diff options
author | Victor Chang <vichang@google.com> | 2016-07-12 23:47:29 +0100 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-08-01 19:13:25 -0700 |
commit | 335702d106797bce8a88044783fa1fc1d5f751d0 (patch) | |
tree | b6c9549805996706ba82f23d2a4c7633a1e70cad | |
parent | e206f02d46ae5e38c74d138b51f6e1637e261abe (diff) | |
download | base-335702d106797bce8a88044783fa1fc1d5f751d0.tar.gz |
Disallow shell to mutate always-on vpn when DISALLOW_CONFIG_VPN user restriction is set
Fix: 29899712
Change-Id: I38cc9d0e584c3f2674c9ff1d91f77a11479d8943
(cherry picked from commit 9c7b706cf4332b4aeea39c166abca04b56685280)
-rw-r--r-- | packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java index 774be60d082a..5c7221570053 100644 --- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java @@ -799,7 +799,8 @@ public class SettingsProvider extends ContentProvider { // If this is a setting that is currently restricted for this user, do not allow // unrestricting changes. - if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value)) { + if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value, + Binder.getCallingUid())) { return false; } @@ -930,7 +931,8 @@ public class SettingsProvider extends ContentProvider { // If this is a setting that is currently restricted for this user, do not allow // unrestricting changes. - if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value)) { + if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value, + Binder.getCallingUid())) { return false; } @@ -1153,7 +1155,7 @@ public class SettingsProvider extends ContentProvider { * @return true if the change is prohibited, false if the change is allowed. */ private boolean isGlobalOrSecureSettingRestrictedForUser(String setting, int userId, - String value) { + String value, int callingUid) { String restriction; switch (setting) { case Settings.Secure.LOCATION_MODE: @@ -1191,6 +1193,15 @@ public class SettingsProvider extends ContentProvider { restriction = UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS; break; + case Settings.Secure.ALWAYS_ON_VPN_APP: + case Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN: + // Whitelist system uid (ConnectivityService) and root uid to change always-on vpn + if (callingUid == Process.SYSTEM_UID || callingUid == Process.ROOT_UID) { + return false; + } + restriction = UserManager.DISALLOW_CONFIG_VPN; + break; + default: if (setting != null && setting.startsWith(Settings.Global.DATA_ROAMING)) { if ("0".equals(value)) return false; |