commit 92f128c51c7a063595abe1e142617e43a0231797
author paulhu <paulhu@google.com> Thu Jul 01 18:04:45 2021 +0800
committer paulhu <paulhu@google.com> Fri Jul 02 20:04:50 2021 +0800
tree 55e15f57b2b21b0e7ac32b3bf7402283d3e0c37f
parent 05752a5316465677ec35c2b0fe0251068aa99249

Force only system uid can set uids allowed on restricted networks

- Check whether calling UID/PID is system_server.
- For CTS test, enforce NETWORK_SETTINGS permission otherwise if
  it's a debug build.

Bug: 175199465
Test: atest FrameworksNetTests
Test: atest ConnectivityManagerTest#testUidsAllowedOnRestrictedNetworks
Merged-In: I175a831671d3e52460d28203b09f6c0dda56b61c

Change-Id: I175a831671d3e52460d28203b09f6c0dda56b61c

framework/src/android/net/ConnectivitySettingsManager.java

diff --git a/framework/src/android/net/ConnectivitySettingsManager.java b/framework/src/android/net/ConnectivitySettingsManager.java
index 085de6b..8fc0065 100644
--- a/framework/src/android/net/ConnectivitySettingsManager.java
+++ b/framework/src/android/net/ConnectivitySettingsManager.java
@@ -29,6 +29,8 @@
 import android.annotation.SystemApi;
 import android.content.Context;
 import android.net.ConnectivityManager.MultipathPreference;
+import android.os.Binder;
+import android.os.Build;
 import android.os.Process;
 import android.os.UserHandle;
 import android.provider.Settings;
@@ -1039,6 +1041,15 @@
         return getUidSetFromString(uidList);
     }
 
+    private static boolean isCallingFromSystem() {
+        final int uid = Binder.getCallingUid();
+        final int pid = Binder.getCallingPid();
+        if (uid == Process.SYSTEM_UID && pid == Process.myPid()) {
+            return true;
+        }
+        return false;
+    }
+
     /**
      * Set the list of uids(from {@link Settings}) that is allowed to use restricted networks.
      *
@@ -1047,6 +1058,15 @@
      */
     public static void setUidsAllowedOnRestrictedNetworks(@NonNull Context context,
             @NonNull Set<Integer> uidList) {
+        final boolean calledFromSystem = isCallingFromSystem();
+        if (!calledFromSystem) {
+            // Enforce NETWORK_SETTINGS check if it's debug build. This is for MTS test only.
+            if (!Build.isDebuggable()) {
+                throw new SecurityException("Only system can set this setting.");
+            }
+            context.enforceCallingOrSelfPermission(android.Manifest.permission.NETWORK_SETTINGS,
+                    "Requires NETWORK_SETTINGS permission");
+        }
         final String uids = getUidStringFromSet(uidList);
         Settings.Global.putString(context.getContentResolver(), UIDS_ALLOWED_ON_RESTRICTED_NETWORKS,
                 uids);