From 4356c9c65361481db16c393906bf46d8a0d44ef7 Mon Sep 17 00:00:00 2001
From: Yanting Yang
Date: Wed, 3 Aug 2022 02:02:10 +0800
Subject: [PATCH] Check DISALLOW_APPS_CONTROL before performing reset app preferences
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When DISALLOW_APPS_CONTROL restriction is enabled, users should not be able to enable/disable apps, clear app caches and clear app data. The function of reset app preferences will re-enable the disabled apps, it can let users bypass DISALLOW_APPS_CONTROL to enable an app disabled by IT admin to see sensitive information. To fix this vulnerability, we add a check for DISALLOW_APPS_CONTROL restriction before users reset app preferences. Once the restriction is enabled, it will show dialog “Blocked by your IT admin” instead.

Fixes: 238745070
Test: Verify change by turning on/off DISALLOW_APPS_CONTROL with TestDPC.
Change-Id: Iffee73cf4952b686a78b4c7aaa54747971337d03
---
 .../manageapplications/ManageApplications.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/com/android/settings/applications/manageapplications/ManageApplications.java b/src/com/android/settings/applications/manageapplications/ManageApplications.java
index d020f3386ac..ec80f0b966f 100644
--- a/src/com/android/settings/applications/manageapplications/ManageApplications.java
+++ b/src/com/android/settings/applications/manageapplications/ManageApplications.java
@@ -133,6 +133,8 @@ import com.android.settings.notification.app.AppNotificationSettings;
 import com.android.settings.widget.LoadingViewController;
 import com.android.settings.wifi.AppStateChangeWifiStateBridge;
 import com.android.settings.wifi.ChangeWifiStateDetails;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedLockUtilsInternal;
 import com.android.settingslib.applications.AppIconCacheManager;
 import com.android.settingslib.applications.AppUtils;
 import com.android.settingslib.applications.ApplicationsState;
@@ -798,7 +800,18 @@ public class ManageApplications extends InstrumentedFragment
 mShowSystem = !mShowSystem;
 mApplications.rebuild();
 } else if (i == R.id.reset_app_preferences) {
- mResetAppsHelper.buildResetDialog();
+ final boolean appsControlDisallowedBySystem =
+ RestrictedLockUtilsInternal.hasBaseUserRestriction(getActivity(),
+ UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+ final RestrictedLockUtils.EnforcedAdmin appsControlDisallowedAdmin =
+ RestrictedLockUtilsInternal.checkIfRestrictionEnforced(getActivity(),
+ UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+ if (appsControlDisallowedAdmin != null && !appsControlDisallowedBySystem) {
+ RestrictedLockUtils.sendShowAdminSupportDetailsIntent(
+ getActivity(), appsControlDisallowedAdmin);
+ } else {
+ mResetAppsHelper.buildResetDialog();
+ }
 return true;
 } else if (i == R.id.advanced) {
 if (mListType == LIST_TYPE_NOTIFICATION) {
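Review bot: The new `else` branch in the `R.id.reset_app_preferences` case still calls `mResetAppsHelper.buildResetDialog()` when `appsControlDisallowedBySystem` is true, so a DISALLOW_APPS_CONTROL restriction applied as a base user restriction rather than by an admin does not block the reset; only the admin-enforced case is stopped. Unless the menu item is hidden or disabled for that case somewhere outside this hunk, make the fallback fail closed, e.g. replace `} else {` with `} else if (!appsControlDisallowedBySystem) {`. The check also lives only in this menu handler: if `ResetAppsHelper` is reachable from any other entry point (not visible here), the restriction should be enforced inside the helper itself so every caller is covered. The enclosing method starts and ends outside the hunk.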