
Disallow shell to mutate always-on vpn when DISALLOW_CONFIG_VPN user restriction...
authorVictor Chang <vichang@google.com>
Tue, 12 Jul 2016 22:47:29 +0000 (23:47 +0100)
committerDennis Cagle <d-cagle@codeaurora.org>
Wed, 7 Sep 2016 19:22:13 +0000 (12:22 -0700)
Fix: 29899712

Change-Id: I38cc9d0e584c3f2674c9ff1d91f77a11479d8943
(cherry picked from commit 9c7b706cf4332b4aeea39c166abca04b56685280)
(cherry picked from commit 335702d106797bce8a88044783fa1fc1d5f751d0)

packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java

index 76b81ad..b9320e9 100644 (file)
@@ -804,7 +804,8 @@ public class SettingsProvider extends ContentProvider {
 
         // If this is a setting that is currently restricted for this user, do not allow
         // unrestricting changes.
-        if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value)) {
+        if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value,
+                Binder.getCallingUid())) {
             return false;
         }
 
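Review bot: `Binder.getCallingUid()` is evaluated inline at the restriction check, here and again in the hunk at -935, so the uid that reaches the always-on VPN exemption is the real caller's only if nothing earlier in the method has cleared the calling identity. The hunk does not show whether that holds. Capturing it once at method entry, presumably next to where `callingUserId` is resolved, e.g. `final int callingUid = Binder.getCallingUid();`, would make the value passed to `isGlobalOrSecureSettingRestrictedForUser` independent of any later identity change. The enclosing method starts and ends outside the hunk.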
@@ -935,7 +936,8 @@ public class SettingsProvider extends ContentProvider {
 
         // If this is a setting that is currently restricted for this user, do not allow
         // unrestricting changes.
-        if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value)) {
+        if (isGlobalOrSecureSettingRestrictedForUser(name, callingUserId, value,
+                Binder.getCallingUid())) {
             return false;
         }
 
@@ -1158,7 +1160,7 @@ public class SettingsProvider extends ContentProvider {
      * @return true if the change is prohibited, false if the change is allowed.
      */
     private boolean isGlobalOrSecureSettingRestrictedForUser(String setting, int userId,
-            String value) {
+            String value, int callingUid) {
         String restriction;
         switch (setting) {
             case Settings.Secure.LOCATION_MODE:
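Review bot: The new `callingUid` parameter is not described in the Javadoc lines visible above the signature, which end at `@return`. The comment starts outside the hunk, so this is based only on what is shown. Since the parameter changes the result for two specific uids, a line such as `@param callingUid uid of the binder caller; system and root uids are exempt from the always-on VPN restriction` would tell the next maintainer why a uid is threaded into a per-user restriction check.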
@@ -1196,6 +1198,15 @@ public class SettingsProvider extends ContentProvider {
                 restriction = UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS;
                 break;
 
+            case Settings.Secure.ALWAYS_ON_VPN_APP:
+            case Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN:
+                // Whitelist system uid (ConnectivityService) and root uid to change always-on vpn
+                if (callingUid == Process.SYSTEM_UID || callingUid == Process.ROOT_UID) {
+                    return false;
+                }
+                restriction = UserManager.DISALLOW_CONFIG_VPN;
+                break;
+
             default:
                 if (setting != null && setting.startsWith(Settings.Global.DATA_ROAMING)) {
                     if ("0".equals(value)) return false;
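Review bot: The early `return false` in the `ALWAYS_ON_VPN_APP` / `ALWAYS_ON_VPN_LOCKDOWN` case exempts by raw uid, so it applies to every caller running as `Process.SYSTEM_UID`, not only ConnectivityService as the comment suggests, and it skips the `DISALLOW_CONFIG_VPN` lookup entirely for them. Enforcement for system-uid callers therefore has to happen before they write the setting. It is worth confirming that path checks the user restriction and then recording it in the comment, e.g. `// System uid (expected to enforce DISALLOW_CONFIG_VPN before writing) and root may change always-on vpn`. The comparison is also on the full uid rather than the app id, so system-uid processes in secondary users are presumably not exempt; if that asymmetry is intended, the comment should say so. The switch continues outside the hunk.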