From 1d13eaea8380a43a31b12804f26d888f829feedf Mon Sep 17 00:00:00 2001
From: yuemingw <yuemingw@google.com>
Date: Tue, 30 Jan 2018 17:27:54 +0000
Subject: Block adb from changing certain settings value when corresponding
 user restriction is on.

Check calling uid in isSettingRestrictedForUser(which is called by settingsprovider),
 and only allow system_uid when certain user restriction is on, so that user won't be
able to change these settings with adb:
Settings.Secure.LOCATION_MODE,
Settings.Secure.PROVIDERS_ALLOWED,
Settings.System.SCREEN_BRIGHTNESS,
Settings.System.SCREEN_BRIGHTNESS_MODE,
Settings.System.SCREEN_OFF_TIMEOUT,
Settings.Global.AUTO_TIME,
Settings.Global.AUTO_TIME_ZONE.
This check also prevents 3rd party apps from modifying system settings value
when corresponding user restriction is on.
In addition, any attempt to change AUTO_TIME will also go through the check
for dpm.getAutoTimeRequired().

Test: manually by running the adb command with restriction set and not set
Bug: 72549013
Bug: 72548203
Bug: 72548533
Bug: 72686466
Bug: 72687105
Bug: 72940551
Bug: 72940562
Change-Id: I1d1fd20d9fa0f76f27905d62873f6a6e9af0224e
---
 core/java/android/os/UserManagerInternal.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'core/java/android/os/UserManagerInternal.java')

diff --git a/core/java/android/os/UserManagerInternal.java b/core/java/android/os/UserManagerInternal.java
index f09d5cee4e61..1f6c3cc76ddd 100644
--- a/core/java/android/os/UserManagerInternal.java
+++ b/core/java/android/os/UserManagerInternal.java
@@ -16,6 +16,7 @@
 package android.os;
 
 import android.annotation.Nullable;
+import android.content.Context;
 import android.content.pm.UserInfo;
 import android.graphics.Bitmap;
 
@@ -206,4 +207,18 @@ public abstract class UserManagerInternal {
      * itself.
      */
     public abstract int getProfileParentId(int userId);
+
+    /**
+     * Checks whether changing a setting to a value is prohibited by the corresponding user
+     * restriction.
+     *
+     * <p>See also {@link com.android.server.pm.UserRestrictionsUtils#applyUserRestriction(
+     * Context, int, String, boolean)}, which should be in sync with this method.
+     *
+     * @return {@code true} if the change is prohibited, {@code false} if the change is allowed.
+     *
+     * @hide
+     */
+    public abstract boolean isSettingRestrictedForUser(String setting, int userId, String value,
+            int callingUid);
 }
-- 
cgit v1.2.3