| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Attribution source is the abstraction to capture the data
flows for private data across apps. Checking permissions
for an attribution source does this for all apps in the
chain that would receive the data as well as the relevant
app ops are checked/noted/started as needed.
Teach speech recognition service about attribution
chains. If an implementation does nothing the OS
would enforce permisisons and do blame as always.
This apporach leads to double blaming and doesn't
support attribition chains where app calls into
the default recognizer which calls into the on
device recognizer (this nests recursively). If the
implementer takes advantage of the attribution chain
mechanims the permissions for the entire chain are
checked at mic access time and all apps are blamed
only once.
Fixed a few bugs around finishing ops for attribution
chains. Also ensured that any app death in a started
attribution chain would lead to finishing the op for
this app
bug: 158792096
Test: ((added tests for speech reco))
atest CtsMediaTestCases
atest CtsPermissionTestCases
atest CtsPermission2TestCases
atest CtsPermission3TestCases
atest CtsPermission4TestCases
atest CtsPermission5TestCases
atest CtsAppOpsTestCases
atest CtsAppOps2TestCases
Change-Id: Ic92c7adc14bd2d135ac13b96f17a1b393dd562e4
|
| |
|
|
|
|
|
| |
Bug: 188525157
Test: atest android.content.PermissionCheckerTest
Change-Id: Id3f89189e3b81394db9eddf675726c4aca8c2a9d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Separate the internal state of AttributionSource from the
class to make it a simple AIDL we can translate automatically
to native - keeping Java and native parts in sync. This
would allow writing a thin native lib for checking attribution
source permissions which would be used to teach camera and
audio about attributions.
Deinfe an AIDL interface for passing around an attribution
source and opr performing permission checker oprations allowing
native and Java permission checks on attribution chains to be
handled. The Java side permission checker functions are in a dedicated
permisison checker service on top of which sits the PermissionChecker.
We expose similar PermissionChecker native APIs sitting on top
of the same remote interface. The nice thing is that we have
native and Java permisison checkers in sync sharing remoting
code and being close in shape.
For now the PermissionChecker in Java is divorced from the
PermissionManager but in T we will consider how to unify them,
either by an extension object on the PermmissionManager or
APIs on the PermissionManager, or another approach, and then
migrate clients off the PermissionChecker APIs.
Sync app ops were not tracked across multiple binder calls which
prevents moving the permission checks in the system server as
this adds one more hop. Now sync ops are propagated backed the
call stack and only the ops for the package are dispatched to
it and the rest are propagated back to the caller, recursively.
bug: 158792096
Test: atest CtsPermission5TestCases
atest CtsAppOps2TestCases
atest CtsPermissionTestCases
atest CtsPermission2TestCases
atest CtsPermission3TestCases
atest CtsPermission4TestCases
atest CtsPermission5TestCases
Change-Id: Ia5cbd2eb20a2da172a5960afdddd7e467f4bcb0d
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Revert "Prepare AttributionSource to expose to native - native"
Revert submission 14225527-bug-158792096-04/16/21-1
Reason for revert: b/186467053
Reverted Changes:
I16740cc2d:Prepare AttributionSource to expose to native - na...
I4e050e78b:Prepare AttributionSource to expose to native
Change-Id: I83e4091231241c2211edf5745735f4ee993c6680
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Separate the internal state of AttributionSource from the
class to make it a simple AIDL we can translate automatically
to native - keeping Java and native parts in sync. This
would allow writing a thin native lib for checking attribution
source permissions which would be used to teach camera and
audio about attributions.
Deinfe an AIDL interface for passing around an attribution
source and opr performing permission checker oprations allowing
native and Java permission checks on attribution chains to be
handled. The Java side permission checker functions are in a dedicated
permisison checker service on top of which sits the PermissionChecker.
We expose similar PermissionChecker native APIs sitting on top
of the same remote interface. The nice thing is that we have
native and Java permisison checkers in sync sharing remoting
code and being close in shape.
For now the PermissionChecker in Java is divorced from the
PermissionManager but in T we will consider how to unify them,
either by an extension object on the PermmissionManager or
APIs on the PermissionManager, or another approach, and then
migrate clients off the PermissionChecker APIs.
bug: 158792096
Test: atest CtsPermission5TestCases
Change-Id: I4e050e78b2361cbf524cc213802e0fef5b487f67
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the datasource is not in a trusted platform component then in would not
have UPDATE_APP_OPS_STATS. The problem is that an app is exposing runtime
permission protected data but cannot blame others in a trusted way which
would not properly show in permission usage UIs. As a fallback we are
adding a proxy op handling blaming the datasource and the caller.
bug: 183960997
Test: Assustant on auto projection works
Change-Id: I8a341a6c46c75eff86bac7a79c4219ebb7991071
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Propagate renounced permissions from context params
to the context attribution source. Throw if one
tries to request at runtime a renounced permission.
Also make the AttributionSource take null for the
setters to ease usage, otherwise folks should always
check for null before calling a builder method.
Additionally, we allow apps that have UPDATE_APP_OPS_STATS
to register arbitrary trusted AttributionSource for
testing. Note that this permission allows abritrary app
op operations, thus we are not relaxing the security
model.
bug: 158792096
Test: atest CtsPermission5TestCases
Change-Id: I4330684bb8695fb998cf31e9363b94ad981ba2cc
|
| |
|
|
|
|
|
|
|
|
| |
Also added some logging for runtime permissions with no app op
bug: 184093962
Test: Setting up device with work account
Change-Id: I85787367b11d57ed1240fcf484ad7d2efa13d406
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bug:158792096
bug:180647319
bug:184051153
bug:184027531
Test:atest CtsPermissionTestCases
atest CtsPermission2TestCases
atest CtsPermission3TestCases
atest CtsPermission4TestCases
atest CtsPermission5TestCases
atest CtsAppOpsTestCases
atest CtsAppOps2TestCases
atest CtsAlarmManagerTestCases
Change-Id: Id324ed0e2a653dface6ba273bba27e92bea14f99
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When an app is proxying access to runtime permission protected
data it needs to check whether the calling app has a permission
to the data it is about to proxy which leaves a trace in app ops
that the requesting app perofmed a data access. However, then the
app doing the work needs to get the protected data itself from the
OS which access gets attributed only to itself. As a result there
are two data accesses in app ops where only the first one is a
proxy one that app A got access to Foo through app B - that is the
one we want to show in the permission tracking UIs - and one
for the data access - that is the one we would want to blame on
the calling app, and in fact, these two accesses should be one -
that app A accessed Foo though B. This limitation requires fragile
one off workarounds where both accesses use the same attribution
tag and sys UI has hardcoded rules to dedupe. Since this is not
documented we cannot expect that the ecosystem would reliably
do this workaround in apps that that the workaround in the OS
would be respected by every OEM.
This change adds a mechaism to resolve this issue. It allows for
an app to create an attribution context for another app and then
any private data access thorugh this context would result in a
single app op blame that A accessed Foo though B, i.e. we no longer
have double accounting. Also this can be nested through apps, e.g.
app A asks app B which asks app C for contacts. In this case app
B creates an attribution context for app A and calls into app C
which creates an attribution context for app B. When app C gets
contacts the entire attribution chain would get a porper, single
blame: that C accessed the data, that B got the data from C, and
that A got the data form B. Furthermore, this mechanism ensures
that apps cannot forget to check permissions for the caller
before proxying private data. In our example B and C don't need
to check the permisisons for A and B, respectively, since the
permisisons for the entire attribution chain are checked before
data delivery. Attribution chains are not forgeable preventing
a bad actor to create an arbitrary one - each attribution is
created by the app it refers to and points to a chain of
attributions created by their corresponding apps.
This change also fixes a bug where all content provider accesses
were double counted in app ops due to double noting. While at
this it also fixes that apps can now access their own last ops.
There was a bug where one could not pass null getting the attributed
ops from a historical package ops while this is a valid use case
since if there is no attribution everything is mapped to the null
tag. There were some app op APIs not being piped thorough the app
ops delegate and by extension through the app ops policy. Also
now that we have nice way to express the permission chain in a
call we no longer need the special casing in activity manager to
handle content provider accesses through the OS. Fixed a bug
where we don't properly handle the android.os.shell calls with
an invlaid tag which was failing while the shell can do any tag.
Finally, to ensure the mechanims is validated and works end-to-end
we are adding support for a voice recognizer to blame the client
app for the mic access. The recognition service can create a blaming
context when opening the mic and if the mic is open, which would
do all permission checks, we would not do so again. Since changes
to PermissionChercker for handling attribution sources were made
the CL also hooks up renounced permissoins in the request permission
flow and in the permission checks.
bug:158792096
bug:180647319
Test:atest CtsPermissionsTestCases
atest CtsPermissions2TestCases
atest CtsPermissions3TestCases
atest CtsPermissions4TestCases
atest CtsPermissions5TestCases
atest CtsAppOpsTestCases
atest CtsAppOps2TestCases
Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
|
| |
|
|
|
| |
Test: Docs only changes
Change-Id: I10bac140182db2de43399b45da683c45435ed828
|
| |
|
|
|
|
|
|
| |
restoring Q behavior
Bug: 160933537
Test: TH
Change-Id: I66e5b743f1e61f744f9aad2248a9b619fd9b97f7
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
noteOp always resolved MODE_FOREGROUND into IGNORED/ALLOWED
checkOp resolves it too, but checkOpRaw does not resolved it and might
return it.
Preflight checks should be independant of the uid state, hence treat
MODE_FOREGROUND similar to ALLOWED as MODE_FOREGROUND might allow it.
Bug: 150508177
Fixes: 148197098
Test: TH
Change-Id: I7b4f53c7ce638f92747d452f2d2f72d098e94b78
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the core functionality this changes everything including aidl's and
field names:
- Context
- ContentProvider
- AppOps*
- Package parsing
For the rest, this is a shallow change to only change to the changed
APIs. This keeps the change small-ish
Exempt-From-Owner-Approval: Rename
Fixes: 148792795
Test: TH
Change-Id: I2a2245fe76e09e62cb13d5785d2efb4a304ba54a
Merged-In: I2a2245fe76e09e62cb13d5785d2efb4a304ba54a
|
| |
|
|
|
|
|
|
|
|
|
| |
Changed APIs in PermissionChecker to check if the permission is an appop
permission or a runtime permission and treat it accordingly.
BUG: 140728653
BUG: 136249261
Test: atest PermissionCheckerTest
Change-Id: I742dad5b0e1e9cd65920f0366f1887ab33959f5b
|
| |
|
|
|
| |
Test: Built
Change-Id: I645d578ccecc27122d2d44be828a9dac6dda7600
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently only used by app-ops, but can be used by other modules too.
AppOps will collect app-ops based on feature. Only the most basic
parts of app-ops are supporting features yet. The rest will be added
later.
Test: atest CtsAppOpsTestCases
atest RunSettingsLibRoboTests
atest com.android.server.wm.ActivityStarterTests
m -j doc-comment-check-docs
Bug: 136595429
Change-Id: Ia664f4ff1c1c2ceea721d76dc491ec50c237e9ce
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had accidental usages of the PermissionChecker for cases where no
private data was provided to the app but the checkPermission API on
the latter also did blame data access on the app. The PermissionChecker
was designed to handle IPC calls and not for generic API checks.
To avoid future accidental incorrect PermissionChecker usages this
change renames the existing APIs of the latter to clearly indicate
that they should be used for data delivery and also adds sibling
methods for doing the same permission checks for preflight purposes.
Also the documentation is improved to furhter assist developers.
In addition, this change fixes accidental permission checker usages
that blame when they should not by using the new preflight flavor
of the permission check APIs.
Test:
atest com.android.settingslib.location.RecentLocationAppsTest
atest CtsPermissionTestCases
added: LocationAccessCheckTest#notificationOnlyForAccessesSinceFeatureWasEnabled
added: LocationAccessCheckTest#noNotificationIfFeatureDisabled
added: LocationAccessCheckTest#noNotificationIfBlamerNotSystemOrLocationProvider
added: LocationAccessCheckTest#testOpeningLocationSettingsDoesNotTriggerAccess
bug:141028068
Exempt-From-Owner-Approval: merge
Change-Id: I65c71569d0dd8a40bc6fecabb22c5373dd6e806e
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If private user data is send to an app the data provider should note an
app-op. This change adds a new API AppOpsManager#setNotedAppOpsCollector
that allows an app to get notified every time such an private data access
happens.
This will allow apps to monitor their own private data usage. Esp. with
big, old apps, distributed teams or 3rd party libraries it might not always
be clear what subsystems access private data.
There are three different situations how private data can be accessed and
an app op is noted:
1. Private data access inside a two-way binder call.
E.g. LocationManager#getLastKnownLocation. When we start a two way
binder transaction, we remember the calling uid via
AppOpsManager#collectNotedAppOps. Then when the data providing code
calls AppOpsManager#noteOp->AppOpsManager#markAppOpNoted the noted
app-op is remembered in
AppOpsManager#sAppOpsNotedInThisBinderTransaction. Then when returning
from the binder call, we add the list of noted app-ops to the
reply-parcel via AppOpsManager#prefixParcelWithAppOpsIfNeeded. On the
calling side we check if there were any app-ops noted in
AppOpsManager#readAndLogNotedAppops and then call the collector while
still in the binder code. This allows the collector e.g. collect a stack
trace which can be used to figure out what app code caused the
private data access.
2. Very complex apps might do permissions checks internal to themself.
I.e. an app notes an op for itself. We detect this case in
AppOpsManager#markAppOpNoted and immediately call the collector similar
to case (1).
3. Sometimes private data is accessed outside of a two-way binder call.
E.g. if an app registers a LocationListener an app-op is noted each time
a new location is send to the app. In this case it is not clear to the
framework which app-action triggered this app-op-note. Hence the data
provider has to describe in a AsyncNotedAppOp object when an why the
access happened. These objects are then send to the system server via
IAppOpsService#noteAsyncOp and then the collector in the app. There are
rare cases where a private data access happens before the app is running
(e.g. when a geo-fence is triggered). In this case we cache a small
amount of AsyncNotedAppOps (in AppOpsService#mUnforwardedAsyncNotedOps)
and deliver them when the app is ready for these events (in
AppOpsManager#setNotedAppOpsCollector).
Test: atest CtsAppOpsTestCases (includes new tests covering this
functionality)
Bug: 136505050
Change-Id: I96ded4a8d8d9bcb37a4555d9b1281cb57945ffa9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In permission checker we used to check the permission for the passed in
uid but the opp-op for the Binder.getCallingUid. In the case the calling
identity was cleared, PermissionChecker ended up checking the app-op of the
current process (often the system server).
Now we check the uid for both the permission and the app-op.
Test: Called PermissionChecker.checkPermission with the calling indentity
cleared.
Fixes: 124116218
Change-Id: Ic0b766f6c75bba1b9dae3e91c6adce85a76ae68f
|
|
|
Fixes: 73511076, 73311729
Test: presubmit
Change-Id: Ie98f67ffee4744050ac85d8b229370a16a76a194
|
