Enforce file transfer restrictions for shell.

If we have a policy that says DISALLOW_USB_FILE_TRANSFER, then block file transfers for that user through common ContentProviders. Test: builds, boots Bug: 64672411 Change-Id: I502b10c2c229727bc6b421f9db6d2d9e2e03845c
2018-01-04 15:07:38 -07:00
parent 60de82d199
commit b78b754dc0
1 changed files with 27 additions and 2 deletions
--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
@@ -19,7 +19,6 @@ package com.android.externalstorage;
 import android.annotation.Nullable;
 import android.app.usage.StorageStatsManager;
 import android.content.ContentResolver;
-import android.content.Context;
 import android.content.UriPermission;
 import android.database.Cursor;
 import android.database.MatrixCursor;
@@ -28,7 +27,9 @@ import android.net.Uri;
 import android.os.Binder;
 import android.os.Bundle;
 import android.os.Environment;
+import android.os.IBinder;
 import android.os.UserHandle;
+import android.os.UserManager;
 import android.os.storage.DiskInfo;
 import android.os.storage.StorageManager;
 import android.os.storage.VolumeInfo;
@@ -95,6 +96,7 @@ public class ExternalStorageProvider extends FileSystemProvider {
    private static final String ROOT_ID_HOME = "home";

    private StorageManager mStorageManager;
+    private UserManager mUserManager;

    private final Object mRootsLock = new Object();

@@ -105,12 +107,35 @@ public class ExternalStorageProvider extends FileSystemProvider {
    public boolean onCreate() {
        super.onCreate(DEFAULT_DOCUMENT_PROJECTION);

-        mStorageManager = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
+        mStorageManager = getContext().getSystemService(StorageManager.class);
+        mUserManager = getContext().getSystemService(UserManager.class);

        updateVolumes();
        return true;
    }

+    private void enforceShellRestrictions() {
+        if (UserHandle.getCallingAppId() == android.os.Process.SHELL_UID
+                && mUserManager.hasUserRestriction(UserManager.DISALLOW_USB_FILE_TRANSFER)) {
+            throw new SecurityException(
+                    "Shell user cannot access files for user " + UserHandle.myUserId());
+        }
+    }
+
+    @Override
+    protected int enforceReadPermissionInner(Uri uri, String callingPkg, IBinder callerToken)
+            throws SecurityException {
+        enforceShellRestrictions();
+        return super.enforceReadPermissionInner(uri, callingPkg, callerToken);
+    }
+
+    @Override
+    protected int enforceWritePermissionInner(Uri uri, String callingPkg, IBinder callerToken)
+            throws SecurityException {
+        enforceShellRestrictions();
+        return super.enforceWritePermissionInner(uri, callingPkg, callerToken);
+    }
+
    public void updateVolumes() {
        synchronized (mRootsLock) {
            updateVolumesLocked();