Appops permission monitoring for GET_USAGE_STATS.
This makes sure DataLoader won't be able to obtain read logs once user
denies access.
Bug: b/152633648
Test: atest PackageManagerShellCommandTest PackageManagerShellCommandIncrementalTest IncrementalServiceTest
Test: adb shell appops set 1000 GET_USAGE_STATS deny
Change-Id: Ibbb74933b4ef0dd8f5fe27732743e5820b8ee4dc
diff --git a/services/incremental/ServiceWrappers.h b/services/incremental/ServiceWrappers.h
index 449b457..84bf1ff 100644
--- a/services/incremental/ServiceWrappers.h
+++ b/services/incremental/ServiceWrappers.h
@@ -16,6 +16,8 @@
#pragma once
+#include "IncrementalServiceValidation.h"
+
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
#include <android/content/pm/DataLoaderParamsParcel.h>
@@ -85,7 +87,10 @@
class AppOpsManagerWrapper {
public:
virtual ~AppOpsManagerWrapper() = default;
+ virtual binder::Status checkPermission(const char* permission, const char* operation,
+ const char* package) const = 0;
virtual void startWatchingMode(int32_t op, const String16& packageName, const sp<IAppOpsCallback>& callback) = 0;
+ virtual void stopWatchingMode(const sp<IAppOpsCallback>& callback) = 0;
};
class ServiceManagerWrapper {
@@ -105,17 +110,19 @@
~RealVoldService() = default;
binder::Status mountIncFs(const std::string& backingPath, const std::string& targetDir,
int32_t flags,
- IncrementalFileSystemControlParcel* _aidl_return) const override {
+ IncrementalFileSystemControlParcel* _aidl_return) const final {
return mInterface->mountIncFs(backingPath, targetDir, flags, _aidl_return);
}
- binder::Status unmountIncFs(const std::string& dir) const override {
+ binder::Status unmountIncFs(const std::string& dir) const final {
return mInterface->unmountIncFs(dir);
}
binder::Status bindMount(const std::string& sourceDir,
- const std::string& targetDir) const override {
+ const std::string& targetDir) const final {
return mInterface->bindMount(sourceDir, targetDir);
}
- binder::Status setIncFsMountOptions(const ::android::os::incremental::IncrementalFileSystemControlParcel& control, bool enableReadLogs) const override {
+ binder::Status setIncFsMountOptions(
+ const ::android::os::incremental::IncrementalFileSystemControlParcel& control,
+ bool enableReadLogs) const final {
return mInterface->setIncFsMountOptions(control, enableReadLogs);
}
@@ -131,13 +138,13 @@
binder::Status initializeDataLoader(MountId mountId, const DataLoaderParamsParcel& params,
const FileSystemControlParcel& control,
const sp<IDataLoaderStatusListener>& listener,
- bool* _aidl_return) const override {
+ bool* _aidl_return) const final {
return mInterface->initializeDataLoader(mountId, params, control, listener, _aidl_return);
}
- binder::Status getDataLoader(MountId mountId, sp<IDataLoader>* _aidl_return) const override {
+ binder::Status getDataLoader(MountId mountId, sp<IDataLoader>* _aidl_return) const final {
return mInterface->getDataLoader(mountId, _aidl_return);
}
- binder::Status destroyDataLoader(MountId mountId) const override {
+ binder::Status destroyDataLoader(MountId mountId) const final {
return mInterface->destroyDataLoader(mountId);
}
@@ -148,9 +155,18 @@
class RealAppOpsManager : public AppOpsManagerWrapper {
public:
~RealAppOpsManager() = default;
- void startWatchingMode(int32_t op, const String16& packageName, const sp<IAppOpsCallback>& callback) override {
+ binder::Status checkPermission(const char* permission, const char* operation,
+ const char* package) const final {
+ return android::incremental::CheckPermissionForDataDelivery(permission, operation, package);
+ }
+ void startWatchingMode(int32_t op, const String16& packageName,
+ const sp<IAppOpsCallback>& callback) final {
mAppOpsManager.startWatchingMode(op, packageName, callback);
}
+ void stopWatchingMode(const sp<IAppOpsCallback>& callback) final {
+ mAppOpsManager.stopWatchingMode(callback);
+ }
+
private:
android::AppOpsManager mAppOpsManager;
};
@@ -174,36 +190,35 @@
public:
RealIncFs() = default;
~RealIncFs() = default;
- Control createControl(IncFsFd cmd, IncFsFd pendingReads, IncFsFd logs) const override {
+ Control createControl(IncFsFd cmd, IncFsFd pendingReads, IncFsFd logs) const final {
return incfs::createControl(cmd, pendingReads, logs);
}
ErrorCode makeFile(const Control& control, std::string_view path, int mode, FileId id,
- NewFileParams params) const override {
+ NewFileParams params) const final {
return incfs::makeFile(control, path, mode, id, params);
}
- ErrorCode makeDir(const Control& control, std::string_view path, int mode) const override {
+ ErrorCode makeDir(const Control& control, std::string_view path, int mode) const final {
return incfs::makeDir(control, path, mode);
}
- RawMetadata getMetadata(const Control& control, FileId fileid) const override {
+ RawMetadata getMetadata(const Control& control, FileId fileid) const final {
return incfs::getMetadata(control, fileid);
}
- RawMetadata getMetadata(const Control& control, std::string_view path) const override {
+ RawMetadata getMetadata(const Control& control, std::string_view path) const final {
return incfs::getMetadata(control, path);
}
- FileId getFileId(const Control& control, std::string_view path) const override {
+ FileId getFileId(const Control& control, std::string_view path) const final {
return incfs::getFileId(control, path);
}
- ErrorCode link(const Control& control, std::string_view from,
- std::string_view to) const override {
+ ErrorCode link(const Control& control, std::string_view from, std::string_view to) const final {
return incfs::link(control, from, to);
}
- ErrorCode unlink(const Control& control, std::string_view path) const override {
+ ErrorCode unlink(const Control& control, std::string_view path) const final {
return incfs::unlink(control, path);
}
- base::unique_fd openForSpecialOps(const Control& control, FileId id) const override {
+ base::unique_fd openForSpecialOps(const Control& control, FileId id) const final {
return base::unique_fd{incfs::openForSpecialOps(control, id).release()};
}
- ErrorCode writeBlocks(Span<const DataBlock> blocks) const override {
+ ErrorCode writeBlocks(Span<const DataBlock> blocks) const final {
return incfs::writeBlocks(blocks);
}
};