Enforce file transfer restrictions for shell.
If we have a policy that says DISALLOW_USB_FILE_TRANSFER, then block
file transfers for that user through common ContentProviders.
Test: builds, boots
Bug: 64672411
Change-Id: I502b10c2c229727bc6b421f9db6d2d9e2e03845c
diff --git a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
index f844cc1..2a82fc9 100644
--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
@@ -19,7 +19,6 @@
import android.annotation.Nullable;
import android.app.usage.StorageStatsManager;
import android.content.ContentResolver;
-import android.content.Context;
import android.content.UriPermission;
import android.database.Cursor;
import android.database.MatrixCursor;
@@ -28,7 +27,9 @@
import android.os.Binder;
import android.os.Bundle;
import android.os.Environment;
+import android.os.IBinder;
import android.os.UserHandle;
+import android.os.UserManager;
import android.os.storage.DiskInfo;
import android.os.storage.StorageManager;
import android.os.storage.VolumeInfo;
@@ -95,6 +96,7 @@
private static final String ROOT_ID_HOME = "home";
private StorageManager mStorageManager;
+ private UserManager mUserManager;
private final Object mRootsLock = new Object();
@@ -105,12 +107,35 @@
public boolean onCreate() {
super.onCreate(DEFAULT_DOCUMENT_PROJECTION);
- mStorageManager = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
+ mStorageManager = getContext().getSystemService(StorageManager.class);
+ mUserManager = getContext().getSystemService(UserManager.class);
updateVolumes();
return true;
}
+ private void enforceShellRestrictions() {
+ if (UserHandle.getCallingAppId() == android.os.Process.SHELL_UID
+ && mUserManager.hasUserRestriction(UserManager.DISALLOW_USB_FILE_TRANSFER)) {
+ throw new SecurityException(
+ "Shell user cannot access files for user " + UserHandle.myUserId());
+ }
+ }
+
+ @Override
+ protected int enforceReadPermissionInner(Uri uri, String callingPkg, IBinder callerToken)
+ throws SecurityException {
+ enforceShellRestrictions();
+ return super.enforceReadPermissionInner(uri, callingPkg, callerToken);
+ }
+
+ @Override
+ protected int enforceWritePermissionInner(Uri uri, String callingPkg, IBinder callerToken)
+ throws SecurityException {
+ enforceShellRestrictions();
+ return super.enforceWritePermissionInner(uri, callingPkg, callerToken);
+ }
+
public void updateVolumes() {
synchronized (mRootsLock) {
updateVolumesLocked();