Update permission check for offloadEngine registration
For an app to register itself as an offloadEngine, it must have either
of the following permissions: NETWORK_STACK,
PERMISSION_MAINLINE_NETWORK_STACK, NETWORK_SETTINGS,
REGISTER_NSD_OFFLOAD_ENGINE.
Bug: 294777050
Test: atest CtsNetTestCases FrameworksNetTests
Change-Id: I19fe9b996a02b1ae23116c02a1b8406d93b3ecf1
diff --git a/service-t/src/com/android/server/NsdService.java b/service-t/src/com/android/server/NsdService.java
index eb73ee5..415159d 100644
--- a/service-t/src/com/android/server/NsdService.java
+++ b/service-t/src/com/android/server/NsdService.java
@@ -17,15 +17,18 @@
package com.android.server;
import static android.Manifest.permission.NETWORK_SETTINGS;
+import static android.Manifest.permission.NETWORK_STACK;
import static android.net.ConnectivityManager.NETID_UNSET;
import static android.net.NetworkCapabilities.TRANSPORT_VPN;
import static android.net.NetworkCapabilities.TRANSPORT_WIFI;
+import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
import static android.net.nsd.NsdManager.MDNS_DISCOVERY_MANAGER_EVENT;
import static android.net.nsd.NsdManager.MDNS_SERVICE_EVENT;
import static android.net.nsd.NsdManager.RESOLVE_SERVICE_SUCCEEDED;
import static android.provider.DeviceConfig.NAMESPACE_TETHERING;
import static com.android.modules.utils.build.SdkLevel.isAtLeastU;
+import static com.android.networkstack.apishim.ConstantsShim.REGISTER_NSD_OFFLOAD_ENGINE;
import static com.android.server.connectivity.mdns.MdnsRecord.MAX_LABEL_LENGTH;
import static com.android.server.connectivity.mdns.util.MdnsUtils.Clock;
@@ -75,6 +78,7 @@
import com.android.internal.util.State;
import com.android.internal.util.StateMachine;
import com.android.metrics.NetworkNsdReportedMetrics;
+import com.android.modules.utils.build.SdkLevel;
import com.android.net.module.util.CollectionUtils;
import com.android.net.module.util.DeviceConfigUtils;
import com.android.net.module.util.InetAddressUtils;
@@ -2040,9 +2044,7 @@
public void registerOffloadEngine(String ifaceName, IOffloadEngine cb,
@OffloadEngine.OffloadCapability long offloadCapabilities,
@OffloadEngine.OffloadType long offloadTypes) {
- // TODO: Relax the permission because NETWORK_SETTINGS is a signature permission, and
- // it may not be possible for all the callers of this API to have it.
- PermissionUtils.enforceNetworkStackPermissionOr(mContext, NETWORK_SETTINGS);
+ checkOffloadEnginePermission(mContext);
Objects.requireNonNull(ifaceName);
Objects.requireNonNull(cb);
mNsdStateMachine.sendMessage(
@@ -2053,13 +2055,31 @@
@Override
public void unregisterOffloadEngine(IOffloadEngine cb) {
- // TODO: Relax the permission because NETWORK_SETTINGS is a signature permission, and
- // it may not be possible for all the callers of this API to have it.
- PermissionUtils.enforceNetworkStackPermissionOr(mContext, NETWORK_SETTINGS);
+ checkOffloadEnginePermission(mContext);
Objects.requireNonNull(cb);
mNsdStateMachine.sendMessage(
mNsdStateMachine.obtainMessage(NsdManager.UNREGISTER_OFFLOAD_ENGINE, cb));
}
+
+ private static void checkOffloadEnginePermission(Context context) {
+ if (!SdkLevel.isAtLeastT()) {
+ throw new SecurityException("API is not available in before API level 33");
+ }
+ // REGISTER_NSD_OFFLOAD_ENGINE was only added to the SDK in V, but may
+ // be back ported to older builds: accept it as long as it's signature-protected
+ if (PermissionUtils.checkAnyPermissionOf(context, REGISTER_NSD_OFFLOAD_ENGINE)
+ && (SdkLevel.isAtLeastV() || PermissionUtils.isSystemSignaturePermission(
+ context, REGISTER_NSD_OFFLOAD_ENGINE))) {
+ return;
+ }
+ if (PermissionUtils.checkAnyPermissionOf(context, NETWORK_STACK,
+ PERMISSION_MAINLINE_NETWORK_STACK, NETWORK_SETTINGS)) {
+ return;
+ }
+ throw new SecurityException("Requires one of the following permissions: "
+ + String.join(", ", List.of(REGISTER_NSD_OFFLOAD_ENGINE, NETWORK_STACK,
+ PERMISSION_MAINLINE_NETWORK_STACK, NETWORK_SETTINGS)) + ".");
+ }
}
private void sendNsdStateChangeBroadcast(boolean isEnabled) {