author | Roshan Pius <rpius@google.com> | 2018-04-27 17:29:46 -0700 |
---|---|---|
committer | Roshan Pius <rpius@google.com> | 2018-04-27 17:34:02 -0700 |
commit | d47fd3791387eded068f6554c0dfdaa0ee5ceef2 (patch) | |
tree | af360f53b8f9022ae84c8dc9e801a51b531e2d80 | |
parent | 7d8f472a86f2d2dee7719c1e467d808608fcfe0a (diff) |
WifiServiceImpl: Additional permission checks for startScan
Only allow apps to scan if they have the necessary permissions to
retrieve scan results.
Bug: 78649632
Test: Unit tests
Test: Scans from settings still works.
Change-Id: I865967d6e411f0bed19b5ec592ada5a4c230f853
-rw-r--r-- | service/java/com/android/server/wifi/WifiServiceImpl.java | 32 | ||||
-rw-r--r-- | tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java | 12 |
2 files changed, 32 insertions, 12 deletions
diff --git a/service/java/com/android/server/wifi/WifiServiceImpl.java b/service/java/com/android/server/wifi/WifiServiceImpl.java
index 4d9dbf7e7..04be38daa 100644
--- a/service/java/com/android/server/wifi/WifiServiceImpl.java
+++ b/service/java/com/android/server/wifi/WifiServiceImpl.java
@@ -611,6 +611,7 @@ public class WifiServiceImpl extends IWifiManager.Stub {
 }
 int callingUid = Binder.getCallingUid();
+ long ident = Binder.clearCallingIdentity();
 mLog.info("startScan uid=%").c(callingUid).flush();
 synchronized (this) {
 if (mInIdleMode) {
@@ -626,19 +627,26 @@ public class WifiServiceImpl extends IWifiManager.Stub {
 return false;
 }
 }
- Mutable<Boolean> scanSuccess = new Mutable<>();
- boolean runWithScissorsSuccess = mWifiInjector.getWifiStateMachineHandler()
- .runWithScissors(() -> {
- scanSuccess.value = mScanRequestProxy.startScan(callingUid, packageName);
- }, RUN_WITH_SCISSORS_TIMEOUT_MILLIS);
- if (!runWithScissorsSuccess) {
- Log.e(TAG, "Failed to post runnable to start scan");
- sendFailedScanBroadcast();
- return false;
- }
- if (!scanSuccess.value) {
- Log.e(TAG, "Failed to start scan");
+ try {
+ mWifiPermissionsUtil.enforceCanAccessScanResults(packageName, callingUid);
+ Mutable<Boolean> scanSuccess = new Mutable<>();
+ boolean runWithScissorsSuccess = mWifiInjector.getWifiStateMachineHandler()
+ .runWithScissors(() -> {
+ scanSuccess.value = mScanRequestProxy.startScan(callingUid, packageName);
+ }, RUN_WITH_SCISSORS_TIMEOUT_MILLIS);
+ if (!runWithScissorsSuccess) {
+ Log.e(TAG, "Failed to post runnable to start scan");
+ sendFailedScanBroadcast();
+ return false;
+ }
+ if (!scanSuccess.value) {
+ Log.e(TAG, "Failed to start scan");
+ return false;
+ }
+ } catch (SecurityException e) {
 return false;
+ } finally {
+ Binder.restoreCallingIdentity(ident);
 }
 return true;
 }
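Review bot: `Binder.clearCallingIdentity()` is now called before the `synchronized (this)` block, but the matching `Binder.restoreCallingIdentity(ident)` sits in the `finally` of a `try` that only opens after that block (second hunk). The leading context of the second hunk shows a `return false;` inside that block, so that early exit (apparently the `mInIdleMode` branch, though the lines between the hunks are not visible) returns with the identity still cleared. Either move `long ident = Binder.clearCallingIdentity();` to the line directly before `try {`, or open the `try` before `synchronized (this)` so that every exit passes through the `finally`. The body of startScan starts and ends outside these hunks.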
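Review bot: The new `catch (SecurityException e)` returns `false` without logging, so a caller rejected by `enforceCanAccessScanResults` leaves no trace, while the other two failure paths in this block each write a `Log.e`. Record the denial with the caller's identity so rejected scan requests can be audited, e.g. `Log.e(TAG, "startScan denied: uid=" + callingUid + " pkg=" + packageName, e);`. The `try` also spans the whole scan path, so a `SecurityException` raised anywhere in it is reported as an ordinary failed scan; limiting the catch to the `enforceCanAccessScanResults` call would give the handler a single meaning. The check runs after the identity was cleared in the first hunk, which is correct only if the utility relies on the passed `callingUid` rather than on `Binder.getCallingUid()`; the utility is not visible here, so a comment at the call stating that assumption would help.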
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java b/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
index f64ce59e5..46b29a46b 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
@@ -1038,6 +1038,18 @@ public class WifiServiceImplTest {
 }
 /**
+ * Ensure that we handle scan access permission check failure when handling scan request.
+ */
+ @Test
+ public void testStartScanFailureInCanAccessScanResultsPermission() {
+ setupWifiStateMachineHandlerForRunWithScissors();
+ doThrow(new SecurityException()).when(mWifiPermissionsUtil)
+ .enforceCanAccessScanResults(SCAN_PACKAGE_NAME, Process.myUid());
+ assertFalse(mWifiServiceImpl.startScan(SCAN_PACKAGE_NAME));
+ verify(mScanRequestProxy, never()).startScan(Process.myUid(), SCAN_PACKAGE_NAME);
+ }
+
+ /**
 * Ensure that we handle scan request failure when posting the runnable to handler fails.
 */
 @Ignore |
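Review bot: The Javadoc on `testStartScanFailureInCanAccessScanResultsPermission` says the failure is "handled" but not what a denied caller should observe, and the assertions pin only the `false` return and that `mScanRequestProxy.startScan` is never reached. The new catch block in WifiServiceImpl returns without calling `sendFailedScanBroadcast()`, unlike the runnable-post failure path. If that silence is intended, state it in the comment, e.g. `Ensure that a caller failing the scan-results permission check gets false, and that no scan is started and no failure broadcast is sent.`, and add a matching verification. The idle-mode early return that follows the new `clearCallingIdentity()` call also has no test in this hunk.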