Merge "[Permissions] Add temporary logging to debug Bluetooth security exception" into main
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index d3931a3..10e6edc 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -26,6 +26,7 @@
 import static android.app.AppOpsManager.MODE_ALLOWED;
 import static android.app.AppOpsManager.MODE_ERRORED;
 import static android.app.AppOpsManager.MODE_IGNORED;
+import static android.app.AppOpsManager.OP_BLUETOOTH_CONNECT;
 import static android.content.pm.ApplicationInfo.AUTO_REVOKE_DISALLOWED;
 import static android.content.pm.ApplicationInfo.AUTO_REVOKE_DISCOURAGED;
 
@@ -1228,6 +1229,11 @@
                         sPlatformPermissions.put(permission, permissionInfo);
                     }
                 } catch (PackageManager.NameNotFoundException ignored) {
+                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
+                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
+                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as package"
+                                + " not found when retrieving permission info");
+                    }
                     return PermissionChecker.PERMISSION_HARD_DENIED;
                 }
             }
@@ -1347,17 +1353,34 @@
                 // way we can avoid the datasource creating an attribution context for every call.
                 if (!(fromDatasource && current.equals(attributionSource))
                         && next != null && !current.isTrusted(context)) {
+                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
+                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
+                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as "
+                                + current + " attribution source isn't a data source and "
+                                + current + " isn't trusted");
+                    }
                     return PermissionChecker.PERMISSION_HARD_DENIED;
                 }
 
                 // If we already checked the permission for this one, skip the work
                 if (!skipCurrentChecks && !checkPermission(context, permissionManagerServiceInt,
                         permission, current)) {
+                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
+                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
+                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as we"
+                                + " aren't skipping permission checks and permission check returns"
+                                + " false for " + current);
+                    }
                     return PermissionChecker.PERMISSION_HARD_DENIED;
                 }
 
                 if (next != null && !checkPermission(context, permissionManagerServiceInt,
                         permission, next)) {
+                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
+                    if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
+                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as"
+                                + " permission check returns false for next source " + next);
+                    }
                     return PermissionChecker.PERMISSION_HARD_DENIED;
                 }
 
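Review bot: The three `Slog.e` calls added here concatenate whole `AttributionSource` objects (`current`, `next`) into error-level log lines, and the later hunks do the same with `attributionSource` and `resolvedAttributionSource`. What `toString()` emits is not visible in this diff, but if it includes the uid, package name and attribution tag, the identity of every caller that fails a BLUETOOTH_CONNECT check ends up in logcat and in bug reports. These branches run on denial, so the log volume is presumably driven by the caller, and repeated denied checks could crowd other entries out of the buffer. Consider logging only the fields needed for b/302609140 and rate-limiting the message while the diagnostics are in place. The enclosing method starts and ends outside the hunk.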
@@ -1402,6 +1425,10 @@
 
                 switch (opMode) {
                     case AppOpsManager.MODE_ERRORED: {
+                        if (permission.equals(Manifest.permission.BLUETOOTH_CONNECT)) {
+                            Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as op"
+                                    + " mode is MODE_ERRORED for " + attributionSource);
+                        }
                         return PermissionChecker.PERMISSION_HARD_DENIED;
                     }
                     case AppOpsManager.MODE_IGNORED: {
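Review bot: The block added under `case AppOpsManager.MODE_ERRORED` is the only diagnostic in this commit without the `// TODO(b/302609140): Remove extra logging after this issue is diagnosed.` marker, so a cleanup that searches for the bug id will leave it behind in the permission check path. Add the same comment line above the `if`. The switch continues outside the hunk.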
@@ -1670,6 +1697,12 @@
                 final AttributionSource resolvedAttributionSource = resolveAttributionSource(
                         context, accessorSource);
                 if (resolvedAttributionSource.getPackageName() == null) {
+                    // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
+                    if (op == OP_BLUETOOTH_CONNECT) {
+                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as resolved"
+                                + "package name for " + resolvedAttributionSource + " returned"
+                                + " null");
+                    }
                     return AppOpsManager.MODE_ERRORED;
                 }
                 int notedOp = op;
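Review bot: The message built under the `resolvedAttributionSource.getPackageName() == null` check is missing a space, because `"... hard denied as resolved" + "package name for "` concatenates to `resolvedpackage name`. Anyone grepping the logs for "resolved package name" during the investigation will miss these lines. Change the second literal to `" package name for "`. The enclosing method continues outside the hunk.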
@@ -1683,6 +1716,13 @@
                 if (attributedOp != AppOpsManager.OP_NONE && attributedOp != op) {
                     checkedOpResult = appOpsManager.checkOpNoThrow(op, resolvedAttributionSource);
                     if (checkedOpResult == MODE_ERRORED) {
+                        // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
+                        if (op == OP_BLUETOOTH_CONNECT) {
+                            Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as"
+                                    + " checkOp for resolvedAttributionSource "
+                                    + resolvedAttributionSource + " and op " + op
+                                    + " returned MODE_ERRORED");
+                        }
                         return checkedOpResult;
                     }
                     notedOp = attributedOp;
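Review bot: The text logged for this early `checkedOpResult == MODE_ERRORED` return is word for word the same as the `result == checkedOpResult` branch added before `return result` in the last hunk, so a log line cannot be mapped back to the return that produced it. Make this one distinguishable, for example by ending it with `" returned MODE_ERRORED (attributedOp " + attributedOp + ")"`. The enclosing method starts and ends outside the hunk.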
@@ -1722,7 +1762,22 @@
                         throw new SecurityException(msg + ":" + e.getMessage());
                     }
                 }
-                return Math.max(checkedOpResult, notedOpResult);
+                int result = Math.max(checkedOpResult, notedOpResult);
+                // TODO(b/302609140): Remove extra logging after this issue is diagnosed.
+                if (op == OP_BLUETOOTH_CONNECT && result == MODE_ERRORED) {
+                    if (result == checkedOpResult) {
+                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as"
+                                + " checkOp for resolvedAttributionSource "
+                                + resolvedAttributionSource + " and op " + op
+                                + " returned MODE_ERRORED");
+                    } else {
+                        Slog.e(LOG_TAG, "BLUETOOTH_CONNECT permission hard denied as"
+                                + " noteOp for resolvedAttributionSource "
+                                + resolvedAttributionSource + " and op " + notedOp
+                                + " returned MODE_ERRORED");
+                    }
+                }
+                return result;
             }
         }
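Review bot: The `result == checkedOpResult` test attributes the denial to checkOp whenever `checkedOpResult` is `MODE_ERRORED`, including the case where `notedOpResult` is `MODE_ERRORED` as well, so a failing noteOp can go unreported. Whether both can be errored at this point depends on code outside the hunk, but logging the two values together removes the guess: `+ " checkedOpResult=" + checkedOpResult + " notedOpResult=" + notedOpResult`. The block before it that throws `SecurityException` is only partly visible, so that path may need its own log line if it is relevant to b/302609140.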