Require AR permission to access step events
Requires that an application targeting Android Q and later has the AR
runtime permission in order to access the Step Detector and the Step
Counter. Applications that target pre-Q are not required to hold the
permission. If an application that targets pre-Q holds the GMS Core AR
install time permission and the user revokes the permission, then the
application will no longer be able to receive Step Detector or Step
Counter events.
The following scenarios were tested:
A = Receive events without explicitly granting permission
B = Receive events after granting runtime permission
C = Receive events after revoking any available permission
Install = GMS Core install time permission
Runtime = android.permission.ACTIVITY_RECOGNITION runtime permission
SDK Version: | Has Permission: | Could Receive:
Compile Target | Install Runtime | A B C
Q Q Yes Yes No Yes No
Q Q Yes No No N/A N/A
Q Q No Yes No Yes No
Q Q No No No N/A N/A
Q P Yes Yes Yes Yes No
Q P Yes No Yes Yes No
Q P No Yes Yes Yes No
Q P No No Yes Yes N/A
P P Yes Yes Yes Yes No
P P Yes No Yes Yes No
P P No Yes Yes Yes No
P P No No Yes Yes N/A
Bug: 130640415
Test: Builds
Test: Scenarios listed aboved
Change-Id: Iffe4aff731efd1fe20fa7b4a8245262db8b32d03
diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp
index d9a986e..139987e 100644
--- a/libs/sensor/Sensor.cpp
+++ b/libs/sensor/Sensor.cpp
@@ -22,6 +22,13 @@
#include <binder/IPermissionController.h>
#include <binder/IServiceManager.h>
+/*
+ * The permission to use for activity recognition sensors (like step counter).
+ * See sensor types for more details on what sensors should require this
+ * permission.
+ */
+#define SENSOR_PERMISSION_ACTIVITY_RECOGNITION "android.permission.ACTIVITY_RECOGNITION"
+
// ----------------------------------------------------------------------------
namespace android {
// ----------------------------------------------------------------------------
@@ -116,7 +123,7 @@
mStringType = SENSOR_STRING_TYPE_HEART_RATE;
mRequiredPermission = SENSOR_PERMISSION_BODY_SENSORS;
AppOpsManager appOps;
- mRequiredAppOp = appOps.permissionToOpCode(String16(SENSOR_PERMISSION_BODY_SENSORS));
+ mRequiredAppOp = appOps.permissionToOpCode(String16(mRequiredPermission));
mFlags |= SENSOR_FLAG_ON_CHANGE_MODE;
} break;
case SENSOR_TYPE_LIGHT:
@@ -165,14 +172,22 @@
mFlags |= SENSOR_FLAG_WAKE_UP;
}
break;
- case SENSOR_TYPE_STEP_COUNTER:
+ case SENSOR_TYPE_STEP_COUNTER: {
mStringType = SENSOR_STRING_TYPE_STEP_COUNTER;
+ mRequiredPermission = SENSOR_PERMISSION_ACTIVITY_RECOGNITION;
+ AppOpsManager appOps;
+ mRequiredAppOp =
+ appOps.permissionToOpCode(String16(mRequiredPermission));
mFlags |= SENSOR_FLAG_ON_CHANGE_MODE;
- break;
- case SENSOR_TYPE_STEP_DETECTOR:
+ } break;
+ case SENSOR_TYPE_STEP_DETECTOR: {
mStringType = SENSOR_STRING_TYPE_STEP_DETECTOR;
+ mRequiredPermission = SENSOR_PERMISSION_ACTIVITY_RECOGNITION;
+ AppOpsManager appOps;
+ mRequiredAppOp =
+ appOps.permissionToOpCode(String16(mRequiredPermission));
mFlags |= SENSOR_FLAG_SPECIAL_REPORTING_MODE;
- break;
+ } break;
case SENSOR_TYPE_TEMPERATURE:
mStringType = SENSOR_STRING_TYPE_TEMPERATURE;
mFlags |= SENSOR_FLAG_ON_CHANGE_MODE;
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 0269990..5efff92 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -13,8 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+#include <android/content/pm/IPackageManagerNative.h>
#include <binder/ActivityManager.h>
-#include <binder/AppOpsManager.h>
#include <binder/BinderService.h>
#include <binder/IServiceManager.h>
#include <binder/PermissionCache.h>
@@ -75,6 +75,9 @@
const char* SensorService::WAKE_LOCK_NAME = "SensorService_wakelock";
uint8_t SensorService::sHmacGlobalKey[128] = {};
bool SensorService::sHmacGlobalKeyIsValid = false;
+std::map<String16, int> SensorService::sPackageTargetVersion;
+Mutex SensorService::sPackageTargetVersionLock;
+AppOpsManager SensorService::sAppOpsManager;
#define SENSOR_SERVICE_DIR "/data/system/sensor_service"
#define SENSOR_SERVICE_HMAC_KEY_FILE SENSOR_SERVICE_DIR "/hmac_key"
@@ -1394,6 +1397,14 @@
checkWakeLockStateLocked();
}
+ {
+ Mutex::Autolock packageLock(sPackageTargetVersionLock);
+ auto iter = sPackageTargetVersion.find(c->mOpPackageName);
+ if (iter != sPackageTargetVersion.end()) {
+ sPackageTargetVersion.erase(iter);
+ }
+ }
+
SensorDevice& dev(SensorDevice::getInstance());
dev.notifyConnectionDestroyed(c);
}
@@ -1663,13 +1674,50 @@
bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
const String16& opPackageName) {
- const String8& requiredPermission = sensor.getRequiredPermission();
-
- if (requiredPermission.length() <= 0) {
+ // Check if a permission is required for this sensor
+ if (sensor.getRequiredPermission().length() <= 0) {
return true;
}
+ const int32_t opCode = sensor.getRequiredAppOp();
+ const int32_t appOpMode = sAppOpsManager.checkOp(opCode,
+ IPCThreadState::self()->getCallingUid(), opPackageName);
+
+ // Ensure that the AppOp is allowed
+ //
+ // This check is also required to ensure that the user hasn't revoked the necessary permissions
+ // to access the Step Detector and Step Counter when the application targets pre-Q. Without this
+ // check, if the user revokes the pre-Q install-time GMS Core AR permission, the app would
+ // still be able to receive Step Counter and Step Detector events.
+ bool canAccess = false;
+ if (opCode >= 0 && appOpMode == AppOpsManager::MODE_ALLOWED) {
+ if (hasPermissionForSensor(sensor)) {
+ canAccess = true;
+ } else if (sensor.getType() == SENSOR_TYPE_STEP_COUNTER ||
+ sensor.getType() == SENSOR_TYPE_STEP_DETECTOR) {
+ int targetSdkVersion = getTargetSdkVersion(opPackageName);
+ // Allow access to the sensor if the application targets pre-Q, which is before the
+ // requirement to hold the AR permission to access Step Counter and Step Detector events
+ // was introduced.
+ if (targetSdkVersion > 0 && targetSdkVersion <= __ANDROID_API_P__) {
+ canAccess = true;
+ }
+ }
+ }
+
+ if (canAccess) {
+ sAppOpsManager.noteOp(opCode, IPCThreadState::self()->getCallingUid(), opPackageName);
+ } else {
+ ALOGE("%s a sensor (%s) without holding its required permission: %s",
+ operation, sensor.getName().string(), sensor.getRequiredPermission().string());
+ }
+
+ return canAccess;
+}
+
+bool SensorService::hasPermissionForSensor(const Sensor& sensor) {
bool hasPermission = false;
+ const String8& requiredPermission = sensor.getRequiredPermission();
// Runtime permissions can't use the cache as they may change.
if (sensor.isRequiredPermissionRuntime()) {
@@ -1678,25 +1726,31 @@
} else {
hasPermission = PermissionCache::checkCallingPermission(String16(requiredPermission));
}
+ return hasPermission;
+}
- if (!hasPermission) {
- ALOGE("%s a sensor (%s) without holding its required permission: %s",
- operation, sensor.getName().string(), sensor.getRequiredPermission().string());
- return false;
- }
-
- const int32_t opCode = sensor.getRequiredAppOp();
- if (opCode >= 0) {
- AppOpsManager appOps;
- if (appOps.noteOp(opCode, IPCThreadState::self()->getCallingUid(), opPackageName)
- != AppOpsManager::MODE_ALLOWED) {
- ALOGE("%s a sensor (%s) without enabled required app op: %d",
- operation, sensor.getName().string(), opCode);
- return false;
+int SensorService::getTargetSdkVersion(const String16& opPackageName) {
+ Mutex::Autolock packageLock(sPackageTargetVersionLock);
+ int targetSdkVersion = -1;
+ auto entry = sPackageTargetVersion.find(opPackageName);
+ if (entry != sPackageTargetVersion.end()) {
+ targetSdkVersion = entry->second;
+ } else {
+ sp<IBinder> binder = defaultServiceManager()->getService(String16("package_native"));
+ if (binder != nullptr) {
+ sp<content::pm::IPackageManagerNative> packageManager =
+ interface_cast<content::pm::IPackageManagerNative>(binder);
+ if (packageManager != nullptr) {
+ binder::Status status = packageManager->getTargetSdkVersionForPackage(
+ opPackageName, &targetSdkVersion);
+ if (!status.isOk()) {
+ targetSdkVersion = -1;
+ }
+ }
}
+ sPackageTargetVersion[opPackageName] = targetSdkVersion;
}
-
- return true;
+ return targetSdkVersion;
}
void SensorService::checkWakeLockState() {
diff --git a/services/sensorservice/SensorService.h b/services/sensorservice/SensorService.h
index 5076967..e6ec96d 100644
--- a/services/sensorservice/SensorService.h
+++ b/services/sensorservice/SensorService.h
@@ -20,6 +20,7 @@
#include "SensorList.h"
#include "RecentEventLogger.h"
+#include <binder/AppOpsManager.h>
#include <binder/BinderService.h>
#include <binder/IUidObserver.h>
#include <cutils/compiler.h>
@@ -243,6 +244,8 @@
sensors_event_t const* buffer, const int count);
static bool canAccessSensor(const Sensor& sensor, const char* operation,
const String16& opPackageName);
+ static bool hasPermissionForSensor(const Sensor& sensor);
+ static int getTargetSdkVersion(const String16& opPackageName);
// SensorService acquires a partial wakelock for delivering events from wake up sensors. This
// method checks whether all the events from these wake up sensors have been delivered to the
// corresponding applications, if yes the wakelock is released.
@@ -343,6 +346,10 @@
sp<UidPolicy> mUidPolicy;
sp<SensorPrivacyPolicy> mSensorPrivacyPolicy;
+
+ static AppOpsManager sAppOpsManager;
+ static std::map<String16, int> sPackageTargetVersion;
+ static Mutex sPackageTargetVersionLock;
};
} // namespace android