1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <android/content/AttributionSourceState.h>
20 #include <android/permission/IPermissionChecker.h>
21 
22 #include <utils/threads.h>
23 
24 #include <optional>
25 
26 #ifdef __ANDROID_VNDK__
27 #error "This header is not visible to vendors"
28 #endif
29 
30 // ---------------------------------------------------------------------------
31 namespace android {
32 
33 namespace permission {
34 
35 using android::content::AttributionSourceState;
36 using android::permission::IPermissionChecker;
37 
38 class PermissionChecker
39 {
40 public:
41 
42     enum PermissionResult {
43 
44         /**
45          * The permission is granted.
46          */
47         PERMISSION_GRANTED = IPermissionChecker::PERMISSION_GRANTED,
48 
49         /**
50          * The permission is denied. Applicable only to runtime and app op permissions.
51          *
52          * Returned when:
53          *   - the runtime permission is granted, but the corresponding app op is denied
54          *       for runtime permissions.
55          *   - the app ops is ignored for app op permissions.
56          *
57          */
58         PERMISSION_SOFT_DENIED = IPermissionChecker::PERMISSION_SOFT_DENIED,
59 
60         /**
61          * The permission is denied.
62          *
63          * Returned when:
64          *  - the permission is denied for non app op permissions.
65          *  - the app op is denied or app op is AppOpsManager#MODE_DEFAULT and permission is denied.
66          */
67         PERMISSION_HARD_DENIED = IPermissionChecker::PERMISSION_HARD_DENIED
68     };
69 
70     PermissionChecker();
71 
72     /**
73      * Checks whether a given data access chain described by the given attribution source
74      * has a given permission and whether the app op that corresponds to this permission
75      * is allowed. Call this method if you are the datasource which would not blame you for
76      * access to the data since you are the data.  Use this API if you are the datasource of
77      * the protected state.
78      *
79      * NOTE: The attribution source should be for yourself with its next attribution
80      * source being the app that would receive the data from you.
81      *
82      * NOTE: Use this method only for permission checks at the point where you will deliver
83      * the permission protected data to clients.
84      *
85      * @param permission The permission to check.
86      * @param attributionSource The attribution chain to check.
87      * @param message A message describing the reason the permission was checked.
88      * @param attributedOpCode The op code towards which to blame the access. If this
89      *     is a valid app op the op corresponding to the checked permission (if such)
90      *     would only be checked to ensure it is allowed and if that succeeds the
91      *     noting would be against the attributed op.
92      * @return The permission check result which is either PERMISSION_GRANTED,
93      *     or PERMISSION_SOFT_DENIED or PERMISSION_HARD_DENIED.
94      */
95     PermissionChecker::PermissionResult checkPermissionForDataDeliveryFromDatasource(
96             const String16& permission, const AttributionSourceState& attributionSource,
97             const String16& message, int32_t attributedOpCode);
98 
99    /**
100      * Checks whether a given data access chain described by the given attribution source
101      * has a given permission and whether the app op that corresponds to this permission
102      * is allowed. The app ops are not noted/started.
103      *
104      * NOTE: Use this method only for permission checks at the preflight point where you
105      * will not deliver the permission protected data to clients but schedule permission
106      * data delivery, apps register listeners, etc.
107      *
108      * @param permission The permission to check.
109      * @param attributionSource The attribution chain to check.
110      * @param message A message describing the reason the permission was checked.
111      * @param attributedOpCode The op code towards which to blame the access. If this
112      *     is a valid app op the op corresponding to the checked permission (if such)
113      *     would only be checked to ensure it is allowed and if that succeeds the
114      *     starting would be against the attributed op.
115      * @return The permission check result which is either PERMISSION_GRANTED,
116      *     or PERMISSION_SOFT_DENIED or PERMISSION_HARD_DENIED.
117      */
118     PermissionResult checkPermissionForPreflight(
119             const String16& permission, const AttributionSourceState& attributionSource,
120             const String16& message, int32_t attributedOpCode);
121 
122    /**
123      * Checks whether a given data access chain described by the given attribution source
124      * has a given permission and whether the app op that corresponds to this permission
125      * is allowed. The app ops are not noted/started.
126      *
127      * NOTE: The attribution source should be for yourself with its next attribution
128      * source being the app that would receive the data from you.
129      *
130      * NOTE: Use this method only for permission checks at the preflight point where you
131      * will not deliver the permission protected data to clients but schedule permission
132      * data delivery, apps register listeners, etc.
133      *
134      * @param permission The permission to check.
135      * @param attributionSource The attribution chain to check.
136      * @param message A message describing the reason the permission was checked.
137      * @param attributedOpCode The op code towards which to blame the access. If this
138      *     is a valid app op the op corresponding to the checked permission (if such)
139      *     would only be checked to ensure it is allowed and if that succeeds the
140      *     starting would be against the attributed op.
141      * @return The permission check result which is either PERMISSION_GRANTED,
142      *     or PERMISSION_SOFT_DENIED or PERMISSION_HARD_DENIED.
143      */
144     PermissionResult checkPermissionForPreflightFromDatasource(
145             const String16& permission, const AttributionSourceState& attributionSource,
146             const String16& message, int32_t attributedOpCode);
147 
148    /**
149      * Checks whether a given data access chain described by the given attribution source
150      * has a given permission and whether the app op that corresponds to this permission
151      * is allowed. The app ops are also marked as started. This is useful for long running
152      * permissions like camera and microphone. Use this API if you are the datasource of
153      * the protected state.
154      *
155      * NOTE: The attribution source should be for yourself with its next attribution
156      * source being the app that would receive the data from you.
157      *
158      * NOTE: Use this method only for permission checks at the point where you will deliver
159      * the permission protected data to clients.
160      *
161      * @param permission The permission to check.
162      * @param attributionSource The attribution chain to check.
163      * @param message A message describing the reason the permission was checked.
164      * @param attributedOpCode The op code towards which to blame the access. If this
165      *     is a valid app op the op corresponding to the checked permission (if such)
166      *     would only be checked to ensure it is allowed and if that succeeds the
167      *     starting would be against the attributed op.
168      * @return The permission check result which is either PERMISSION_GRANTED,
169      *     or PERMISSION_SOFT_DENIED or PERMISSION_HARD_DENIED.
170      */
171     PermissionResult checkPermissionForStartDataDeliveryFromDatasource(
172             const String16& permission, const AttributionSourceState& attributionSource,
173             const String16& message, int32_t attributedOpCode);
174 
175     /**
176      * Finishes an ongoing op for data access chain described by the given
177      * attribution source. Use this API if you are the datasource of the protected
178      * state. Use this API if you are the datasource of the protected state.
179      *
180      * NOTE: The attribution source should be for yourself with its next attribution
181      * source being the app that would receive the data from you.
182      *
183      * @param op The op to finish.
184      * @param attributionSource The attribution chain for which to finish data delivery.
185      * @param attributedOpCode The op code towards which to blame the access. If this
186      *     is a valid app op it is the op that would be finished.
187      */
188     void finishDataDeliveryFromDatasource(int32_t op,
189             const AttributionSourceState& attributionSource);
190 
191 private:
192     Mutex mLock;
193     sp<IPermissionChecker> mService;
194     sp<IPermissionChecker> getService();
195 
196     PermissionResult checkPermission(const String16& permission,
197             const AttributionSourceState& attributionSource,
198             const String16& message, bool forDataDelivery, bool startDataDelivery,
199             bool fromDatasource, int32_t attributedOpCode);
200 };
201 
202 } // namespace permission
203 
204 } // namespace android
205 
206 // ---------------------------------------------------------------------------
207