From f4274d887c5a26679849fd0e665207899e8bbad9 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 16 Aug 2017 14:58:14 -0700 Subject: Enforce location permissions on Rtt APIs. Test: Manual Bug: 62264080 Bug: 62344058 Change-Id: I97a0bf2eda6669d858525b95ef72343e60f860ea --- .../java/com/android/server/wifi/RttService.java | 37 ++++++++++++++++++---- .../wifi/aware/WifiAwareRttStateManager.java | 5 ++- .../server/wifi/util/WifiPermissionsUtil.java | 33 +++++++++++-------- 3 files changed, 54 insertions(+), 21 deletions(-) (limited to 'service') diff --git a/service/java/com/android/server/wifi/RttService.java b/service/java/com/android/server/wifi/RttService.java index 89de870bb..2ea94576b 100644 --- a/service/java/com/android/server/wifi/RttService.java +++ b/service/java/com/android/server/wifi/RttService.java @@ -131,7 +131,9 @@ public final class RttService extends SystemService { case AsyncChannel.CMD_CHANNEL_FULL_CONNECTION: AsyncChannel ac = new AsyncChannel(); ac.connected(mContext, this, msg.replyTo); - ClientInfo client = new ClientInfo(ac, msg.sendingUid); + String packageName = msg.obj != null + ? ((RttManager.RttClient) msg.obj).getPackageName() : null; + ClientInfo client = new ClientInfo(ac, msg.sendingUid, packageName); synchronized (mLock) { mClients.put(msg.replyTo, client); } @@ -169,6 +171,12 @@ public final class RttService extends SystemService { "Client doesn't have LOCATION_HARDWARE permission"); return; } + if (!checkLocationPermission(ci)) { + replyFailed(msg, RttManager.REASON_PERMISSION_DENIED, + "Client doesn't have ACCESS_COARSE_LOCATION or " + + "ACCESS_FINE_LOCATION permission"); + return; + } final int validCommands[] = { RttManager.CMD_OP_START_RANGING, RttManager.CMD_OP_STOP_RANGING, 
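Review bot: In the `CMD_CHANNEL_FULL_CONNECTION` case the package name is read from the client-supplied `msg.obj` with an unchecked cast and stored without being tied to `msg.sendingUid`. A message carrying any other object type would throw `ClassCastException` inside the service handler, so guard the cast: `msg.obj instanceof RttManager.RttClient ? ((RttManager.RttClient) msg.obj).getPackageName() : null`. Whether the later app-op check rejects a package that does not belong to the uid depends on `checkAppOpAllowed`, which is not visible here. If it does not, confirming ownership at connect time (for example with `AppOpsManager.checkPackage(uid, packageName)`) keeps the claimed name from being evaluated against another package's app-op state. The handler body continues outside the hunk.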
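Review bot: The new rejection text in the command handler names only the two manifest permissions, but `checkLocationPermission` (added later in this file) also returns false when no package name was supplied at connect time, and its delegate also requires the app-op to be allowed. A client that connects without an `RttClient` object would be told it lacks a permission it may actually hold. Consider wording that covers all causes, e.g. `"Client lacks location permission/app-op or did not supply a package name"`, and log `msg.sendingUid` on this path so denials can be audited. `ci` is assigned outside the hunk and is dereferenced by `checkLocationPermission`, so it presumably has to be non-null at this point.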
@@ -201,9 +209,10 @@ public final class RttService extends SystemService { private final WifiNative mWifiNative; private final Context mContext; private final Looper mLooper; + private final WifiInjector mWifiInjector; + private RttStateMachine mStateMachine; private ClientHandler mClientHandler; - private WifiInjector mWifiInjector; RttServiceImpl(Context context, Looper looper, WifiInjector wifiInjector) { mContext = context; @@ -252,14 +261,16 @@ public final class RttService extends SystemService { private class ClientInfo { private final AsyncChannel mChannel; private final int mUid; + private final String mPackageName; ArrayMap mRequests = new ArrayMap<>(); // Client keys of all outstanding responders. Set mResponderRequests = new HashSet<>(); - ClientInfo(AsyncChannel channel, int uid) { + ClientInfo(AsyncChannel channel, int uid, String packageName) { mChannel = channel; mUid = uid; + mPackageName = packageName; } void addResponderRequest(int key) { @@ -594,8 +605,10 @@ public final class RttService extends SystemService { break; case CMD_RTT_RESPONSE: if (DBG) Log.d(TAG, "Received an RTT response from: " + msg.arg2); - mOutstandingRequest.ci.reportResult( - mOutstandingRequest, (RttManager.RttResult[])msg.obj); + if (checkLocationPermission(mOutstandingRequest.ci)) { + mOutstandingRequest.ci.reportResult( + mOutstandingRequest, (RttManager.RttResult[]) msg.obj); + } mOutstandingRequest = null; sendMessage(CMD_ISSUE_NEXT_REQUEST); break; @@ -719,7 +732,7 @@ public final class RttService extends SystemService { } } - boolean enforcePermissionCheck(Message msg) { + private boolean enforcePermissionCheck(Message msg) { try { mContext.enforcePermission(Manifest.permission.LOCATION_HARDWARE, -1, msg.sendingUid, "LocationRTT"); 
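Review bot: `mPackageName` in `ClientInfo` has no comment saying where the value comes from, so a reader cannot tell that it is whatever the client sent in the connect message and that it can be null. Suggest adding above the field: `// Package name reported by the client when the channel was connected; null if none was sent. Not verified against mUid here.` The class body continues outside the hunk.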
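Review bot: In `CMD_RTT_RESPONSE`, when `checkLocationPermission` fails the result is dropped with no reply and no log line, so a client whose permission was revoked mid-request waits for a callback that never arrives. If `reportResult` is also what clears the request from the client's outstanding set (not visible in this hunk), the entry would stay behind as well. Add an `else` branch that reports `RttManager.REASON_PERMISSION_DENIED` through the client's existing failure path and records the event, e.g. `Log.w(TAG, "Dropping RTT result, location permission lost for uid " + mOutstandingRequest.ci.mUid);`.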
@@ -730,6 +743,15 @@ public final class RttService extends SystemService { return true; } + // Returns whether the client has location permission. + private boolean checkLocationPermission(ClientInfo clientInfo) { + if (clientInfo.mPackageName == null) { + return false; + } + return mWifiInjector.getWifiPermissionsUtil().checkCallersLocationPermission( + clientInfo.mPackageName, clientInfo.mUid); + } + @Override protected void dump(FileDescriptor fd, PrintWriter pw, String[] args) { if (mContext.checkCallingOrSelfPermission(android.Manifest.permission.DUMP) @@ -777,8 +799,11 @@ public final class RttService extends SystemService { if (DBG) Log.d(TAG, "No more requests left"); return null; } + @Override public RttManager.RttCapabilities getRttCapabilities() { + mContext.enforceCallingPermission(android.Manifest.permission.LOCATION_HARDWARE, + "Location Hardware permission not granted to access rtt capabilities"); return mWifiNative.getRttCapabilities(); } } diff --git a/service/java/com/android/server/wifi/aware/WifiAwareRttStateManager.java b/service/java/com/android/server/wifi/aware/WifiAwareRttStateManager.java index afc044c1b..9d0441f12 100644 --- a/service/java/com/android/server/wifi/aware/WifiAwareRttStateManager.java +++ b/service/java/com/android/server/wifi/aware/WifiAwareRttStateManager.java @@ -50,6 +50,7 @@ public class WifiAwareRttStateManager { private final SparseArray mPendingOperations = new SparseArray<>(); private AsyncChannel mAsyncChannel; + private Context mContext; /** * Initializes the connection to the RTT service. @@ -82,6 +83,7 @@ public class WifiAwareRttStateManager { mAsyncChannel = new AsyncChannel(); mAsyncChannel.connect(context, new AwareRttHandler(looper), messenger); + mContext = context; } private WifiAwareClientState getAndRemovePendingOperationClient(int rangingId) { 
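Review bot: The one-line comment on `checkLocationPermission` does not say that the method fails closed for a null package name, or that it evaluates the permission at call time rather than caching the answer. Both matter to callers, because the method is used when a command arrives and again before results are delivered. Suggest replacing the comment with a Javadoc block stating that it returns false when the client supplied no package name, and otherwise delegates to `WifiPermissionsUtil.checkCallersLocationPermission` with the client's claimed package name and its sending uid.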
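Review bot: `getRttCapabilities` now calls `enforceCallingPermission`, which always throws when the method is not being invoked through an IPC, whereas `dump` in this file uses `checkCallingOrSelfPermission`. If anything inside the system process calls `getRttCapabilities` directly (no such caller is visible in this diff), it would start failing with `SecurityException`; `mContext.enforceCallingOrSelfPermission(android.Manifest.permission.LOCATION_HARDWARE, ...)` avoids that while still checking remote callers. This path enforces only `LOCATION_HARDWARE` and not the new location check, which looks intentional for capability data but deserves a one-line comment saying so.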
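Review bot: `mContext = context;` is assigned after `mAsyncChannel.connect(...)`, but the handler passed to `connect` reads `mContext.getPackageName()` when `CMD_CHANNEL_HALF_CONNECTED` arrives (the following hunk in `WifiAwareRttStateManager.java`). If that handler runs on a different thread from the one executing this method, it could observe a null `mContext`; which looper is used is not visible here. Move the assignment ahead of the connect call, i.e. put `mContext = context;` before `mAsyncChannel = new AsyncChannel();`. The method starts outside the hunk.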
@@ -125,7 +127,8 @@ public class WifiAwareRttStateManager { switch (msg.what) { case AsyncChannel.CMD_CHANNEL_HALF_CONNECTED: if (msg.arg1 == AsyncChannel.STATUS_SUCCESSFUL) { - mAsyncChannel.sendMessage(AsyncChannel.CMD_CHANNEL_FULL_CONNECTION); + mAsyncChannel.sendMessage(AsyncChannel.CMD_CHANNEL_FULL_CONNECTION, + new RttManager.RttClient(mContext.getPackageName())); } else { Log.e(TAG, "Failed to set up channel connection to RTT service"); mAsyncChannel = null; diff --git a/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java b/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java index 6caca46dd..069e5a823 100644 --- a/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java +++ b/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java @@ -114,6 +114,25 @@ public class WifiPermissionsUtil { } } + + /** + * Checks that calling process has android.Manifest.permission.ACCESS_COARSE_LOCATION + * and a corresponding app op is allowed for this package and uid. + * + * @param pkgName PackageName of the application requesting access + * @param uid The uid of the package + */ + public boolean checkCallersLocationPermission(String pkgName, int uid) { + // Coarse Permission implies Fine permission + if ((mWifiPermissionsWrapper.getUidPermission( + Manifest.permission.ACCESS_COARSE_LOCATION, uid) + == PackageManager.PERMISSION_GRANTED) + && checkAppOpAllowed(AppOpsManager.OP_COARSE_LOCATION, pkgName, uid)) { + return true; + } + return false; + } + /** * API to determine if the caller has permissions to get * scan results. 
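Review bot: `checkCallersLocationPermission` becomes public, but its Javadoc still says "calling process" although it checks whatever `pkgName`/`uid` pair is passed in, and it has no `@return`. The inline comment `Coarse Permission implies Fine permission` reads inverted, and only `ACCESS_COARSE_LOCATION` is queried while the RttService denial text names both permissions; whether a fine-only holder passes depends on `getUidPermission`, which is not visible here. The method also does not consult the location-mode setting even though `isLocationModeEnabled` exists in this file, so if RTT is deliberately exempt from that gate the Javadoc should say so. Suggested addition: `@return true if the uid holds ACCESS_COARSE_LOCATION and the coarse-location app-op is allowed for pkgName; callers must pass a uid/package pair they have verified.`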
@@ -243,20 +262,6 @@ public class WifiPermissionsUtil { return pkgName.equals(mWifiPermissionsWrapper.getTopPkgName()); } - /** - * Checks that calling process has android.Manifest.permission.ACCESS_COARSE_LOCATION - * and a corresponding app op is allowed for this package and uid. - */ - private boolean checkCallersLocationPermission(String pkgName, int uid) { - // Coarse Permission implies Fine permission - if ((mWifiPermissionsWrapper.getUidPermission( - Manifest.permission.ACCESS_COARSE_LOCATION, uid) - == PackageManager.PERMISSION_GRANTED) - && checkAppOpAllowed(AppOpsManager.OP_COARSE_LOCATION, pkgName, uid)) { - return true; - } - return false; - } private boolean isLocationModeEnabled(String pkgName) { // Location mode check on applications that are later than version. return (mSettingsStore.getLocationModeSetting(mContext) -- cgit v1.2.3