2 files changed, 82 insertions, 6 deletions

diff --git a/service/java/com/android/server/wifi/WifiServiceImpl.java b/service/java/com/android/server/wifi/WifiServiceImpl.java
index e57e465e3..19eaf5218 100644
--- a/service/java/com/android/server/wifi/WifiServiceImpl.java
+++ b/service/java/com/android/server/wifi/WifiServiceImpl.java
@@ -687,22 +687,39 @@ public class WifiServiceImpl extends IWifiManager.Stub {
     /**
      * see {@link WifiManager#getWifiApConfiguration()}
      * @return soft access point configuration
+     * @throws SecurityException if the caller does not have permission to retrieve the softap
+     * config
      */
     @Override
     public WifiConfiguration getWifiApConfiguration() {
         enforceAccessPermission();
-        mLog.trace("getWifiApConfiguration uid=%").c(Binder.getCallingUid()).flush();
+        int uid = Binder.getCallingUid();
+        // only allow Settings UI to get the saved SoftApConfig
+        if (!mWifiPermissionsUtil.checkConfigOverridePermission(uid)) {
+            // random apps should not be allowed to read the user specified config
+            throw new SecurityException("App not allowed to read or update stored WiFi Ap config "
+                    + "(uid = " + uid + ")");
+        }
+        mLog.trace("getWifiApConfiguration uid=%").c(uid).flush();
         return mWifiStateMachine.syncGetWifiApConfiguration();
     }
 
     /**
      * see {@link WifiManager#setWifiApConfiguration(WifiConfiguration)}
      * @param wifiConfig WifiConfiguration details for soft access point
+     * @throws SecurityException if the caller does not have permission to write the sotap config
      */
     @Override
     public void setWifiApConfiguration(WifiConfiguration wifiConfig) {
         enforceChangePermission();
-        mLog.trace("setWifiApConfiguration uid=%").c(Binder.getCallingUid()).flush();
+        int uid = Binder.getCallingUid();
+        // only allow Settings UI to write the stored SoftApConfig
+        if (!mWifiPermissionsUtil.checkConfigOverridePermission(uid)) {
+            // random apps should not be allowed to read the user specified config
+            throw new SecurityException("App not allowed to read or update stored WiFi AP config "
+                    + "(uid = " + uid + ")");
+        }
+        mLog.trace("setWifiApConfiguration uid=%").c(uid).flush();
         if (wifiConfig == null)
             return;
         if (isValid(wifiConfig)) {
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java b/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
index 4882682f9..4a4caec81 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
@@ -20,13 +20,12 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyString;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.*;
 
 import android.content.Context;
 import android.content.res.Resources;
+import android.net.wifi.WifiConfiguration;
 import android.os.Handler;
 import android.os.HandlerThread;
 import android.os.Looper;
@@ -37,6 +36,7 @@ import android.test.suitebuilder.annotation.SmallTest;
 
 import com.android.internal.util.AsyncChannel;
 import com.android.server.wifi.util.WifiAsyncChannel;
+import com.android.server.wifi.util.WifiPermissionsUtil;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -76,6 +76,7 @@ public class WifiServiceImplTest {
     @Mock WifiBackupRestore mWifiBackupRestore;
     @Mock WifiMetrics mWifiMetrics;
     @Spy FakeWifiLog mLog;
+    @Mock WifiPermissionsUtil mWifiPermissionsUtil;
 
     private class WifiAsyncChannelTester {
         private static final String TAG = "WifiAsyncChannelTester";
@@ -151,6 +152,7 @@ public class WifiServiceImplTest {
         WifiTrafficPoller wifiTrafficPoller = new WifiTrafficPoller(mContext,
                 mLooper.getLooper(), "mockWlan");
         when(mWifiInjector.getWifiTrafficPoller()).thenReturn(wifiTrafficPoller);
+        when(mWifiInjector.getWifiPermissionsUtil()).thenReturn(mWifiPermissionsUtil);
         mWifiServiceImpl = new WifiServiceImpl(mContext, mWifiInjector, mAsyncChannel);
         mWifiServiceImpl.setWifiHandlerLogForTest(mLog);
     }
@@ -186,4 +188,61 @@ public class WifiServiceImplTest {
         verify(mWifiStateMachine, never())
                 .dump(any(FileDescriptor.class), any(PrintWriter.class), any(String[].class));
     }
+
+    /**
+     * Ensure unpermitted callers cannot write the SoftApConfiguration.
+     *
+     * @throws SecurityException
+     */
+    @Test(expected = SecurityException.class)
+    public void testSetWifiApConfigurationNotSavedWithoutPermission() {
+        when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(false);
+        WifiConfiguration apConfig = new WifiConfiguration();
+        mWifiServiceImpl.setWifiApConfiguration(apConfig);
+        verify(mWifiStateMachine, never()).setWifiApConfiguration(eq(apConfig));
+    }
+
+    /**
+     * Ensure softap config is written when the caller has the correct permission.
+     */
+    @Test
+    public void testSetWifiApConfigurationSuccess() {
+        when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(true);
+        WifiConfiguration apConfig = new WifiConfiguration();
+        mWifiServiceImpl.setWifiApConfiguration(apConfig);
+        verify(mWifiStateMachine).setWifiApConfiguration(eq(apConfig));
+    }
+
+    /**
+     * Ensure that a null config does not overwrite the saved ap config.
+     */
+    @Test
+    public void testSetWifiApConfigurationNullConfigNotSaved() {
+        when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(true);
+        mWifiServiceImpl.setWifiApConfiguration(null);
+        verify(mWifiStateMachine, never()).setWifiApConfiguration(isNull(WifiConfiguration.class));
+    }
+
+    /**
+     * Ensure unpermitted callers are not able to retrieve the softap config.
+     *
+     * @throws SecurityException
+     */
+    @Test(expected = SecurityException.class)
+    public void testGetWifiApConfigurationNotReturnedWithoutPermission() {
+        when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(false);
+        mWifiServiceImpl.getWifiApConfiguration();
+        verify(mWifiStateMachine, never()).syncGetWifiApConfiguration();
+    }
+
+    /**
+     * Ensure permitted callers are able to retrieve the softap config.
+     */
+    @Test
+    public void testGetWifiApConfigurationSuccess() {
+        when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(true);
+        WifiConfiguration apConfig = new WifiConfiguration();
+        when(mWifiStateMachine.syncGetWifiApConfiguration()).thenReturn(apConfig);
+        assertEquals(apConfig, mWifiServiceImpl.getWifiApConfiguration());
+    }
 }