authorRemi NGUYEN VAN <reminv@google.com>2019-01-30 21:45:56 +0900
committerRemi NGUYEN VAN <reminv@google.com>2019-01-31 21:16:13 +0900
commitd65832ec45955abfb2f49fb135f1569764f3b8c6 (patch)
treef9c7a5c370d78ef38b05713b862b061ed7a65e8f
parent5b3645191083aa26d95fe80a01f4fbf1f7a37d3c (diff)
Add NetworkStackPermissionStub definitions
The NetworkStackPermissionStub package is used to enforce that permissions used by the NetworkStack are only used in packages sharing signature with NetworkStackPermissionStub. Permissions defined in this package are intended to be used only by the NetworkStack: both NetworkStack and the stub APK will be signed with a dedicated certificate to ensure that, with permissions being signature permissions. This APK *must* be installed, even if the NetworkStack app is not installed, because otherwise, any application will be able to define this permission and the system will give that application full access to the network stack. Test: flashed, booted Bug: 112869080 Change-Id: Ia13a9e6a703cb7b4403697a7f7bfff0f6f3b813e
-rw-r--r--Android.bp1
-rw-r--r--AndroidManifest.xml2
2 files changed, 3 insertions, 0 deletions
diff --git a/Android.bp b/Android.bp
index b0522f2..d656593 100644
--- a/Android.bp
+++ b/Android.bp
@@ -41,4 +41,5 @@ android_app {
"NetworkStackLib"
],
manifest: "AndroidManifest.xml",
+ required: ["NetworkStackPermissionStub"],
}
\ No newline at end of file
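Review bot: The added `required: ["NetworkStackPermissionStub"]` only pulls the stub into builds that include this `android_app` module, but the commit description says the stub must be installed even when the NetworkStack app is not, because otherwise any application could define the permission itself. If that case is meant to be covered, the stub also has to be listed in the product's package list independently of this module; this commit does not show that, so it may be handled elsewhere. A comment above the line would record the reason, e.g. `// Stub defines the signature permissions used by NetworkStack; it must be installed so no other app can define them.` The `android_app` block starts outside the hunk.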
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 5ab833b..ac55bfa 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -25,6 +25,8 @@
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.CONNECTIVITY_INTERNAL" />
<uses-permission android:name="android.permission.NETWORK_SETTINGS" />
+ <!-- Signature permission defined in NetworkStackStub -->
+ <uses-permission android:name="android.permission.MAINLINE_NETWORK_STACK" />
<!-- Launch captive portal app as specific user -->
<uses-permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL" />
<uses-permission android:name="android.permission.NETWORK_STACK" />
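Review bot: The added comment names the defining package as `NetworkStackStub`, while the module added to `required` in Android.bp and the commit description both call it `NetworkStackPermissionStub`; the comment should read `<!-- Signature permission defined in NetworkStackPermissionStub -->` so a reader can find the definition. It would also help to state in the comment that the permission is only trustworthy when the stub is installed and signed with the same certificate as this app, since per the commit description an absent stub lets another package define it first.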