Prevent setting app op mode for device provisioning app through shell
command
For security reasons, device provisioning package should be restricted
from setting app op mode through shell command.
Bug: 330507809
Test: Manual through adb shell command
Flag: EXEMPT bug fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b3c3362bc4fbc654a3bc15e79c4b4159b0e5e79a)
Merged-In: Ifa2ea860054c90a69834e95c24307d2cc2d28a45
Change-Id: Ifa2ea860054c90a69834e95c24307d2cc2d28a45
diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java
index e1ac6c8..ef72481 100644
--- a/services/core/java/com/android/server/appop/AppOpsService.java
+++ b/services/core/java/com/android/server/appop/AppOpsService.java
@@ -180,6 +180,7 @@
import com.android.server.companion.virtual.VirtualDeviceManagerInternal;
import com.android.server.pm.PackageList;
import com.android.server.pm.PackageManagerLocal;
+import com.android.server.pm.ProtectedPackages;
import com.android.server.pm.UserManagerInternal;
import com.android.server.pm.pkg.AndroidPackage;
import com.android.server.pm.pkg.PackageState;
@@ -308,6 +309,8 @@
private final IPlatformCompat mPlatformCompat = IPlatformCompat.Stub.asInterface(
ServiceManager.getService(Context.PLATFORM_COMPAT_SERVICE));
+ private ProtectedPackages mProtectedPackages;
+
/**
* Registered callbacks, called from {@link #collectAsyncNotedOp}.
*
@@ -2099,6 +2102,12 @@
enforceManageAppOpsModes(Binder.getCallingPid(), Binder.getCallingUid(), uid);
verifyIncomingOp(code);
+
+ if (isDeviceProvisioningPackage(uid, null)) {
+ Slog.w(TAG, "Cannot set uid mode for device provisioning app by Shell");
+ return;
+ }
+
code = AppOpsManager.opToSwitch(code);
if (permissionPolicyCallback == null) {
@@ -2409,6 +2418,11 @@
return;
}
+ if (isDeviceProvisioningPackage(uid, packageName)) {
+ Slog.w(TAG, "Cannot set op mode for device provisioning app by Shell");
+ return;
+ }
+
code = AppOpsManager.opToSwitch(code);
PackageVerificationResult pvr;
@@ -2439,6 +2453,36 @@
notifyStorageManagerOpModeChangedSync(code, uid, packageName, mode, previousMode);
}
+ // Device provisioning package is restricted from setting app op mode through shell command
+ private boolean isDeviceProvisioningPackage(int uid,
+ @Nullable String packageName) {
+ if (UserHandle.getAppId(Binder.getCallingUid()) == Process.SHELL_UID) {
+ ProtectedPackages protectedPackages = getProtectedPackages();
+
+ if (packageName != null && protectedPackages.isDeviceProvisioningPackage(packageName)) {
+ return true;
+ }
+
+ String[] packageNames = mContext.getPackageManager().getPackagesForUid(uid);
+ if (packageNames != null) {
+ for (String pkg : packageNames) {
+ if (protectedPackages.isDeviceProvisioningPackage(pkg)) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ // Race condition is allowed here for better performance
+ private ProtectedPackages getProtectedPackages() {
+ if (mProtectedPackages == null) {
+ mProtectedPackages = new ProtectedPackages(mContext);
+ }
+ return mProtectedPackages;
+ }
+
private void notifyOpChanged(ArraySet<OnOpModeChangedListener> callbacks, int code,
int uid, String packageName, String persistentDeviceId) {
for (int i = 0; i < callbacks.size(); i++) {
diff --git a/services/core/java/com/android/server/pm/ProtectedPackages.java b/services/core/java/com/android/server/pm/ProtectedPackages.java
index 524252c..e715881 100644
--- a/services/core/java/com/android/server/pm/ProtectedPackages.java
+++ b/services/core/java/com/android/server/pm/ProtectedPackages.java
@@ -20,6 +20,7 @@
import android.annotation.UserIdInt;
import android.content.Context;
import android.os.UserHandle;
+import android.text.TextUtils;
import android.util.ArraySet;
import android.util.SparseArray;
@@ -27,6 +28,7 @@
import com.android.internal.annotations.GuardedBy;
import java.util.List;
+import java.util.Objects;
import java.util.Set;
/**
@@ -164,4 +166,13 @@
return hasDeviceOwnerOrProfileOwner(userId, packageName)
|| isProtectedPackage(userId, packageName);
}
+
+ /**
+ * Returns {@code true} if a given package is the device provisioning package. Otherwise,
+ * returns {@code false}.
+ */
+ public synchronized boolean isDeviceProvisioningPackage(String packageName) {
+ return !TextUtils.isEmpty(mDeviceProvisioningPackage) && Objects.equals(
+ mDeviceProvisioningPackage, packageName);
+ }
}