/* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.net.module.util; import static com.android.internal.annotations.VisibleForTesting.Visibility.PRIVATE; import android.Manifest; import android.annotation.IntDef; import android.annotation.Nullable; import android.app.ActivityManager; import android.app.AppOpsManager; import android.content.Context; import android.content.pm.PackageManager; import android.location.LocationManager; import android.net.NetworkStack; import android.os.Binder; import android.os.Build; import android.os.UserHandle; import android.util.Log; import androidx.annotation.RequiresApi; import com.android.internal.annotations.VisibleForTesting; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; /** * The methods used for location permission and location mode checking. * * @hide */ @RequiresApi(Build.VERSION_CODES.R) public class LocationPermissionChecker { private static final String TAG = "LocationPermissionChecker"; @Retention(RetentionPolicy.SOURCE) @IntDef(prefix = {"LOCATION_PERMISSION_CHECK_STATUS_"}, value = { SUCCEEDED, ERROR_LOCATION_MODE_OFF, ERROR_LOCATION_PERMISSION_MISSING, }) public @interface LocationPermissionCheckStatus{} // The location permission check succeeded. public static final int SUCCEEDED = 0; // The location mode turns off for the caller. public static final int ERROR_LOCATION_MODE_OFF = 1; // The location permission isn't granted for the caller. public static final int ERROR_LOCATION_PERMISSION_MISSING = 2; private final Context mContext; private final AppOpsManager mAppOpsManager; public LocationPermissionChecker(Context context) { if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R) { throw new UnsupportedOperationException("This utility is not supported before R"); } mContext = context; mAppOpsManager = mContext.getSystemService(AppOpsManager.class); } /** * Check location permission granted by the caller. * * This API check if the location mode enabled for the caller and the caller has * ACCESS_COARSE_LOCATION permission is targetSDK<29, otherwise, has ACCESS_FINE_LOCATION. * * @param pkgName package name of the application requesting access * @param featureId The feature in the package * @param uid The uid of the package * @param message A message describing why the permission was checked. Only needed if this is * not inside of a two-way binder call from the data receiver * * @return {@code true} returns if the caller has location permission and the location mode is * enabled. */ public boolean checkLocationPermission(String pkgName, @Nullable String featureId, int uid, @Nullable String message) { return checkLocationPermissionInternal(pkgName, featureId, uid, message) == SUCCEEDED; } /** * Check location permission granted by the caller. * * This API check if the location mode enabled for the caller and the caller has * ACCESS_COARSE_LOCATION permission is targetSDK<29, otherwise, has ACCESS_FINE_LOCATION. * Compared with {@link #checkLocationPermission(String, String, int, String)}, this API returns * the detail information about the checking result, including the reason why it's failed and * logs the error for the caller. * * @param pkgName package name of the application requesting access * @param featureId The feature in the package * @param uid The uid of the package * @param message A message describing why the permission was checked. Only needed if this is * not inside of a two-way binder call from the data receiver * * @return {@link LocationPermissionCheckStatus} the result of the location permission check. */ @VisibleForTesting(visibility = PRIVATE) public @LocationPermissionCheckStatus int checkLocationPermissionInternal( String pkgName, @Nullable String featureId, int uid, @Nullable String message) { try { checkPackage(uid, pkgName); } catch (SecurityException e) { return ERROR_LOCATION_PERMISSION_MISSING; } // Apps with NETWORK_SETTINGS, NETWORK_SETUP_WIZARD, NETWORK_STACK & MAINLINE_NETWORK_STACK // are granted a bypass. if (checkNetworkSettingsPermission(uid) || checkNetworkSetupWizardPermission(uid) || checkNetworkStackPermission(uid) || checkMainlineNetworkStackPermission(uid)) { return SUCCEEDED; } // Location mode must be enabled if (!isLocationModeEnabled()) { return ERROR_LOCATION_MODE_OFF; } // LocationAccess by App: caller must have Coarse/Fine Location permission to have access to // location information. if (!checkCallersLocationPermission(pkgName, featureId, uid, true /* coarseForTargetSdkLessThanQ */, message)) { return ERROR_LOCATION_PERMISSION_MISSING; } return SUCCEEDED; } /** * Checks that calling process has android.Manifest.permission.ACCESS_FINE_LOCATION or * android.Manifest.permission.ACCESS_COARSE_LOCATION (depending on config/targetSDK level) * and a corresponding app op is allowed for this package and uid. * * @param pkgName PackageName of the application requesting access * @param featureId The feature in the package * @param uid The uid of the package * @param coarseForTargetSdkLessThanQ If true and the targetSDK < Q then will check for COARSE * else (false or targetSDK >= Q) then will check for FINE * @param message A message describing why the permission was checked. Only needed if this is * not inside of a two-way binder call from the data receiver */ public boolean checkCallersLocationPermission(@Nullable String pkgName, @Nullable String featureId, int uid, boolean coarseForTargetSdkLessThanQ, @Nullable String message) { boolean isTargetSdkLessThanQ = isTargetSdkLessThan(pkgName, Build.VERSION_CODES.Q, uid); String permissionType = Manifest.permission.ACCESS_FINE_LOCATION; if (coarseForTargetSdkLessThanQ && isTargetSdkLessThanQ) { // Having FINE permission implies having COARSE permission (but not the reverse) permissionType = Manifest.permission.ACCESS_COARSE_LOCATION; } if (getUidPermission(permissionType, uid) == PackageManager.PERMISSION_DENIED) { return false; } // Always checking FINE - even if will not enforce. This will record the request for FINE // so that a location request by the app is surfaced to the user. boolean isFineLocationAllowed = noteAppOpAllowed( AppOpsManager.OPSTR_FINE_LOCATION, pkgName, featureId, uid, message); if (isFineLocationAllowed) { return true; } if (coarseForTargetSdkLessThanQ && isTargetSdkLessThanQ) { return noteAppOpAllowed(AppOpsManager.OPSTR_COARSE_LOCATION, pkgName, featureId, uid, message); } return false; } /** * Retrieves a handle to LocationManager (if not already done) and check if location is enabled. */ private boolean isLocationModeEnabled() { final LocationManager LocationManager = mContext.getSystemService(LocationManager.class); try { return LocationManager.isLocationEnabledForUser(UserHandle.of( getCurrentUser())); } catch (Exception e) { Log.e(TAG, "Failure to get location mode via API, falling back to settings", e); return false; } } private boolean isTargetSdkLessThan(String packageName, int versionCode, int callingUid) { final long ident = Binder.clearCallingIdentity(); try { if (mContext.getPackageManager().getApplicationInfoAsUser( packageName, 0, UserHandle.getUserHandleForUid(callingUid)).targetSdkVersion < versionCode) { return true; } } catch (PackageManager.NameNotFoundException e) { // In case of exception, assume unknown app (more strict checking) // Note: This case will never happen since checkPackage is // called to verify validity before checking App's version. } finally { Binder.restoreCallingIdentity(ident); } return false; } private boolean noteAppOpAllowed(String op, String pkgName, @Nullable String featureId, int uid, @Nullable String message) { return mAppOpsManager.noteOp(op, uid, pkgName, featureId, message) == AppOpsManager.MODE_ALLOWED; } private void checkPackage(int uid, String pkgName) throws SecurityException { if (pkgName == null) { throw new SecurityException("Checking UID " + uid + " but Package Name is Null"); } mAppOpsManager.checkPackage(uid, pkgName); } @VisibleForTesting protected int getCurrentUser() { return ActivityManager.getCurrentUser(); } private int getUidPermission(String permissionType, int uid) { // We don't care about pid, pass in -1 return mContext.checkPermission(permissionType, -1, uid); } /** * Returns true if the |uid| holds NETWORK_SETTINGS permission. */ private boolean checkNetworkSettingsPermission(int uid) { return getUidPermission(android.Manifest.permission.NETWORK_SETTINGS, uid) == PackageManager.PERMISSION_GRANTED; } /** * Returns true if the |uid| holds NETWORK_SETUP_WIZARD permission. */ private boolean checkNetworkSetupWizardPermission(int uid) { return getUidPermission(android.Manifest.permission.NETWORK_SETUP_WIZARD, uid) == PackageManager.PERMISSION_GRANTED; } /** * Returns true if the |uid| holds NETWORK_STACK permission. */ private boolean checkNetworkStackPermission(int uid) { return getUidPermission(android.Manifest.permission.NETWORK_STACK, uid) == PackageManager.PERMISSION_GRANTED; } /** * Returns true if the |uid| holds MAINLINE_NETWORK_STACK permission. */ private boolean checkMainlineNetworkStackPermission(int uid) { return getUidPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, uid) == PackageManager.PERMISSION_GRANTED; } }