• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.content;
18 
19 import android.annotation.IntDef;
20 import android.annotation.NonNull;
21 import android.annotation.Nullable;
22 import android.app.AppOpsManager;
23 import android.content.pm.PackageManager;
24 import android.os.Binder;
25 import android.os.Process;
26 
27 import java.lang.annotation.Retention;
28 import java.lang.annotation.RetentionPolicy;
29 
30 /**
31  * This class provides permission check APIs that verify both the
32  * permission and the associated app op for this permission if
33  * such is defined.
34  * <p>
35  * In the new permission model permissions with protection level
36  * dangerous are runtime permissions. For apps targeting {@link android.os.Build.VERSION_CODES#M}
37  * and above the user may not grant such permissions or revoke
38  * them at any time. For apps targeting API lower than {@link android.os.Build.VERSION_CODES#M}
39  * these permissions are always granted as such apps do not expect
40  * permission revocations and would crash. Therefore, when the
41  * user disables a permission for a legacy app in the UI the
42  * platform disables the APIs guarded by this permission making
43  * them a no-op which is doing nothing or returning an empty
44  * result or default error.
45  * </p>
46  * <p>
47  * It is important that when you perform an operation on behalf of
48  * another app you use these APIs to check for permissions as the
49  * app may be a legacy app that does not participate in the new
50  * permission model for which the user had disabled the "permission"
51  * which is achieved by disallowing the corresponding app op.
52  * </p>
53  * <p>
54  * This class has two types of methods and you should be careful which
55  * type to call based on whether permission protected data is being
56  * passed to the app or you are just checking whether the app holds a
57  * permission. The reason is that a permission check requires checking
58  * the runtime permission and if it is granted checking the corresponding
59  * app op as for apps not supporting the runtime mode we never revoke
60  * permissions but disable app ops. Since there are two types of app op
61  * checks, one that does not leave a record an action was performed and
62  * another the does, one needs to call the preflight flavor of the checks
63  * named xxxForPreflight only if no private data is being delivered but
64  * a permission check is what is needed and the xxxForDataDelivery where
65  * the permission check is right before private data delivery.
66  *
67  * @hide
68  */
69 public final class PermissionChecker {
70     /** Permission result: The permission is granted. */
71     public static final int PERMISSION_GRANTED =  PackageManager.PERMISSION_GRANTED;
72 
73     /** Permission result: The permission is denied. */
74     public static final int PERMISSION_DENIED =  PackageManager.PERMISSION_DENIED;
75 
76     /** Permission result: The permission is denied because the app op is not allowed. */
77     public static final int PERMISSION_DENIED_APP_OP =  PackageManager.PERMISSION_DENIED  - 1;
78 
79     /** Constant when the PID for which we check permissions is unknown. */
80     public static final int PID_UNKNOWN = -1;
81 
82     /** @hide */
83     @IntDef({PERMISSION_GRANTED,
84             PERMISSION_DENIED,
85             PERMISSION_DENIED_APP_OP})
86     @Retention(RetentionPolicy.SOURCE)
87     public @interface PermissionResult {}
88 
PermissionChecker()89     private PermissionChecker() {
90         /* do nothing */
91     }
92 
93     /**
94      * Checks whether a given package in a UID and PID has a given permission
95      * and whether the app op that corresponds to this permission is allowed.
96      *
97      * <strong>NOTE:</strong> Use this method only for permission checks at the
98      * point where you will deliver the permission protected data to clients.
99      *
100      * <p>For example, if an app registers a location listener it should have the location
101      * permission but no data is actually sent to the app at the moment of registration
102      * and you should use {@link #checkPermissionForPreflight(Context, String, int, int, String)}
103      * to determine if the app has or may have location permission (if app has only foreground
104      * location the grant state depends on the app's fg/gb state) and this check will not
105      * leave a trace that permission protected data was delivered. When you are about to
106      * deliver the location data to a registered listener you should use this method which
107      * will evaluate the permission access based on the current fg/bg state of the app and
108      * leave a record that the data was accessed.
109      *
110      * @param context Context for accessing resources.
111      * @param permission The permission to check.
112      * @param pid The process id for which to check. Use {@link #PID_UNKNOWN} if the PID
113      *    is not known.
114      * @param uid The uid for which to check.
115      * @param packageName The package name for which to check. If null the
116      *     the first package for the calling UID will be used.
117      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
118      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
119      *
120      * @see #checkPermissionForPreflight(Context, String, int, int, String)
121      */
122     @PermissionResult
checkPermissionForDataDelivery(@onNull Context context, @NonNull String permission, int pid, int uid, @Nullable String packageName)123     public static int checkPermissionForDataDelivery(@NonNull Context context,
124             @NonNull String permission, int pid, int uid, @Nullable String packageName) {
125         return checkPermissionCommon(context, permission, pid, uid, packageName,
126                 true /*forDataDelivery*/);
127     }
128 
129     /**
130      * Checks whether a given package in a UID and PID has a given permission
131      * and whether the app op that corresponds to this permission is allowed.
132      *
133      * <strong>NOTE:</strong> Use this method only for permission checks at the
134      * preflight point where you will not deliver the permission protected data
135      * to clients but schedule permission data delivery, apps register listeners,
136      * etc.
137      *
138      * <p>For example, if an app registers a location listener it should have the location
139      * permission but no data is actually sent to the app at the moment of registration
140      * and you should use this method to determine if the app has or may have location
141      * permission (if app has only foreground location the grant state depends on the app's
142      * fg/gb state) and this check will not leave a trace that permission protected data
143      * was delivered. When you are about to deliver the location data to a registered
144      * listener you should use {@link #checkPermissionForDataDelivery(Context, String,
145      * int, int, String)} which will evaluate the permission access based on the current
146      * fg/bg state of the app and leave a record that the data was accessed.
147      *
148      * @param context Context for accessing resources.
149      * @param permission The permission to check.
150      * @param pid The process id for which to check.
151      * @param uid The uid for which to check.
152      * @param packageName The package name for which to check. If null the
153      *     the first package for the calling UID will be used.
154      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
155      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
156      *
157      * @see #checkPermissionForDataDelivery(Context, String, int, int, String)
158      */
159     @PermissionResult
checkPermissionForPreflight(@onNull Context context, @NonNull String permission, int pid, int uid, @Nullable String packageName)160     public static int checkPermissionForPreflight(@NonNull Context context,
161             @NonNull String permission, int pid, int uid, @Nullable String packageName) {
162         return checkPermissionCommon(context, permission, pid, uid, packageName,
163                 false /*forDataDelivery*/);
164     }
165 
166     /**
167      * Checks whether your app has a given permission and whether the app op
168      * that corresponds to this permission is allowed.
169      *
170      * <strong>NOTE:</strong> Use this method only for permission checks at the
171      * point where you will deliver the permission protected data to clients.
172      *
173      * <p>For example, if an app registers a location listener it should have the location
174      * permission but no data is actually sent to the app at the moment of registration
175      * and you should use {@link #checkSelfPermissionForPreflight(Context, String)}
176      * to determine if the app has or may have location permission (if app has only foreground
177      * location the grant state depends on the app's fg/gb state) and this check will not
178      * leave a trace that permission protected data was delivered. When you are about to
179      * deliver the location data to a registered listener you should use this method
180      * which will evaluate the permission access based on the current fg/bg state of the
181      * app and leave a record that the data was accessed.
182      *
183      * <p>This API assumes the the {@link Binder#getCallingUid()} is the same as
184      * {@link Process#myUid()}.
185      *
186      * @param context Context for accessing resources.
187      * @param permission The permission to check.
188      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
189      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
190      *
191      * @see #checkSelfPermissionForPreflight(Context, String)
192      */
193     @PermissionResult
checkSelfPermissionForDataDelivery(@onNull Context context, @NonNull String permission)194     public static int checkSelfPermissionForDataDelivery(@NonNull Context context,
195             @NonNull String permission) {
196         return checkPermissionForDataDelivery(context, permission, Process.myPid(),
197                 Process.myUid(), context.getPackageName());
198     }
199 
200     /**
201      * Checks whether your app has a given permission and whether the app op
202      * that corresponds to this permission is allowed.
203      *
204      * <strong>NOTE:</strong> Use this method only for permission checks at the
205      * preflight point where you will not deliver the permission protected data
206      * to clients but schedule permission data delivery, apps register listeners,
207      * etc.
208      *
209      * <p>For example, if an app registers a location listener it should have the location
210      * permission but no data is actually sent to the app at the moment of registration
211      * and you should use this method to determine if the app has or may have location
212      * permission (if app has only foreground location the grant state depends on the
213      * app's fg/gb state) and this check will not leave a trace that permission protected
214      * data was delivered. When you are about to deliver the location data to a registered
215      * listener you should use this method which will evaluate the permission access based
216      * on the current fg/bg state of the app and leave a record that the data was accessed.
217      *
218      * <p>This API assumes the the {@link Binder#getCallingUid()} is the same as
219      * {@link Process#myUid()}.
220      *
221      * @param context Context for accessing resources.
222      * @param permission The permission to check.
223      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
224      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
225      *
226      * @see #checkSelfPermissionForDataDelivery(Context, String)
227      */
228     @PermissionResult
checkSelfPermissionForPreflight(@onNull Context context, @NonNull String permission)229     public static int checkSelfPermissionForPreflight(@NonNull Context context,
230             @NonNull String permission) {
231         return checkPermissionForPreflight(context, permission, Process.myPid(),
232                 Process.myUid(), context.getPackageName());
233     }
234 
235     /**
236      * Checks whether the IPC you are handling has a given permission and whether
237      * the app op that corresponds to this permission is allowed.
238      *
239      * <strong>NOTE:</strong> Use this method only for permission checks at the
240      * point where you will deliver the permission protected data to clients.
241      *
242      * <p>For example, if an app registers a location listener it should have the location
243      * permission but no data is actually sent to the app at the moment of registration
244      * and you should use {@link #checkCallingPermissionForPreflight(Context, String, String)}
245      * to determine if the app has or may have location permission (if app has only foreground
246      * location the grant state depends on the app's fg/gb state) and this check will not
247      * leave a trace that permission protected data was delivered. When you are about to
248      * deliver the location data to a registered listener you should use this method which
249      * will evaluate the permission access based on the current fg/bg state of the app and
250      * leave a record that the data was accessed.
251      *
252      * @param context Context for accessing resources.
253      * @param permission The permission to check.
254      * @param packageName The package name making the IPC. If null the
255      *     the first package for the calling UID will be used.
256      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
257      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
258      *
259      * @see #checkCallingPermissionForPreflight(Context, String, String)
260      */
261     @PermissionResult
checkCallingPermissionForDataDelivery(@onNull Context context, @NonNull String permission, @Nullable String packageName)262     public static int checkCallingPermissionForDataDelivery(@NonNull Context context,
263             @NonNull String permission, @Nullable String packageName) {
264         if (Binder.getCallingPid() == Process.myPid()) {
265             return PERMISSION_DENIED;
266         }
267         return checkPermissionForDataDelivery(context, permission, Binder.getCallingPid(),
268                 Binder.getCallingUid(), packageName);
269     }
270 
271     /**
272      * Checks whether the IPC you are handling has a given permission and whether
273      * the app op that corresponds to this permission is allowed.
274      *
275      * <strong>NOTE:</strong> Use this method only for permission checks at the
276      * preflight point where you will not deliver the permission protected data
277      * to clients but schedule permission data delivery, apps register listeners,
278      * etc.
279      *
280      * <p>For example, if an app registers a location listener it should have the location
281      * permission but no data is actually sent to the app at the moment of registration
282      * and you should use this method to determine if the app has or may have location
283      * permission (if app has only foreground location the grant state depends on the app's
284      * fg/gb state) and this check will not leave a trace that permission protected data
285      * was delivered. When you are about to deliver the location data to a registered
286      * listener you should use {@link #checkCallingOrSelfPermissionForDataDelivery(Context,
287      * String)} which will evaluate the permission access based on the current fg/bg state
288      * of the app and leave a record that the data was accessed.
289      *
290      * @param context Context for accessing resources.
291      * @param permission The permission to check.
292      * @param packageName The package name making the IPC. If null the
293      *     the first package for the calling UID will be used.
294      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
295      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
296      *
297      * @see #checkCallingPermissionForDataDelivery(Context, String, String)
298      */
299     @PermissionResult
checkCallingPermissionForPreflight(@onNull Context context, @NonNull String permission, @Nullable String packageName)300     public static int checkCallingPermissionForPreflight(@NonNull Context context,
301             @NonNull String permission, @Nullable String packageName) {
302         if (Binder.getCallingPid() == Process.myPid()) {
303             return PERMISSION_DENIED;
304         }
305         return checkPermissionForPreflight(context, permission, Binder.getCallingPid(),
306                 Binder.getCallingUid(), packageName);
307     }
308 
309     /**
310      * Checks whether the IPC you are handling or your app has a given permission
311      * and whether the app op that corresponds to this permission is allowed.
312      *
313      * <strong>NOTE:</strong> Use this method only for permission checks at the
314      * point where you will deliver the permission protected data to clients.
315      *
316      * <p>For example, if an app registers a location listener it should have the location
317      * permission but no data is actually sent to the app at the moment of registration
318      * and you should use {@link #checkCallingOrSelfPermissionForPreflight(Context, String)}
319      * to determine if the app has or may have location permission (if app has only foreground
320      * location the grant state depends on the app's fg/gb state) and this check will not
321      * leave a trace that permission protected data was delivered. When you are about to
322      * deliver the location data to a registered listener you should use this method which
323      * will evaluate the permission access based on the current fg/bg state of the app and
324      * leave a record that the data was accessed.
325      *
326      * @param context Context for accessing resources.
327      * @param permission The permission to check.
328      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
329      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
330      *
331      * @see #checkCallingOrSelfPermissionForPreflight(Context, String)
332      */
333     @PermissionResult
checkCallingOrSelfPermissionForDataDelivery(@onNull Context context, @NonNull String permission)334     public static int checkCallingOrSelfPermissionForDataDelivery(@NonNull Context context,
335             @NonNull String permission) {
336         String packageName = (Binder.getCallingPid() == Process.myPid())
337                 ? context.getPackageName() : null;
338         return checkPermissionForDataDelivery(context, permission, Binder.getCallingPid(),
339                 Binder.getCallingUid(), packageName);
340     }
341 
342     /**
343      * Checks whether the IPC you are handling or your app has a given permission
344      * and whether the app op that corresponds to this permission is allowed.
345      *
346      * <strong>NOTE:</strong> Use this method only for permission checks at the
347      * preflight point where you will not deliver the permission protected data
348      * to clients but schedule permission data delivery, apps register listeners,
349      * etc.
350      *
351      * <p>For example, if an app registers a location listener it should have the location
352      * permission but no data is actually sent to the app at the moment of registration
353      * and you should use this method to determine if the app has or may have location
354      * permission (if app has only foreground location the grant state depends on the
355      * app's fg/gb state) and this check will not leave a trace that permission protected
356      * data was delivered. When you are about to deliver the location data to a registered
357      * listener you should use {@link #checkCallingOrSelfPermissionForDataDelivery(Context,
358      * String)} which will evaluate the permission access based on the current fg/bg state
359      * of the app and leave a record that the data was accessed.
360      *
361      * @param context Context for accessing resources.
362      * @param permission The permission to check.
363      * @return The permission check result which is either {@link #PERMISSION_GRANTED}
364      *     or {@link #PERMISSION_DENIED} or {@link #PERMISSION_DENIED_APP_OP}.
365      *
366      * @see #checkCallingOrSelfPermissionForDataDelivery(Context, String)
367      */
368     @PermissionResult
checkCallingOrSelfPermissionForPreflight(@onNull Context context, @NonNull String permission)369     public static int checkCallingOrSelfPermissionForPreflight(@NonNull Context context,
370             @NonNull String permission) {
371         String packageName = (Binder.getCallingPid() == Process.myPid())
372                 ? context.getPackageName() : null;
373         return checkPermissionForPreflight(context, permission, Binder.getCallingPid(),
374                 Binder.getCallingUid(), packageName);
375     }
376 
checkPermissionCommon(@onNull Context context, @NonNull String permission, int pid, int uid, @Nullable String packageName, boolean forDataDelivery)377     private static int checkPermissionCommon(@NonNull Context context, @NonNull String permission,
378             int pid, int uid, @Nullable String packageName, boolean forDataDelivery) {
379         if (context.checkPermission(permission, pid, uid) == PackageManager.PERMISSION_DENIED) {
380             return PERMISSION_DENIED;
381         }
382 
383         AppOpsManager appOpsManager = context.getSystemService(AppOpsManager.class);
384         String op = appOpsManager.permissionToOp(permission);
385         if (op == null) {
386             return PERMISSION_GRANTED;
387         }
388 
389         if (packageName == null) {
390             String[] packageNames = context.getPackageManager().getPackagesForUid(uid);
391             if (packageNames == null || packageNames.length <= 0) {
392                 return PERMISSION_DENIED;
393             }
394             packageName = packageNames[0];
395         }
396 
397         if (forDataDelivery) {
398             if (appOpsManager.noteProxyOpNoThrow(op, packageName, uid)
399                     != AppOpsManager.MODE_ALLOWED) {
400                 return PERMISSION_DENIED_APP_OP;
401             }
402         } else {
403             final int mode = appOpsManager.unsafeCheckOpRawNoThrow(op, uid, packageName);
404             if (mode != AppOpsManager.MODE_ALLOWED && mode != AppOpsManager.MODE_FOREGROUND) {
405                 return PERMISSION_DENIED_APP_OP;
406             }
407         }
408 
409         return PERMISSION_GRANTED;
410     }
411 }
412