Protect usage data with OP_GET_USAGE_STATS.
APIs that return package usage data (such as the new StatsManager)
must ensure that callers hold both the PACKAGE_USAGE_STATS permission
and the OP_GET_USAGE_STATS app-op.
Add noteOp() method that can be called from native code.
Also add missing security checks on shell commands.
Bug: 77662908
Test: builds, boots
Change-Id: I15efd6f5dde61e807269b5132a052548ea4e800f
diff --git a/libs/binder/IPermissionController.cpp b/libs/binder/IPermissionController.cpp
index ef67ab8..89ebc6c 100644
--- a/libs/binder/IPermissionController.cpp
+++ b/libs/binder/IPermissionController.cpp
@@ -49,6 +49,19 @@
return reply.readInt32() != 0;
}
+ virtual int32_t noteOp(const String16& op, int32_t uid, const String16& packageName)
+ {
+ Parcel data, reply;
+ data.writeInterfaceToken(IPermissionController::getInterfaceDescriptor());
+ data.writeString16(op);
+ data.writeInt32(uid);
+ data.writeString16(packageName);
+ remote()->transact(NOTE_OP_TRANSACTION, data, &reply);
+ // fail on exception
+ if (reply.readExceptionCode() != 0) return 2; // MODE_ERRORED
+ return reply.readInt32();
+ }
+
virtual void getPackagesForUid(const uid_t uid, Vector<String16>& packages)
{
Parcel data, reply;
@@ -111,6 +124,17 @@
return NO_ERROR;
} break;
+ case NOTE_OP_TRANSACTION: {
+ CHECK_INTERFACE(IPermissionController, data, reply);
+ String16 op = data.readString16();
+ int32_t uid = data.readInt32();
+ String16 packageName = data.readString16();
+ int32_t res = noteOp(op, uid, packageName);
+ reply->writeNoException();
+ reply->writeInt32(res);
+ return NO_ERROR;
+ } break;
+
case GET_PACKAGES_FOR_UID_TRANSACTION: {
CHECK_INTERFACE(IPermissionController, data, reply);
int32_t uid = data.readInt32();