1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
|
/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.content;
import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.AppOpsManager;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
/**
* This class provides permission check APIs that verify both the
* permission and the associated app op for this permission if
* such is defined.
* <p>
* In the new permission model permissions with protection level
* dangerous are runtime permissions. For apps targeting {@link android.os.Build.VERSION_CODES#M}
* and above the user may not grant such permissions or revoke
* them at any time. For apps targeting API lower than {@link android.os.Build.VERSION_CODES#M}
* these permissions are always granted as such apps do not expect
* permission revocations and would crash. Therefore, when the
* user disables a permission for a legacy app in the UI the
* platform disables the APIs guarded by this permission making
* them a no-op which is doing nothing or returning an empty
* result or default error.
* </p>
* <p>
* It is important that when you perform an operation on behalf of
* another app you use these APIs to check for permissions as the
* app may be a legacy app that does not participate in the new
* permission model for which the user had disabled the "permission"
* which is achieved by disallowing the corresponding app op.
* </p>
* <p>
* This class has two types of methods and you should be careful which
* type to call based on whether permission protected data is being
* passed to the app or you are just checking whether the app holds a
* permission. The reason is that a permission check requires checking
* the runtime permission and if it is granted checking the corresponding
* app op as for apps not supporting the runtime mode we never revoke
* permissions but disable app ops. Since there are two types of app op
* checks, one that does not leave a record an action was performed and
* another the does, one needs to call the preflight flavor of the checks
* named xxxForPreflight only if no private data is being delivered but
* a permission check is what is needed and the xxxForDataDelivery where
* the permission check is right before private data delivery.
*
* @hide
*/
public final class PermissionChecker {
/** Permission result: The permission is granted. */
public static final int PERMISSION_GRANTED = PackageManager.PERMISSION_GRANTED;
/** Permission result: The permission is denied. */
public static final int PERMISSION_DENIED = PackageManager.PERMISSION_DENIED;
/** Permission result: The permission is denied because the app op is not allowed. */
public static final int PERMISSION_DENIED_APP_OP = PackageManager.PERMISSION_DENIED - 1;
/** Constant when the PID for which we check permissions is unknown. */
public static final int PID_UNKNOWN = -1;
/** @hide */
@IntDef({PERMISSION_GRANTED,
PERMISSION_DENIED,
PERMISSION_DENIED_APP_OP})
@Retention(RetentionPolicy.SOURCE)
public @interface PermissionResult {}
private PermissionChecker() {
/* do nothing */
}
/**
* Checks whether a given package in a UID and PID has a given permission
* and whether the app op that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* point where you will deliver the permission protected data to clients.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use {@link #checkPermissionForPreflight(Context, String, int, int, String)}
* to determine if the app has or may have location permission (if app has only foreground
* location the grant state depends on the app's fg/gb state) and this check will not
* leave a trace that permission protected data was delivered. When you are about to
* deliver the location data to a registered listener you should use this method which
* will evaluate the permission access based on the current fg/bg state of the app and
* leave a record that the data was accessed.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @param pid The process id for which to check. Use {@link #PID_UNKNOWN} if the PID
* is not known.
* @param uid The uid for which to check.
* @param packageName The package name for which to check. If null the
* the first package for the calling UID will be used.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkPermissionForPreflight(Context, String, int, int, String)
*/
@PermissionResult
public static int checkPermissionForDataDelivery(@NonNull Context context,
@NonNull String permission, int pid, int uid, @Nullable String packageName) {
return checkPermissionCommon(context, permission, pid, uid, packageName,
true /*forDataDelivery*/);
}
/**
* Checks whether a given package in a UID and PID has a given permission
* and whether the app op that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* preflight point where you will not deliver the permission protected data
* to clients but schedule permission data delivery, apps register listeners,
* etc.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use this method to determine if the app has or may have location
* permission (if app has only foreground location the grant state depends on the app's
* fg/gb state) and this check will not leave a trace that permission protected data
* was delivered. When you are about to deliver the location data to a registered
* listener you should use {@link #checkPermissionForDataDelivery(Context, String,
* int, int, String)} which will evaluate the permission access based on the current
* fg/bg state of the app and leave a record that the data was accessed.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @param pid The process id for which to check.
* @param uid The uid for which to check.
* @param packageName The package name for which to check. If null the
* the first package for the calling UID will be used.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkPermissionForDataDelivery(Context, String, int, int, String)
*/
@PermissionResult
public static int checkPermissionForPreflight(@NonNull Context context,
@NonNull String permission, int pid, int uid, @Nullable String packageName) {
return checkPermissionCommon(context, permission, pid, uid, packageName,
false /*forDataDelivery*/);
}
/**
* Checks whether your app has a given permission and whether the app op
* that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* point where you will deliver the permission protected data to clients.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use {@link #checkSelfPermissionForPreflight(Context, String)}
* to determine if the app has or may have location permission (if app has only foreground
* location the grant state depends on the app's fg/gb state) and this check will not
* leave a trace that permission protected data was delivered. When you are about to
* deliver the location data to a registered listener you should use this method
* which will evaluate the permission access based on the current fg/bg state of the
* app and leave a record that the data was accessed.
*
* <p>This API assumes the the {@link Binder#getCallingUid()} is the same as
* {@link Process#myUid()}.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkSelfPermissionForPreflight(Context, String)
*/
@PermissionResult
public static int checkSelfPermissionForDataDelivery(@NonNull Context context,
@NonNull String permission) {
return checkPermissionForDataDelivery(context, permission, Process.myPid(),
Process.myUid(), context.getPackageName());
}
/**
* Checks whether your app has a given permission and whether the app op
* that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* preflight point where you will not deliver the permission protected data
* to clients but schedule permission data delivery, apps register listeners,
* etc.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use this method to determine if the app has or may have location
* permission (if app has only foreground location the grant state depends on the
* app's fg/gb state) and this check will not leave a trace that permission protected
* data was delivered. When you are about to deliver the location data to a registered
* listener you should use this method which will evaluate the permission access based
* on the current fg/bg state of the app and leave a record that the data was accessed.
*
* <p>This API assumes the the {@link Binder#getCallingUid()} is the same as
* {@link Process#myUid()}.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkSelfPermissionForDataDelivery(Context, String)
*/
@PermissionResult
public static int checkSelfPermissionForPreflight(@NonNull Context context,
@NonNull String permission) {
return checkPermissionForPreflight(context, permission, Process.myPid(),
Process.myUid(), context.getPackageName());
}
/**
* Checks whether the IPC you are handling has a given permission and whether
* the app op that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* point where you will deliver the permission protected data to clients.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use {@link #checkCallingPermissionForPreflight(Context, String, String)}
* to determine if the app has or may have location permission (if app has only foreground
* location the grant state depends on the app's fg/gb state) and this check will not
* leave a trace that permission protected data was delivered. When you are about to
* deliver the location data to a registered listener you should use this method which
* will evaluate the permission access based on the current fg/bg state of the app and
* leave a record that the data was accessed.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @param packageName The package name making the IPC. If null the
* the first package for the calling UID will be used.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkCallingPermissionForPreflight(Context, String, String)
*/
@PermissionResult
public static int checkCallingPermissionForDataDelivery(@NonNull Context context,
@NonNull String permission, @Nullable String packageName) {
if (Binder.getCallingPid() == Process.myPid()) {
return PERMISSION_DENIED;
}
return checkPermissionForDataDelivery(context, permission, Binder.getCallingPid(),
Binder.getCallingUid(), packageName);
}
/**
* Checks whether the IPC you are handling has a given permission and whether
* the app op that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* preflight point where you will not deliver the permission protected data
* to clients but schedule permission data delivery, apps register listeners,
* etc.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use this method to determine if the app has or may have location
* permission (if app has only foreground location the grant state depends on the app's
* fg/gb state) and this check will not leave a trace that permission protected data
* was delivered. When you are about to deliver the location data to a registered
* listener you should use {@link #checkCallingOrSelfPermissionForDataDelivery(Context,
* String)} which will evaluate the permission access based on the current fg/bg state
* of the app and leave a record that the data was accessed.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @param packageName The package name making the IPC. If null the
* the first package for the calling UID will be used.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkCallingPermissionForDataDelivery(Context, String, String)
*/
@PermissionResult
public static int checkCallingPermissionForPreflight(@NonNull Context context,
@NonNull String permission, @Nullable String packageName) {
if (Binder.getCallingPid() == Process.myPid()) {
return PERMISSION_DENIED;
}
return checkPermissionForPreflight(context, permission, Binder.getCallingPid(),
Binder.getCallingUid(), packageName);
}
/**
* Checks whether the IPC you are handling or your app has a given permission
* and whether the app op that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* point where you will deliver the permission protected data to clients.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use {@link #checkCallingOrSelfPermissionForPreflight(Context, String)}
* to determine if the app has or may have location permission (if app has only foreground
* location the grant state depends on the app's fg/gb state) and this check will not
* leave a trace that permission protected data was delivered. When you are about to
* deliver the location data to a registered listener you should use this method which
* will evaluate the permission access based on the current fg/bg state of the app and
* leave a record that the data was accessed.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkCallingOrSelfPermissionForPreflight(Context, String)
*/
@PermissionResult
public static int checkCallingOrSelfPermissionForDataDelivery(@NonNull Context context,
@NonNull String permission) {
String packageName = (Binder.getCallingPid() == Process.myPid())
? context.getPackageName() : null;
return checkPermissionForDataDelivery(context, permission, Binder.getCallingPid(),
Binder.getCallingUid(), packageName);
}
/**
* Checks whether the IPC you are handling or your app has a given permission
* and whether the app op that corresponds to this permission is allowed.
*
* <strong>NOTE:</strong> Use this method only for permission checks at the
* preflight point where you will not deliver the permission protected data
* to clients but schedule permission data delivery, apps register listeners,
* etc.
*
* <p>For example, if an app registers a location listener it should have the location
* permission but no data is actually sent to the app at the moment of registration
* and you should use this method to determine if the app has or may have location
* permission (if app has only foreground location the grant state depends on the
* app's fg/gb state) and this check will not leave a trace that permission protected
* data was delivered. When you are about to deliver the location data to a registered
* listener you should use {@link #checkCallingOrSelfPermissionForDataDelivery(Context,
* String)} which will evaluate the permission access based on the current fg/bg state
* of the app and leave a record that the data was accessed.
*
* @param context Context for accessing resources.
* @param permission The permission to check.
* @return The permission check result which is either {@link #PERMISSION_GRANTED}
* or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
*
* @see #checkCallingOrSelfPermissionForDataDelivery(Context, String)
*/
@PermissionResult
public static int checkCallingOrSelfPermissionForPreflight(@NonNull Context context,
@NonNull String permission) {
String packageName = (Binder.getCallingPid() == Process.myPid())
? context.getPackageName() : null;
return checkPermissionForPreflight(context, permission, Binder.getCallingPid(),
Binder.getCallingUid(), packageName);
}
private static int checkPermissionCommon(@NonNull Context context, @NonNull String permission,
int pid, int uid, @Nullable String packageName, boolean forDataDelivery) {
if (context.checkPermission(permission, pid, uid) == PackageManager.PERMISSION_DENIED) {
return PERMISSION_DENIED;
}
AppOpsManager appOpsManager = context.getSystemService(AppOpsManager.class);
String op = appOpsManager.permissionToOp(permission);
if (op == null) {
return PERMISSION_GRANTED;
}
if (packageName == null) {
String[] packageNames = context.getPackageManager().getPackagesForUid(uid);
if (packageNames == null || packageNames.length <= 0) {
return PERMISSION_DENIED;
}
packageName = packageNames[0];
}
if (forDataDelivery) {
if (appOpsManager.noteProxyOpNoThrow(op, packageName, uid)
!= AppOpsManager.MODE_ALLOWED) {
return PERMISSION_DENIED_APP_OP;
}
} else {
final int mode = appOpsManager.unsafeCheckOpRawNoThrow(op, uid, packageName);
if (mode != AppOpsManager.MODE_ALLOWED && mode != AppOpsManager.MODE_FOREGROUND) {
return PERMISSION_DENIED_APP_OP;
}
}
return PERMISSION_GRANTED;
}
}
|
