commit 1d13eaea8380a43a31b12804f26d888f829feedf
author yuemingw <yuemingw@google.com> Tue Jan 30 17:27:54 2018 +0000
committer yuemingw <yuemingw@google.com> Wed Mar 07 11:04:34 2018 +0000
tree f0dc6afa0be79b462e87f6e7345495cdf247334a
parent be1033fda24a7c1ba9ef3ca590da30be56acc6d2

Block adb from changing certain settings value when corresponding user
restriction is on.

Check calling uid in isSettingRestrictedForUser(which is called by settingsprovider),
 and only allow system_uid when certain user restriction is on, so that user won't be
able to change these settings with adb:
Settings.Secure.LOCATION_MODE,
Settings.Secure.PROVIDERS_ALLOWED,
Settings.System.SCREEN_BRIGHTNESS,
Settings.System.SCREEN_BRIGHTNESS_MODE,
Settings.System.SCREEN_OFF_TIMEOUT,
Settings.Global.AUTO_TIME,
Settings.Global.AUTO_TIME_ZONE.
This check also prevents 3rd party apps from modifying system settings value
when corresponding user restriction is on.
In addition, any attempt to change AUTO_TIME will also go through the check
for dpm.getAutoTimeRequired().

Test: manually by running the adb command with restriction set and not set
Bug: 72549013
Bug: 72548203
Bug: 72548533
Bug: 72686466
Bug: 72687105
Bug: 72940551
Bug: 72940562
Change-Id: I1d1fd20d9fa0f76f27905d62873f6a6e9af0224e

services/core/java/com/android/server/pm/UserManagerService.java

diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index ced2a7e..dd0a5d2 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -31,6 +31,7 @@
 import android.app.IStopUserCallback;
 import android.app.KeyguardManager;
 import android.app.PendingIntent;
+import android.app.admin.DevicePolicyManager;
 import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
@@ -71,6 +72,7 @@
 import android.os.UserManagerInternal;
 import android.os.UserManagerInternal.UserRestrictionsListener;
 import android.os.storage.StorageManager;
+import android.provider.Settings;
 import android.security.GateKeeper;
 import android.service.gatekeeper.IGateKeeperService;
 import android.util.AtomicFile;
@@ -3971,6 +3973,13 @@
                 return profileParent.id;
             }
         }
+
+        @Override
+        public boolean isSettingRestrictedForUser(String setting, @UserIdInt int userId,
+                String value, int callingUid) {
+            return UserRestrictionsUtils.isSettingRestrictedForUser(mContext, setting, userId,
+                    value, callingUid);
+        }
     }
 
     /* Remove all the users except of the system one. */