authorJack Yu <jackcwyu@google.com>2020-04-14 20:56:49 +0800
committerJack Yu <jackcwyu@google.com>2020-04-22 03:34:19 +0000
commit489369c42922b715d1c1984b33f167beeea94811 (patch)
tree854d8d44e396f398e7b223aa2c7c9c18dc72ca15
parent054af27cabc214a987804bc4be0e970896e8a002 (diff)
OpenBasicChannel with UICC should not be allowed for non-privilege apps
Throw exception in setUpChannelAccess if this is not a privilege app. Bug: 153934978 Test: atest CtsOmapiTestCases Merged-In: Id39bcad679e856370b985bb77ca77aaadc84c7a0 Change-Id: Id39bcad679e856370b985bb77ca77aaadc84c7a0
-rw-r--r--src/com/android/se/Terminal.java17
1 files changed, 11 insertions, 6 deletions
diff --git a/src/com/android/se/Terminal.java b/src/com/android/se/Terminal.java
index 69b8368..fb507e0 100644
--- a/src/com/android/se/Terminal.java
+++ b/src/com/android/se/Terminal.java
@@ -406,7 +406,9 @@ public class Terminal {
mName,
packageName);
try {
- channelAccess = setUpChannelAccess(aid, packageName, pid);
+ // For application without privilege permission or carrier privilege,
+ // openBasicChannel with UICC terminals should be rejected.
+ channelAccess = setUpChannelAccess(aid, packageName, pid, true);
} catch (MissingResourceException e) {
return null;
}
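Review bot: The rejection this call site now opts into is silent, because the `catch (MissingResourceException e)` right after the call returns null without logging, and the exception added in the last hunk (`new MissingResourceException("openBasicChannel is not allowed.", "", "")`) carries no package name or pid. A denied non-privileged caller therefore looks the same as whatever else raises MissingResourceException on this path, both to the app and to anyone reading the logs afterwards. Consider logging at the throw site before raising, e.g. `Log.w(mTag, "openBasicChannel denied for non-privileged package " + packageName);`, so that access-control denials on the basic channel can be audited. The enclosing method starts and ends outside this hunk.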
@@ -493,7 +495,7 @@ public class Terminal {
mName,
packageName);
try {
- channelAccess = setUpChannelAccess(aid, packageName, pid);
+ channelAccess = setUpChannelAccess(aid, packageName, pid, false);
} catch (MissingResourceException e) {
return null;
}
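Review bot: The bare `false` on this call gives no hint that it switches off an access-control rejection, while the matching call in the first hunk is commented. An inline argument comment would make the two call sites hard to mix up: `channelAccess = setUpChannelAccess(aid, packageName, pid, /* isBasicChannel= */ false);`. The enclosing method is not visible in this hunk.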
@@ -699,8 +701,8 @@ public class Terminal {
/**
* Initialize the Access Control and set up the channel access.
*/
- private ChannelAccess setUpChannelAccess(byte[] aid, String packageName, int pid)
- throws IOException, MissingResourceException {
+ private ChannelAccess setUpChannelAccess(byte[] aid, String packageName, int pid,
+ boolean isBasicChannel) throws IOException, MissingResourceException {
boolean checkRefreshTag = true;
if (isPrivilegedApplication(packageName)) {
return ChannelAccess.getPrivilegeAccess(packageName, pid);
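Review bot: The Javadoc above the signature is unchanged although the method gained `isBasicChannel` and a new way to fail. Add `@param isBasicChannel true when the caller is opening the basic channel` and `@throws MissingResourceException if isBasicChannel is true and the caller has neither privileged nor carrier-privilege access` (alongside whatever conditions already raise it). The rejection in the last hunk sits inside a block whose condition is outside the visible lines, so the doc should also state which terminals it applies to; the commit message says UICC. Separately, `checkRefreshTag` is no longer reassigned in the visible hunks, so if its remaining use further down is unchanged it could be declared `final` or inlined. The method body continues outside this hunk.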
@@ -723,17 +725,20 @@ public class Terminal {
if (pm != null) {
PackageInfo pkgInfo =
pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
- if (mAccessControlEnforcer.checkCarrierPrivilege(pkgInfo, checkRefreshTag)) {
+ // Do not check the refresh tag for carrier privilege
+ if (mAccessControlEnforcer.checkCarrierPrivilege(pkgInfo, false)) {
Log.i(mTag, "setUp PrivilegeAccess for CarrierPrivilegeApplication. ");
return ChannelAccess.getCarrierPrivilegeAccess(packageName, pid);
}
- checkRefreshTag = false;
}
} catch (NameNotFoundException ne) {
Log.e(mTag, "checkCarrierPrivilege(): packageInfo is not found. ");
} catch (Exception e) {
Log.e(mTag, "checkCarrierPrivilege() Exception: " + e.getMessage());
}
+ if (isBasicChannel) {
+ throw new MissingResourceException("openBasicChannel is not allowed.", "", "");
+ }
}
synchronized (mLock) {