Grant notification Uri permissions as sending app.

For security reasons, the system UID can't make URI permission as
itself; it always needs to do so on behalf of a specific app. To
handle this, we grant notification Uri permissions as the UID that
sent a given notification.

To give meaningful debug messages to developers, check to see if the
caller has permissions to grant Uri access when they're enqueuing
a notification. If they're targeting P, throw any security issues
back at the caller; if older SDK, log and ignore that Uri.

Since multiple notifications can grant access to the same content,
we need unique UriPermissionOwner per active notification. For
example, consider these two notifications:

1. sound=content://sound, image=content://image1
2. sound=content://sound, image=content://image2

When #1 is cancelled, we still need to keep the content://sound
grant active until #2 is also cancelled. Using unique owners
means that ActivityManagerService tracks reference counting on
our behalf.

Optimizations to avoid allocations in hot code paths.

Test: atest frameworks/base/services/tests/uiservicestests/src/com/android/server/notification
Bug: 9069730
Change-Id: I69601793538adcbf06c4986a2fb1ea2dd9d876eb
diff --git a/services/tests/uiservicestests/AndroidManifest.xml b/services/tests/uiservicestests/AndroidManifest.xml
index 4c70466..aa3135f 100644
--- a/services/tests/uiservicestests/AndroidManifest.xml
+++ b/services/tests/uiservicestests/AndroidManifest.xml
@@ -28,6 +28,7 @@
<uses-permission android:name="android.permission.ACCESS_VOICE_INTERACTION_SERVICE" />
<uses-permission android:name="android.permission.DEVICE_POWER" />
<uses-permission android:name="android.permission.ACCESS_CONTENT_PROVIDERS_EXTERNALLY" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<application android:debuggable="true">
<uses-library android:name="android.test.runner" />
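Review bot: The added `WRITE_EXTERNAL_STORAGE` line in the test manifest carries no explanation, and the commit message never mentions external storage, so a later reader cannot tell which test depends on it or whether it can be dropped. Please add a short XML comment above the `<uses-permission>` line naming the test case that needs it and why (for example, if it exists so the test package can legitimately grant a Uri it then attaches to a notification). Since this package already holds `ACCESS_CONTENT_PROVIDERS_EXTERNALLY`, it is also worth confirming that the new grant-check tests include a case where the caller lacks access to the Uri, so the "throw for P, log and ignore for older SDK" behaviour described in the message is exercised and not masked by the test package's broad permissions.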