diff options
| author | Yerriswamy <yerriswamy.kurubathayanna@nxp.com> | 2020-04-14 08:17:29 +0530 |
|---|---|---|
| committer | nxf24591 <nanjesh.s_1@nxp.com> | 2020-05-01 00:48:12 +0530 |
| commit | 83fb85cafb113d5664680cb5aa221b929f5a01bc (patch) | |
| tree | 0e9638d006f8d1860c9a99d1d0a0703e8c1eddc4 | |
| parent | 954e4c89757339b6690d70e4ea449e5bb112b3fe (diff) | |
{R-DP1} Add Carrier Privilege support
Support Carrier Privilege rules.
Bug: 139701995
Test: Check carrier privilege rules could be parsed correctly
Change-Id: I2838d335f9993eb7e50323773ed52579f53766a3
| -rwxr-xr-x | src/com/android/se/Terminal.java | 68 | ||||
| -rwxr-xr-x | src/com/android/se/security/AccessControlEnforcer.java | 29 | ||||
| -rw-r--r-- | src/com/android/se/security/AccessRuleCache.java | 39 | ||||
| -rwxr-xr-x | src/com/android/se/security/ChannelAccess.java | 11 |
4 files changed, 134 insertions, 13 deletions
diff --git a/src/com/android/se/Terminal.java b/src/com/android/se/Terminal.java index ba8b69e..92dcec3 100755 --- a/src/com/android/se/Terminal.java +++ b/src/com/android/se/Terminal.java @@ -43,7 +43,9 @@ package com.android.se; import android.content.Context; +import android.content.pm.PackageInfo; import android.content.pm.PackageManager; +import android.content.pm.PackageManager.NameNotFoundException; import android.hardware.secure_element.V1_0.ISecureElement; import android.hardware.secure_element.V1_0.ISecureElementHalCallback; import android.hardware.secure_element.V1_0.LogicalChannelResponse; @@ -457,17 +459,19 @@ public class Terminal { throw new IOException("Secure Element is not connected"); } - Log.w(mTag, "Enable access control on basic channel for " + packageName); - StatsLog.write( - StatsLog.SE_OMAPI_REPORTED, - StatsLog.SE_OMAPI_REPORTED__OPERATION__OPEN_CHANNEL, - mName, - packageName); - ChannelAccess channelAccess; - try { - channelAccess = setUpChannelAccess(aid, packageName, pid); - } catch (MissingResourceException e) { - return null; + ChannelAccess channelAccess = null; + if (packageName != null) { + Log.w(mTag, "Enable access control on basic channel for " + packageName); + StatsLog.write( + StatsLog.SE_OMAPI_REPORTED, + StatsLog.SE_OMAPI_REPORTED__OPERATION__OPEN_CHANNEL, + mName, + packageName); + try { + channelAccess = setUpChannelAccess(aid, packageName, pid); + } catch (MissingResourceException e) { + return null; + } } synchronized (mLock) { @@ -771,6 +775,9 @@ public class Terminal { if (isPrivilegedApplication(packageName)) { return ChannelAccess.getPrivilegeAccess(packageName, pid); + } else if (getName().startsWith(SecureElementService.UICC_TERMINAL) + && isCarrierPrivilegeApplication(packageName)) { + return ChannelAccess.getCarrierPrivilegeAccess(packageName, pid); } synchronized (mLock) { @@ -830,6 +837,45 @@ public class Terminal { return mContext; } + /** + * Checks if Carrier Privilege exists for the given package + */ + private boolean isCarrierPrivilegeApplication(String packageName) { + try { + PackageManager pm = mContext.getPackageManager(); + if (pm != null) { + PackageInfo pkgInfo = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES); + return checkCarrierPrivilegeRules(pkgInfo); + } + } catch (NameNotFoundException ne) { } + return false; + } + + /** + * Checks if Carrier Privilege exists for the given package + */ + public boolean checkCarrierPrivilegeRules(PackageInfo pInfo) { + boolean checkRefreshTag = true; + if (mAccessControlEnforcer == null || mAccessControlEnforcer.isNoRuleFound()) { + try { + initializeAccessControl(); + } catch (IOException e) { + return false; + } + checkRefreshTag = false; + } + mAccessControlEnforcer.setPackageManager(mContext.getPackageManager()); + + synchronized (mLock) { + try { + return mAccessControlEnforcer.checkCarrierPrivilege(pInfo, checkRefreshTag); + } catch (Exception e) { + Log.i(mTag, "checkCarrierPrivilege() Exception: " + e.getMessage()); + return false; + } + } + } + /** Dump data for debug purpose . */ public void dump(PrintWriter writer) { writer.println("SECURE ELEMENT SERVICE TERMINAL: " + mName); diff --git a/src/com/android/se/security/AccessControlEnforcer.java b/src/com/android/se/security/AccessControlEnforcer.java index a4ceb70..bcf3a9a 100755 --- a/src/com/android/se/security/AccessControlEnforcer.java +++ b/src/com/android/se/security/AccessControlEnforcer.java @@ -451,6 +451,35 @@ public class AccessControlEnforcer { } } + /** Returns true if the given package has Carrier Privileges */ + public synchronized boolean checkCarrierPrivilege(PackageInfo pInfo, boolean checkRefreshTag) { + if (!mUseAra && !mUseArf) { + return false; + } + if (checkRefreshTag) { + try { + updateAccessRuleIfNeed(); + } catch (IOException | MissingResourceException e) { + throw new AccessControlException("Access-Control not found in " + + mTerminal.getName()); + } + } + if (mRulesRead) { + return false; + } + try { + List<byte[]> appCertHashes = getAppCertHashes(pInfo.packageName); + if (appCertHashes == null || appCertHashes.size() == 0) { + return false; + } + + return mAccessRuleCache.checkCarrierPrivilege(pInfo.packageName, appCertHashes); + } catch (Exception e) { + Log.w(mTag, " checkCarrierPrivilege: " + e.getLocalizedMessage()); + } + return false; + } + /** Debug information to be used by dumpsys */ public void dump(PrintWriter writer) { writer.println(mTag + ":"); diff --git a/src/com/android/se/security/AccessRuleCache.java b/src/com/android/se/security/AccessRuleCache.java index 6d854c0..97c63bb 100644 --- a/src/com/android/se/security/AccessRuleCache.java +++ b/src/com/android/se/security/AccessRuleCache.java @@ -41,6 +41,7 @@ import android.util.Log; import com.android.se.security.gpac.AID_REF_DO; import com.android.se.security.gpac.AR_DO; import com.android.se.security.gpac.Hash_REF_DO; +import com.android.se.security.gpac.PKG_REF_DO; import com.android.se.security.gpac.REF_DO; import java.io.PrintWriter; @@ -65,6 +66,7 @@ public class AccessRuleCache { // recreated. private byte[] mRefreshTag = null; private Map<REF_DO, ChannelAccess> mRuleCache = new HashMap<REF_DO, ChannelAccess>(); + private ArrayList<REF_DO> mCarrierPrivilegeCache = new ArrayList<REF_DO>(); private static AID_REF_DO getAidRefDo(byte[] aid) { byte[] defaultAid = new byte[]{0x00, 0x00, 0x00, 0x00, 0x00}; @@ -132,17 +134,19 @@ public class AccessRuleCache { public void reset() { mRefreshTag = null; mRuleCache.clear(); + mCarrierPrivilegeCache.clear(); } /** Clears access rule cache only. */ public void clearCache() { mRuleCache.clear(); + mCarrierPrivilegeCache.clear(); } /** Adds the Rule to the Cache */ public void putWithMerge(REF_DO refDo, AR_DO arDo) { if (refDo.isCarrierPrivilegeRefDo()) { - // Ignore Carrier Privilege Rules + mCarrierPrivilegeCache.add(refDo); return; } ChannelAccess channelAccess = mapArDo2ChannelAccess(arDo); @@ -152,7 +156,7 @@ public class AccessRuleCache { /** Adds the Rule to the Cache */ public void putWithMerge(REF_DO refDo, ChannelAccess channelAccess) { if (refDo.isCarrierPrivilegeRefDo()) { - // Ignore Carrier Privilege Rules + mCarrierPrivilegeCache.add(refDo); return; } if (mRuleCache.containsKey(refDo)) { @@ -443,6 +447,27 @@ public class AccessRuleCache { return null; } + /** Check if the carrier privilege exists for the given package */ + public boolean checkCarrierPrivilege(String packageName, List<byte[]> appCertHashes) { + for (byte[] hash : appCertHashes) { + for (REF_DO ref_do : mCarrierPrivilegeCache) { + Hash_REF_DO hash_ref_do = ref_do.getHashDo(); + PKG_REF_DO pkg_ref_do = ref_do.getPkgDo(); + if (Hash_REF_DO.equals(hash_ref_do, new Hash_REF_DO(hash))) { + // If PKG_REF_DO exists then package name should match, otherwise allow + if (pkg_ref_do != null) { + if (packageName.equals(pkg_ref_do.getPackageName())) { + return true; + } + } else { + return true; + } + } + } + } + return false; + } + /** Check if the given Refresh Tag is equal to the last known */ public boolean isRefreshTagEqual(byte[] refreshTag) { if (refreshTag == null || mRefreshTag == null) return false; @@ -481,5 +506,15 @@ public class AccessRuleCache { writer.println(entry.getKey().toString() + " -> " + entry.getValue().toString()); } writer.println(); + + /* Dump the Carrier Privilege cache */ + writer.println("Carrier Privilege:"); + i = 0; + for (REF_DO ref_do : mCarrierPrivilegeCache) { + i++; + writer.print("carrier privilege " + i + ": "); + writer.println(ref_do.toString()); + } + writer.println(); } } diff --git a/src/com/android/se/security/ChannelAccess.java b/src/com/android/se/security/ChannelAccess.java index 31ca45e..d75ad15 100755 --- a/src/com/android/se/security/ChannelAccess.java +++ b/src/com/android/se/security/ChannelAccess.java @@ -144,6 +144,17 @@ public class ChannelAccess { return ca; } + /** Provides the ChannelAccess with CarrierPrivilege Access */ + public static ChannelAccess getCarrierPrivilegeAccess(String packageName, int pid) { + ChannelAccess ca = new ChannelAccess(); + ca.setPackageName(packageName); + ca.setCallingPid(pid); + ca.setAccess(ACCESS.ALLOWED, "Carrier-Privilege"); + ca.setApduAccess(ACCESS.ALLOWED); + + return ca; + } + @Override public String toString() { StringBuilder sb = new StringBuilder(); |