Replace the permission of internal connectivity checks
A number of connectivity checks that protect system-only methods
check for CONNECTIVITY_INTERNAL, but CONNECTIVITY_INTERNAL is a
signature|privileged permission. We should audit the permission
checks, and convert checks that protect code that should not be
called outside the system to a signature permission. So replace
all CONNECTIVITY_INTERNAL to other proper permissions.
Bug: 32963470
Test: atest FrameworksNetTests NetworkPolicyManagerServiceTest
Change-Id: I8f2dd1cd0609056494eaf612d39820e273ae093f
diff --git a/api/system-current.txt b/api/system-current.txt
index 7cd31df..7a361c9 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -58,7 +58,7 @@
field public static final String CLEAR_APP_USER_DATA = "android.permission.CLEAR_APP_USER_DATA";
field public static final String CONFIGURE_DISPLAY_BRIGHTNESS = "android.permission.CONFIGURE_DISPLAY_BRIGHTNESS";
field public static final String CONFIGURE_WIFI_DISPLAY = "android.permission.CONFIGURE_WIFI_DISPLAY";
- field public static final String CONNECTIVITY_INTERNAL = "android.permission.CONNECTIVITY_INTERNAL";
+ field @Deprecated public static final String CONNECTIVITY_INTERNAL = "android.permission.CONNECTIVITY_INTERNAL";
field public static final String CONNECTIVITY_USE_RESTRICTED_NETWORKS = "android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS";
field public static final String CONTROL_DISPLAY_COLOR_TRANSFORMS = "android.permission.CONTROL_DISPLAY_COLOR_TRANSFORMS";
field public static final String CONTROL_DISPLAY_SATURATION = "android.permission.CONTROL_DISPLAY_SATURATION";
@@ -126,6 +126,7 @@
field public static final String MODIFY_QUIET_MODE = "android.permission.MODIFY_QUIET_MODE";
field public static final String MOVE_PACKAGE = "android.permission.MOVE_PACKAGE";
field public static final String NETWORK_CARRIER_PROVISIONING = "android.permission.NETWORK_CARRIER_PROVISIONING";
+ field public static final String NETWORK_FACTORY = "android.permission.NETWORK_FACTORY";
field public static final String NETWORK_MANAGED_PROVISIONING = "android.permission.NETWORK_MANAGED_PROVISIONING";
field public static final String NETWORK_SCAN = "android.permission.NETWORK_SCAN";
field public static final String NETWORK_SETTINGS = "android.permission.NETWORK_SETTINGS";
@@ -135,6 +136,7 @@
field public static final String NOTIFICATION_DURING_SETUP = "android.permission.NOTIFICATION_DURING_SETUP";
field public static final String NOTIFY_TV_INPUTS = "android.permission.NOTIFY_TV_INPUTS";
field public static final String OBSERVE_APP_USAGE = "android.permission.OBSERVE_APP_USAGE";
+ field public static final String OBSERVE_NETWORK_POLICY = "android.permission.OBSERVE_NETWORK_POLICY";
field public static final String OBSERVE_ROLE_HOLDERS = "android.permission.OBSERVE_ROLE_HOLDERS";
field public static final String OPEN_ACCESSIBILITY_DETAILS_SETTINGS = "android.permission.OPEN_ACCESSIBILITY_DETAILS_SETTINGS";
field public static final String OVERRIDE_WIFI_CONFIG = "android.permission.OVERRIDE_WIFI_CONFIG";
@@ -4340,7 +4342,7 @@
public class ConnectivityManager {
method @NonNull @RequiresPermission(android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD) public android.net.SocketKeepalive createNattKeepalive(@NonNull android.net.Network, @NonNull android.os.ParcelFileDescriptor, @NonNull java.net.InetAddress, @NonNull java.net.InetAddress, @NonNull java.util.concurrent.Executor, @NonNull android.net.SocketKeepalive.Callback);
method @NonNull @RequiresPermission(android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD) public android.net.SocketKeepalive createSocketKeepalive(@NonNull android.net.Network, @NonNull java.net.Socket, @NonNull java.util.concurrent.Executor, @NonNull android.net.SocketKeepalive.Callback);
- method @RequiresPermission(android.Manifest.permission.LOCAL_MAC_ADDRESS) public String getCaptivePortalServerUrl();
+ method @Deprecated @RequiresPermission(android.Manifest.permission.NETWORK_SETTINGS) public String getCaptivePortalServerUrl();
method @RequiresPermission(android.Manifest.permission.TETHER_PRIVILEGED) public void getLatestTetheringEntitlementResult(int, boolean, @NonNull java.util.concurrent.Executor, @NonNull android.net.ConnectivityManager.OnTetheringEntitlementResultListener);
method @RequiresPermission(anyOf={android.Manifest.permission.TETHER_PRIVILEGED, android.Manifest.permission.WRITE_SETTINGS}) public boolean isTetheringSupported();
method @RequiresPermission(android.Manifest.permission.TETHER_PRIVILEGED) public void registerTetheringEventCallback(@NonNull java.util.concurrent.Executor, @NonNull android.net.ConnectivityManager.OnTetheringEventCallback);
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 194068c..d95da91 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -1006,7 +1006,7 @@
*
* @hide
*/
- @RequiresPermission(android.Manifest.permission.CONNECTIVITY_INTERNAL)
+ @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
@Nullable
public Network getActiveNetworkForUid(int uid) {
return getActiveNetworkForUid(uid, false);
@@ -1135,7 +1135,7 @@
*
* {@hide}
*/
- @RequiresPermission(android.Manifest.permission.CONNECTIVITY_INTERNAL)
+ @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
@UnsupportedAppUsage
public NetworkInfo getActiveNetworkInfoForUid(int uid) {
return getActiveNetworkInfoForUid(uid, false);
@@ -1370,10 +1370,14 @@
* The system network validation may be using different strategies to detect captive portals,
* so this method does not necessarily return a URL used by the system. It only returns a URL
* that may be relevant for other components trying to detect captive portals.
+ *
* @hide
+ * @deprecated This API returns URL which is not guaranteed to be one of the URLs used by the
+ * system.
*/
+ @Deprecated
@SystemApi
- @RequiresPermission(android.Manifest.permission.LOCAL_MAC_ADDRESS)
+ @RequiresPermission(android.Manifest.permission.NETWORK_SETTINGS)
public String getCaptivePortalServerUrl() {
try {
return mService.getCaptivePortalServerUrl();
@@ -2399,6 +2403,7 @@
* @return an array of 0 or more {@code String} of tethered dhcp ranges.
* {@hide}
*/
+ @RequiresPermission(android.Manifest.permission.NETWORK_SETTINGS)
public String[] getTetheredDhcpRanges() {
try {
return mService.getTetheredDhcpRanges();
@@ -2978,7 +2983,7 @@
* HTTP proxy. A {@code null} value will clear the global HTTP proxy.
* @hide
*/
- @RequiresPermission(android.Manifest.permission.CONNECTIVITY_INTERNAL)
+ @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
public void setGlobalProxy(ProxyInfo p) {
try {
mService.setGlobalProxy(p);
@@ -3123,6 +3128,7 @@
* Get the mobile provisioning url.
* {@hide}
*/
+ @RequiresPermission(android.Manifest.permission.NETWORK_SETTINGS)
public String getMobileProvisioningUrl() {
try {
return mService.getMobileProvisioningUrl();
@@ -3169,6 +3175,7 @@
/** {@hide} - returns the factory serial number */
@UnsupportedAppUsage
+ @RequiresPermission(android.Manifest.permission.NETWORK_FACTORY)
public int registerNetworkFactory(Messenger messenger, String name) {
try {
return mService.registerNetworkFactory(messenger, name);
@@ -3179,6 +3186,7 @@
/** {@hide} */
@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.P, trackingBug = 115609023)
+ @RequiresPermission(android.Manifest.permission.NETWORK_FACTORY)
public void unregisterNetworkFactory(Messenger messenger) {
try {
mService.unregisterNetworkFactory(messenger);
@@ -3196,6 +3204,7 @@
* Register a NetworkAgent with ConnectivityService.
* @return NetID corresponding to NetworkAgent.
*/
+ @RequiresPermission(android.Manifest.permission.NETWORK_FACTORY)
public int registerNetworkAgent(Messenger messenger, NetworkInfo ni, LinkProperties lp,
NetworkCapabilities nc, int score, NetworkMisc misc) {
return registerNetworkAgent(messenger, ni, lp, nc, score, misc,
@@ -3207,6 +3216,7 @@
* Register a NetworkAgent with ConnectivityService.
* @return NetID corresponding to NetworkAgent.
*/
+ @RequiresPermission(android.Manifest.permission.NETWORK_FACTORY)
public int registerNetworkAgent(Messenger messenger, NetworkInfo ni, LinkProperties lp,
NetworkCapabilities nc, int score, NetworkMisc misc, int factorySerialNumber) {
try {
@@ -4201,7 +4211,7 @@
*
* @hide
*/
- @RequiresPermission(android.Manifest.permission.CONNECTIVITY_INTERNAL)
+ @RequiresPermission(android.Manifest.permission.NETWORK_SETTINGS)
public void startCaptivePortalApp(Network network) {
try {
mService.startCaptivePortalApp(network);
@@ -4317,6 +4327,7 @@
* Resets all connectivity manager settings back to factory defaults.
* @hide
*/
+ @RequiresPermission(android.Manifest.permission.NETWORK_SETTINGS)
public void factoryReset() {
try {
mService.factoryReset();
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 936099f..4492fec 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1614,6 +1614,14 @@
<permission android:name="android.permission.NETWORK_STACK"
android:protectionLevel="signature" />
+ <!-- @SystemApi @hide Allows an application to observe network policy changes. -->
+ <permission android:name="android.permission.OBSERVE_NETWORK_POLICY"
+ android:protectionLevel="signature" />
+
+ <!-- @SystemApi @hide Allows applications to register network factory or agent -->
+ <permission android:name="android.permission.NETWORK_FACTORY"
+ android:protectionLevel="signature" />
+
<!-- Allows Settings and SystemUI to call methods in Networking services
<p>Not for use by third-party or privileged applications.
@SystemApi
@@ -1744,7 +1752,11 @@
<permission android:name="android.permission.NFC_TRANSACTION_EVENT"
android:protectionLevel="normal" />
- <!-- @SystemApi Allows an internal user to use privileged ConnectivityManager APIs.
+ <!-- @deprecated This permission used to allow too broad access to sensitive methods and all its
+ uses have been replaced by a more appropriate permission. Most uses have been replaced with
+ a NETWORK_STACK or NETWORK_SETTINGS check. Please look up the documentation of the
+ individual functions to figure out what permission now protects the individual function.
+ @SystemApi Allows an internal user to use privileged ConnectivityManager APIs.
@hide -->
<permission android:name="android.permission.CONNECTIVITY_INTERNAL"
android:protectionLevel="signature|privileged" />
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
index 6741fea..dfe8034 100644
--- a/core/res/res/values/config.xml
+++ b/core/res/res/values/config.xml
@@ -508,7 +508,7 @@
-->
<string translatable="false" name="config_mobile_hotspot_provision_app_no_ui"></string>
<!-- Sent in response to a provisioning check. The caller must hold the
- permission android.permission.CONNECTIVITY_INTERNAL for Settings to
+ permission android.permission.TETHER_PRIVILEGED for Settings to
receive this response.
See config_mobile_hotspot_provision_response
diff --git a/core/tests/ConnectivityManagerTest/AndroidManifest.xml b/core/tests/ConnectivityManagerTest/AndroidManifest.xml
index a391e1f..796d7e8 100644
--- a/core/tests/ConnectivityManagerTest/AndroidManifest.xml
+++ b/core/tests/ConnectivityManagerTest/AndroidManifest.xml
@@ -73,9 +73,9 @@
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.WRITE_SETTINGS" />
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
- <!-- This permission is added for API call setAirplaneMode() in ConnectivityManager -->
- <uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" />
<uses-permission android:name="android.permission.TETHER_PRIVILEGED" />
+ <!-- This permission is added for API call setAirplaneMode() in ConnectivityManager -->
+ <uses-permission android:name="android.permission.NETWORK_SETTINGS" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.DEVICE_POWER" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
diff --git a/core/tests/utiltests/AndroidManifest.xml b/core/tests/utiltests/AndroidManifest.xml
index 4ef4b1f..8e0f1d2 100644
--- a/core/tests/utiltests/AndroidManifest.xml
+++ b/core/tests/utiltests/AndroidManifest.xml
@@ -30,7 +30,6 @@
<uses-permission android:name="android.permission.MANAGE_NETWORK_POLICY" />
<uses-permission android:name="android.permission.READ_NETWORK_USAGE_HISTORY" />
- <uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.MANAGE_USERS" />
<uses-permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL" />
diff --git a/packages/VpnDialogs/AndroidManifest.xml b/packages/VpnDialogs/AndroidManifest.xml
index 469bdc6..e4de625 100644
--- a/packages/VpnDialogs/AndroidManifest.xml
+++ b/packages/VpnDialogs/AndroidManifest.xml
@@ -21,7 +21,6 @@
<uses-permission android:name="android.permission.CONTROL_VPN" />
<uses-permission android:name="android.permission.CONTROL_ALWAYS_ON_VPN" />
- <uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" />
<uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS"/>
<application android:label="VpnDialogs"
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index 36f44e4..b6e8db0 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -1395,7 +1395,7 @@
@Override
public Network getActiveNetworkForUid(int uid, boolean ignoreBlocked) {
- enforceConnectivityInternalPermission();
+ NetworkStack.checkNetworkStackPermission(mContext);
return getActiveNetworkForUidInternal(uid, ignoreBlocked);
}
@@ -1437,7 +1437,7 @@
@Override
public NetworkInfo getActiveNetworkInfoForUid(int uid, boolean ignoreBlocked) {
- enforceConnectivityInternalPermission();
+ NetworkStack.checkNetworkStackPermission(mContext);
final NetworkState state = getUnfilteredActiveNetworkState(uid);
filterNetworkStateForUid(state, uid, ignoreBlocked);
return state.networkInfo;
@@ -1656,8 +1656,8 @@
@Override
public NetworkState[] getAllNetworkState() {
- // Require internal since we're handing out IMSI details
- enforceConnectivityInternalPermission();
+ // This contains IMSI details, so make sure the caller is privileged.
+ NetworkStack.checkNetworkStackPermission(mContext);
final ArrayList<NetworkState> result = Lists.newArrayList();
for (Network network : getAllNetworks()) {
@@ -1735,7 +1735,7 @@
}
enforceChangePermission();
if (mProtectedNetworks.contains(networkType)) {
- enforceConnectivityInternalPermission();
+ enforceConnectivityRestrictedNetworksPermission();
}
InetAddress addr;
@@ -2005,6 +2005,12 @@
NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK);
}
+ private void enforceNetworkFactoryPermission() {
+ mContext.enforceCallingOrSelfPermission(
+ android.Manifest.permission.NETWORK_FACTORY,
+ "ConnectivityService");
+ }
+
private boolean checkSettingsPermission() {
return checkAnyPermissionOf(
android.Manifest.permission.NETWORK_SETTINGS,
@@ -2024,18 +2030,19 @@
"ConnectivityService");
}
- private void enforceConnectivityInternalPermission() {
- enforceAnyPermissionOf(
- android.Manifest.permission.CONNECTIVITY_INTERNAL,
- NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK);
- }
-
private void enforceControlAlwaysOnVpnPermission() {
mContext.enforceCallingOrSelfPermission(
android.Manifest.permission.CONTROL_ALWAYS_ON_VPN,
"ConnectivityService");
}
+ private void enforceNetworkStackOrSettingsPermission() {
+ enforceAnyPermissionOf(
+ android.Manifest.permission.NETWORK_SETTINGS,
+ android.Manifest.permission.NETWORK_STACK,
+ NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK);
+ }
+
private void enforceNetworkStackSettingsOrSetup() {
enforceAnyPermissionOf(
android.Manifest.permission.NETWORK_SETTINGS,
@@ -2063,7 +2070,11 @@
"ConnectivityService");
return;
} catch (SecurityException e) { /* fallback to ConnectivityInternalPermission */ }
- enforceConnectivityInternalPermission();
+ // TODO: Remove this fallback check after all apps have declared
+ // CONNECTIVITY_USE_RESTRICTED_NETWORKS.
+ mContext.enforceCallingOrSelfPermission(
+ android.Manifest.permission.CONNECTIVITY_INTERNAL,
+ "ConnectivityService");
}
private void enforceKeepalivePermission() {
@@ -2072,7 +2083,7 @@
// Public because it's used by mLockdownTracker.
public void sendConnectedBroadcast(NetworkInfo info) {
- enforceConnectivityInternalPermission();
+ NetworkStack.checkNetworkStackPermission(mContext);
sendGeneralBroadcast(info, CONNECTIVITY_ACTION);
}
@@ -3589,7 +3600,7 @@
@Override
public void startCaptivePortalApp(Network network) {
- enforceConnectivityInternalPermission();
+ enforceNetworkStackOrSettingsPermission();
mHandler.post(() -> {
NetworkAgentInfo nai = getNetworkAgentInfoForNetwork(network);
if (nai == null) return;
@@ -4080,7 +4091,7 @@
@Override
public String[] getTetheredDhcpRanges() {
- enforceConnectivityInternalPermission();
+ enforceSettingsPermission();
return mTetheringManager.getTetheredDhcpRanges();
}
@@ -4304,7 +4315,7 @@
@Override
public void setGlobalProxy(final ProxyInfo proxyProperties) {
- enforceConnectivityInternalPermission();
+ NetworkStack.checkNetworkStackPermission(mContext);
mProxyTracker.setGlobalProxy(proxyProperties);
}
@@ -4843,7 +4854,7 @@
@Override
public String getMobileProvisioningUrl() {
- enforceConnectivityInternalPermission();
+ enforceSettingsPermission();
String url = getProvisioningUrlBaseFromFile();
if (TextUtils.isEmpty(url)) {
url = mContext.getResources().getString(R.string.mobile_provisioning_url);
@@ -4869,7 +4880,7 @@
@Override
public void setProvisioningNotificationVisible(boolean visible, int networkType,
String action) {
- enforceConnectivityInternalPermission();
+ enforceSettingsPermission();
if (!ConnectivityManager.isNetworkTypeValid(networkType)) {
return;
}
@@ -5457,7 +5468,7 @@
@Override
public int registerNetworkFactory(Messenger messenger, String name) {
- enforceConnectivityInternalPermission();
+ enforceNetworkFactoryPermission();
NetworkFactoryInfo nfi = new NetworkFactoryInfo(name, messenger, new AsyncChannel(),
NetworkFactory.SerialNumber.nextSerialNumber());
mHandler.sendMessage(mHandler.obtainMessage(EVENT_REGISTER_NETWORK_FACTORY, nfi));
@@ -5472,7 +5483,7 @@
@Override
public void unregisterNetworkFactory(Messenger messenger) {
- enforceConnectivityInternalPermission();
+ enforceNetworkFactoryPermission();
mHandler.sendMessage(mHandler.obtainMessage(EVENT_UNREGISTER_NETWORK_FACTORY, messenger));
}
@@ -5571,7 +5582,7 @@
public int registerNetworkAgent(Messenger messenger, NetworkInfo networkInfo,
LinkProperties linkProperties, NetworkCapabilities networkCapabilities,
int currentScore, NetworkMisc networkMisc, int factorySerialNumber) {
- enforceConnectivityInternalPermission();
+ enforceNetworkFactoryPermission();
LinkProperties lp = new LinkProperties(linkProperties);
lp.ensureDirectlyConnectedRoutes();
@@ -6935,7 +6946,7 @@
@Override
public String getCaptivePortalServerUrl() {
- enforceConnectivityInternalPermission();
+ enforceNetworkStackOrSettingsPermission();
String settingUrl = mContext.getResources().getString(
R.string.config_networkCaptivePortalServerUrl);
@@ -6988,7 +6999,7 @@
@Override
public void factoryReset() {
- enforceConnectivityInternalPermission();
+ enforceSettingsPermission();
if (mUserManager.hasUserRestriction(UserManager.DISALLOW_NETWORK_RESET)) {
return;
diff --git a/services/core/java/com/android/server/NetworkManagementService.java b/services/core/java/com/android/server/NetworkManagementService.java
index 9efaad8..e79a289 100644
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -16,9 +16,8 @@
package com.android.server;
-import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
import static android.Manifest.permission.NETWORK_SETTINGS;
-import static android.Manifest.permission.NETWORK_STACK;
+import static android.Manifest.permission.OBSERVE_NETWORK_POLICY;
import static android.Manifest.permission.SHUTDOWN;
import static android.net.INetd.FIREWALL_BLACKLIST;
import static android.net.INetd.FIREWALL_CHAIN_DOZABLE;
@@ -54,6 +53,7 @@
import android.net.LinkAddress;
import android.net.Network;
import android.net.NetworkPolicyManager;
+import android.net.NetworkStack;
import android.net.NetworkStats;
import android.net.NetworkUtils;
import android.net.RouteInfo;
@@ -312,13 +312,13 @@
@Override
public void registerObserver(INetworkManagementEventObserver observer) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
mObservers.register(observer);
}
@Override
public void unregisterObserver(INetworkManagementEventObserver observer) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
mObservers.unregister(observer);
}
@@ -453,7 +453,7 @@
@Override
public void registerTetheringStatsProvider(ITetheringStatsProvider provider, String name) {
- mContext.enforceCallingOrSelfPermission(NETWORK_STACK, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
Preconditions.checkNotNull(provider);
synchronized(mTetheringStatsProviders) {
mTetheringStatsProviders.put(provider, name);
@@ -462,7 +462,7 @@
@Override
public void unregisterTetheringStatsProvider(ITetheringStatsProvider provider) {
- mContext.enforceCallingOrSelfPermission(NETWORK_STACK, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
synchronized(mTetheringStatsProviders) {
mTetheringStatsProviders.remove(provider);
}
@@ -470,7 +470,7 @@
@Override
public void tetherLimitReached(ITetheringStatsProvider provider) {
- mContext.enforceCallingOrSelfPermission(NETWORK_STACK, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
synchronized(mTetheringStatsProviders) {
if (!mTetheringStatsProviders.containsKey(provider)) {
return;
@@ -737,7 +737,7 @@
//
@Override
public String[] listInterfaces() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
return mNetdService.interfaceGetList();
} catch (RemoteException | ServiceSpecificException e) {
@@ -787,7 +787,7 @@
@Override
public InterfaceConfiguration getInterfaceConfig(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
final InterfaceConfigurationParcel result;
try {
result = mNetdService.interfaceGetCfg(iface);
@@ -805,7 +805,7 @@
@Override
public void setInterfaceConfig(String iface, InterfaceConfiguration cfg) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
LinkAddress linkAddr = cfg.getLinkAddress();
if (linkAddr == null || linkAddr.getAddress() == null) {
throw new IllegalStateException("Null LinkAddress given");
@@ -822,7 +822,7 @@
@Override
public void setInterfaceDown(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
final InterfaceConfiguration ifcg = getInterfaceConfig(iface);
ifcg.setInterfaceDown();
setInterfaceConfig(iface, ifcg);
@@ -830,7 +830,7 @@
@Override
public void setInterfaceUp(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
final InterfaceConfiguration ifcg = getInterfaceConfig(iface);
ifcg.setInterfaceUp();
setInterfaceConfig(iface, ifcg);
@@ -838,7 +838,7 @@
@Override
public void setInterfaceIpv6PrivacyExtensions(String iface, boolean enable) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.interfaceSetIPv6PrivacyExtensions(iface, enable);
} catch (RemoteException | ServiceSpecificException e) {
@@ -850,7 +850,7 @@
IPv6 addresses on interface down, but we need to do full clean up here */
@Override
public void clearInterfaceAddresses(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.interfaceClearAddrs(iface);
} catch (RemoteException | ServiceSpecificException e) {
@@ -860,7 +860,7 @@
@Override
public void enableIpv6(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.interfaceSetEnableIPv6(iface, true);
} catch (RemoteException | ServiceSpecificException e) {
@@ -879,7 +879,7 @@
@Override
public void disableIpv6(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.interfaceSetEnableIPv6(iface, false);
} catch (RemoteException | ServiceSpecificException e) {
@@ -898,7 +898,7 @@
}
private void modifyRoute(boolean add, int netId, RouteInfo route) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
final String ifName = route.getInterface();
final String dst = route.getDestination().toString();
@@ -963,7 +963,7 @@
@Override
public void setMtu(String iface, int mtu) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.interfaceSetMtu(iface, mtu);
@@ -982,7 +982,7 @@
@Override
public boolean getIpForwardingEnabled() throws IllegalStateException{
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
final boolean isEnabled = mNetdService.ipfwdEnabled();
@@ -994,7 +994,7 @@
@Override
public void setIpForwardingEnabled(boolean enable) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
if (enable) {
mNetdService.ipfwdEnableForwarding("tethering");
@@ -1013,7 +1013,7 @@
@Override
public void startTetheringWithConfiguration(boolean usingLegacyDnsProxy, String[] dhcpRange) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
// an odd number of addrs will fail
try {
mNetdService.tetherStartWithConfiguration(usingLegacyDnsProxy, dhcpRange);
@@ -1024,7 +1024,7 @@
@Override
public void stopTethering() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.tetherStop();
} catch (RemoteException | ServiceSpecificException e) {
@@ -1034,7 +1034,7 @@
@Override
public boolean isTetheringStarted() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
final boolean isEnabled = mNetdService.tetherIsEnabled();
@@ -1046,7 +1046,7 @@
@Override
public void tetherInterface(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.tetherInterfaceAdd(iface);
} catch (RemoteException | ServiceSpecificException e) {
@@ -1061,7 +1061,7 @@
@Override
public void untetherInterface(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.tetherInterfaceRemove(iface);
} catch (RemoteException | ServiceSpecificException e) {
@@ -1073,7 +1073,7 @@
@Override
public String[] listTetheredInterfaces() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
return mNetdService.tetherInterfaceList();
} catch (RemoteException | ServiceSpecificException e) {
@@ -1083,7 +1083,7 @@
@Override
public void setDnsForwarders(Network network, String[] dns) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
int netId = (network != null) ? network.netId : ConnectivityManager.NETID_UNSET;
@@ -1096,7 +1096,7 @@
@Override
public String[] getDnsForwarders() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
return mNetdService.tetherDnsList();
} catch (RemoteException | ServiceSpecificException e) {
@@ -1127,19 +1127,19 @@
@Override
public void startInterfaceForwarding(String fromIface, String toIface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
modifyInterfaceForward(true, fromIface, toIface);
}
@Override
public void stopInterfaceForwarding(String fromIface, String toIface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
modifyInterfaceForward(false, fromIface, toIface);
}
@Override
public void enableNat(String internalInterface, String externalInterface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.tetherAddForward(internalInterface, externalInterface);
} catch (RemoteException | ServiceSpecificException e) {
@@ -1149,7 +1149,7 @@
@Override
public void disableNat(String internalInterface, String externalInterface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.tetherRemoveForward(internalInterface, externalInterface);
} catch (RemoteException | ServiceSpecificException e) {
@@ -1159,7 +1159,7 @@
@Override
public void addIdleTimer(String iface, int timeout, final int type) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
if (DBG) Slog.d(TAG, "Adding idletimer");
@@ -1189,7 +1189,7 @@
@Override
public void removeIdleTimer(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
if (DBG) Slog.d(TAG, "Removing idletimer");
@@ -1213,7 +1213,7 @@
@Override
public void setInterfaceQuota(String iface, long quotaBytes) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
synchronized (mQuotaLock) {
if (mActiveQuotas.containsKey(iface)) {
@@ -1244,7 +1244,7 @@
@Override
public void removeInterfaceQuota(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
synchronized (mQuotaLock) {
if (!mActiveQuotas.containsKey(iface)) {
@@ -1277,7 +1277,7 @@
@Override
public void setInterfaceAlert(String iface, long alertBytes) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
// quick sanity check
if (!mActiveQuotas.containsKey(iface)) {
@@ -1301,7 +1301,7 @@
@Override
public void removeInterfaceAlert(String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
synchronized (mQuotaLock) {
if (!mActiveAlerts.containsKey(iface)) {
@@ -1321,7 +1321,7 @@
@Override
public void setGlobalAlert(long alertBytes) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.bandwidthSetGlobalAlert(alertBytes);
@@ -1331,7 +1331,7 @@
}
private void setUidOnMeteredNetworkList(int uid, boolean blacklist, boolean enable) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
synchronized (mQuotaLock) {
boolean oldEnable;
@@ -1431,7 +1431,7 @@
@Override
public void setAllowOnlyVpnForUids(boolean add, UidRange[] uidRanges)
throws ServiceSpecificException {
- mContext.enforceCallingOrSelfPermission(NETWORK_STACK, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkRejectNonSecureVpn(add, toStableParcels(uidRanges));
} catch (ServiceSpecificException e) {
@@ -1472,7 +1472,7 @@
@Override
public void setUidCleartextNetworkPolicy(int uid, int policy) {
if (Binder.getCallingUid() != uid) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
}
synchronized (mQuotaLock) {
@@ -1506,7 +1506,6 @@
@Override
public boolean isBandwidthControlEnabled() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
return true;
}
@@ -1557,7 +1556,7 @@
@Override
public NetworkStats getNetworkStatsTethering(int how) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
final NetworkStats stats = new NetworkStats(SystemClock.elapsedRealtime(), 1);
synchronized (mTetheringStatsProviders) {
@@ -1575,7 +1574,7 @@
@Override
public void addVpnUidRanges(int netId, UidRange[] ranges) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkAddUidRanges(netId, toStableParcels(ranges));
@@ -1586,7 +1585,7 @@
@Override
public void removeVpnUidRanges(int netId, UidRange[] ranges) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkRemoveUidRanges(netId, toStableParcels(ranges));
} catch (RemoteException | ServiceSpecificException e) {
@@ -2020,7 +2019,7 @@
}
private void modifyInterfaceInNetwork(boolean add, int netId, String iface) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
if (add) {
mNetdService.networkAddInterface(netId, iface);
@@ -2034,7 +2033,7 @@
@Override
public void addLegacyRouteForNetId(int netId, RouteInfo routeInfo, int uid) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
final LinkAddress la = routeInfo.getDestinationLinkAddress();
final String ifName = routeInfo.getInterface();
@@ -2055,7 +2054,7 @@
@Override
public void setDefaultNetId(int netId) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkSetDefault(netId);
@@ -2066,7 +2065,7 @@
@Override
public void clearDefaultNetId() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkClearDefault();
@@ -2077,7 +2076,7 @@
@Override
public void setNetworkPermission(int netId, int permission) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkSetPermissionForNetwork(netId, permission);
@@ -2088,7 +2087,7 @@
@Override
public void allowProtect(int uid) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkSetProtectAllow(uid);
@@ -2099,7 +2098,7 @@
@Override
public void denyProtect(int uid) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
try {
mNetdService.networkSetProtectDeny(uid);
@@ -2145,7 +2144,7 @@
@Override
public boolean isNetworkRestricted(int uid) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ mContext.enforceCallingOrSelfPermission(OBSERVE_NETWORK_POLICY, TAG);
return isNetworkRestrictedInternal(uid);
}
diff --git a/services/core/java/com/android/server/NsdService.java b/services/core/java/com/android/server/NsdService.java
index 3efef01..b9b7bf7 100644
--- a/services/core/java/com/android/server/NsdService.java
+++ b/services/core/java/com/android/server/NsdService.java
@@ -16,19 +16,18 @@
package com.android.server;
-import android.content.Context;
import android.content.ContentResolver;
+import android.content.Context;
import android.content.Intent;
-import android.content.pm.PackageManager;
import android.database.ContentObserver;
+import android.net.NetworkStack;
import android.net.Uri;
-import android.net.nsd.NsdServiceInfo;
import android.net.nsd.DnsSdTxtRecord;
import android.net.nsd.INsdManager;
import android.net.nsd.NsdManager;
-import android.os.Binder;
-import android.os.HandlerThread;
+import android.net.nsd.NsdServiceInfo;
import android.os.Handler;
+import android.os.HandlerThread;
import android.os.Message;
import android.os.Messenger;
import android.os.UserHandle;
@@ -38,6 +37,12 @@
import android.util.SparseArray;
import android.util.SparseIntArray;
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.internal.util.AsyncChannel;
+import com.android.internal.util.DumpUtils;
+import com.android.internal.util.State;
+import com.android.internal.util.StateMachine;
+
import java.io.FileDescriptor;
import java.io.PrintWriter;
import java.net.InetAddress;
@@ -45,13 +50,6 @@
import java.util.HashMap;
import java.util.concurrent.CountDownLatch;
-import com.android.internal.annotations.VisibleForTesting;
-import com.android.internal.util.AsyncChannel;
-import com.android.internal.util.DumpUtils;
-import com.android.internal.util.Protocol;
-import com.android.internal.util.State;
-import com.android.internal.util.StateMachine;
-
/**
* Network Service Discovery Service handles remote service discovery operation requests by
* implementing the INsdManager interface.
@@ -565,8 +563,7 @@
}
public void setEnabled(boolean isEnabled) {
- mContext.enforceCallingOrSelfPermission(android.Manifest.permission.CONNECTIVITY_INTERNAL,
- "NsdService");
+ NetworkStack.checkNetworkStackPermission(mContext);
mNsdSettings.putEnabledStatus(isEnabled);
notifyEnabled(isEnabled);
}
diff --git a/services/core/java/com/android/server/connectivity/IpConnectivityMetrics.java b/services/core/java/com/android/server/connectivity/IpConnectivityMetrics.java
index 79b56c6..33f6ed5 100644
--- a/services/core/java/com/android/server/connectivity/IpConnectivityMetrics.java
+++ b/services/core/java/com/android/server/connectivity/IpConnectivityMetrics.java
@@ -20,6 +20,7 @@
import android.net.ConnectivityMetricsEvent;
import android.net.IIpConnectivityMetrics;
import android.net.INetdEventCallback;
+import android.net.NetworkStack;
import android.net.metrics.ApfProgramEvent;
import android.net.metrics.IpConnectivityLog;
import android.os.Binder;
@@ -276,7 +277,7 @@
@Override
public int logEvent(ConnectivityMetricsEvent event) {
- enforceConnectivityInternalPermission();
+ NetworkStack.checkNetworkStackPermission(getContext());
return append(event);
}
@@ -299,10 +300,6 @@
}
}
- private void enforceConnectivityInternalPermission() {
- enforcePermission(android.Manifest.permission.CONNECTIVITY_INTERNAL);
- }
-
private void enforceDumpPermission() {
enforcePermission(android.Manifest.permission.DUMP);
}
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 56f4959..f0b7150 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -17,7 +17,6 @@
package com.android.server.connectivity;
import static android.Manifest.permission.CHANGE_NETWORK_STATE;
-import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
import static android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS;
import static android.Manifest.permission.INTERNET;
import static android.Manifest.permission.NETWORK_STACK;
@@ -25,6 +24,7 @@
import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_GRANTED;
import static android.content.pm.PackageManager.GET_PERMISSIONS;
import static android.content.pm.PackageManager.MATCH_ANY_USER;
+import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
import static android.os.Process.INVALID_UID;
import static android.os.Process.SYSTEM_UID;
@@ -259,7 +259,8 @@
return true;
}
}
- return hasPermission(app, CONNECTIVITY_INTERNAL)
+
+ return hasPermission(app, PERMISSION_MAINLINE_NETWORK_STACK)
|| hasPermission(app, NETWORK_STACK)
|| hasPermission(app, CONNECTIVITY_USE_RESTRICTED_NETWORKS);
}
diff --git a/services/core/java/com/android/server/net/LockdownVpnTracker.java b/services/core/java/com/android/server/net/LockdownVpnTracker.java
index 77fbe41..4cb41da 100644
--- a/services/core/java/com/android/server/net/LockdownVpnTracker.java
+++ b/services/core/java/com/android/server/net/LockdownVpnTracker.java
@@ -16,7 +16,7 @@
package com.android.server.net;
-import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
+import static android.Manifest.permission.NETWORK_STACK;
import static android.provider.Settings.ACTION_VPN_SETTINGS;
import android.annotation.NonNull;
@@ -202,8 +202,7 @@
mVpn.setLockdown(true);
final IntentFilter resetFilter = new IntentFilter(ACTION_LOCKDOWN_RESET);
- mContext.registerReceiver(mResetReceiver, resetFilter, CONNECTIVITY_INTERNAL, mHandler);
-
+ mContext.registerReceiver(mResetReceiver, resetFilter, NETWORK_STACK, mHandler);
handleStateChangedLocked();
}
diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
index 32d4b72..dfdc2c1 100644
--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
@@ -20,6 +20,9 @@
import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
import static android.Manifest.permission.MANAGE_NETWORK_POLICY;
import static android.Manifest.permission.MANAGE_SUBSCRIPTION_PLANS;
+import static android.Manifest.permission.NETWORK_SETTINGS;
+import static android.Manifest.permission.NETWORK_STACK;
+import static android.Manifest.permission.OBSERVE_NETWORK_POLICY;
import static android.Manifest.permission.READ_NETWORK_USAGE_HISTORY;
import static android.Manifest.permission.READ_PHONE_STATE;
import static android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE;
@@ -33,6 +36,7 @@
import static android.content.pm.PackageManager.MATCH_DIRECT_BOOT_UNAWARE;
import static android.content.pm.PackageManager.MATCH_DISABLED_COMPONENTS;
import static android.content.pm.PackageManager.MATCH_UNINSTALLED_PACKAGES;
+import static android.content.pm.PackageManager.PERMISSION_GRANTED;
import static android.net.ConnectivityManager.CONNECTIVITY_ACTION;
import static android.net.ConnectivityManager.RESTRICT_BACKGROUND_STATUS_DISABLED;
import static android.net.ConnectivityManager.RESTRICT_BACKGROUND_STATUS_ENABLED;
@@ -153,6 +157,7 @@
import android.net.NetworkQuotaInfo;
import android.net.NetworkRequest;
import android.net.NetworkSpecifier;
+import android.net.NetworkStack;
import android.net.NetworkState;
import android.net.NetworkStats;
import android.net.NetworkTemplate;
@@ -825,7 +830,7 @@
// watch for network interfaces to be claimed
final IntentFilter connFilter = new IntentFilter(CONNECTIVITY_ACTION);
- mContext.registerReceiver(mConnReceiver, connFilter, CONNECTIVITY_INTERNAL, mHandler);
+ mContext.registerReceiver(mConnReceiver, connFilter, NETWORK_STACK, mHandler);
// listen for package changes to update policy
final IntentFilter packageFilter = new IntentFilter();
@@ -1128,7 +1133,7 @@
@Override
public void limitReached(String limitName, String iface) {
// only someone like NMS should be calling us
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
if (!LIMIT_GLOBAL_ALERT.equals(limitName)) {
mHandler.obtainMessage(MSG_LIMIT_REACHED, iface).sendToTarget();
@@ -1483,7 +1488,7 @@
private BroadcastReceiver mConnReceiver = new BroadcastReceiver() {
@Override
public void onReceive(Context context, Intent intent) {
- // on background handler thread, and verified CONNECTIVITY_INTERNAL
+ // on background handler thread, and verified NETWORK_STACK
// permission above.
updateNetworksInternal();
}
@@ -2721,17 +2726,35 @@
return changed;
}
+ private boolean checkAnyPermissionOf(String... permissions) {
+ for (String permission : permissions) {
+ if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private void enforceAnyPermissionOf(String... permissions) {
+ if (!checkAnyPermissionOf(permissions)) {
+ throw new SecurityException("Requires one of the following permissions: "
+ + String.join(", ", permissions) + ".");
+ }
+ }
+
@Override
public void registerListener(INetworkPolicyListener listener) {
- // TODO: create permission for observing network policy
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ // TODO: Remove CONNECTIVITY_INTERNAL and the *AnyPermissionOf methods above after all apps
+ // have declared OBSERVE_NETWORK_POLICY.
+ enforceAnyPermissionOf(CONNECTIVITY_INTERNAL, OBSERVE_NETWORK_POLICY);
mListeners.register(listener);
}
@Override
public void unregisterListener(INetworkPolicyListener listener) {
- // TODO: create permission for observing network policy
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ // TODO: Remove CONNECTIVITY_INTERNAL and the *AnyPermissionOf methods above after all apps
+ // have declared OBSERVE_NETWORK_POLICY.
+ enforceAnyPermissionOf(CONNECTIVITY_INTERNAL, OBSERVE_NETWORK_POLICY);
mListeners.unregister(listener);
}
@@ -4965,7 +4988,7 @@
@Override
public void factoryReset(String subscriber) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ mContext.enforceCallingOrSelfPermission(NETWORK_SETTINGS, TAG);
if (mUserManager.hasUserRestriction(UserManager.DISALLOW_NETWORK_RESET)) {
return;
@@ -4998,7 +5021,7 @@
public boolean isUidNetworkingBlocked(int uid, boolean isNetworkMetered) {
final long startTime = mStatLogger.getTime();
- mContext.enforceCallingOrSelfPermission(MANAGE_NETWORK_POLICY, TAG);
+ mContext.enforceCallingOrSelfPermission(OBSERVE_NETWORK_POLICY, TAG);
final int uidRules;
final boolean isBackgroundRestricted;
synchronized (mUidRulesFirstLock) {
diff --git a/services/core/java/com/android/server/net/NetworkStatsService.java b/services/core/java/com/android/server/net/NetworkStatsService.java
index e473c96..16424f2 100644
--- a/services/core/java/com/android/server/net/NetworkStatsService.java
+++ b/services/core/java/com/android/server/net/NetworkStatsService.java
@@ -17,7 +17,6 @@
package com.android.server.net;
import static android.Manifest.permission.ACCESS_NETWORK_STATE;
-import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
import static android.Manifest.permission.READ_NETWORK_USAGE_HISTORY;
import static android.content.Intent.ACTION_SHUTDOWN;
import static android.content.Intent.ACTION_UID_REMOVED;
@@ -91,6 +90,7 @@
import android.net.NetworkCapabilities;
import android.net.NetworkIdentity;
import android.net.NetworkInfo;
+import android.net.NetworkStack;
import android.net.NetworkState;
import android.net.NetworkStats;
import android.net.NetworkStats.NonMonotonicObserver;
@@ -1020,8 +1020,6 @@
private BroadcastReceiver mTetherReceiver = new BroadcastReceiver() {
@Override
public void onReceive(Context context, Intent intent) {
- // on background handler thread, and verified CONNECTIVITY_INTERNAL
- // permission above.
performPoll(FLAG_PERSIST_NETWORK);
}
};
@@ -1095,7 +1093,7 @@
@Override
public void limitReached(String limitName, String iface) {
// only someone like NMS should be calling us
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ NetworkStack.checkNetworkStackPermission(mContext);
if (LIMIT_GLOBAL_ALERT.equals(limitName)) {
// kick off background poll to collect network stats unless there is already
diff --git a/services/tests/servicestests/AndroidManifest.xml b/services/tests/servicestests/AndroidManifest.xml
index c1bbb30..fb42507 100644
--- a/services/tests/servicestests/AndroidManifest.xml
+++ b/services/tests/servicestests/AndroidManifest.xml
@@ -34,7 +34,7 @@
<uses-permission android:name="android.permission.REORDER_TASKS" />
<uses-permission android:name="android.permission.MANAGE_NETWORK_POLICY" />
<uses-permission android:name="android.permission.READ_NETWORK_USAGE_HISTORY" />
- <uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" />
+ <uses-permission android:name="android.permission.OBSERVE_NETWORK_POLICY" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.MANAGE_USERS" />
<uses-permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL" />
diff --git a/services/tests/servicestests/test-apps/ConnTestApp/AndroidManifest.xml b/services/tests/servicestests/test-apps/ConnTestApp/AndroidManifest.xml
index 909e9bb..201cd05 100644
--- a/services/tests/servicestests/test-apps/ConnTestApp/AndroidManifest.xml
+++ b/services/tests/servicestests/test-apps/ConnTestApp/AndroidManifest.xml
@@ -18,8 +18,7 @@
package="com.android.servicestests.apps.conntestapp">
<uses-permission android:name="android.permission.INTERNET" />
- <uses-permission android:name="android.permission.MANAGE_NETWORK_POLICY" />
- <uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" />
+ <uses-permission android:name="android.permission.OBSERVE_NETWORK_POLICY" />
<application>
<activity android:name=".ConnTestActivity"
diff --git a/tests/net/AndroidManifest.xml b/tests/net/AndroidManifest.xml
index dcacb6d..638b6d1 100644
--- a/tests/net/AndroidManifest.xml
+++ b/tests/net/AndroidManifest.xml
@@ -32,7 +32,7 @@
<uses-permission android:name="android.permission.GET_DETAILED_TASKS" />
<uses-permission android:name="android.permission.MANAGE_NETWORK_POLICY" />
<uses-permission android:name="android.permission.READ_NETWORK_USAGE_HISTORY" />
- <uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" />
+ <uses-permission android:name="android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.MANAGE_USERS" />
<uses-permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL" />
@@ -45,6 +45,8 @@
<uses-permission android:name="android.permission.MANAGE_ACTIVITY_STACKS" />
<uses-permission android:name="android.permission.INSTALL_PACKAGES" />
<uses-permission android:name="android.permission.NETWORK_STACK" />
+ <uses-permission android:name="android.permission.OBSERVE_NETWORK_POLICY" />
+ <uses-permission android:name="android.permission.NETWORK_FACTORY" />
<application>
<uses-library android:name="android.test.runner" />
diff --git a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
index 2738daa..39f849c 100644
--- a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
+++ b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
@@ -265,6 +265,8 @@
assertFalse(mPermissionMonitor.hasNetworkPermission(app));
app = systemPackageInfoWithPermissions(CONNECTIVITY_USE_RESTRICTED_NETWORKS);
assertFalse(mPermissionMonitor.hasNetworkPermission(app));
+ app = systemPackageInfoWithPermissions(CONNECTIVITY_INTERNAL);
+ assertFalse(mPermissionMonitor.hasNetworkPermission(app));
}
@Test
@@ -274,7 +276,7 @@
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CHANGE_NETWORK_STATE));
assertTrue(hasRestrictedNetworkPermission(
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, NETWORK_STACK));
- assertTrue(hasRestrictedNetworkPermission(
+ assertFalse(hasRestrictedNetworkPermission(
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_INTERNAL));
assertTrue(hasRestrictedNetworkPermission(
PARTITION_SYSTEM, VERSION_P, MOCK_UID1, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
@@ -283,7 +285,7 @@
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, MOCK_UID1));
assertFalse(hasRestrictedNetworkPermission(
- PARTITION_SYSTEM, VERSION_Q, MOCK_UID1, CHANGE_WIFI_STATE));
+ PARTITION_SYSTEM, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));
}
@Test
@@ -291,14 +293,14 @@
doReturn(VERSION_P).when(mPermissionMonitor).getDeviceFirstSdkInt();
assertTrue(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_P, SYSTEM_UID));
assertTrue(hasRestrictedNetworkPermission(
- PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CHANGE_WIFI_STATE));
+ PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_INTERNAL));
assertTrue(hasRestrictedNetworkPermission(
PARTITION_SYSTEM, VERSION_P, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
doReturn(VERSION_Q).when(mPermissionMonitor).getDeviceFirstSdkInt();
assertFalse(hasRestrictedNetworkPermission(PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID));
assertFalse(hasRestrictedNetworkPermission(
- PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CHANGE_WIFI_STATE));
+ PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_INTERNAL));
assertTrue(hasRestrictedNetworkPermission(
PARTITION_SYSTEM, VERSION_Q, SYSTEM_UID, CONNECTIVITY_USE_RESTRICTED_NETWORKS));
}
@@ -319,7 +321,7 @@
assertFalse(hasRestrictedNetworkPermission(PARTITION_VENDOR, VERSION_Q, MOCK_UID1));
assertFalse(hasRestrictedNetworkPermission(
- PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CHANGE_WIFI_STATE));
+ PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CONNECTIVITY_INTERNAL));
assertFalse(hasRestrictedNetworkPermission(
PARTITION_VENDOR, VERSION_Q, MOCK_UID1, CHANGE_NETWORK_STATE));
}
@@ -337,7 +339,7 @@
public void testHasUseBackgroundNetworksPermission() throws Exception {
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(SYSTEM_UID));
assertBackgroundPermission(false, SYSTEM_PACKAGE1, SYSTEM_UID);
- assertBackgroundPermission(false, SYSTEM_PACKAGE1, SYSTEM_UID, CHANGE_WIFI_STATE);
+ assertBackgroundPermission(false, SYSTEM_PACKAGE1, SYSTEM_UID, CONNECTIVITY_INTERNAL);
assertBackgroundPermission(true, SYSTEM_PACKAGE1, SYSTEM_UID, CHANGE_NETWORK_STATE);
assertBackgroundPermission(true, SYSTEM_PACKAGE1, SYSTEM_UID, NETWORK_STACK);
@@ -348,8 +350,9 @@
assertFalse(mPermissionMonitor.hasUseBackgroundNetworksPermission(MOCK_UID2));
assertBackgroundPermission(false, MOCK_PACKAGE2, MOCK_UID2);
- assertBackgroundPermission(true, MOCK_PACKAGE2, MOCK_UID2,
+ assertBackgroundPermission(false, MOCK_PACKAGE2, MOCK_UID2,
CONNECTIVITY_INTERNAL);
+ assertBackgroundPermission(true, MOCK_PACKAGE2, MOCK_UID2, NETWORK_STACK);
}
private class NetdMonitor {