganovbe71aa22015-04-28 12:06:02 -0700287 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
Eric Laurent8a1095a2019-11-08 14:44:16 -0800288 bool ok = PermissionCache::checkPermission(sModifyAudioRouting, pid, uid);
289 if (!ok) ALOGE("%s(): android.permission.MODIFY_AUDIO_ROUTING denied for uid %d",
290 __func__, uid);
Eric Laurent5284ed52014-05-29 14:37:38 -0700291 return ok;
292}
293
Ari Hausman-Cohen433722e2018-04-24 14:25:22 -0700294bool modifyDefaultAudioEffectsAllowed() {
Svet Ganov33761132021-05-13 22:51:08 +0000295 return modifyDefaultAudioEffectsAllowed(getCallingAttributionSource());
Eric Laurent3f75a5b2019-11-12 15:55:51 -0800296}
297
Svet Ganov33761132021-05-13 22:51:08 +0000298bool modifyDefaultAudioEffectsAllowed(const AttributionSourceState& attributionSource) {
299 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
300 pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
Eric Laurent3f75a5b2019-11-12 15:55:51 -0800301 if (isAudioServerUid(IPCThreadState::self()->getCallingUid())) return true;
302
Ari Hausman-Cohen433722e2018-04-24 14:25:22 -0700303 static const String16 sModifyDefaultAudioEffectsAllowed(
304 "android.permission.MODIFY_DEFAULT_AUDIO_EFFECTS");
305 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
Eric Laurent3f75a5b2019-11-12 15:55:51 -0800306 bool ok = PermissionCache::checkPermission(sModifyDefaultAudioEffectsAllowed, pid, uid);
307 ALOGE_IF(!ok, "%s(): android.permission.MODIFY_DEFAULT_AUDIO_EFFECTS denied for uid %d",
308 __func__, uid);
Ari Hausman-Cohen433722e2018-04-24 14:25:22 -0700309 return ok;
310}
311
Glenn Kasten44deb052012-02-05 18:09:08 -0800312bool dumpAllowed() {
Glenn Kasten44deb052012-02-05 18:09:08 -0800313 static const String16 sDump("android.permission.DUMP");
Svet Ganovbe71aa22015-04-28 12:06:02 -0700314 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
Glenn Kasten44deb052012-02-05 18:09:08 -0800315 bool ok = PermissionCache::checkCallingPermission(sDump);
316 // convention is for caller to dump an error message to fd instead of logging here
317 //if (!ok) ALOGE("Request requires android.permission.DUMP");
318 return ok;
319}
320
Svet Ganov33761132021-05-13 22:51:08 +0000321bool modifyPhoneStateAllowed(const AttributionSourceState& attributionSource) {
322 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
323 pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
Svet Ganov5b81f552018-03-02 09:21:30 -0800324 bool ok = PermissionCache::checkPermission(sModifyPhoneState, pid, uid);
Eric Laurent42984412019-05-09 17:57:03 -0700325 ALOGE_IF(!ok, "Request requires %s", String8(sModifyPhoneState).c_str());
326 return ok;
327}
328
329// privileged behavior needed by Dialer, Settings, SetupWizard and CellBroadcastReceiver
Svet Ganov33761132021-05-13 22:51:08 +0000330bool bypassInterruptionPolicyAllowed(const AttributionSourceState& attributionSource) {
331 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
332 pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
Eric Laurent42984412019-05-09 17:57:03 -0700333 static const String16 sWriteSecureSettings("android.permission.WRITE_SECURE_SETTINGS");
334 bool ok = PermissionCache::checkPermission(sModifyPhoneState, pid, uid)
335 || PermissionCache::checkPermission(sWriteSecureSettings, pid, uid)
336 || PermissionCache::checkPermission(sModifyAudioRouting, pid, uid);
337 ALOGE_IF(!ok, "Request requires %s or %s",
338 String8(sModifyPhoneState).c_str(), String8(sWriteSecureSettings).c_str());
Nadav Bar766fb022018-01-07 12:18:03 +0200339 return ok;
340}
341
Eric Laurentb0eff0f2021-11-09 16:05:49 +0100342bool callAudioInterceptionAllowed(const AttributionSourceState& attributionSource) {
343 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
344 pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(attributionSource.pid));
345
346 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
347 bool ok = PermissionCache::checkPermission(sCallAudioInterception, pid, uid);
Eric Laurenta6244a02021-12-14 14:05:25 +0100348 if (!ok) ALOGV("%s(): android.permission.CALL_AUDIO_INTERCEPTION denied for uid %d",
Eric Laurentb0eff0f2021-11-09 16:05:49 +0100349 __func__, uid);
350 return ok;
351}
352
Svet Ganov33761132021-05-13 22:51:08 +0000353AttributionSourceState getCallingAttributionSource() {
354 AttributionSourceState attributionSource = AttributionSourceState();
355 attributionSource.pid = VALUE_OR_FATAL(legacy2aidl_pid_t_int32_t(
356 IPCThreadState::self()->getCallingPid()));
357 attributionSource.uid = VALUE_OR_FATAL(legacy2aidl_uid_t_int32_t(
358 IPCThreadState::self()->getCallingUid()));
359 attributionSource.token = sp<BBinder>::make();
360 return attributionSource;
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700361}
362
Eric Laurent269acb42021-04-23 16:53:22 +0200363void purgePermissionCache() {
364 PermissionCache::purgeCache();
365}
366
Eric Laurent9b11c022018-06-06 19:19:22 -0700367status_t checkIMemory(const sp<IMemory>& iMemory)
368{
369 if (iMemory == 0) {
370 ALOGE("%s check failed: NULL IMemory pointer", __FUNCTION__);
371 return BAD_VALUE;
372 }
373
374 sp<IMemoryHeap> heap = iMemory->getMemory();
375 if (heap == 0) {
376 ALOGE("%s check failed: NULL heap pointer", __FUNCTION__);
377 return BAD_VALUE;
378 }
379
380 off_t size = lseek(heap->getHeapID(), 0, SEEK_END);
381 lseek(heap->getHeapID(), 0, SEEK_SET);
382
Ytai Ben-Tsvi7dd39722019-09-05 15:14:30 -0700383 if (iMemory->unsecurePointer() == NULL || size < (off_t)iMemory->size()) {
Eric Laurent9b11c022018-06-06 19:19:22 -0700384 ALOGE("%s check failed: pointer %p size %zu fd size %u",
Ytai Ben-Tsvi7dd39722019-09-05 15:14:30 -0700385 __FUNCTION__, iMemory->unsecurePointer(), iMemory->size(), (uint32_t)size);
Eric Laurent9b11c022018-06-06 19:19:22 -0700386 return BAD_VALUE;
387 }
388
389 return NO_ERROR;
390}
391
Eric Laurent24df2832023-10-13 18:13:43 +0200392/**
393 * Determines if the MAC address in Bluetooth device descriptors returned by APIs of
394 * a native audio service (audio flinger, audio policy) must be anonymized.
395 * MAC addresses returned to system server or apps with BLUETOOTH_CONNECT permission
396 * are not anonymized.
397 *
398 * @param attributionSource The attribution source of the calling app.
399 * @param caller string identifying the caller for logging.
400 * @return true if the MAC addresses must be anonymized, false otherwise.
401 */
402bool mustAnonymizeBluetoothAddress(
403 const AttributionSourceState& attributionSource, const String16& caller) {
Eric Laurent24df2832023-10-13 18:13:43 +0200404 uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(attributionSource.uid));
405 if (isAudioServerOrSystemServerUid(uid)) {
406 return false;
407 }
408 const std::optional<AttributionSourceState> resolvedAttributionSource =
409 resolveAttributionSource(attributionSource);
410 if (!resolvedAttributionSource.has_value()) {
411 return true;
412 }
413 permission::PermissionChecker permissionChecker;
414 return permissionChecker.checkPermissionForPreflightFromDatasource(
415 sAndroidPermissionBluetoothConnect, resolvedAttributionSource.value(), caller,
416 AppOpsManager::OP_BLUETOOTH_CONNECT)
417 != permission::PermissionChecker::PERMISSION_GRANTED;
418}
419
420/**
421 * Modifies the passed MAC address string in place for consumption by unprivileged clients.
422 * the string is assumed to have a valid MAC address format.
423 * the anonymzation must be kept in sync with toAnonymizedAddress() in BluetoothUtils.java
424 *
425 * @param address input/output the char string contining the MAC address to anonymize.
426 */
427void anonymizeBluetoothAddress(char *address) {
428 if (address == nullptr || strlen(address) != strlen("AA:BB:CC:DD:EE:FF")) {
429 return;
430 }
431 memcpy(address, "XX:XX:XX:XX", strlen("XX:XX:XX:XX"));
432}
433
Oreste Salerno703ec262020-12-17 16:38:38 +0100434sp<content::pm::IPackageManagerNative> MediaPackageManager::retrievePackageManager() {
Kevin Rocard8be94972019-02-22 13:26:25 -0800435 const sp<IServiceManager> sm = defaultServiceManager();
436 if (sm == nullptr) {
437 ALOGW("%s: failed to retrieve defaultServiceManager", __func__);
Ricardo Correa57a37692020-03-23 17:27:25 -0700438 return nullptr;
Kevin Rocard8be94972019-02-22 13:26:25 -0800439 }
440 sp<IBinder> packageManager = sm->checkService(String16(nativePackageManagerName));
441 if (packageManager == nullptr) {
442 ALOGW("%s: failed to retrieve native package manager", __func__);
Ricardo Correa57a37692020-03-23 17:27:25 -0700443 return nullptr;
Kevin Rocard8be94972019-02-22 13:26:25 -0800444 }
Ricardo Correa57a37692020-03-23 17:27:25 -0700445 return interface_cast<content::pm::IPackageManagerNative>(packageManager);
Kevin Rocard8be94972019-02-22 13:26:25 -0800446}
447
448std::optional<bool> MediaPackageManager::doIsAllowed(uid_t uid) {
449 if (mPackageManager == nullptr) {
Ricardo Correa57a37692020-03-23 17:27:25 -0700450 /** Can not fetch package manager at construction it may not yet be registered. */
Oreste Salerno703ec262020-12-17 16:38:38 +0100451 mPackageManager = retrievePackageManager();
Ricardo Correa57a37692020-03-23 17:27:25 -0700452 if (mPackageManager == nullptr) {
453 ALOGW("%s: Playback capture is denied as package manager is not reachable", __func__);
454 return std::nullopt;
455 }
Kevin Rocard8be94972019-02-22 13:26:25 -0800456 }
457
Oreste Salerno703ec262020-12-17 16:38:38 +0100458 // Retrieve package names for the UID and transform to a std::vector<std::string>.
459 Vector<String16> str16PackageNames;
460 PermissionController{}.getPackagesForUid(uid, str16PackageNames);
Kevin Rocard8be94972019-02-22 13:26:25 -0800461 std::vector<std::string> packageNames;
Oreste Salerno703ec262020-12-17 16:38:38 +0100462 for (const auto& str16PackageName : str16PackageNames) {
Tomasz Wasilczyk833345b2023-08-15 20:59:35 +0000463 packageNames.emplace_back(String8(str16PackageName).c_str());
Kevin Rocard8be94972019-02-22 13:26:25 -0800464 }
465 if (packageNames.empty()) {
466 ALOGW("%s: Playback capture for uid %u is denied as no package name could be retrieved "
Oreste Salerno703ec262020-12-17 16:38:38 +0100467 "from the package manager.", __func__, uid);
Kevin Rocard8be94972019-02-22 13:26:25 -0800468 return std::nullopt;
469 }
470 std::vector<bool> isAllowed;
Oreste Salerno703ec262020-12-17 16:38:38 +0100471 auto status = mPackageManager->isAudioPlaybackCaptureAllowed(packageNames, &isAllowed);
Kevin Rocard8be94972019-02-22 13:26:25 -0800472 if (!status.isOk()) {
473 ALOGW("%s: Playback capture is denied for uid %u as the manifest property could not be "
474 "retrieved from the package manager: %s", __func__, uid, status.toString8().c_str());
475 return std::nullopt;
476 }
477 if (packageNames.size() != isAllowed.size()) {
478 ALOGW("%s: Playback capture is denied for uid %u as the package manager returned incoherent"
479 " response size: %zu != %zu", __func__, uid, packageNames.size(), isAllowed.size());
480 return std::nullopt;
481 }
482
483 // Zip together packageNames and isAllowed for debug logs
484 Packages& packages = mDebugLog[uid];
485 packages.resize(packageNames.size()); // Reuse all objects
486 std::transform(begin(packageNames), end(packageNames), begin(isAllowed),
487 begin(packages), [] (auto& name, bool isAllowed) -> Package {
488 return {std::move(name), isAllowed};
489 });
490
491 // Only allow playback record if all packages in this UID allow it
492 bool playbackCaptureAllowed = std::all_of(begin(isAllowed), end(isAllowed),
493 [](bool b) { return b; });
494
495 return playbackCaptureAllowed;
496}
497
498void MediaPackageManager::dump(int fd, int spaces) const {
499 dprintf(fd, "%*sAllow playback capture log:\n", spaces, "");
500 if (mPackageManager == nullptr) {
501 dprintf(fd, "%*sNo package manager\n", spaces + 2, "");
502 }
503 dprintf(fd, "%*sPackage manager errors: %u\n", spaces + 2, "", mPackageManagerErrors);
504
505 for (const auto& uidCache : mDebugLog) {
506 for (const auto& package : std::get<Packages>(uidCache)) {
507 dprintf(fd, "%*s- uid=%5u, allowPlaybackCapture=%s, packageName=%s\n", spaces + 2, "",
508 std::get<const uid_t>(uidCache),
509 package.playbackCaptureAllowed ? "true " : "false",
510 package.name.c_str());
511 }
512 }
513}
514
Andy Hunga85efab2019-12-23 11:41:29 -0800515// How long we hold info before we re-fetch it (24 hours) if we found it previously.
516static constexpr nsecs_t INFO_EXPIRATION_NS = 24 * 60 * 60 * NANOS_PER_SECOND;
517// Maximum info records we retain before clearing everything.
518static constexpr size_t INFO_CACHE_MAX = 1000;
519
520// The original code is from MediaMetricsService.cpp.
521mediautils::UidInfo::Info mediautils::UidInfo::getInfo(uid_t uid)
522{
523 const nsecs_t now = systemTime(SYSTEM_TIME_REALTIME);
524 struct mediautils::UidInfo::Info info;
525 {
526 std::lock_guard _l(mLock);
527 auto it = mInfoMap.find(uid);
528 if (it != mInfoMap.end()) {
529 info = it->second;
530 ALOGV("%s: uid %d expiration %lld now %lld",
531 __func__, uid, (long long)info.expirationNs, (long long)now);
532 if (info.expirationNs <= now) {
533 // purge the stale entry and fall into re-fetching
534 ALOGV("%s: entry for uid %d expired, now %lld",
535 __func__, uid, (long long)now);
536 mInfoMap.erase(it);
537 info.uid = (uid_t)-1; // this is always fully overwritten
538 }
539 }
540 }
541
542 // if we did not find it in our map, look it up
543 if (info.uid == (uid_t)(-1)) {
544 sp<IServiceManager> sm = defaultServiceManager();
545 sp<content::pm::IPackageManagerNative> package_mgr;
546 if (sm.get() == nullptr) {
547 ALOGE("%s: Cannot find service manager", __func__);
548 } else {
549 sp<IBinder> binder = sm->getService(String16("package_native"));
550 if (binder.get() == nullptr) {
551 ALOGE("%s: Cannot find package_native", __func__);
552 } else {
553 package_mgr = interface_cast<content::pm::IPackageManagerNative>(binder);
554 }
555 }
556
557 // find package name
558 std::string pkg;
559 if (package_mgr != nullptr) {
560 std::vector<std::string> names;
561 binder::Status status = package_mgr->getNamesForUids({(int)uid}, &names);
562 if (!status.isOk()) {
563 ALOGE("%s: getNamesForUids failed: %s",
564 __func__, status.exceptionMessage().c_str());
565 } else {
566 if (!names[0].empty()) {
567 pkg = names[0].c_str();
568 }
569 }
570 }
571
572 if (pkg.empty()) {
573 struct passwd pw{}, *result;
574 char buf[8192]; // extra buffer space - should exceed what is
575 // required in struct passwd_pw (tested),
576 // and even then this is only used in backup
577 // when the package manager is unavailable.
578 if (getpwuid_r(uid, &pw, buf, sizeof(buf), &result) == 0
579 && result != nullptr
580 && result->pw_name != nullptr) {
581 pkg = result->pw_name;
582 }
583 }
584
585 // strip any leading "shared:" strings that came back
586 if (pkg.compare(0, 7, "shared:") == 0) {
587 pkg.erase(0, 7);
588 }
589
590 // determine how pkg was installed and the versionCode
591 std::string installer;
592 int64_t versionCode = 0;
593 bool notFound = false;
594 if (pkg.empty()) {
595 pkg = std::to_string(uid); // not found
596 notFound = true;
597 } else if (strchr(pkg.c_str(), '.') == nullptr) {
598 // not of form 'com.whatever...'; assume internal
599 // so we don't need to look it up in package manager.
Andy Hunge6a65ac2020-01-08 16:56:17 -0800600 } else if (strncmp(pkg.c_str(), "android.", 8) == 0) {
601 // android.* packages are assumed fine
Andy Hunga85efab2019-12-23 11:41:29 -0800602 } else if (package_mgr.get() != nullptr) {
603 String16 pkgName16(pkg.c_str());
604 binder::Status status = package_mgr->getInstallerForPackage(pkgName16, &installer);
605 if (!status.isOk()) {
606 ALOGE("%s: getInstallerForPackage failed: %s",
607 __func__, status.exceptionMessage().c_str());
608 }
609
610 // skip if we didn't get an installer
611 if (status.isOk()) {
612 status = package_mgr->getVersionCodeForPackage(pkgName16, &versionCode);
613 if (!status.isOk()) {
614 ALOGE("%s: getVersionCodeForPackage failed: %s",
615 __func__, status.exceptionMessage().c_str());
616 }
617 }
618
619 ALOGV("%s: package '%s' installed by '%s' versioncode %lld",
620 __func__, pkg.c_str(), installer.c_str(), (long long)versionCode);
621 }
622
623 // add it to the map, to save a subsequent lookup
624 std::lock_guard _l(mLock);
625 // first clear if we have too many cached elements. This would be rare.
626 if (mInfoMap.size() >= INFO_CACHE_MAX) mInfoMap.clear();
627
628 // always overwrite
629 info.uid = uid;
630 info.package = std::move(pkg);
631 info.installer = std::move(installer);
632 info.versionCode = versionCode;
633 info.expirationNs = now + (notFound ? 0 : INFO_EXPIRATION_NS);
634 ALOGV("%s: adding uid %d package '%s' expirationNs: %lld",
635 __func__, uid, info.package.c_str(), (long long)info.expirationNs);
636 mInfoMap[uid] = info;
637 }
638 return info;
639}
640
Glenn Kasten44deb052012-02-05 18:09:08 -0800641} // namespace android