author | Chad Brubaker <cbrubaker@google.com> | 2018-04-13 16:18:11 -0700 |
---|---|---|
committer | Chad Brubaker <cbrubaker@google.com> | 2018-04-13 17:04:43 -0700 |
commit | 49eff81262c3b85a1640d01e202a8067eae5be68 (patch) | |
tree | 5218794c49a34c60f44578aa8d472b2ecb6e450b | |
parent | a2b909b2f5a1d2f25f5b8ad810b49f56123999e6 (diff) | |
Use the network security config's cleartext settings
Previously DownloadManager only respected the manifest attribute. This
change makes DownloadManager handle both the manifest and the network
security config.
Change-Id: I5666a1eea6278acc3864620a0e5a4c3ae37635b8
Fixes: 78028215
Test: atest CtsNetSecConfigDownloadManagerTestCases
4 files changed, 14 insertions, 36 deletions
diff --git a/src/com/android/providers/downloads/DownloadThread.java b/src/com/android/providers/downloads/DownloadThread.java
index fc00fdad..54cc1a5d 100644
--- a/src/com/android/providers/downloads/DownloadThread.java
+++ b/src/com/android/providers/downloads/DownloadThread.java
@@ -421,7 +421,8 @@ public class DownloadThread extends Thread { throw new StopRequestException(STATUS_BAD_REQUEST, e); } - boolean cleartextTrafficPermitted = mSystemFacade.isCleartextTrafficPermitted(mInfo.mUid); + boolean cleartextTrafficPermitted + = mSystemFacade.isCleartextTrafficPermitted(mInfo.mPackage, url.getHost()); SSLContext appContext; try { appContext = mSystemFacade.getSSLContextForPackage(mContext, mInfo.mPackage);
@@ -435,7 +436,7 @@ public class DownloadThread extends Thread { // because of HTTP redirects which can change the protocol between HTTP and HTTPS. if ((!cleartextTrafficPermitted) && ("http".equalsIgnoreCase(url.getProtocol()))) { throw new StopRequestException(STATUS_BAD_REQUEST, - "Cleartext traffic not permitted for UID " + mInfo.mUid + ": " + "Cleartext traffic not permitted for package " + mInfo.mPackage + ": " + Uri.parse(url.toString()).toSafeString()); }
diff --git a/src/com/android/providers/downloads/RealSystemFacade.java b/src/com/android/providers/downloads/RealSystemFacade.java
index 9d07999b..a0ce92c3 100644
--- a/src/com/android/providers/downloads/RealSystemFacade.java
+++ b/src/com/android/providers/downloads/RealSystemFacade.java
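Review bot: In the first DownloadThread.java hunk, `cleartextTrafficPermitted` becomes a per-host answer that is computed once from the initial `url.getHost()`, yet the comment above the check in the second hunk says that check exists because HTTP redirects change the URL being fetched. If the check sits inside the redirect loop, as that comment suggests, a redirect to a different host is still judged by the first host's policy, so a domain-specific cleartext rule in the network security config would not apply to the redirect target. Querying the policy at the check for the current URL avoids that: `if ("http".equalsIgnoreCase(url.getProtocol()) && !mSystemFacade.isCleartextTrafficPermitted(mInfo.mPackage, url.getHost())) {`, after which the early local can be dropped. The enclosing method starts and ends outside both hunks, so the loop structure is inferred from the comment and should be confirmed.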
@@ -90,25 +90,6 @@ class RealSystemFacade implements SystemFacade { } @Override - public boolean isCleartextTrafficPermitted(int uid) { - PackageManager packageManager = mContext.getPackageManager(); - String[] packageNames = packageManager.getPackagesForUid(uid); - if (ArrayUtils.isEmpty(packageNames)) { - // Unknown UID -- fail safe: cleartext traffic not permitted - return false; - } - - // Cleartext traffic is permitted from the UID if it's permitted for any of the packages - // belonging to that UID. - for (String packageName : packageNames) { - if (isCleartextTrafficPermitted(packageName)) { - return true; - } - } - return false; - } - - @Override public SSLContext getSSLContextForPackage(Context context, String packageName) throws GeneralSecurityException { ApplicationConfig appConfig; 
@@ -124,22 +105,17 @@ class RealSystemFacade implements SystemFacade { } /** - * Returns whether cleartext network traffic (HTTP) is permitted for the provided package. + * Returns whether cleartext network traffic (HTTP) is permitted for the provided package to + * {@code host}. */ - private boolean isCleartextTrafficPermitted(String packageName) { - PackageManager packageManager = mContext.getPackageManager(); - PackageInfo packageInfo; + public boolean isCleartextTrafficPermitted(String packageName, String host) { + ApplicationConfig appConfig; try { - packageInfo = packageManager.getPackageInfo(packageName, 0); + appConfig = NetworkSecurityPolicy.getApplicationConfigForPackage(mContext, packageName); } catch (NameNotFoundException e) { - // Unknown package -- fail safe: cleartext traffic not permitted - return false; - } - ApplicationInfo applicationInfo = packageInfo.applicationInfo; - if (applicationInfo == null) { - // No app info -- fail safe: cleartext traffic not permitted + // Unknown package -- fail for safety return false; } - return (applicationInfo.flags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0; + return appConfig.isCleartextTrafficPermitted(host); } }
diff --git a/src/com/android/providers/downloads/SystemFacade.java b/src/com/android/providers/downloads/SystemFacade.java
index 788ead64..14002a15 100644
--- a/src/com/android/providers/downloads/SystemFacade.java
+++ b/src/com/android/providers/downloads/SystemFacade.java
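Review bot: The method made public in this RealSystemFacade.java hunk now implements `SystemFacade.isCleartextTrafficPermitted(String, String)` but carries no `@Override`, whereas the removed UID overload and the `FakeSystemFacade` version in this commit both have one. Add `@Override` between the Javadoc and the signature so the compiler ties this security check to the interface declaration. The Javadoc could also state that an unknown package yields `false`, which at present is only visible in the catch block's comment.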
@@ -63,9 +63,10 @@ interface SystemFacade { public boolean userOwnsPackage(int uid, String pckg) throws NameNotFoundException; /** - * Returns true if cleartext network traffic is permitted for the specified UID. + * Returns true if cleartext network traffic is permitted from {@code packageName} to + * {@code host}. */ - public boolean isCleartextTrafficPermitted(int uid); + public boolean isCleartextTrafficPermitted(String packageName, String host); /** * Return a {@link SSLContext} configured using the specified package's configuration.
diff --git a/tests/src/com/android/providers/downloads/FakeSystemFacade.java b/tests/src/com/android/providers/downloads/FakeSystemFacade.java
index 7087ce6d..f381bd8a 100644
--- a/tests/src/com/android/providers/downloads/FakeSystemFacade.java
+++ b/tests/src/com/android/providers/downloads/FakeSystemFacade.java
@@ -133,7 +133,7 @@ public class FakeSystemFacade implements SystemFacade { } @Override - public boolean isCleartextTrafficPermitted(int uid) { + public boolean isCleartextTrafficPermitted(String packageName, String hostname) { return mCleartextTrafficPermitted; } |
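Review bot: The new Javadoc on `isCleartextTrafficPermitted(String packageName, String host)` in SystemFacade.java does not record the trust assumption that the signature change introduces: the decision used to be keyed on the download's UID and is now keyed on a package-name string. I would extend the comment with something like `Callers must pass a package already verified to belong to the requesting UID (see userOwnsPackage); returns false for an unknown package.` Whether `mInfo.mPackage` is verified that way when the download record is created is not visible in this diff and is worth confirming, because the cleartext policy applied is now whatever that package's config says.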