Merge "Add a whitelist to control packages that can use Bugreporting API"
am: 17492d0691

Change-Id: If224c6522c89c53cb1d5e72a55d5aa051a4e0d02
diff --git a/core/java/com/android/server/SystemConfig.java b/core/java/com/android/server/SystemConfig.java
index a07c96c..9632d0d 100644
--- a/core/java/com/android/server/SystemConfig.java
+++ b/core/java/com/android/server/SystemConfig.java
@@ -175,6 +175,8 @@
 
     final ArrayMap<String, ArrayMap<String, Boolean>> mOemPermissions = new ArrayMap<>();
 
+    private final ArraySet<String> mBugreportWhitelistedPackages = new ArraySet<>();
+
     public static SystemConfig getInstance() {
         synchronized (SystemConfig.class) {
             if (sInstance == null) {
@@ -288,6 +290,10 @@
         return Collections.emptyMap();
     }
 
+    public ArraySet<String> getBugreportWhitelistedPackages() {
+        return mBugreportWhitelistedPackages;
+    }
+
     SystemConfig() {
         // Read configuration from system
         readPermissions(Environment.buildPath(
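Review bot: `getBugreportWhitelistedPackages()` returns the live `mBugreportWhitelistedPackages` set, so any in-process caller holding the reference can add entries to a list that later gates a security check. The constructor hunk in BugreportManagerServiceImpl.java stores this same reference. Either hand out a copy, `return new ArraySet<>(mBugreportWhitelistedPackages);`, or add Javadoc stating that the returned set must be treated as read-only and is populated only from `<bugreport-whitelisted>` tags during config parsing. The getter currently has no Javadoc at all.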
@@ -707,6 +713,15 @@
                         mHiddenApiPackageWhitelist.add(pkgname);
                     }
                     XmlUtils.skipCurrentTag(parser);
+                } else if ("bugreport-whitelisted".equals(name)) {
+                    String pkgname = parser.getAttributeValue(null, "package");
+                    if (pkgname == null) {
+                        Slog.w(TAG, "<" + name + "> without package in " + permFile
+                                + " at " + parser.getPositionDescription());
+                    } else {
+                        mBugreportWhitelistedPackages.add(pkgname);
+                    }
+                    XmlUtils.skipCurrentTag(parser);
                 } else {
                     Slog.w(TAG, "Tag " + name + " is unknown or not allowed in "
                             + permFile.getParent());
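Review bot: The new `bugreport-whitelisted` branch accepts the tag from whichever `permFile` is being parsed, with no visible restriction on which partition or config directory may grant bugreport access. The enclosing method starts and ends outside the hunk, so I cannot see whether other branches are gated by per-directory allow flags; if they are, this tag likely deserves the same gating, since an entry here opens the Bugreporting API to that package. An empty `package=""` attribute is also added to the set as-is; `if (pkgname == null || pkgname.isEmpty()) {` would reject it with the same warning.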
diff --git a/services/core/java/com/android/server/os/BugreportManagerServiceImpl.java b/services/core/java/com/android/server/os/BugreportManagerServiceImpl.java
index f4454ae..ba5ca9c 100644
--- a/services/core/java/com/android/server/os/BugreportManagerServiceImpl.java
+++ b/services/core/java/com/android/server/os/BugreportManagerServiceImpl.java
@@ -31,10 +31,12 @@
 import android.os.SystemClock;
 import android.os.SystemProperties;
 import android.os.UserManager;
+import android.util.ArraySet;
 import android.util.Slog;
 
 import com.android.internal.annotations.GuardedBy;
 import com.android.internal.util.Preconditions;
+import com.android.server.SystemConfig;
 
 import java.io.FileDescriptor;
 
@@ -55,10 +57,13 @@
     private final Object mLock = new Object();
     private final Context mContext;
     private final AppOpsManager mAppOps;
+    private final ArraySet<String> mBugreportWhitelistedPackages;
 
     BugreportManagerServiceImpl(Context context) {
         mContext = context;
         mAppOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
+        mBugreportWhitelistedPackages =
+                SystemConfig.getInstance().getBugreportWhitelistedPackages();
     }
 
     @Override
@@ -83,6 +88,10 @@
         int callingUid = Binder.getCallingUid();
         mAppOps.checkPackage(callingUid, callingPackage);
 
+        if (!mBugreportWhitelistedPackages.contains(callingPackage)) {
+            throw new SecurityException(
+                    callingPackage + " is not whitelisted to use Bugreport API");
+        }
         synchronized (mLock) {
             startBugreportLocked(callingUid, callingPackage, bugreportFd, screenshotFd,
                     bugreportMode, listener);
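Review bot: The check `mBugreportWhitelistedPackages.contains(callingPackage)` matches on package name alone; it relies on `checkPackage` above to tie the name to `callingUid`, but nothing in this hunk confirms the package is preinstalled or signed with an expected key. If a listed package is absent from the image, presumably an app installed under that name would pass; whether a permission is enforced earlier in the method is outside the hunk. I would add a comment such as `// Name-only allowlist: checkPackage() binds the name to the caller's uid; entries must name preinstalled packages.` and log the denial with `Slog.w` (including `callingUid`) before throwing, so rejected callers show up in logs. The method body continues past the end of the hunk.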