diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 0f614cad11274..4ff766734fbbc 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -930,6 +930,7 @@ public class UserManagerService extends IUserManager.Stub {
 /** @return a specific user restriction that's in effect currently. */
 @Override
 public boolean hasUserRestriction(String restrictionKey, int userId) {
+ UserRestrictionsUtils.checkRestriction(restrictionKey);
 Bundle restrictions = getEffectiveUserRestrictions(userId);
 return restrictions != null && restrictions.getBoolean(restrictionKey);
 }
@@ -946,6 +947,7 @@ public class UserManagerService extends IUserManager.Stub {
 @Override
 public boolean hasBaseUserRestriction(String restrictionKey, int userId) {
 checkManageUsersPermission("hasBaseUserRestriction");
+ UserRestrictionsUtils.checkRestriction(restrictionKey);
 synchronized (mRestrictionsLock) {
 Bundle bundle = mBaseUserRestrictions.get(userId);
 return (bundle != null && bundle.getBoolean(restrictionKey, false));
@@ -955,6 +957,7 @@ public class UserManagerService extends IUserManager.Stub {
 @Override
 public void setUserRestriction(String key, boolean value, int userId) {
 checkManageUsersPermission("setUserRestriction");
+ UserRestrictionsUtils.checkRestriction(key);
 synchronized (mRestrictionsLock) {
 // Note we can't modify Bundles stored in mBaseUserRestrictions directly, so create
 // a copy.
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index 87f505d24ccd6..7ab071f2d0f6f 100644
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
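Review bot: In UserManagerService.hasUserRestriction the added `UserRestrictionsUtils.checkRestriction(restrictionKey);` turns a read-only query into one that throws: the hunk shows no permission check in front of it, so presumably any caller that can reach this binder method and asks about a key missing from USER_RESTRICTIONS now gets an IllegalArgumentException where the old body returned false. A query path can reject the key without throwing, for example `if (!UserRestrictionsUtils.USER_RESTRICTIONS.contains(restrictionKey)) return false;` together with a log line, while setUserRestriction keeps the throwing check because writing an unknown key is the case worth failing loudly. The same question applies to hasBaseUserRestriction in the second hunk, although there the check runs after checkManageUsersPermission and so only reaches callers that hold that permission. The bodies of hasBaseUserRestriction and setUserRestriction continue outside their hunks.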
@@ -56,7 +56,15 @@ public class UserRestrictionsUtils { private UserRestrictionsUtils() { } - public static final Set USER_RESTRICTIONS = Sets.newArraySet( + private static Set newSetWithUniqueCheck(String[] strings) { + final Set ret = Sets.newArraySet(strings); + + // Make sure there's no overlap. + Preconditions.checkState(ret.size() == strings.length); + return ret; + } + + public static final Set USER_RESTRICTIONS = newSetWithUniqueCheck(new String[] { UserManager.DISALLOW_CONFIG_WIFI, UserManager.DISALLOW_MODIFY_ACCOUNTS, UserManager.DISALLOW_INSTALL_APPS, @@ -94,7 +102,7 @@ public class UserRestrictionsUtils { UserManager.DISALLOW_RUN_IN_BACKGROUND, UserManager.DISALLOW_DATA_ROAMING, UserManager.DISALLOW_SET_USER_ICON - ); + }); /** * Set of user restriction which we don't want to persist. @@ -140,6 +148,15 @@ public class UserRestrictionsUtils { UserManager.DISALLOW_UNMUTE_MICROPHONE ); + /** + * Throws {@link IllegalArgumentException} if the given restriction name is invalid. + */ + public static void checkRestriction(@NonNull String restriction) { + if (!USER_RESTRICTIONS.contains(restriction)) { + throw new IllegalArgumentException("Unknown restriction: " + restriction); + } + } + public static void writeRestrictions(@NonNull XmlSerializer serializer, @Nullable Bundle restrictions, @NonNull String tag) throws IOException { if (restrictions == null) { diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index ca0b43a8e7ed9..7831c4d3a7fd5 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java 
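Review bot: USER_RESTRICTIONS becomes the allowlist that checkRestriction validates against, yet UserRestrictionsUtils.newSetWithUniqueCheck returns the set from `Sets.newArraySet(strings)` as is and the field stays public, so code elsewhere in the process could add or remove entries and change which keys are accepted. Returning `Collections.unmodifiableSet(ret)` would freeze it, provided nothing else relies on mutating the field, which is not visible here. Separately, `Preconditions.checkState(ret.size() == strings.length)` carries no message and runs in a static initializer, so a duplicate would presumably surface as a class-initialization failure with no hint of the cause; a message such as "duplicate entry in USER_RESTRICTIONS" (or an explicit IllegalStateException if this tree's Preconditions has no message overload) would make it diagnosable. The comment `// Make sure there's no overlap.` would read more precisely as `// Reject duplicate entries.`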
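Review bot: The Javadoc on UserRestrictionsUtils.checkRestriction says "invalid" without defining it, and it does not mention null even though `@NonNull` is only an annotation and the callers in this commit pass the key straight from their binder arguments. I would spell out the contract, for example `Throws {@link IllegalArgumentException} unless the name is one of {@link #USER_RESTRICTIONS}.`, and add a sentence on null once its behaviour is confirmed (it looks as if `contains` simply reports it as unknown). It is also worth a line noting that the exception message repeats the caller-supplied string, so anything that logs it is logging untrusted text.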
@@ -6793,6 +6793,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void setUserRestriction(ComponentName who, String key, boolean enabledFromThisOwner) { Preconditions.checkNotNull(who, "ComponentName is null"); + UserRestrictionsUtils.checkRestriction(key); + final int userHandle = mInjector.userHandleGetCallingUserId(); synchronized (this) { ActiveAdmin activeAdmin =
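Review bot: In DevicePolicyManagerService.setUserRestriction the key is validated before the caller has been matched to an active admin, since `UserRestrictionsUtils.checkRestriction(key);` sits above the `synchronized (this)` block where the `ActiveAdmin` lookup begins. UserManagerService.setUserRestriction in this same commit does it the other way round, with checkManageUsersPermission first, so a caller that is not an admin gets IllegalArgumentException or (presumably) SecurityException here depending on the key it sent. Moving the call to just after the admin lookup would give unauthorized callers one uniform failure and keep the two services consistent. The lookup and the rest of the method lie outside the hunk, so the exact placement needs to be confirmed against the full body.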