/*
|
* Copyright (C) 2018 The Android Open Source Project
|
*
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
* you may not use this file except in compliance with the License.
|
* You may obtain a copy of the License at
|
*
|
* http://www.apache.org/licenses/LICENSE-2.0
|
*
|
* Unless required by applicable law or agreed to in writing, software
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
* See the License for the specific language governing permissions and
|
* limitations under the License.
|
*/
|
|
package com.android.server.incident;
|
|
import android.app.ActivityManager;
|
import android.content.ComponentName;
|
import android.content.Context;
|
import android.content.Intent;
|
import android.content.pm.ApplicationInfo;
|
import android.content.pm.PackageManager;
|
import android.content.pm.UserInfo;
|
import android.content.res.Resources;
|
import android.os.Binder;
|
import android.os.Build;
|
import android.os.IBinder;
|
import android.os.IIncidentAuthListener;
|
import android.os.IIncidentCompanion;
|
import android.os.IIncidentManager;
|
import android.os.IncidentManager;
|
import android.os.RemoteException;
|
import android.os.ServiceManager;
|
import android.os.UserHandle;
|
import android.os.UserManager;
|
import android.util.Log;
|
|
import com.android.internal.util.DumpUtils;
|
import com.android.server.SystemService;
|
|
import java.io.FileDescriptor;
|
import java.io.PrintWriter;
|
import java.util.List;
|
|
/**
|
* Helper service for incidentd and dumpstated to provide user feedback
|
* and authorization for bug and inicdent reports to be taken.
|
*/
|
public class IncidentCompanionService extends SystemService {
|
static final String TAG = "IncidentCompanionService";
|
|
/**
|
* Dump argument for proxying restricted image dumps to the services
|
* listed in the config.
|
*/
|
private static String[] RESTRICTED_IMAGE_DUMP_ARGS = new String[] {
|
"--hal", "--restricted_image" };
|
|
/**
|
* The two permissions, for sendBroadcastAsUserMultiplePermissions.
|
*/
|
private static final String[] DUMP_AND_USAGE_STATS_PERMISSIONS = new String[] {
|
android.Manifest.permission.DUMP,
|
android.Manifest.permission.PACKAGE_USAGE_STATS
|
};
|
|
/**
|
* Tracker for reports pending approval.
|
*/
|
private PendingReports mPendingReports;
|
|
/**
|
* Implementation of the IIncidentCompanion binder interface.
|
*/
|
private final class BinderService extends IIncidentCompanion.Stub {
|
/**
|
* ONEWAY binder call to initiate authorizing the report. If you don't need
|
* IncidentCompanionService to check whether the calling UID matches then
|
* pass 0 for callingUid. Either way, the caller must have DUMP and USAGE_STATS
|
* permissions to retrieve the data, so it ends up being about the same.
|
*/
|
@Override
|
public void authorizeReport(int callingUid, final String callingPackage,
|
final String receiverClass, final String reportId,
|
final int flags, final IIncidentAuthListener listener) {
|
enforceRequestAuthorizationPermission();
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
mPendingReports.authorizeReport(callingUid, callingPackage,
|
receiverClass, reportId, flags, listener);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* ONEWAY binder call to cancel the inbound authorization request.
|
* <p>
|
* This is a oneway call, and so is authorizeReport, so the
|
* caller's ordering is preserved. The other calls on this object are synchronous, so
|
* their ordering is not guaranteed with respect to these calls. So the implementation
|
* sends out extra broadcasts to allow for eventual consistency.
|
*/
|
public void cancelAuthorization(final IIncidentAuthListener listener) {
|
enforceRequestAuthorizationPermission();
|
|
// Caller can cancel if they don't want it anymore, and mRequestQueue elides
|
// authorize/cancel pairs.
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
mPendingReports.cancelAuthorization(listener);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* ONEWAY implementation to send broadcast from incidentd, which is native.
|
*/
|
@Override
|
public void sendReportReadyBroadcast(String pkg, String cls) {
|
enforceRequestAuthorizationPermission();
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
final Context context = getContext();
|
|
final int primaryUser = getAndValidateUser(context);
|
if (primaryUser == UserHandle.USER_NULL) {
|
return;
|
}
|
|
final Intent intent = new Intent(Intent.ACTION_INCIDENT_REPORT_READY);
|
intent.setComponent(new ComponentName(pkg, cls));
|
|
Log.d(TAG, "sendReportReadyBroadcast sending primaryUser=" + primaryUser
|
+ " userHandle=" + UserHandle.getUserHandleForUid(primaryUser)
|
+ " intent=" + intent);
|
|
// Send it to the primary user. Only they can do incident reports.
|
context.sendBroadcastAsUserMultiplePermissions(intent,
|
UserHandle.getUserHandleForUid(primaryUser),
|
DUMP_AND_USAGE_STATS_PERMISSIONS);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* SYNCHRONOUS binder call to get the list of reports that are pending confirmation
|
* by the user.
|
*/
|
@Override
|
public List<String> getPendingReports() {
|
enforceAuthorizePermission();
|
return mPendingReports.getPendingReports();
|
}
|
|
/**
|
* SYNCHRONOUS binder call to mark a report as approved.
|
*/
|
@Override
|
public void approveReport(String uri) {
|
enforceAuthorizePermission();
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
mPendingReports.approveReport(uri);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* SYNCHRONOUS binder call to mark a report as NOT approved.
|
*/
|
@Override
|
public void denyReport(String uri) {
|
enforceAuthorizePermission();
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
mPendingReports.denyReport(uri);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* SYNCHRONOUS binder call to get the list of incident reports waiting for a receiver.
|
*/
|
@Override
|
public List<String> getIncidentReportList(String pkg, String cls) throws RemoteException {
|
enforceAccessReportsPermissions(null);
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
return getIIncidentManager().getIncidentReportList(pkg, cls);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* SYNCHRONOUS binder call to commit an incident report
|
*/
|
@Override
|
public void deleteIncidentReports(String pkg, String cls, String id)
|
throws RemoteException {
|
if (pkg == null || cls == null || id == null
|
|| pkg.length() == 0 || cls.length() == 0 || id.length() == 0) {
|
throw new RuntimeException("Invalid pkg, cls or id");
|
}
|
enforceAccessReportsPermissions(pkg);
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
getIIncidentManager().deleteIncidentReports(pkg, cls, id);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* SYNCHRONOUS binder call to delete all incident reports for a package.
|
*/
|
@Override
|
public void deleteAllIncidentReports(String pkg) throws RemoteException {
|
if (pkg == null || pkg.length() == 0) {
|
throw new RuntimeException("Invalid pkg");
|
}
|
enforceAccessReportsPermissions(pkg);
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
getIIncidentManager().deleteAllIncidentReports(pkg);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* SYNCHRONOUS binder call to get the IncidentReport object.
|
*/
|
@Override
|
public IncidentManager.IncidentReport getIncidentReport(String pkg, String cls, String id)
|
throws RemoteException {
|
if (pkg == null || cls == null || id == null
|
|| pkg.length() == 0 || cls.length() == 0 || id.length() == 0) {
|
throw new RuntimeException("Invalid pkg, cls or id");
|
}
|
enforceAccessReportsPermissions(pkg);
|
|
final long ident = Binder.clearCallingIdentity();
|
try {
|
return getIIncidentManager().getIncidentReport(pkg, cls, id);
|
} finally {
|
Binder.restoreCallingIdentity(ident);
|
}
|
}
|
|
/**
|
* SYNCHRONOUS implementation of adb shell dumpsys debugreportcompanion.
|
*/
|
@Override
|
protected void dump(FileDescriptor fd, final PrintWriter writer, String[] args) {
|
if (!DumpUtils.checkDumpPermission(getContext(), TAG, writer)) {
|
return;
|
}
|
|
if (args.length == 1 && "--restricted_image".equals(args[0])) {
|
// Does NOT clearCallingIdentity
|
dumpRestrictedImages(fd);
|
} else {
|
// Regular dump
|
mPendingReports.dump(fd, writer, args);
|
}
|
}
|
|
/**
|
* Proxy for the restricted images section.
|
*/
|
private void dumpRestrictedImages(FileDescriptor fd) {
|
// Only supported on eng or userdebug.
|
if (!(Build.IS_ENG || Build.IS_USERDEBUG)) {
|
return;
|
}
|
|
final Resources res = getContext().getResources();
|
final String[] services = res.getStringArray(
|
com.android.internal.R.array.config_restrictedImagesServices);
|
final int servicesCount = services.length;
|
for (int i = 0; i < servicesCount; i++) {
|
final String name = services[i];
|
Log.d(TAG, "Looking up service " + name);
|
final IBinder service = ServiceManager.getService(name);
|
if (service != null) {
|
Log.d(TAG, "Calling dump on service: " + name);
|
try {
|
service.dump(fd, RESTRICTED_IMAGE_DUMP_ARGS);
|
} catch (RemoteException ex) {
|
Log.w(TAG, "dump --restricted_image of " + name + " threw", ex);
|
}
|
}
|
}
|
}
|
|
/**
|
* Inside the binder interface class because we want to do all of the authorization
|
* here, before calling out to the helper objects.
|
*/
|
private void enforceRequestAuthorizationPermission() {
|
getContext().enforceCallingOrSelfPermission(
|
android.Manifest.permission.REQUEST_INCIDENT_REPORT_APPROVAL, null);
|
}
|
|
/**
|
* Inside the binder interface class because we want to do all of the authorization
|
* here, before calling out to the helper objects.
|
*/
|
private void enforceAuthorizePermission() {
|
getContext().enforceCallingOrSelfPermission(
|
android.Manifest.permission.APPROVE_INCIDENT_REPORTS, null);
|
}
|
|
/**
|
* Enforce that the calling process either has APPROVE_INCIDENT_REPORTS or
|
* (DUMP and PACKAGE_USAGE_STATS). This lets the approver get, because showing
|
* information about the report is a prerequisite for letting the user decide.
|
*
|
* If pkg is null, it is not checked, so make sure that you check it for null first
|
* if you do need the packages to match.
|
*
|
* Inside the binder interface class because we want to do all of the authorization
|
* here, before calling out to the helper objects.
|
*/
|
private void enforceAccessReportsPermissions(String pkg) {
|
if (getContext().checkCallingPermission(
|
android.Manifest.permission.APPROVE_INCIDENT_REPORTS)
|
!= PackageManager.PERMISSION_GRANTED) {
|
getContext().enforceCallingOrSelfPermission(
|
android.Manifest.permission.DUMP, null);
|
getContext().enforceCallingOrSelfPermission(
|
android.Manifest.permission.PACKAGE_USAGE_STATS, null);
|
if (pkg != null) {
|
enforceCallerIsSameApp(pkg);
|
}
|
}
|
}
|
|
/**
|
* Throw a SecurityException if the incoming binder call is not from pkg.
|
*/
|
private void enforceCallerIsSameApp(String pkg) throws SecurityException {
|
try {
|
final int uid = Binder.getCallingUid();
|
final int userId = UserHandle.getCallingUserId();
|
final ApplicationInfo ai = getContext().getPackageManager()
|
.getApplicationInfoAsUser(pkg, 0, userId);
|
if (ai == null) {
|
throw new SecurityException("Unknown package " + pkg);
|
}
|
if (!UserHandle.isSameApp(ai.uid, uid)) {
|
throw new SecurityException("Calling uid " + uid + " gave package "
|
+ pkg + " which is owned by uid " + ai.uid);
|
}
|
} catch (PackageManager.NameNotFoundException re) {
|
throw new SecurityException("Unknown package " + pkg + "\n" + re);
|
}
|
}
|
}
|
|
/**
|
* Construct new IncidentCompanionService with the context.
|
*/
|
public IncidentCompanionService(Context context) {
|
super(context);
|
mPendingReports = new PendingReports(context);
|
}
|
|
/**
|
* Initialize the service. It is still not safe to do UI until
|
* onBootPhase(SystemService.PHASE_BOOT_COMPLETED).
|
*/
|
@Override
|
public void onStart() {
|
publishBinderService(Context.INCIDENT_COMPANION_SERVICE, new BinderService());
|
}
|
|
/**
|
* Handle the boot process... Starts everything running once the system is
|
* up enough for us to do UI.
|
*/
|
@Override
|
public void onBootPhase(int phase) {
|
super.onBootPhase(phase);
|
switch (phase) {
|
case SystemService.PHASE_BOOT_COMPLETED:
|
mPendingReports.onBootCompleted();
|
break;
|
}
|
}
|
|
/**
|
* Looks up incidentd every time, so we don't need a complex handshake between
|
* incidentd and IncidentCompanionService.
|
*/
|
private IIncidentManager getIIncidentManager() throws RemoteException {
|
return IIncidentManager.Stub.asInterface(
|
ServiceManager.getService(Context.INCIDENT_SERVICE));
|
}
|
|
/**
|
* Check whether the current user is the primary user, and return the user id if they are.
|
* Returns UserHandle.USER_NULL if not valid.
|
*/
|
public static int getAndValidateUser(Context context) {
|
// Current user
|
UserInfo currentUser;
|
try {
|
currentUser = ActivityManager.getService().getCurrentUser();
|
} catch (RemoteException ex) {
|
// We're already inside the system process.
|
throw new RuntimeException(ex);
|
}
|
|
// Primary user
|
final UserManager um = UserManager.get(context);
|
final UserInfo primaryUser = um.getPrimaryUser();
|
|
// Check that we're using the right user.
|
if (currentUser == null) {
|
Log.w(TAG, "No current user. Nobody to approve the report."
|
+ " The report will be denied.");
|
return UserHandle.USER_NULL;
|
}
|
if (primaryUser == null) {
|
Log.w(TAG, "No primary user. Nobody to approve the report."
|
+ " The report will be denied.");
|
return UserHandle.USER_NULL;
|
}
|
if (primaryUser.id != currentUser.id) {
|
Log.w(TAG, "Only the primary user can approve bugreports, but they are not"
|
+ " the current user. The report will be denied.");
|
return UserHandle.USER_NULL;
|
}
|
|
return primaryUser.id;
|
}
|
}
|
