Add + enforce new DeviceConfig permissions.
Adds these new permissions, and grants them to `adb`:
- `ALLOWLISTED_WRITE_DEVICE_CONFIG`
- `READ_WRITE_SYNC_DISABLED_MODE_CONFIG`
Uses `ALLOWLISTED_WRITE_DEVICE_CONFIG` to restrict writing flags to
DeviceConfig unless they are explicitly allowlisted.
Revokes `WRITE_DEVICE_CONFIG` from `adb`, and grants it
`ALLOWLISTED_WRITE_DEVICE_CONFIG`.
Bug: 251818659
Test: m
Change-Id: I0d6784a9437e0b0344f47d13dab0f838f63eaded
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 7abace03..104d6e7 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -1175,7 +1175,7 @@
Slog.v(LOG_TAG, "setAllConfigSettings for prefix: " + prefix);
}
- enforceWritePermission(Manifest.permission.WRITE_DEVICE_CONFIG);
+ enforceDeviceConfigWritePermission(getContext(), keyValues.keySet());
final String callingPackage = resolveCallingPackage();
synchronized (mLock) {
@@ -1194,7 +1194,8 @@
Slog.v(LOG_TAG, "setSyncDisabledModeConfig(" + syncDisabledMode + ")");
}
- enforceWritePermission(Manifest.permission.WRITE_DEVICE_CONFIG);
+ enforceHasAtLeastOnePermission(Manifest.permission.WRITE_DEVICE_CONFIG,
+ Manifest.permission.READ_WRITE_SYNC_DISABLED_MODE_CONFIG);
synchronized (mLock) {
setSyncDisabledModeConfigLocked(syncDisabledMode);
@@ -1206,7 +1207,8 @@
Slog.v(LOG_TAG, "getSyncDisabledModeConfig");
}
- enforceWritePermission(Manifest.permission.WRITE_DEVICE_CONFIG);
+ enforceHasAtLeastOnePermission(Manifest.permission.WRITE_DEVICE_CONFIG,
+ Manifest.permission.READ_WRITE_SYNC_DISABLED_MODE_CONFIG);
synchronized (mLock) {
return getSyncDisabledModeConfigLocked();
@@ -1291,13 +1293,14 @@
private boolean mutateConfigSetting(String name, String value, String prefix,
boolean makeDefault, int operation, int mode) {
- enforceWritePermission(Manifest.permission.WRITE_DEVICE_CONFIG);
final String callingPackage = resolveCallingPackage();
boolean someSettingChanged = false;
// Perform the mutation.
synchronized (mLock) {
switch (operation) {
case MUTATION_OPERATION_INSERT: {
+ enforceDeviceConfigWritePermission(getContext(), Collections.singleton(name));
+
someSettingChanged = mSettingsRegistry.insertSettingLocked(SETTINGS_TYPE_CONFIG,
UserHandle.USER_SYSTEM, name, value, null, makeDefault, true,
callingPackage, false, null,
@@ -1306,12 +1309,17 @@
}
case MUTATION_OPERATION_DELETE: {
+ enforceDeviceConfigWritePermission(getContext(), Collections.singleton(name));
+
someSettingChanged = mSettingsRegistry.deleteSettingLocked(SETTINGS_TYPE_CONFIG,
UserHandle.USER_SYSTEM, name, false, null);
break;
}
case MUTATION_OPERATION_RESET: {
+ enforceDeviceConfigWritePermission(getContext(),
+ getAllConfigFlags(prefix).keySet());
+
someSettingChanged = mSettingsRegistry.resetSettingsLocked(SETTINGS_TYPE_CONFIG,
UserHandle.USER_SYSTEM, callingPackage, mode, null, prefix);
break;
@@ -1475,7 +1483,7 @@
boolean makeDefault, int requestingUserId, int operation, boolean forceNotify,
int mode, boolean overrideableByRestore) {
// Make sure the caller can change the settings - treated as secure.
- enforceWritePermission(Manifest.permission.WRITE_SECURE_SETTINGS);
+ enforceHasAtLeastOnePermission(Manifest.permission.WRITE_SECURE_SETTINGS);
// Resolve the userId on whose behalf the call is made.
final int callingUserId = resolveCallingUserIdEnforcingPermissionsLocked(requestingUserId);
@@ -1772,7 +1780,7 @@
boolean makeDefault, int requestingUserId, int operation, boolean forceNotify,
int mode, boolean overrideableByRestore) {
// Make sure the caller can change the settings.
- enforceWritePermission(Manifest.permission.WRITE_SECURE_SETTINGS);
+ enforceHasAtLeastOnePermission(Manifest.permission.WRITE_SECURE_SETTINGS);
// Resolve the userId on whose behalf the call is made.
final int callingUserId = resolveCallingUserIdEnforcingPermissionsLocked(requestingUserId);
@@ -2305,11 +2313,57 @@
}
}
- private void enforceWritePermission(String permission) {
- if (getContext().checkCallingOrSelfPermission(permission)
- != PackageManager.PERMISSION_GRANTED) {
- throw new SecurityException("Permission denial: writing to settings requires:"
- + permission);
+ private void enforceHasAtLeastOnePermission(String ...permissions) {
+ for (String permission : permissions) {
+ if (getContext().checkCallingOrSelfPermission(permission)
+ == PackageManager.PERMISSION_GRANTED) {
+ return;
+ }
+ }
+ throw new SecurityException("Permission denial, must have one of: "
+ + Arrays.toString(permissions));
+ }
+
+ /**
+ * Throws an exception if write permissions are not granted for {@code flags}.
+ * <p>
+ * Write permissions are granted if the calling UID is root, or the
+ * WRITE_DEVICE_CONFIG permission is granted, or the WRITE_DEVICE_CONFIG_ALLOWLIST
+ * permission is granted and each flag in {@code flags} is allowlisted in {@code
+ * WRITABLE_FLAG_ALLOWLIST_FLAG}.
+ *
+ * @param context the {@link Context} this is called in
+ * @param flags a list of flags to check, each one of the form 'namespace/flagName'
+ *
+ * @throws SecurityException if the above criteria are not met.
+ * @hide
+ */
+ private void enforceDeviceConfigWritePermission(
+ @NonNull Context context,
+ @NonNull Set<String> flags) {
+ boolean hasAllowlistPermission =
+ context.checkCallingOrSelfPermission(
+ Manifest.permission.ALLOWLISTED_WRITE_DEVICE_CONFIG)
+ == PackageManager.PERMISSION_GRANTED;
+ boolean hasWritePermission =
+ context.checkCallingOrSelfPermission(
+ Manifest.permission.WRITE_DEVICE_CONFIG)
+ == PackageManager.PERMISSION_GRANTED;
+ boolean isRoot = Binder.getCallingUid() == Process.ROOT_UID;
+
+ if (isRoot || hasWritePermission) {
+ return;
+ } else if (hasAllowlistPermission) {
+ for (String flag : flags) {
+ if (!DeviceConfig.getAdbWritableFlags().contains(flag)) {
+ throw new SecurityException("Permission denial for flag '"
+ + flag
+ + "'; allowlist permission granted, but must add flag to the allowlist.");
+ }
+ }
+ } else {
+ throw new SecurityException("Permission denial to mutate flag, must have root, "
+ + "WRITE_DEVICE_CONFIG, or ALLOWLISTED_WRITE_DEVICE_CONFIG");
}
}
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index 0664061..1a8fc0d 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -147,7 +147,8 @@
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
<uses-permission android:name="android.permission.LOCATION_BYPASS" />
<uses-permission android:name="android.permission.READ_DEVICE_CONFIG" />
- <uses-permission android:name="android.permission.WRITE_DEVICE_CONFIG" />
+ <uses-permission android:name="android.permission.ALLOWLISTED_WRITE_DEVICE_CONFIG" />
+ <uses-permission android:name="android.permission.READ_WRITE_SYNC_DISABLED_MODE_CONFIG" />
<uses-permission android:name="android.permission.MONITOR_DEVICE_CONFIG_ACCESS" />
<uses-permission android:name="android.permission.BROADCAST_STICKY" />
<uses-permission android:name="android.permission.MANAGE_ACCESSIBILITY" />