Enforce permission for print system APIs

The permission is preinstalled as we want to leave the PrintSpooler unpriviledged. Test: Checked that Settings, PrintSpooler and BuiltInPrintService still behave as expected. Fixes: 62350107 Change-Id: Id33896f2899533f2d05cafa926df29cf1c6bfa77
author: Philip P. Moltmann <moltmann@google.com> 2017-06-19 10:55:09 -0700
committer: Philip P. Moltmann <moltmann@google.com> 2017-07-14 16:16:13 -0700
commit: 6870033d374a15fd212675d570a2877c28f1cbf0 (patch)
tree: c338bdb0eb15205a50bcec7a1b82a5cd86e62f17 /services/print
parent: b8e4695fe8a2542bd3351ba96431d77dcc39dc5c (diff)
1 files changed, 15 insertions, 3 deletions
diff --git a/services/print/java/com/android/server/print/PrintManagerService.java b/services/print/java/com/android/server/print/PrintManagerService.java
index 3ec83800557a..6c417a9baf93 100644
--- a/services/print/java/com/android/server/print/PrintManagerService.java
+++ b/services/print/java/com/android/server/print/PrintManagerService.java
@@ -263,6 +263,8 @@ public final class PrintManagerService extends SystemService {
             Preconditions.checkFlagsArgument(selectionFlags,
                     PrintManager.DISABLED_SERVICES | PrintManager.ENABLED_SERVICES);
 
+            mContext.enforceCallingOrSelfPermission(
+                    android.Manifest.permission.READ_PRINT_SERVICES, null);
             final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
             final UserState userState;
             synchronized (mLock) {
@@ -316,6 +318,8 @@ public final class PrintManagerService extends SystemService {
 
         @Override
         public List<RecommendationInfo> getPrintServiceRecommendations(int userId) {
+            mContext.enforceCallingOrSelfPermission(
+                    android.Manifest.permission.READ_PRINT_SERVICE_RECOMMENDATIONS, null);
             final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
             final UserState userState;
             synchronized (mLock) {
@@ -538,6 +542,8 @@ public final class PrintManagerService extends SystemService {
                 int userId) throws RemoteException {
             listener = Preconditions.checkNotNull(listener);
 
+            mContext.enforceCallingOrSelfPermission(android.Manifest.permission.READ_PRINT_SERVICES,
+                    null);
             final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
             final UserState userState;
             synchronized (mLock) {
@@ -560,6 +566,8 @@ public final class PrintManagerService extends SystemService {
                 int userId) {
             listener = Preconditions.checkNotNull(listener);
 
+            mContext.enforceCallingOrSelfPermission(android.Manifest.permission.READ_PRINT_SERVICES,
+                    null);
             final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
             final UserState userState;
             synchronized (mLock) {
@@ -583,6 +591,8 @@ public final class PrintManagerService extends SystemService {
                 throws RemoteException {
             listener = Preconditions.checkNotNull(listener);
 
+            mContext.enforceCallingOrSelfPermission(
+                    android.Manifest.permission.READ_PRINT_SERVICE_RECOMMENDATIONS, null);
             final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
             final UserState userState;
             synchronized (mLock) {
@@ -605,6 +615,8 @@ public final class PrintManagerService extends SystemService {
                 IRecommendationsChangeListener listener, int userId) {
             listener = Preconditions.checkNotNull(listener);
 
+            mContext.enforceCallingOrSelfPermission(
+                    android.Manifest.permission.READ_PRINT_SERVICE_RECOMMENDATIONS, null);
             final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
             final UserState userState;
             synchronized (mLock) {
@@ -888,12 +900,12 @@ public final class PrintManagerService extends SystemService {
 
         private int resolveCallingAppEnforcingPermissions(int appId) {
             final int callingUid = Binder.getCallingUid();
-            if (callingUid == 0 || callingUid == Process.SYSTEM_UID
-                    || callingUid == Process.SHELL_UID) {
+            if (callingUid == 0) {
                 return appId;
             }
             final int callingAppId = UserHandle.getAppId(callingUid);
-            if (appId == callingAppId) {
+            if (appId == callingAppId || callingAppId == Process.SHELL_UID
+                    || callingAppId == Process.SYSTEM_UID) {
                 return appId;
             }
             if (mContext.checkCallingPermission(
author	Philip P. Moltmann <moltmann@google.com>	2017-06-19 10:55:09 -0700
committer	Philip P. Moltmann <moltmann@google.com>	2017-07-14 16:16:13 -0700
commit	6870033d374a15fd212675d570a2877c28f1cbf0 (patch)
tree	c338bdb0eb15205a50bcec7a1b82a5cd86e62f17 /services/print
parent	b8e4695fe8a2542bd3351ba96431d77dcc39dc5c (diff)