Grant notification Uri permissions as sending app.

For security reasons, the system UID can't make URI permission as
itself; it always needs to do so on behalf of a specific app.  To
handle this, we grant notification Uri permissions as the UID that
sent a given notification.

To give meaningful debug messages to developers, check to see if the
caller has permissions to grant Uri access when they're enqueuing
a notification.  If they're targeting P, throw any security issues
back at the caller; if older SDK, log and ignore that Uri.

Since multiple notifications can grant access to the same content,
we need unique UriPermissionOwner per active notification.  For
example, consider these two notifications:

1. sound=content://sound, image=content://image1
2. sound=content://sound, image=content://image2

When #1 is cancelled, we still need to keep the content://sound
grant active until #2 is also cancelled.  Using unique owners
means that ActivityManagerService tracks reference counting on
our behalf.

Optimizations to avoid allocations in hot code paths.

Test: atest frameworks/base/services/tests/uiservicestests/src/com/android/server/notification
Bug: 9069730
Change-Id: I69601793538adcbf06c4986a2fb1ea2dd9d876eb
8 files changed
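
The reference-counting argument in the commit message, as an added illustration that is not code from this change or from ActivityManagerService. `GrantModel` and its methods are hypothetical names for a simplified model in which a URI stays granted while at least one owner holds it; the shared-owner case is an assumed alternative design shown only for contrast.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical, simplified model of per-owner URI grants (not framework code).
class GrantModel {
    // uri -> owners currently holding a grant on that uri
    private final Map<String, Set<Object>> grants = new HashMap<>();

    void grant(Object owner, String uri) {
        grants.computeIfAbsent(uri, k -> new HashSet<>()).add(owner);
    }

    // Drop a single (owner, uri) pair; the uri is revoked once no owner is left.
    void revoke(Object owner, String uri) {
        Set<Object> owners = grants.get(uri);
        if (owners != null && owners.remove(owner) && owners.isEmpty()) {
            grants.remove(uri);
        }
    }

    // Drop everything one owner holds, as when its notification is cancelled.
    void revokeAll(Object owner) {
        grants.values().forEach(owners -> owners.remove(owner));
        grants.values().removeIf(Set::isEmpty);
    }

    boolean isGranted(String uri) { return grants.containsKey(uri); }

    public static void main(String[] args) {
        // Unique owner per notification: cancelling #1 leaves #2's grants alone.
        GrantModel unique = new GrantModel();
        Object n1 = new Object(), n2 = new Object();
        unique.grant(n1, "content://sound");  unique.grant(n1, "content://image1");
        unique.grant(n2, "content://sound");  unique.grant(n2, "content://image2");
        unique.revokeAll(n1);
        System.out.println("unique owners, sound granted:  " + unique.isGranted("content://sound"));
        System.out.println("unique owners, image1 granted: " + unique.isGranted("content://image1"));

        // One shared owner (assumed alternative): cancelling #1 revokes its Uris
        // from that owner, which also removes the sound grant #2 still needs.
        GrantModel shared = new GrantModel();
        Object owner = new Object();
        for (String u : new String[] {"content://sound", "content://image1", "content://image2"}) {
            shared.grant(owner, u);
        }
        shared.revoke(owner, "content://sound");
        shared.revoke(owner, "content://image1");
        System.out.println("shared owner, sound granted:   " + shared.isGranted("content://sound"));
    }
}
```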