WifiConfigManager: Change to NETWORK_SETTINGS permission check
Bug: 63911026
Test: Unit tests
Change-Id: Iaed6aceb8e8b4e586925a396a420d457d826d8ff
diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java
index 8aaebb2..8d37746 100644
--- a/service/java/com/android/server/wifi/WifiConfigManager.java
+++ b/service/java/com/android/server/wifi/WifiConfigManager.java
@@ -682,10 +682,10 @@
final boolean isCreator = (config.creatorUid == uid);
- // Check if the |uid| holds the |OVERRIDE_CONFIG_WIFI| permission if the caller asks us to
+ // Check if the |uid| holds the |NETWORK_SETTINGS| permission if the caller asks us to
// bypass the lockdown checks.
if (ignoreLockdown) {
- return mWifiPermissionsUtil.checkConfigOverridePermission(uid);
+ return mWifiPermissionsUtil.checkNetworkSettingsPermission(uid);
}
// Check if device has DPM capability. If it has and |dpmi| is still null, then we
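Review bot: The `ignoreLockdown` bypass now returns the result of `checkNetworkSettingsPermission(uid)` alone, so a caller that previously got through holding only OVERRIDE_WIFI_CONFIG is refused here without any log line. The same swap is made on both return paths of the next hunk and in canModifyProxySettings. If that narrowing is intended, the commit message should say so; the hunk does not show which callers are affected. A verbose log on denial, like the one canModifyProxySettings already emits, would make the refusal diagnosable, for example `Log.v(TAG, "UID " + uid + " lacks NETWORK_SETTINGS; lockdown bypass denied")`. The enclosing method starts and ends outside this hunk.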
@@ -700,13 +700,14 @@
final boolean isConfigEligibleForLockdown = dpmi != null && dpmi.isActiveAdminWithPolicy(
config.creatorUid, DeviceAdminInfo.USES_POLICY_DEVICE_OWNER);
if (!isConfigEligibleForLockdown) {
- return isCreator || mWifiPermissionsUtil.checkConfigOverridePermission(uid);
+ return isCreator || mWifiPermissionsUtil.checkNetworkSettingsPermission(uid);
}
final ContentResolver resolver = mContext.getContentResolver();
final boolean isLockdownFeatureEnabled = Settings.Global.getInt(resolver,
Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 0) != 0;
- return !isLockdownFeatureEnabled && mWifiPermissionsUtil.checkConfigOverridePermission(uid);
+ return !isLockdownFeatureEnabled
+ && mWifiPermissionsUtil.checkNetworkSettingsPermission(uid);
}
/**
@@ -979,7 +980,7 @@
if (WifiConfigurationUtil.hasProxyChanged(existingInternalConfig, newInternalConfig)
&& !canModifyProxySettings(uid)) {
Log.e(TAG, "UID " + uid + " does not have permission to modify proxy Settings "
- + config.configKey() + ". Must have OVERRIDE_WIFI_CONFIG,"
+ + config.configKey() + ". Must have NETWORK_SETTINGS,"
+ " or be device or profile owner.");
return new NetworkUpdateResult(WifiConfiguration.INVALID_NETWORK_ID);
}
@@ -1525,7 +1526,7 @@
* @return true if |uid| has the necessary permission to trigger explicit connection to the
* network, false otherwise.
* Note: This returns true only for the system settings/sysui app which holds the
- * {@link android.Manifest.permission#OVERRIDE_WIFI_CONFIG} permission. We don't want to let
+ * {@link android.Manifest.permission#NETWORK_SETTINGS} permission. We don't want to let
* any other app force connection to a network.
*/
public boolean checkAndUpdateLastConnectUid(int networkId, int uid) {
@@ -2886,15 +2887,15 @@
DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
final boolean isUidDeviceOwner = dpmi != null && dpmi.isActiveAdminWithPolicy(uid,
DeviceAdminInfo.USES_POLICY_DEVICE_OWNER);
- final boolean hasConfigOverridePermission =
- mWifiPermissionsUtil.checkConfigOverridePermission(uid);
+ final boolean hasNetworkSettingsPermission =
+ mWifiPermissionsUtil.checkNetworkSettingsPermission(uid);
// If |uid| corresponds to the device owner, allow all modifications.
- if (isUidDeviceOwner || isUidProfileOwner || hasConfigOverridePermission) {
+ if (isUidDeviceOwner || isUidProfileOwner || hasNetworkSettingsPermission) {
return true;
}
if (mVerboseLoggingEnabled) {
Log.v(TAG, "UID: " + uid + " cannot modify WifiConfiguration proxy settings."
- + " ConfigOverride=" + hasConfigOverridePermission
+ + " ConfigOverride=" + hasNetworkSettingsPermission
+ " DeviceOwner=" + isUidDeviceOwner
+ " ProfileOwner=" + isUidProfileOwner);
}
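Review bot: The verbose log still prints the label `" ConfigOverride="` although the value is now `hasNetworkSettingsPermission`, so anyone reading a denial in logcat will look for the wrong permission. Change the line to `+ " NetworkSettings=" + hasNetworkSettingsPermission`. The comment above the `if` mentions only the device owner while the condition also admits profile owners and NETWORK_SETTINGS holders; something like `// Allow device owner, profile owner, or a NETWORK_SETTINGS holder to modify proxy settings.` would match the check. The method body starts and ends outside this hunk.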
diff --git a/service/java/com/android/server/wifi/WifiServiceImpl.java b/service/java/com/android/server/wifi/WifiServiceImpl.java
index 1c0b640..97e5ee7 100644
--- a/service/java/com/android/server/wifi/WifiServiceImpl.java
+++ b/service/java/com/android/server/wifi/WifiServiceImpl.java
@@ -768,12 +768,6 @@
mWifiPermissionsUtil.enforceLocationPermission(pkgName, uid);
}
- private boolean checkNetworkSettingsPermission() {
- int result = mContext.checkCallingOrSelfPermission(
- android.Manifest.permission.NETWORK_SETTINGS);
- return result == PackageManager.PERMISSION_GRANTED;
- }
-
/**
* see {@link android.net.wifi.WifiManager#setWifiEnabled(boolean)}
* @param enable {@code true} to enable, {@code false} to disable.
@@ -792,7 +786,8 @@
// If SoftAp is enabled, only Settings is allowed to toggle wifi
boolean apEnabled =
mWifiStateMachine.syncGetWifiApState() != WifiManager.WIFI_AP_STATE_DISABLED;
- boolean isFromSettings = checkNetworkSettingsPermission();
+ boolean isFromSettings =
+ mWifiPermissionsUtil.checkNetworkSettingsPermission(Binder.getCallingUid());
if (apEnabled && !isFromSettings) {
mLog.trace("setWifiEnabled SoftAp not disabled: only Settings can enable wifi").flush();
return false;
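Review bot: `isFromSettings` is only correct if `Binder.getCallingUid()` is read while the caller's identity is still attached. If anything earlier in setWifiEnabled runs under `Binder.clearCallingIdentity()`, the value becomes the service's own uid and the SoftAp guard passes for every caller. The start of the method is outside this hunk, so that cannot be confirmed here. Capturing `final int callingUid = Binder.getCallingUid();` once at the top of the method and passing it here makes the ordering explicit. Also note that the removed helper used `checkCallingOrSelfPermission`, which considers the calling pid as well as the uid; the new check is uid-only, which is presumably equivalent for this call but should be confirmed.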
diff --git a/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java b/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java
index 95529b1..c5eea7d 100644
--- a/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java
+++ b/service/java/com/android/server/wifi/util/WifiPermissionsUtil.java
@@ -256,4 +256,13 @@
return (mSettingsStore.getLocationModeSetting(mContext)
!= Settings.Secure.LOCATION_MODE_OFF);
}
+
+ /**
+ * Returns true if the |uid| holds NETWORK_SETTINGS permission.
+ */
+ public boolean checkNetworkSettingsPermission(int uid) {
+ return mWifiPermissionsWrapper.getUidPermission(
+ android.Manifest.permission.NETWORK_SETTINGS, uid)
+ == PackageManager.PERMISSION_GRANTED;
+ }
}
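Review bot: The Javadoc on checkNetworkSettingsPermission does not say which uid a caller must supply, and this method is now the single gate for lockdown bypass, proxy changes and the SoftAp toggle. I would add `@param uid the Binder calling uid, captured before any clearCallingIdentity()` and `@return true only if NETWORK_SETTINGS is granted to that uid`. That records the contract each call site in WifiConfigManager and WifiServiceImpl relies on.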
diff --git a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
index aa858c8..7509c18 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
@@ -176,7 +176,7 @@
when(mDevicePolicyManagerInternal.isActiveAdminWithPolicy(anyInt(), anyInt()))
.thenReturn(false);
- when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(true);
+ when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt())).thenReturn(true);
when(mWifiPermissionsWrapper.getDevicePolicyManagerInternal())
.thenReturn(mDevicePolicyManagerInternal);
createWifiConfigManager();
@@ -325,7 +325,7 @@
// Now change BSSID of the network.
assertAndSetNetworkBSSID(openNetwork, TEST_BSSID);
- when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(false);
+ when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt())).thenReturn(false);
// Update the same configuration and ensure that the operation failed.
NetworkUpdateResult result = updateNetworkToWifiConfigManager(openNetwork);
@@ -781,7 +781,7 @@
assertTrue(retrievedStatus.isNetworkEnabled());
verifyUpdateNetworkStatus(retrievedNetwork, WifiConfiguration.Status.ENABLED);
- when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(false);
+ when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt())).thenReturn(false);
// Now try to set it disabled with |TEST_UPDATE_UID|, it should fail and the network
// should remain enabled.
@@ -810,7 +810,7 @@
mWifiConfigManager.getConfiguredNetwork(result.getNetworkId());
assertEquals(TEST_CREATOR_UID, retrievedNetwork.lastConnectUid);
- when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt())).thenReturn(false);
+ when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt())).thenReturn(false);
// Now try to update the last connect UID with |TEST_UPDATE_UID|, it should fail and
// the lastConnectUid should remain the same.
@@ -2977,14 +2977,14 @@
@Test
public void testAddNetworkWithProxyFails() {
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
false, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithStaticProxy(),
@@ -2999,14 +2999,14 @@
@Test
public void testAddNetworkWithProxyWithConfOverride() {
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- true, // withConfOverride
+ true, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- true, // withConfOverride
+ true, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithStaticProxy(),
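Review bot: The test is still named `testAddNetworkWithProxyWithConfOverride` although the flag it sets is now `withNetworkSettings`, so the name no longer matches the permission under test. Rename it to `testAddNetworkWithProxyWithNetworkSettings`. The `// Update with Conf Override` comments in the two later update-test hunks have the same stale wording and could read `// Update with NETWORK_SETTINGS`. The test method runs past the end of this hunk.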
@@ -3021,14 +3021,14 @@
@Test
public void testAddNetworkWithProxyAsProfileOwner() {
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithStaticProxy(),
@@ -3042,14 +3042,14 @@
@Test
public void testAddNetworkWithProxyAsDeviceOwner() {
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
true, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
true, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithStaticProxy(),
@@ -3065,14 +3065,14 @@
WifiConfiguration network = WifiConfigurationTestUtil.createOpenHiddenNetwork();
NetworkUpdateResult result = verifyAddNetworkToWifiConfigManager(network);
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
false, // assertSuccess
result.getNetworkId()); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithStaticProxy(),
@@ -3092,7 +3092,7 @@
NetworkUpdateResult result = addNetworkToWifiConfigManager(network, TEST_CREATOR_UID);
assertTrue(result.getNetworkId() != WifiConfiguration.INVALID_NETWORK_ID);
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- true, // withConfOverride
+ true, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
@@ -3104,7 +3104,7 @@
result = addNetworkToWifiConfigManager(network, TEST_NO_PERM_UID);
assertTrue(result.getNetworkId() != WifiConfiguration.INVALID_NETWORK_ID);
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
@@ -3116,7 +3116,7 @@
result = addNetworkToWifiConfigManager(network, TEST_NO_PERM_UID);
assertTrue(result.getNetworkId() != WifiConfiguration.INVALID_NETWORK_ID);
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
true, // withDeviceOwnerPolicy
WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy(),
@@ -3133,7 +3133,7 @@
IpConfiguration ipConf = WifiConfigurationTestUtil.createDHCPIpConfigurationWithPacProxy();
// First create a WifiConfiguration with proxy
NetworkUpdateResult result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf,
@@ -3141,7 +3141,7 @@
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
// Update the network while using the same ipConf, and no proxy specific permissions
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf,
@@ -3175,14 +3175,14 @@
// Update with Conf Override
NetworkUpdateResult result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- true, // withConfOverride
+ true, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- true, // withConfOverride
+ true, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf2,
@@ -3191,14 +3191,14 @@
// Update as Device Owner
result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
true, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
true, // withDeviceOwnerPolicy
ipConf2,
@@ -3207,14 +3207,14 @@
// Update as Profile Owner
result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf2,
@@ -3223,14 +3223,14 @@
// Update with no permissions (should fail)
result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf2,
@@ -3263,14 +3263,14 @@
// Update with Conf Override
NetworkUpdateResult result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- true, // withConfOverride
+ true, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- true, // withConfOverride
+ true, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf2,
@@ -3279,14 +3279,14 @@
// Update as Device Owner
result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
true, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
true, // withDeviceOwnerPolicy
ipConf2,
@@ -3295,14 +3295,14 @@
// Update as Profile Owner
result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf2,
@@ -3311,14 +3311,14 @@
// Update with no permissions (should fail)
result = verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
true, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf1,
true, // assertSuccess
WifiConfiguration.INVALID_NETWORK_ID); // Update networkID
verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- false, // withConfOverride
+ false, // withNetworkSettings
false, // withProfileOwnerPolicy
false, // withDeviceOwnerPolicy
ipConf2,
@@ -3345,7 +3345,7 @@
}
private NetworkUpdateResult verifyAddOrUpdateNetworkWithProxySettingsAndPermissions(
- boolean withConfOverride,
+ boolean withNetworkSettings,
boolean withProfileOwnerPolicy,
boolean withDeviceOwnerPolicy,
IpConfiguration ipConfiguration,
@@ -3364,9 +3364,9 @@
when(mDevicePolicyManagerInternal.isActiveAdminWithPolicy(anyInt(),
eq(DeviceAdminInfo.USES_POLICY_DEVICE_OWNER)))
.thenReturn(withDeviceOwnerPolicy);
- when(mWifiPermissionsUtil.checkConfigOverridePermission(anyInt()))
- .thenReturn(withConfOverride);
- int uid = withConfOverride ? TEST_CREATOR_UID : TEST_NO_PERM_UID;
+ when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt()))
+ .thenReturn(withNetworkSettings);
+ int uid = withNetworkSettings ? TEST_CREATOR_UID : TEST_NO_PERM_UID;
NetworkUpdateResult result = addNetworkToWifiConfigManager(network, uid);
assertEquals(assertSuccess, result.getNetworkId() != WifiConfiguration.INVALID_NETWORK_ID);
return result;
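Review bot: The stub `checkNetworkSettingsPermission(anyInt())` answers the same way for every uid, so this helper would still pass if WifiConfigManager checked the permission against the wrong uid, for example the creator's instead of the caller's. Computing the uid first and stubbing on it closes that gap: move `int uid = withNetworkSettings ? TEST_CREATOR_UID : TEST_NO_PERM_UID;` above the stub and use `when(mWifiPermissionsUtil.checkNetworkSettingsPermission(eq(uid))).thenReturn(withNetworkSettings);`. The two setWifiEnabled tests in WifiServiceImplTest stub with `anyInt()` in the same way and no longer tie the result to the calling identity; a `verify(mWifiPermissionsUtil).checkNetworkSettingsPermission(eq(Binder.getCallingUid()))` there would restore that. The helper's signature and earlier setup are outside this hunk.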
diff --git a/service/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java b/service/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
index f6115ce..ce4556d 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/WifiServiceImplTest.java
@@ -400,9 +400,7 @@
public void testSetWifiEnabledFromNetworkSettingsHolderWhenApEnabled() throws Exception {
when(mWifiStateMachine.syncGetWifiApState()).thenReturn(WifiManager.WIFI_AP_STATE_ENABLED);
when(mSettingsStore.handleWifiToggled(eq(true))).thenReturn(true);
- when(mContext.checkCallingOrSelfPermission(
- eq(android.Manifest.permission.NETWORK_SETTINGS)))
- .thenReturn(PackageManager.PERMISSION_GRANTED);
+ when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt())).thenReturn(true);
assertTrue(mWifiServiceImpl.setWifiEnabled(SYSUI_PACKAGE_NAME, true));
verify(mWifiController).sendMessage(eq(CMD_WIFI_TOGGLED));
}
@@ -413,9 +411,7 @@
@Test
public void testSetWifiEnabledFromAppFailsWhenApEnabled() throws Exception {
when(mWifiStateMachine.syncGetWifiApState()).thenReturn(WifiManager.WIFI_AP_STATE_ENABLED);
- when(mContext.checkCallingOrSelfPermission(
- eq(android.Manifest.permission.NETWORK_SETTINGS)))
- .thenReturn(PackageManager.PERMISSION_DENIED);
+ when(mWifiPermissionsUtil.checkNetworkSettingsPermission(anyInt())).thenReturn(false);
assertFalse(mWifiServiceImpl.setWifiEnabled(TEST_PACKAGE_NAME, true));
verify(mSettingsStore, never()).handleWifiToggled(anyBoolean());
verify(mWifiController, never()).sendMessage(eq(CMD_WIFI_TOGGLED));