Merge "Disallow shell to mutate always-on vpn when DISALLOW_CONFIG_VPN user restriction is set" into nyc-dev

Victor Chang
2016-07-14 22:04:10 +00:00
committed by Android (Google) Code Review


@@ -799,7 +799,8 @@ public class SettingsProvider extends ContentProvider {
// If this is a setting that is currently restricted for this user, do not allow
// unrestricting changes.
if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value)) {
if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value,
Binder.getCallingUid())) {
return false;
}
@@ -930,7 +931,8 @@ public class SettingsProvider extends ContentProvider {
// If this is a setting that is currently restricted for this user, do not allow
// unrestricting changes.
if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value)) {
if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value,
Binder.getCallingUid())) {
return false;
}
@@ -1153,7 +1155,7 @@ public class SettingsProvider extends ContentProvider {
* @return true if the change is prohibited, false if the change is allowed.
*/
private boolean isGlobalOrSecureSettingRestrictedForUser(String setting, int userId,
String value) {
String value, int callingUid) {
String restriction;
switch (setting) {
case Settings.Secure.LOCATION_MODE:
@@ -1191,6 +1193,15 @@ public class SettingsProvider extends ContentProvider {
restriction = UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS;
break;
case Settings.Secure.ALWAYS_ON_VPN_APP:
case Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN:
// Whitelist system uid (ConnectivityService) and root uid to change always-on vpn
if (callingUid == Process.SYSTEM_UID || callingUid == Process.ROOT_UID) {
return false;
}
restriction = UserManager.DISALLOW_CONFIG_VPN;
break;
default:
if (setting != null && setting.startsWith(Settings.Global.DATA_ROAMING)) {
if ("0".equals(value)) return false;
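Review bot: The exemption in the `ALWAYS_ON_VPN_APP` / `ALWAYS_ON_VPN_LOCKDOWN` case is wider than its comment says: `callingUid == Process.SYSTEM_UID` admits every caller running as the system uid, not only ConnectivityService, and because it compares the raw uid it presumably does not match system-uid processes that belong to a secondary user. I would say so in the comment, e.g. `// Exempt root and any caller whose uid is exactly Process.SYSTEM_UID (e.g. ConnectivityService); every other caller is subject to DISALLOW_CONFIG_VPN.` The result also depends on `Binder.getCallingUid()` at the two call sites in the first two hunks being read before any `Binder.clearCallingIdentity()`, which cannot be confirmed from the visible lines; if the identity were cleared earlier, the uid seen here would be the provider's own and the restriction would never apply. The Javadoc above `isGlobalOrSecureSettingRestrictedForUser` should gain a `@param callingUid` line describing this; the method body and both calling methods continue outside the hunks.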