Lock down access to getProfiles for 3P apps

MANAGE_USERS permission is not required if calling userId is the same as
requested user id. Theoretically this allows any 3P app to read UserInfo
state including PII fields like name and icon. The change clears PII fields
if the caller doesn't have MANAGE_USERS permission.

Bug: 27705805
Change-Id: Ic69c8cc6aafb7ac72b4fc2b9691cb8e4bef3fb2c
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 06a91fb..60a0d62 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -467,13 +467,16 @@
 
     @Override
     public List<UserInfo> getProfiles(int userId, boolean enabledOnly) {
+        boolean returnFullInfo = true;
         if (userId != UserHandle.getCallingUserId()) {
             checkManageUsersPermission("getting profiles related to user " + userId);
+        } else {
+            returnFullInfo = hasManageUsersPermission();
         }
         final long ident = Binder.clearCallingIdentity();
         try {
             synchronized (mUsersLock) {
-                return getProfilesLU(userId, enabledOnly);
+                return getProfilesLU(userId, enabledOnly, returnFullInfo);
             }
         } finally {
             Binder.restoreCallingIdentity(ident);
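Review bot: The `returnFullInfo` branch changes what a same-user caller receives from getProfiles, but nothing in the method records that contract; a comment above the `if (userId != UserHandle.getCallingUserId())` line such as `// Same-user callers without MANAGE_USERS get their profiles with PII (name, iconPath) cleared in getProfilesLU` would make the intent clear to the next maintainer. The `hasManageUsersPermission()` call also has to stay ahead of `Binder.clearCallingIdentity()` on the following line, since it presumably checks the caller's own identity; a short `// must run before clearCallingIdentity` note would prevent a later reorder from granting full info to every caller. The body of getProfiles continues past the end of the hunk.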
@@ -481,7 +484,7 @@
     }
 
     /** Assume permissions already checked and caller's identity cleared */
-    private List<UserInfo> getProfilesLU(int userId, boolean enabledOnly) {
+    private List<UserInfo> getProfilesLU(int userId, boolean enabledOnly, boolean fullInfo) {
         UserInfo user = getUserInfoLU(userId);
         ArrayList<UserInfo> users = new ArrayList<UserInfo>(mUsers.size());
         if (user == null) {
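Review bot: The Javadoc for getProfilesLU still reads `/** Assume permissions already checked and caller's identity cleared */` and does not mention the new `fullInfo` parameter, which now decides whether PII leaves the method. Extend it with `@param fullInfo when false, name and iconPath are cleared from every returned UserInfo so callers without MANAGE_USERS do not receive them`. The method body continues outside this hunk.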
@@ -503,7 +506,14 @@
             if (profile.partial) {
                 continue;
             }
-            users.add(userWithName(profile));
+            UserInfo userInfo = userWithName(profile);
+            // If full info is not required - clear PII data to prevent 3P apps from reading it
+            if (!fullInfo) {
+                userInfo = new UserInfo(userInfo);
+                userInfo.name = null;
+                userInfo.iconPath = null;
+            }
+            users.add(userInfo);
         }
         return users;
     }
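Review bot: The `userInfo = new UserInfo(userInfo);` line is load-bearing — if `userWithName(profile)` can hand back the instance stored in `mUsers`, nulling `name` and `iconPath` without the copy would erase the data for every subsequent caller — yet the comment above only explains the clearing, not the copy; add `// copy before clearing: userWithName may return the cached mUsers entry` on that line. The cleared set is only `name` and `iconPath`; whether other UserInfo fields hold personal data cannot be judged from this hunk, so the set should be stated explicitly in the comment and checked against the UserInfo class. When `fullInfo` is false the name resolved by `userWithName(profile)` is computed and immediately discarded, so the `!fullInfo` path could copy from `profile` directly and skip that call if userWithName does nothing else that the result depends on.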