OpenBasicChannel with UICC should not be allowed for non-privilege apps

Throw exception in setUpChannelAccess if this is not a privilege app.
author: Ganesh Deva <ganesh.deva_1@nxp.com> 2020-07-22 19:15:33 +0530
committer: nxf24591 <nanjesh.s_1@nxp.com> 2020-09-08 17:44:08 +0530
commit: e80b688eb7e17271b17bb6bd04dece2c3df5d1b5 (patch)
tree: 166163ef5577c192d98595ce5a60c42f65dcafed
parent: 136565c20c5787265a720c154f32f887603bcdb6 (diff)
1 files changed, 11 insertions, 6 deletions
diff --git a/src/com/android/se/Terminal.java b/src/com/android/se/Terminal.java
index 8147601..1108440 100755
--- a/src/com/android/se/Terminal.java
+++ b/src/com/android/se/Terminal.java
@@ -473,7 +473,9 @@ public class Terminal {
                     mName,
                     packageName);
             try {
-                channelAccess = setUpChannelAccess(aid, packageName, pid);
+                // For application without privilege permission or carrier privilege,
+                // openBasicChannel with UICC terminals should be rejected.
+                channelAccess = setUpChannelAccess(aid, packageName, pid, true);
             } catch (MissingResourceException e) {
                 return null;
             }
@@ -560,7 +562,7 @@ public class Terminal {
                     mName,
                     packageName);
             try {
-                channelAccess = setUpChannelAccess(aid, packageName, pid);
+                channelAccess = setUpChannelAccess(aid, packageName, pid, false);
             } catch (MissingResourceException e) {
                 return null;
             }
@@ -787,8 +789,8 @@ public class Terminal {
     /**
      * Initialize the Access Control and set up the channel access.
      */
-    private ChannelAccess setUpChannelAccess(byte[] aid, String packageName, int pid)
-            throws IOException, MissingResourceException {
+    private ChannelAccess setUpChannelAccess(byte[] aid, String packageName, int pid,
+            boolean isBasicChannel) throws IOException, MissingResourceException {
         boolean checkRefreshTag = true;
         if (isPrivilegedApplication(packageName)) {
             return ChannelAccess.getPrivilegeAccess(packageName, pid);
@@ -811,17 +813,20 @@ public class Terminal {
                 if (pm != null) {
                     PackageInfo pkgInfo =
                             pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
-                    if (mAccessControlEnforcer.checkCarrierPrivilege(pkgInfo, checkRefreshTag)) {
+                    // Do not check the refresh tag for carrier privilege
+                    if (mAccessControlEnforcer.checkCarrierPrivilege(pkgInfo, false)) {
                         Log.i(mTag, "setUp PrivilegeAccess for CarrierPrivilegeApplication. ");
                         return ChannelAccess.getCarrierPrivilegeAccess(packageName, pid);
                     }
-                    checkRefreshTag = false;
                 }
             } catch (NameNotFoundException ne) {
                 Log.e(mTag, "checkCarrierPrivilege(): packageInfo is not found. ");
             } catch (Exception e) {
                 Log.e(mTag, "checkCarrierPrivilege() Exception: " + e.getMessage());
             }
+            if (isBasicChannel) {
+                throw new MissingResourceException("openBasicChannel is not allowed.", "", "");
+            }
         }
 
         synchronized (mLock) {
author	Ganesh Deva <ganesh.deva_1@nxp.com>	2020-07-22 19:15:33 +0530
committer	nxf24591 <nanjesh.s_1@nxp.com>	2020-09-08 17:44:08 +0530
commit	e80b688eb7e17271b17bb6bd04dece2c3df5d1b5 (patch)
tree	166163ef5577c192d98595ce5a60c42f65dcafed
parent	136565c20c5787265a720c154f32f887603bcdb6 (diff)