Add permission to NetworkStackService

Require a permission to bind to NetworkStackService.
INetworkStackConnector already has permission (UID) checks on all calls
to the service, but callers should not even be able to bind to it.

The MAINLINE_NETWORK_STACK permission is appropriate as it is only held
by the network stack module. Only the system server (which is considered
as holding all permissions) and other network stack components should be
allowed to bind to the network stack service. Bluetooth gets the
connector through the ServiceManager and does not need to bind to it.

Bug: 139720667
Test: Flashed, booted, WiFi and bluetooth reverse tethering working.
Test: Also the above with a Go target (InProcessNetworkStack)
Test: atest FrameworksNetTests NetworkStackTests
Test: atest NetworkStackIntegrationTests
Change-Id: I5db6de782626e8ff2914e5840d3f8582e53ec9c2

1 files changed, 3 insertions, 1 deletions

diff --git a/AndroidManifest_InProcess.xml b/AndroidManifest_InProcess.xml
index 2778a2a5..723df09f 100644
--- a/AndroidManifest_InProcess.xml
+++ b/AndroidManifest_InProcess.xml
@@ -22,7 +22,9 @@
           android:process="system">
     <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="28" />
     <application>
-        <service android:name="com.android.server.NetworkStackService" android:process="system">
+        <service android:name="com.android.server.NetworkStackService"
+                 android:process="system"
+                 android:permission="android.permission.MAINLINE_NETWORK_STACK">
             <intent-filter>
                 <action android:name="android.net.INetworkStackConnector.InProcess"/>
             </intent-filter>