Appops permission monitoring for GET_USAGE_STATS.

This makes sure DataLoader won't be able to obtain read logs once user denies access. Bug: b/152633648 Test: atest PackageManagerShellCommandTest PackageManagerShellCommandIncrementalTest IncrementalServiceTest Test: adb shell appops set 1000 GET_USAGE_STATS deny Change-Id: Ibbb74933b4ef0dd8f5fe27732743e5820b8ee4dc
author: Alex Buynytskyy <alexbuy@google.com> 2020-04-03 23:00:19 -0700
committer: Alex Buynytskyy <alexbuy@google.com> 2020-04-06 12:22:49 -0700
commit: 1d89216eac8d5c122056165d77322151cc26a70c (patch)
tree: bad152666c0b2e0b2e4728b83418b19f1d73e498 /services/incremental/ServiceWrappers.h
parent: 3fc58ee5d501fc4a87455b690762207d8de52a32 (diff)
1 files changed, 34 insertions, 19 deletions
diff --git a/services/incremental/ServiceWrappers.h b/services/incremental/ServiceWrappers.h
index 449b457045c6..84bf1ffaf45c 100644
--- a/services/incremental/ServiceWrappers.h
+++ b/services/incremental/ServiceWrappers.h
@@ -16,6 +16,8 @@
 
 #pragma once
 
+#include "IncrementalServiceValidation.h"
+
 #include <android-base/strings.h>
 #include <android-base/unique_fd.h>
 #include <android/content/pm/DataLoaderParamsParcel.h>
@@ -85,7 +87,10 @@ public:
 class AppOpsManagerWrapper {
 public:
     virtual ~AppOpsManagerWrapper() = default;
+    virtual binder::Status checkPermission(const char* permission, const char* operation,
+                                           const char* package) const = 0;
     virtual void startWatchingMode(int32_t op, const String16& packageName, const sp<IAppOpsCallback>& callback) = 0;
+    virtual void stopWatchingMode(const sp<IAppOpsCallback>& callback) = 0;
 };
 
 class ServiceManagerWrapper {
@@ -105,17 +110,19 @@ public:
     ~RealVoldService() = default;
     binder::Status mountIncFs(const std::string& backingPath, const std::string& targetDir,
                               int32_t flags,
-                              IncrementalFileSystemControlParcel* _aidl_return) const override {
+                              IncrementalFileSystemControlParcel* _aidl_return) const final {
         return mInterface->mountIncFs(backingPath, targetDir, flags, _aidl_return);
     }
-    binder::Status unmountIncFs(const std::string& dir) const override {
+    binder::Status unmountIncFs(const std::string& dir) const final {
         return mInterface->unmountIncFs(dir);
     }
     binder::Status bindMount(const std::string& sourceDir,
-                             const std::string& targetDir) const override {
+                             const std::string& targetDir) const final {
         return mInterface->bindMount(sourceDir, targetDir);
     }
-    binder::Status setIncFsMountOptions(const ::android::os::incremental::IncrementalFileSystemControlParcel& control, bool enableReadLogs) const override {
+    binder::Status setIncFsMountOptions(
+            const ::android::os::incremental::IncrementalFileSystemControlParcel& control,
+            bool enableReadLogs) const final {
         return mInterface->setIncFsMountOptions(control, enableReadLogs);
     }
 
@@ -131,13 +138,13 @@ public:
     binder::Status initializeDataLoader(MountId mountId, const DataLoaderParamsParcel& params,
                                         const FileSystemControlParcel& control,
                                         const sp<IDataLoaderStatusListener>& listener,
-                                        bool* _aidl_return) const override {
+                                        bool* _aidl_return) const final {
         return mInterface->initializeDataLoader(mountId, params, control, listener, _aidl_return);
     }
-    binder::Status getDataLoader(MountId mountId, sp<IDataLoader>* _aidl_return) const override {
+    binder::Status getDataLoader(MountId mountId, sp<IDataLoader>* _aidl_return) const final {
         return mInterface->getDataLoader(mountId, _aidl_return);
     }
-    binder::Status destroyDataLoader(MountId mountId) const override {
+    binder::Status destroyDataLoader(MountId mountId) const final {
         return mInterface->destroyDataLoader(mountId);
     }
 
@@ -148,9 +155,18 @@ private:
 class RealAppOpsManager : public AppOpsManagerWrapper {
 public:
     ~RealAppOpsManager() = default;
-    void startWatchingMode(int32_t op, const String16& packageName, const sp<IAppOpsCallback>& callback) override {
+    binder::Status checkPermission(const char* permission, const char* operation,
+                                   const char* package) const final {
+        return android::incremental::CheckPermissionForDataDelivery(permission, operation, package);
+    }
+    void startWatchingMode(int32_t op, const String16& packageName,
+                           const sp<IAppOpsCallback>& callback) final {
         mAppOpsManager.startWatchingMode(op, packageName, callback);
     }
+    void stopWatchingMode(const sp<IAppOpsCallback>& callback) final {
+        mAppOpsManager.stopWatchingMode(callback);
+    }
+
 private:
     android::AppOpsManager mAppOpsManager;
 };
@@ -174,36 +190,35 @@ class RealIncFs : public IncFsWrapper {
 public:
     RealIncFs() = default;
     ~RealIncFs() = default;
-    Control createControl(IncFsFd cmd, IncFsFd pendingReads, IncFsFd logs) const override {
+    Control createControl(IncFsFd cmd, IncFsFd pendingReads, IncFsFd logs) const final {
         return incfs::createControl(cmd, pendingReads, logs);
     }
     ErrorCode makeFile(const Control& control, std::string_view path, int mode, FileId id,
-                       NewFileParams params) const override {
+                       NewFileParams params) const final {
         return incfs::makeFile(control, path, mode, id, params);
     }
-    ErrorCode makeDir(const Control& control, std::string_view path, int mode) const override {
+    ErrorCode makeDir(const Control& control, std::string_view path, int mode) const final {
         return incfs::makeDir(control, path, mode);
     }
-    RawMetadata getMetadata(const Control& control, FileId fileid) const override {
+    RawMetadata getMetadata(const Control& control, FileId fileid) const final {
         return incfs::getMetadata(control, fileid);
     }
-    RawMetadata getMetadata(const Control& control, std::string_view path) const override {
+    RawMetadata getMetadata(const Control& control, std::string_view path) const final {
         return incfs::getMetadata(control, path);
     }
-    FileId getFileId(const Control& control, std::string_view path) const override {
+    FileId getFileId(const Control& control, std::string_view path) const final {
         return incfs::getFileId(control, path);
     }
-    ErrorCode link(const Control& control, std::string_view from,
-                   std::string_view to) const override {
+    ErrorCode link(const Control& control, std::string_view from, std::string_view to) const final {
         return incfs::link(control, from, to);
     }
-    ErrorCode unlink(const Control& control, std::string_view path) const override {
+    ErrorCode unlink(const Control& control, std::string_view path) const final {
         return incfs::unlink(control, path);
     }
-    base::unique_fd openForSpecialOps(const Control& control, FileId id) const override {
+    base::unique_fd openForSpecialOps(const Control& control, FileId id) const final {
         return base::unique_fd{incfs::openForSpecialOps(control, id).release()};
     }
-    ErrorCode writeBlocks(Span<const DataBlock> blocks) const override {
+    ErrorCode writeBlocks(Span<const DataBlock> blocks) const final {
         return incfs::writeBlocks(blocks);
     }
 };
author	Alex Buynytskyy <alexbuy@google.com>	2020-04-03 23:00:19 -0700
committer	Alex Buynytskyy <alexbuy@google.com>	2020-04-06 12:22:49 -0700
commit	1d89216eac8d5c122056165d77322151cc26a70c (patch)
tree	bad152666c0b2e0b2e4728b83418b19f1d73e498 /services/incremental/ServiceWrappers.h
parent	3fc58ee5d501fc4a87455b690762207d8de52a32 (diff)