Add attributionTag to audio-recordings
... by replacing packageName/uid/pid by the Identity class.
This allows us to track which parts of the app trigger audio-recordings.
90% of the code is just sending around the additional parameters.
This adds it for the Java and native API.
Test: atest CtsAppOpsTestCases
CtsNativeMediaAAudioTestCases
Fixes: 160150145
Change-Id: Ibd7b884f7fcd4668a4e27f997e59cfc3217a9e89
diff --git a/media/utils/Android.bp b/media/utils/Android.bp
index ec77bd0..26cdc3a 100644
--- a/media/utils/Android.bp
+++ b/media/utils/Android.bp
@@ -39,6 +39,7 @@
"libc_malloc_debug_backtrace",
],
shared_libs: [
+ "libaudioclient_aidl_conversion",
"libaudioutils", // for clock.h
"libbinder",
"libcutils",
@@ -47,6 +48,7 @@
"libhidlbase",
"android.hardware.graphics.bufferqueue@1.0",
"android.hidl.token@1.0-utils",
+ "media_permission-aidl-cpp",
],
logtags: ["EventLogTags.logtags"],
@@ -62,6 +64,10 @@
"libmedia_headers",
],
+ export_shared_lib_headers: [
+ "media_permission-aidl-cpp"
+ ],
+
include_dirs: [
// For DEBUGGER_SIGNAL
"system/core/debuggerd/include",
diff --git a/media/utils/ServiceUtilities.cpp b/media/utils/ServiceUtilities.cpp
index 2c8a452..e2e1043 100644
--- a/media/utils/ServiceUtilities.cpp
+++ b/media/utils/ServiceUtilities.cpp
@@ -23,6 +23,9 @@
#include <binder/PermissionCache.h>
#include "mediautils/ServiceUtilities.h"
#include <system/audio-hal-enums.h>
+#include <media/AidlConversion.h>
+#include <media/AidlConversionUtil.h>
+#include <android/media/permission/Identity.h>
#include <iterator>
#include <algorithm>
@@ -37,14 +40,16 @@
namespace android {
+using media::permission::Identity;
+
static const String16 sAndroidPermissionRecordAudio("android.permission.RECORD_AUDIO");
static const String16 sModifyPhoneState("android.permission.MODIFY_PHONE_STATE");
static const String16 sModifyAudioRouting("android.permission.MODIFY_AUDIO_ROUTING");
static String16 resolveCallingPackage(PermissionController& permissionController,
- const String16& opPackageName, uid_t uid) {
- if (opPackageName.size() > 0) {
- return opPackageName;
+ const std::optional<String16> opPackageName, uid_t uid) {
+ if (opPackageName.has_value() && opPackageName.value().size() > 0) {
+ return opPackageName.value();
}
// In some cases the calling code has no access to the package it runs under.
// For example, code using the wilhelm framework's OpenSL-ES APIs. In this
@@ -57,7 +62,7 @@
permissionController.getPackagesForUid(uid, packages);
if (packages.isEmpty()) {
ALOGE("No packages for uid %d", uid);
- return opPackageName; // empty string
+ return String16();
}
return packages[0];
}
@@ -74,47 +79,52 @@
}
}
-static bool checkRecordingInternal(const String16& opPackageName, pid_t pid,
- uid_t uid, bool start, audio_source_t source) {
+static bool checkRecordingInternal(const Identity& identity, const String16& msg,
+ bool start, audio_source_t source) {
// Okay to not track in app ops as audio server or media server is us and if
// device is rooted security model is considered compromised.
// system_server loses its RECORD_AUDIO permission when a secondary
// user is active, but it is a core system service so let it through.
// TODO(b/141210120): UserManager.DISALLOW_RECORD_AUDIO should not affect system user 0
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
if (isAudioServerOrMediaServerOrSystemServerOrRootUid(uid)) return true;
// We specify a pid and uid here as mediaserver (aka MediaRecorder or StageFrightRecorder)
// may open a record track on behalf of a client. Note that pid may be a tid.
// IMPORTANT: DON'T USE PermissionCache - RUNTIME PERMISSIONS CHANGE.
PermissionController permissionController;
- const bool ok = permissionController.checkPermission(sAndroidPermissionRecordAudio, pid, uid);
+ const bool ok = permissionController.checkPermission(sAndroidPermissionRecordAudio,
+ identity.pid, identity.uid);
if (!ok) {
ALOGE("Request requires %s", String8(sAndroidPermissionRecordAudio).c_str());
return false;
}
String16 resolvedOpPackageName = resolveCallingPackage(
- permissionController, opPackageName, uid);
+ permissionController, VALUE_OR_FATAL(aidl2legacy_string_view_String16(
+ identity.packageName.value_or(""))), uid);
if (resolvedOpPackageName.size() == 0) {
return false;
}
+
AppOpsManager appOps;
const int32_t op = getOpForSource(source);
if (start) {
- if (int32_t mode = appOps.startOpNoThrow(
- op, uid, resolvedOpPackageName, /*startIfModeDefault*/ false);
- mode != AppOpsManager::MODE_ALLOWED) {
+ if (int32_t mode = appOps.startOpNoThrow(op, identity.uid,
+ resolvedOpPackageName, /*startIfModeDefault*/ false,
+ VALUE_OR_FATAL(aidl2legacy_optional_string_view_optional_String16(
+ identity.attributionTag)), msg) != AppOpsManager::MODE_ALLOWED) {
ALOGE("Request start for \"%s\" (uid %d) denied by app op: %d, mode: %d",
- String8(resolvedOpPackageName).c_str(), uid, op, mode);
+ String8(resolvedOpPackageName).c_str(), identity.uid, op, mode);
return false;
}
} else {
// Always use OP_RECORD_AUDIO for checks at creation time.
- if (int32_t mode = appOps.checkOp(op, uid, resolvedOpPackageName);
- mode != AppOpsManager::MODE_ALLOWED) {
+ if (int32_t mode = appOps.checkOp(op, uid,
+ resolvedOpPackageName) != AppOpsManager::MODE_ALLOWED) {
ALOGE("Request check for \"%s\" (uid %d) denied by app op: %d, mode: %d",
- String8(resolvedOpPackageName).c_str(), uid, op, mode);
+ String8(resolvedOpPackageName).c_str(), identity.uid, op, mode);
return false;
}
}
@@ -122,22 +132,25 @@
return true;
}
-bool recordingAllowed(const String16& opPackageName, pid_t pid, uid_t uid) {
- return checkRecordingInternal(opPackageName, pid, uid, /*start*/ false, AUDIO_SOURCE_DEFAULT);
+bool recordingAllowed(const Identity& identity) {
+ return checkRecordingInternal(identity, String16(), /*start*/ false, AUDIO_SOURCE_DEFAULT);
}
-bool startRecording(const String16& opPackageName, pid_t pid, uid_t uid, audio_source_t source) {
- return checkRecordingInternal(opPackageName, pid, uid, /*start*/ true, source);
+bool startRecording(const Identity& identity, const String16& msg, audio_source_t source) {
+ return checkRecordingInternal(identity, msg, /*start*/ true, source);
}
-void finishRecording(const String16& opPackageName, uid_t uid, audio_source_t source) {
+void finishRecording(const Identity& identity, audio_source_t source) {
// Okay to not track in app ops as audio server is us and if
// device is rooted security model is considered compromised.
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
if (isAudioServerOrRootUid(uid)) return;
PermissionController permissionController;
String16 resolvedOpPackageName = resolveCallingPackage(
- permissionController, opPackageName, uid);
+ permissionController,
+ VALUE_OR_FATAL(aidl2legacy_string_view_String16(identity.packageName.value_or(""))),
+ VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid)));
if (resolvedOpPackageName.size() == 0) {
return;
}
@@ -145,10 +158,14 @@
AppOpsManager appOps;
const int32_t op = getOpForSource(source);
- appOps.finishOp(op, uid, resolvedOpPackageName);
+ appOps.finishOp(op, identity.uid, resolvedOpPackageName,
+ VALUE_OR_FATAL(aidl2legacy_optional_string_view_optional_String16(
+ identity.attributionTag)));
}
-bool captureAudioOutputAllowed(pid_t pid, uid_t uid) {
+bool captureAudioOutputAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
if (isAudioServerOrRootUid(uid)) return true;
static const String16 sCaptureAudioOutput("android.permission.CAPTURE_AUDIO_OUTPUT");
bool ok = PermissionCache::checkPermission(sCaptureAudioOutput, pid, uid);
@@ -156,7 +173,9 @@
return ok;
}
-bool captureMediaOutputAllowed(pid_t pid, uid_t uid) {
+bool captureMediaOutputAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
if (isAudioServerOrRootUid(uid)) return true;
static const String16 sCaptureMediaOutput("android.permission.CAPTURE_MEDIA_OUTPUT");
bool ok = PermissionCache::checkPermission(sCaptureMediaOutput, pid, uid);
@@ -164,7 +183,9 @@
return ok;
}
-bool captureTunerAudioInputAllowed(pid_t pid, uid_t uid) {
+bool captureTunerAudioInputAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
if (isAudioServerOrRootUid(uid)) return true;
static const String16 sCaptureTunerAudioInput("android.permission.CAPTURE_TUNER_AUDIO_INPUT");
bool ok = PermissionCache::checkPermission(sCaptureTunerAudioInput, pid, uid);
@@ -172,7 +193,9 @@
return ok;
}
-bool captureVoiceCommunicationOutputAllowed(pid_t pid, uid_t uid) {
+bool captureVoiceCommunicationOutputAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ uid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
if (isAudioServerOrRootUid(uid)) return true;
static const String16 sCaptureVoiceCommOutput(
"android.permission.CAPTURE_VOICE_COMMUNICATION_OUTPUT");
@@ -181,9 +204,11 @@
return ok;
}
-bool captureHotwordAllowed(const String16& opPackageName, pid_t pid, uid_t uid) {
+bool captureHotwordAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ uid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
// CAPTURE_AUDIO_HOTWORD permission implies RECORD_AUDIO permission
- bool ok = recordingAllowed(opPackageName, pid, uid);
+ bool ok = recordingAllowed(identity);
if (ok) {
static const String16 sCaptureHotwordAllowed("android.permission.CAPTURE_AUDIO_HOTWORD");
@@ -205,11 +230,12 @@
}
bool modifyAudioRoutingAllowed() {
- return modifyAudioRoutingAllowed(
- IPCThreadState::self()->getCallingPid(), IPCThreadState::self()->getCallingUid());
+ return modifyAudioRoutingAllowed(getCallingIdentity());
}
-bool modifyAudioRoutingAllowed(pid_t pid, uid_t uid) {
+bool modifyAudioRoutingAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
if (isAudioServerUid(IPCThreadState::self()->getCallingUid())) return true;
// IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
bool ok = PermissionCache::checkPermission(sModifyAudioRouting, pid, uid);
@@ -219,11 +245,12 @@
}
bool modifyDefaultAudioEffectsAllowed() {
- return modifyDefaultAudioEffectsAllowed(
- IPCThreadState::self()->getCallingPid(), IPCThreadState::self()->getCallingUid());
+ return modifyDefaultAudioEffectsAllowed(getCallingIdentity());
}
-bool modifyDefaultAudioEffectsAllowed(pid_t pid, uid_t uid) {
+bool modifyDefaultAudioEffectsAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
if (isAudioServerUid(IPCThreadState::self()->getCallingUid())) return true;
static const String16 sModifyDefaultAudioEffectsAllowed(
@@ -244,14 +271,18 @@
return ok;
}
-bool modifyPhoneStateAllowed(pid_t pid, uid_t uid) {
+bool modifyPhoneStateAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
bool ok = PermissionCache::checkPermission(sModifyPhoneState, pid, uid);
ALOGE_IF(!ok, "Request requires %s", String8(sModifyPhoneState).c_str());
return ok;
}
// privileged behavior needed by Dialer, Settings, SetupWizard and CellBroadcastReceiver
-bool bypassInterruptionPolicyAllowed(pid_t pid, uid_t uid) {
+bool bypassInterruptionPolicyAllowed(const Identity& identity) {
+ uid_t uid = VALUE_OR_FATAL(aidl2legacy_int32_t_uid_t(identity.uid));
+ pid_t pid = VALUE_OR_FATAL(aidl2legacy_int32_t_pid_t(identity.pid));
static const String16 sWriteSecureSettings("android.permission.WRITE_SECURE_SETTINGS");
bool ok = PermissionCache::checkPermission(sModifyPhoneState, pid, uid)
|| PermissionCache::checkPermission(sWriteSecureSettings, pid, uid)
@@ -261,6 +292,13 @@
return ok;
}
+Identity getCallingIdentity() {
+ Identity identity = Identity();
+ identity.pid = VALUE_OR_FATAL(legacy2aidl_pid_t_int32_t(IPCThreadState::self()->getCallingPid()));
+ identity.uid = VALUE_OR_FATAL(legacy2aidl_uid_t_int32_t(IPCThreadState::self()->getCallingUid()));
+ return identity;
+}
+
status_t checkIMemory(const sp<IMemory>& iMemory)
{
if (iMemory == 0) {
diff --git a/media/utils/fuzzers/Android.bp b/media/utils/fuzzers/Android.bp
index 80882b2..187ef7c 100644
--- a/media/utils/fuzzers/Android.bp
+++ b/media/utils/fuzzers/Android.bp
@@ -15,6 +15,7 @@
"liblog",
"libmediautils",
"libutils",
+ "media_permission-aidl-cpp",
],
cflags: [
diff --git a/media/utils/fuzzers/ServiceUtilitiesFuzz.cpp b/media/utils/fuzzers/ServiceUtilitiesFuzz.cpp
index f4c815c..2f9e780 100644
--- a/media/utils/fuzzers/ServiceUtilitiesFuzz.cpp
+++ b/media/utils/fuzzers/ServiceUtilitiesFuzz.cpp
@@ -19,12 +19,15 @@
#include <functional>
#include <type_traits>
+#include <android/media/permission/Identity.h>
#include "fuzzer/FuzzedDataProvider.h"
#include "mediautils/ServiceUtilities.h"
static constexpr int kMaxOperations = 50;
static constexpr int kMaxStringLen = 256;
+using android::media::permission::Identity;
+
const std::vector<std::function<void(FuzzedDataProvider*, android::MediaPackageManager)>>
operations = {
[](FuzzedDataProvider* data_provider, android::MediaPackageManager pm) -> void {
@@ -43,27 +46,33 @@
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
FuzzedDataProvider data_provider(data, size);
- uid_t uid = data_provider.ConsumeIntegral<uid_t>();
- pid_t pid = data_provider.ConsumeIntegral<pid_t>();
+ int32_t uid = data_provider.ConsumeIntegral<int32_t>();
+ int32_t pid = data_provider.ConsumeIntegral<int32_t>();
audio_source_t source = static_cast<audio_source_t>(data_provider
.ConsumeIntegral<std::underlying_type_t<audio_source_t>>());
+ std::string packageNameStr = data_provider.ConsumeRandomLengthString(kMaxStringLen);
+ std::string msgStr = data_provider.ConsumeRandomLengthString(kMaxStringLen);
+ android::String16 msgStr16(packageNameStr.c_str());
+ Identity identity;
+ identity.packageName = packageNameStr;
+ identity.uid = uid;
+ identity.pid = pid;
+
// There is not state here, and order is not significant,
// so we can simply call all of the target functions
android::isServiceUid(uid);
android::isAudioServerUid(uid);
android::isAudioServerOrSystemServerUid(uid);
android::isAudioServerOrMediaServerUid(uid);
- std::string packageNameStr = data_provider.ConsumeRandomLengthString(kMaxStringLen);
- android::String16 opPackageName(packageNameStr.c_str());
- android::recordingAllowed(opPackageName, pid, uid);
- android::startRecording(opPackageName, pid, uid, source);
- android::finishRecording(opPackageName, uid, source);
- android::captureAudioOutputAllowed(pid, uid);
- android::captureMediaOutputAllowed(pid, uid);
- android::captureHotwordAllowed(opPackageName, pid, uid);
- android::modifyPhoneStateAllowed(uid, pid);
- android::bypassInterruptionPolicyAllowed(uid, pid);
+ android::recordingAllowed(identity);
+ android::startRecording(identity, msgStr16, source);
+ android::finishRecording(identity, source);
+ android::captureAudioOutputAllowed(identity);
+ android::captureMediaOutputAllowed(identity);
+ android::captureHotwordAllowed(identity);
+ android::modifyPhoneStateAllowed(identity);
+ android::bypassInterruptionPolicyAllowed(identity);
android::settingsAllowed();
android::modifyAudioRoutingAllowed();
android::modifyDefaultAudioEffectsAllowed();
diff --git a/media/utils/include/mediautils/ServiceUtilities.h b/media/utils/include/mediautils/ServiceUtilities.h
index 03965db..9a3c6fb 100644
--- a/media/utils/include/mediautils/ServiceUtilities.h
+++ b/media/utils/include/mediautils/ServiceUtilities.h
@@ -25,6 +25,7 @@
#include <cutils/multiuser.h>
#include <private/android_filesystem_config.h>
#include <system/audio-hal-enums.h>
+#include <android/media/permission/Identity.h>
#include <map>
#include <optional>
@@ -79,22 +80,25 @@
}
}
-bool recordingAllowed(const String16& opPackageName, pid_t pid, uid_t uid);
-bool startRecording(const String16& opPackageName, pid_t pid, uid_t uid, audio_source_t source);
-void finishRecording(const String16& opPackageName, uid_t uid, audio_source_t source);
-bool captureAudioOutputAllowed(pid_t pid, uid_t uid);
-bool captureMediaOutputAllowed(pid_t pid, uid_t uid);
-bool captureTunerAudioInputAllowed(pid_t pid, uid_t uid);
-bool captureVoiceCommunicationOutputAllowed(pid_t pid, uid_t uid);
-bool captureHotwordAllowed(const String16& opPackageName, pid_t pid, uid_t uid);
+bool recordingAllowed(const media::permission::Identity& identity);
+bool startRecording(const media::permission::Identity& identity,
+ const String16& msg, audio_source_t source);
+void finishRecording(const media::permission::Identity& identity, audio_source_t source);
+bool captureAudioOutputAllowed(const media::permission::Identity& identity);
+bool captureMediaOutputAllowed(const media::permission::Identity& identity);
+bool captureTunerAudioInputAllowed(const media::permission::Identity& identity);
+bool captureVoiceCommunicationOutputAllowed(const media::permission::Identity& identity);
+bool captureHotwordAllowed(const media::permission::Identity& identity);
bool settingsAllowed();
bool modifyAudioRoutingAllowed();
-bool modifyAudioRoutingAllowed(pid_t pid, uid_t uid);
+bool modifyAudioRoutingAllowed(const media::permission::Identity& identity);
bool modifyDefaultAudioEffectsAllowed();
-bool modifyDefaultAudioEffectsAllowed(pid_t pid, uid_t uid);
+bool modifyDefaultAudioEffectsAllowed(const media::permission::Identity& identity);
bool dumpAllowed();
-bool modifyPhoneStateAllowed(pid_t pid, uid_t uid);
-bool bypassInterruptionPolicyAllowed(pid_t pid, uid_t uid);
+bool modifyPhoneStateAllowed(const media::permission::Identity& identity);
+bool bypassInterruptionPolicyAllowed(const media::permission::Identity& identity);
+
+media::permission::Identity getCallingIdentity();
status_t checkIMemory(const sp<IMemory>& iMemory);