1 /* 2 * Copyright (C) 2024 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 #ifndef ANDROID_SERVERS_CAMERA_ATTRIBUTION_AND_PERMISSION_UTILS_H 17 #define ANDROID_SERVERS_CAMERA_ATTRIBUTION_AND_PERMISSION_UTILS_H 18 19 #include <android/content/AttributionSourceState.h> 20 #include <android/permission/PermissionChecker.h> 21 #include <binder/BinderService.h> 22 #include <binder/IPermissionController.h> 23 #include <private/android_filesystem_config.h> 24 25 namespace android { 26 27 class CameraService; 28 29 using content::AttributionSourceState; 30 using permission::PermissionChecker; 31 32 class AttrSourceItr { 33 public: 34 using value_type = AttributionSourceState; 35 using pointer = const value_type*; 36 using reference = const value_type&; 37 AttrSourceItr()38 AttrSourceItr() : mAttr(nullptr) {} 39 AttrSourceItr(const AttributionSourceState & attr)40 AttrSourceItr(const AttributionSourceState& attr) : mAttr(&attr) {} 41 42 reference operator*() const { return *mAttr; } 43 pointer operator->() const { return mAttr; } 44 45 AttrSourceItr& operator++() { 46 mAttr = !mAttr->next.empty() ? mAttr->next.data() : nullptr; 47 return *this; 48 } 49 50 AttrSourceItr operator++(int) { 51 AttrSourceItr tmp = *this; 52 ++(*this); 53 return tmp; 54 } 55 56 friend bool operator==(const AttrSourceItr& a, const AttrSourceItr& b) = default; 57 end()58 static AttrSourceItr end() { return AttrSourceItr{}; } 59 private: 60 const AttributionSourceState * mAttr; 61 }; 62 63 /** 64 * Utility class consolidating methods/data for verifying permissions and the identity of the 65 * caller. 66 */ 67 class AttributionAndPermissionUtils { 68 public: AttributionAndPermissionUtils()69 AttributionAndPermissionUtils() {} ~AttributionAndPermissionUtils()70 virtual ~AttributionAndPermissionUtils() {} 71 setCameraService(wp<CameraService> cameraService)72 void setCameraService(wp<CameraService> cameraService) { mCameraService = cameraService; } 73 buildAttributionSource(int callingPid,int callingUid)74 static AttributionSourceState buildAttributionSource(int callingPid, int callingUid) { 75 AttributionSourceState attributionSource{}; 76 attributionSource.pid = callingPid; 77 attributionSource.uid = callingUid; 78 return attributionSource; 79 } 80 buildAttributionSource(int callingPid,int callingUid,int32_t deviceId)81 static AttributionSourceState buildAttributionSource(int callingPid, int callingUid, 82 int32_t deviceId) { 83 AttributionSourceState attributionSource = buildAttributionSource(callingPid, callingUid); 84 attributionSource.deviceId = deviceId; 85 return attributionSource; 86 } 87 88 // Utilities handling Binder calling identities (previously in CameraThreadState) 89 virtual int getCallingUid() const; 90 virtual int getCallingPid() const; 91 virtual int64_t clearCallingIdentity(); 92 virtual void restoreCallingIdentity(int64_t token); 93 94 /** 95 * If flags::data_delivery_permission_checks() is enabled, check the calling attribution 96 * source and resolve its package name, or fill in the pid/uid/package name if necessary. 97 * 98 * @param resolvedAttributionSource The resolved attribution source. 99 * @param methodName The name of the method calling this function (for logging only). 100 * @param cameraIdMaybe The camera ID, if applicable. 101 * @return The status of the operation. 102 */ 103 virtual binder::Status resolveAttributionSource( 104 /*inout*/ AttributionSourceState& resolvedAttributionSource, 105 const std::string& methodName, 106 const std::optional<std::string>& cameraIdMaybe = std::nullopt); 107 108 /** 109 * Pre-grants the permission if the attribution source uid is for an automotive 110 * privileged client. Otherwise uses system service permission checker to check 111 * for the appropriate permission. If this function is called for accessing a specific 112 * camera,then the cameraID must not be empty. CameraId is used only in case of automotive 113 * privileged client so that permission is pre-granted only to access system camera device 114 * which is located outside of the vehicle body frame because camera located inside the vehicle 115 * cabin would need user permission. 116 */ 117 virtual bool checkPermissionForPreflight(const std::string& cameraId, 118 const std::string& permission, 119 const AttributionSourceState& attributionSource, 120 const std::string& message, int32_t attributedOpCode); 121 virtual bool checkPermissionForDataDelivery(const std::string& cameraId, 122 const std::string& permission, 123 const AttributionSourceState& attributionSource, 124 const std::string& message, 125 int32_t attributedOpCode); 126 virtual PermissionChecker::PermissionResult checkPermissionForStartDataDelivery( 127 const std::string& cameraId, const std::string& permission, 128 const AttributionSourceState& attributionSource, const std::string& message, 129 int32_t attributedOpCode); 130 131 // Can camera service trust the caller based on the calling UID? 132 virtual bool isTrustedCallingUid(uid_t uid); 133 134 virtual bool isAutomotiveDevice(); 135 virtual bool isHeadlessSystemUserMode(); 136 137 /** 138 * Returns true if the client has uid AID_AUTOMOTIVE_EVS and the device is an automotive device. 139 */ 140 virtual bool isAutomotivePrivilegedClient(int32_t uid); 141 142 // In some cases the calling code has no access to the package it runs under. 143 // For example, NDK camera API. 144 // In this case we will get the packages for the calling UID and pick the first one 145 // for attributing the app op. This will work correctly for runtime permissions 146 // as for legacy apps we will toggle the app op for all packages in the UID. 147 // The caveat is that the operation may be attributed to the wrong package and 148 // stats based on app ops may be slightly off. 149 virtual std::string getPackageNameFromUid(int clientUid) const; 150 151 virtual status_t getUidForPackage(const std::string& packageName, int userId, 152 /*inout*/ uid_t& uid, int err); 153 virtual bool isCallerCameraServerNotDelegating(); 154 155 // Utils for checking specific permissions 156 virtual bool hasPermissionsForCamera(const std::string& cameraId, 157 const AttributionSourceState& attributionSource, 158 bool forDataDelivery = false, bool checkAutomotive = true); 159 virtual PermissionChecker::PermissionResult checkPermissionsForCameraForPreflight( 160 const std::string& cameraId, const AttributionSourceState& attributionSource); 161 virtual PermissionChecker::PermissionResult checkPermissionsForCameraForDataDelivery( 162 const std::string& cameraId, const AttributionSourceState& attributionSource); 163 virtual PermissionChecker::PermissionResult checkPermissionsForCameraForStartDataDelivery( 164 const std::string& cameraId, const AttributionSourceState& attributionSource); 165 virtual bool hasPermissionsForSystemCamera(const std::string& cameraId, 166 const AttributionSourceState& attributionSource, 167 bool checkCameraPermissions = true); 168 virtual bool hasPermissionsForCameraHeadlessSystemUser( 169 const std::string& cameraId, const AttributionSourceState& attributionSource); 170 virtual bool hasPermissionsForCameraPrivacyAllowlist( 171 const AttributionSourceState& attributionSource); 172 virtual bool hasPermissionsForOpenCloseListener( 173 const AttributionSourceState& attributionSource); 174 175 virtual void finishDataDelivery(const AttributionSourceState& attributionSource); 176 177 static const std::string sDumpPermission; 178 static const std::string sManageCameraPermission; 179 static const std::string sCameraPermission; 180 static const std::string sSystemCameraPermission; 181 static const std::string sCameraHeadlessSystemUserPermission; 182 static const std::string sCameraPrivacyAllowlistPermission; 183 static const std::string sCameraSendSystemEventsPermission; 184 static const std::string sCameraOpenCloseListenerPermission; 185 static const std::string sCameraInjectExternalCameraPermission; 186 187 protected: 188 wp<CameraService> mCameraService; 189 190 bool checkAutomotivePrivilegedClient(const std::string& cameraId, 191 const AttributionSourceState& attributionSource); 192 193 // If the package name is missing from the AttributionSource and a package name exists for the 194 // AttributionSource's uid, fills in the missing package name. 195 void resolveAttributionPackage(AttributionSourceState& resolvedAttributionSource); 196 197 virtual bool resolveClientUid(/*inout*/ int& clientUid); 198 virtual bool resolveClientPid(/*inout*/ int& clientPid); 199 200 virtual binder::Status errorNotTrusted(int clientPid, int clientUid, 201 const std::string& methodName, 202 const std::optional<std::string>& cameraIdMaybe, 203 const std::string& clientName, bool isPid) const; 204 205 private: 206 virtual const sp<IPermissionController>& getPermissionController() const; 207 208 virtual PermissionChecker::PermissionResult checkPermission( 209 const std::string& cameraId, const std::string& permission, 210 const AttributionSourceState& attributionSource, const std::string& message, 211 int32_t attributedOpCode, bool forDataDelivery, bool startDataDelivery, 212 bool checkAutomotive); 213 214 std::unique_ptr<permission::PermissionChecker> mPermissionChecker = 215 std::make_unique<permission::PermissionChecker>(); 216 }; 217 218 /** 219 * Class to be inherited by classes encapsulating AttributionAndPermissionUtils. Provides an 220 * additional utility layer above AttributionAndPermissionUtils calls, and avoids verbosity 221 * in the encapsulating class's methods. 222 */ 223 class AttributionAndPermissionUtilsEncapsulator { 224 protected: 225 std::shared_ptr<AttributionAndPermissionUtils> mAttributionAndPermissionUtils; 226 227 public: AttributionAndPermissionUtilsEncapsulator(std::shared_ptr<AttributionAndPermissionUtils> attributionAndPermissionUtils)228 AttributionAndPermissionUtilsEncapsulator( 229 std::shared_ptr<AttributionAndPermissionUtils> attributionAndPermissionUtils) 230 : mAttributionAndPermissionUtils(attributionAndPermissionUtils) {} 231 buildAttributionSource(int callingPid,int callingUid)232 static AttributionSourceState buildAttributionSource(int callingPid, int callingUid) { 233 return AttributionAndPermissionUtils::buildAttributionSource(callingPid, callingUid); 234 } 235 buildAttributionSource(int callingPid,int callingUid,int32_t deviceId)236 static AttributionSourceState buildAttributionSource(int callingPid, int callingUid, 237 int32_t deviceId) { 238 return AttributionAndPermissionUtils::buildAttributionSource(callingPid, callingUid, 239 deviceId); 240 } 241 buildAttributionSource(int callingPid,int callingUid,const std::string & packageName,int32_t deviceId)242 static AttributionSourceState buildAttributionSource(int callingPid, int callingUid, 243 const std::string& packageName, 244 int32_t deviceId) { 245 AttributionSourceState attributionSource = 246 buildAttributionSource(callingPid, callingUid, deviceId); 247 attributionSource.packageName = packageName; 248 return attributionSource; 249 } 250 getCallingUid()251 int getCallingUid() const { return mAttributionAndPermissionUtils->getCallingUid(); } 252 getCallingPid()253 int getCallingPid() const { return mAttributionAndPermissionUtils->getCallingPid(); } 254 clearCallingIdentity()255 int64_t clearCallingIdentity() const { 256 return mAttributionAndPermissionUtils->clearCallingIdentity(); 257 } 258 restoreCallingIdentity(int64_t token)259 void restoreCallingIdentity(int64_t token) const { 260 mAttributionAndPermissionUtils->restoreCallingIdentity(token); 261 } 262 resolveAttributionSource(AttributionSourceState & resolvedAttributionSource,const std::string & methodName,const std::optional<std::string> & cameraIdMaybe)263 binder::Status resolveAttributionSource(AttributionSourceState& resolvedAttributionSource, 264 const std::string& methodName, 265 const std::optional<std::string>& cameraIdMaybe) { 266 std::string passedPackageName; 267 if (resolvedAttributionSource.packageName.has_value()) { 268 passedPackageName = resolvedAttributionSource.packageName.value(); 269 } 270 auto ret = mAttributionAndPermissionUtils->resolveAttributionSource( 271 resolvedAttributionSource, methodName, cameraIdMaybe); 272 if (!ret.isOk()) { 273 return ret; 274 } 275 // Fix up package name 276 if (passedPackageName.size() != 0) { 277 resolvedAttributionSource.packageName = std::move(passedPackageName); 278 } 279 return ret; 280 } 281 282 // The word 'System' here does not refer to callers only on the system 283 // partition. They just need to have an android system uid. callerHasSystemUid()284 bool callerHasSystemUid() const { return (getCallingUid() < AID_APP_START); } 285 hasPermissionsForCamera(int callingPid,int callingUid,int32_t deviceId)286 bool hasPermissionsForCamera(int callingPid, int callingUid, int32_t deviceId) const { 287 return hasPermissionsForCamera(std::string(), callingPid, callingUid, deviceId); 288 } 289 hasPermissionsForCamera(int callingPid,int callingUid,const std::string & packageName,int32_t deviceId)290 bool hasPermissionsForCamera(int callingPid, int callingUid, const std::string& packageName, 291 int32_t deviceId) const { 292 auto attributionSource = 293 buildAttributionSource(callingPid, callingUid, packageName, deviceId); 294 return hasPermissionsForCamera(std::string(), attributionSource); 295 } 296 hasPermissionsForCamera(const std::string & cameraId,int callingPid,int callingUid,int32_t deviceId)297 bool hasPermissionsForCamera(const std::string& cameraId, int callingPid, int callingUid, 298 int32_t deviceId) const { 299 auto attributionSource = buildAttributionSource(callingPid, callingUid, deviceId); 300 return hasPermissionsForCamera(cameraId, attributionSource); 301 } 302 hasPermissionsForCamera(const std::string & cameraId,const AttributionSourceState & clientAttribution)303 bool hasPermissionsForCamera(const std::string& cameraId, 304 const AttributionSourceState& clientAttribution) const { 305 return mAttributionAndPermissionUtils->hasPermissionsForCamera(cameraId, clientAttribution, 306 /* forDataDelivery */ false, 307 /* checkAutomotive */ true); 308 } 309 hasPermissionsForCameraForDataDelivery(const std::string & cameraId,const AttributionSourceState & clientAttribution)310 bool hasPermissionsForCameraForDataDelivery( 311 const std::string& cameraId, const AttributionSourceState& clientAttribution) const { 312 return mAttributionAndPermissionUtils->hasPermissionsForCamera(cameraId, clientAttribution, 313 /* forDataDelivery */ true, 314 /* checkAutomotive */ false); 315 } 316 checkPermissionsForCameraForPreflight(const std::string & cameraId,const AttributionSourceState & clientAttribution)317 PermissionChecker::PermissionResult checkPermissionsForCameraForPreflight( 318 const std::string& cameraId, const AttributionSourceState& clientAttribution) const { 319 return mAttributionAndPermissionUtils->checkPermissionsForCameraForPreflight( 320 cameraId, clientAttribution); 321 } 322 checkPermissionsForCameraForDataDelivery(const std::string & cameraId,const AttributionSourceState & clientAttribution)323 PermissionChecker::PermissionResult checkPermissionsForCameraForDataDelivery( 324 const std::string& cameraId, const AttributionSourceState& clientAttribution) const { 325 return mAttributionAndPermissionUtils->checkPermissionsForCameraForDataDelivery( 326 cameraId, clientAttribution); 327 } 328 checkPermissionsForCameraForStartDataDelivery(const std::string & cameraId,const AttributionSourceState & clientAttribution)329 PermissionChecker::PermissionResult checkPermissionsForCameraForStartDataDelivery( 330 const std::string& cameraId, const AttributionSourceState& clientAttribution) const { 331 return mAttributionAndPermissionUtils->checkPermissionsForCameraForStartDataDelivery( 332 cameraId, clientAttribution); 333 } 334 335 bool hasPermissionsForSystemCamera(const std::string& cameraId, int callingPid, int callingUid, 336 bool checkCameraPermissions = true) const { 337 auto attributionSource = buildAttributionSource(callingPid, callingUid); 338 return mAttributionAndPermissionUtils->hasPermissionsForSystemCamera( 339 cameraId, attributionSource, checkCameraPermissions); 340 } 341 hasPermissionsForCameraHeadlessSystemUser(const std::string & cameraId,int callingPid,int callingUid)342 bool hasPermissionsForCameraHeadlessSystemUser(const std::string& cameraId, int callingPid, 343 int callingUid) const { 344 auto attributionSource = buildAttributionSource(callingPid, callingUid); 345 return mAttributionAndPermissionUtils->hasPermissionsForCameraHeadlessSystemUser( 346 cameraId, attributionSource); 347 } 348 hasPermissionsForCameraPrivacyAllowlist(int callingPid,int callingUid)349 bool hasPermissionsForCameraPrivacyAllowlist(int callingPid, int callingUid) const { 350 auto attributionSource = buildAttributionSource(callingPid, callingUid); 351 return mAttributionAndPermissionUtils->hasPermissionsForCameraPrivacyAllowlist( 352 attributionSource); 353 } 354 hasPermissionsForOpenCloseListener(int callingPid,int callingUid)355 bool hasPermissionsForOpenCloseListener(int callingPid, int callingUid) const { 356 auto attributionSource = buildAttributionSource(callingPid, callingUid); 357 return mAttributionAndPermissionUtils->hasPermissionsForOpenCloseListener( 358 attributionSource); 359 } 360 finishDataDelivery(const AttributionSourceState & attributionSource)361 void finishDataDelivery(const AttributionSourceState& attributionSource) { 362 mAttributionAndPermissionUtils->finishDataDelivery(attributionSource); 363 } 364 isAutomotiveDevice()365 bool isAutomotiveDevice() const { return mAttributionAndPermissionUtils->isAutomotiveDevice(); } 366 isAutomotivePrivilegedClient(int32_t uid)367 bool isAutomotivePrivilegedClient(int32_t uid) const { 368 return mAttributionAndPermissionUtils->isAutomotivePrivilegedClient(uid); 369 } 370 isTrustedCallingUid(uid_t uid)371 bool isTrustedCallingUid(uid_t uid) const { 372 return mAttributionAndPermissionUtils->isTrustedCallingUid(uid); 373 } 374 isHeadlessSystemUserMode()375 bool isHeadlessSystemUserMode() const { 376 return mAttributionAndPermissionUtils->isHeadlessSystemUserMode(); 377 } 378 getUidForPackage(const std::string & packageName,int userId,uid_t & uid,int err)379 status_t getUidForPackage(const std::string& packageName, int userId, 380 /*inout*/ uid_t& uid, int err) const { 381 return mAttributionAndPermissionUtils->getUidForPackage(packageName, userId, uid, err); 382 } 383 getPackageNameFromUid(int clientUid)384 std::string getPackageNameFromUid(int clientUid) const { 385 return mAttributionAndPermissionUtils->getPackageNameFromUid(clientUid); 386 } 387 isCallerCameraServerNotDelegating()388 bool isCallerCameraServerNotDelegating() const { 389 return mAttributionAndPermissionUtils->isCallerCameraServerNotDelegating(); 390 } 391 }; 392 393 } // namespace android 394 395 #endif // ANDROID_SERVERS_CAMERA_ATTRIBUTION_AND_PERMISSION_UTILS_H 396