From e48fce6da7bd839d70cbf69abb2780c6d30ea7f6 Mon Sep 17 00:00:00 2001
From: Steve Kondik
Date: Wed, 12 Jun 2013 00:47:55 -0700
Subject: framework: Privacy Guard
* Introduce a new privacy feature which allows the user to run an application with reduced visibility into his or her personal data.
* Adds a per-application flag and simple API to determine if this flag is enabled for the current or calling process.
* This flag can be used by content providers to decide if they should return a limited/empty dataset.
Change-Id: Id7c54d728e63acb2b02a2a9322930b54949f6c5d
---
 .../com/android/server/LocationManagerService.java | 58 +++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)
(limited to 'services/java/com/android/server/LocationManagerService.java')
diff --git a/services/java/com/android/server/LocationManagerService.java b/services/java/com/android/server/LocationManagerService.java
index 0f08c56..4658156 100644
--- a/services/java/com/android/server/LocationManagerService.java
+++ b/services/java/com/android/server/LocationManagerService.java
@@ -16,6 +16,7 @@ package com.android.server;
+import android.app.ActivityManagerNative;
 import android.app.PendingIntent;
 import android.content.BroadcastReceiver;
 import android.content.ContentResolver;
@@ -664,8 +665,20 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 mProvidersByName.remove(provider.getName());
 }
+ private boolean isPrivacyGuardEnabled(int pid) {
+ try {
+ if (ActivityManagerNative.getDefault().isPrivacyGuardEnabledForProcess(pid)) {
+ Slog.i(TAG, "Location services unavailable under privacy guard for process pid=" + pid);
+ return true;
+ }
+ } catch (RemoteException e) {
+ // nothing
+ }
+ return false;
+ }
 private boolean isAllowedBySettingsLocked(String provider, int userId) {
+ if (userId != mCurrentUserId) {
 return false;
 }
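Review bot: isPrivacyGuardEnabled fails open: when ActivityManagerNative.getDefault().isPrivacyGuardEnabledForProcess(pid) throws RemoteException, the `// nothing` catch swallows it and the method returns false, so every gated location API in this patch then treats the caller as unrestricted. For a privacy control the safer default is to deny when the authority cannot be reached, and the failure should at least be logged, e.g. `} catch (RemoteException e) { Slog.w(TAG, "Unable to query privacy guard state for pid=" + pid, e); return true; }`. The helper is also a Binder round trip into the activity manager, and the hunk at 1240 calls it from requestLocationUpdatesLocked, which by its name runs under mLock; worth confirming that the activity manager never calls back into this service on a path that needs the same lock. The `Slog.i` fires on every gated call from a guarded process, which will be noisy on a busy device; consider logging it only `if (D)`. isAllowedBySettingsLocked continues past the end of the hunk.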
@@ -826,6 +839,9 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 */
 @Override
 public List getProviders(Criteria criteria, boolean enabledOnly) {
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return new ArrayList(0);
+ }
 int allowedResolutionLevel = getCallerAllowedResolutionLevel();
 ArrayList out;
 int callingUserId = UserHandle.getCallingUserId();
@@ -1224,7 +1240,7 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 }
 boolean isProviderEnabled = isAllowedBySettingsLocked(name, UserHandle.getUserId(uid));
- if (isProviderEnabled) {
+ if (isProviderEnabled && !isPrivacyGuardEnabled(pid)) {
 applyRequirementsLocked(name);
 } else {
 // Notify the listener that updates are currently disabled
@@ -1238,6 +1254,9 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 checkPackageName(packageName);
 final int pid = Binder.getCallingPid();
+ if (isPrivacyGuardEnabled(pid)) {
+ return;
+ }
 final int uid = Binder.getCallingUid();
 Receiver receiver = checkListenerOrIntent(listener, intent, pid, uid, packageName);
@@ -1297,6 +1316,9 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 checkResolutionLevelIsSufficientForProviderUse(allowedResolutionLevel, request.getProvider());
 // no need to sanitize this request, as only the provider name is used
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return null;
+ }
 long identity = Binder.clearCallingIdentity();
 try {
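Review bot: The `!isPrivacyGuardEnabled(pid)` added to the condition in requestLocationUpdatesLocked is evaluated once, at registration time; as far as this patch shows, nothing re-checks the flag for a receiver that landed in the `else` branch, and nothing tears down requests from receivers that registered before the user turned Privacy Guard on, so those keep receiving fixes. Wherever the service re-applies requirements when provider settings change (outside this hunk), the same test should be applied so toggling the flag actually starts or stops delivery for existing receivers. requestLocationUpdatesLocked begins and ends outside the hunk.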
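Review bot: The early `return` after `final int pid = Binder.getCallingPid();` drops the request silently: no Receiver is created, nothing is thrown, and — unlike the `else` branch in requestLocationUpdatesLocked at 1240, which notifies the listener that updates are disabled — the caller gets no onProviderDisabled signal and cannot distinguish this from a request that is still pending. Since requestLocationUpdatesLocked already tests `isPrivacyGuardEnabled(pid)` in this same patch, the early return here looks redundant; deleting it would let guarded apps fall into the existing disabled-notification path and see the same behaviour as for a switched-off provider. If it is kept, a comment explaining why a guarded caller should receive no feedback at all is needed. requestLocationUpdates continues outside the hunk on both sides.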
@@ -1349,8 +1371,13 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 if (D) Log.d(TAG, "requestGeofence: " + sanitizedRequest + " " + geofence + " " + intent);
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return;
+ }
+ // geo-fence manager uses the public location API, need to clear identity
 int uid = Binder.getCallingUid();
+ if (UserHandle.getUserId(uid) != UserHandle.USER_OWNER) {
 // temporary measure until geofences work for secondary users
 Log.w(TAG, "proximity alerts are currently available only to the primary user");
@@ -1372,6 +1399,10 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 if (D) Log.d(TAG, "removeGeofence: " + geofence + " " + intent);
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return;
+ }
+ // geo-fence manager uses the public location API, need to clear identity
 long identity = Binder.clearCallingIdentity();
 try {
@@ -1390,6 +1421,10 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 checkResolutionLevelIsSufficientForProviderUse(getCallerAllowedResolutionLevel(), LocationManager.GPS_PROVIDER);
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return false;
+ }
+ try {
 mGpsStatusProvider.addGpsStatusListener(listener);
 } catch (RemoteException e) {
@@ -1401,6 +1436,10 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 @Override
 public void removeGpsStatusListener(IGpsStatusListener listener) {
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return;
+ }
+ synchronized (mLock) {
 try {
 mGpsStatusProvider.removeGpsStatusListener(listener);
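Review bot: The new check in requestGeofence sits before `Binder.clearCallingIdentity()`, which is required because `Binder.getCallingPid()` would return this process's own pid afterwards, but nothing records that; every gated method in this patch depends on the same ordering, so add `// Must run before clearCallingIdentity(): getCallingPid() is only meaningful while the caller's identity is still active.` above the check to stop a later refactor from moving it below the identity swap. The lone `+` before `if (UserHandle.getUserId(uid) != UserHandle.USER_OWNER)` appears to add a blank line unrelated to the change and should be dropped. requestGeofence begins and ends outside this hunk.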
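Review bot: Gating removeGeofence on the privacy flag means an app that registered a geofence before Privacy Guard was enabled can no longer remove it: the early `return` skips the removal entirely, so the geofence and its PendingIntent stay registered and keep firing, the opposite of what the flag intends. Removal and cleanup paths should not be blocked; delete the `if (isPrivacyGuardEnabled(Binder.getCallingPid())) { return; }` block here and, if anything, have enabling Privacy Guard actively remove the process's existing geofences instead. removeGeofence begins outside the hunk and continues past its end.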
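Review bot: The early `return` in removeGpsStatusListener leaves the listener registered with mGpsStatusProvider, so a process whose flag was turned on after it called addGpsStatusListener keeps receiving GPS status and satellite callbacks and has no API left to unregister; as far as this diff shows, nothing else clears that registration. The flag should gate registration only — drop the `if (isPrivacyGuardEnabled(Binder.getCallingPid())) { return; }` block so the `synchronized (mLock)` removal below always runs. The method body continues past the end of the hunk.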
@@ -1419,6 +1458,10 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 checkResolutionLevelIsSufficientForProviderUse(getCallerAllowedResolutionLevel(), provider);
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return false;
+ }
+ // and check for ACCESS_LOCATION_EXTRA_COMMANDS
 if ((mContext.checkCallingOrSelfPermission(ACCESS_LOCATION_EXTRA_COMMANDS) != PackageManager.PERMISSION_GRANTED)) {
@@ -1439,6 +1482,11 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 throw new SecurityException( "calling sendNiResponse from outside of the system is not allowed");
 }
+
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return false;
+ }
+ try {
 return mNetInitiatedListener.sendNiResponse(notifId, userResponse);
 } catch (RemoteException e) {
@@ -1461,6 +1509,10 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 checkResolutionLevelIsSufficientForProviderUse(getCallerAllowedResolutionLevel(), provider);
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return null;
+ }
+ LocationProviderInterface p;
 synchronized (mLock) {
 p = mProvidersByName.get(provider);
@@ -1476,6 +1528,10 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
 provider);
 if (LocationManager.FUSED_PROVIDER.equals(provider)) return false;
+ if (isPrivacyGuardEnabled(Binder.getCallingPid())) {
+ return false;
+ }
+ long identity = Binder.clearCallingIdentity();
 try {
 synchronized (mLock) {
-- cgit v1.1
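Review bot: In sendExtraCommand the privacy-guard `return false` is placed before the ACCESS_LOCATION_EXTRA_COMMANDS check, so a guarded caller that lacks that permission now gets `false` instead of the SecurityException it would otherwise receive; the privacy flag should not mask a permission failure. Move the `if (isPrivacyGuardEnabled(Binder.getCallingPid())) { return false; }` block below the `checkCallingOrSelfPermission` block so permission enforcement is identical regardless of the flag. sendExtraCommand continues past the end of the hunk.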
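Review bot: The check added to sendNiResponse cannot affect any third-party caller: the line just above throws SecurityException unless the caller is the system, so `Binder.getCallingPid()` here presumably always names a system process, and asking the activity manager whether that process is under Privacy Guard is a Binder round trip with no useful outcome — and if it ever answered true it would block network-initiated responses for the whole device. Drop the `if (isPrivacyGuardEnabled(Binder.getCallingPid())) { return false; }` block from this method. sendNiResponse begins outside the hunk.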