UserManager.getUserName w/ GET_ACCOUNTS_PRIVILEGED
Previously, UserManager.getUserName() and getUserIcon()
required the MANAGE_USERS permission; this has been relaxed
so that the GET_ACCOUNTS_PRIVILEGED permission is also sufficient.
Test: atest UserManagerServiceUserInfoTest
Fixes: 127826840
Change-Id: If90b82313ecf23ea56dca3d24f23a4ca9caa939a
diff --git a/api/system-current.txt b/api/system-current.txt
index 447f576..4b32228 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -5615,7 +5615,7 @@
method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public android.os.PersistableBundle getSeedAccountOptions();
method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public String getSeedAccountType();
method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public long[] getSerialNumbersOfUsers(boolean);
- method @Nullable @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public android.graphics.Bitmap getUserIcon();
+ method @Nullable @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_USERS, android.Manifest.permission.GET_ACCOUNTS_PRIVILEGED}) public android.graphics.Bitmap getUserIcon();
method @Deprecated @android.os.UserManager.UserRestrictionSource @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public int getUserRestrictionSource(String, android.os.UserHandle);
method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public java.util.List<android.os.UserManager.EnforcingUser> getUserRestrictionSources(String, android.os.UserHandle);
method public boolean hasRestrictedProfiles();
diff --git a/core/java/android/os/IUserManager.aidl b/core/java/android/os/IUserManager.aidl
index 3017f25..154ef5a70 100644
--- a/core/java/android/os/IUserManager.aidl
+++ b/core/java/android/os/IUserManager.aidl
@@ -100,6 +100,7 @@
boolean isUserNameSet(int userHandle);
boolean hasRestrictedProfiles();
boolean requestQuietModeEnabled(String callingPackage, boolean enableQuietMode, int userHandle, in IntentSender target);
+ String getUserName();
long getUserStartRealtime();
long getUserUnlockRealtime();
}
diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java
index 4263377..951c10b 100644
--- a/core/java/android/os/UserManager.java
+++ b/core/java/android/os/UserManager.java
@@ -1256,12 +1256,16 @@
/**
* Returns the user name of the user making this call. This call is only
* available to applications on the system image; it requires the
- * MANAGE_USERS permission.
+ * {@code android.permission.MANAGE_USERS} or {@code android.permission.GET_ACCOUNTS_PRIVILEGED}
+ * permissions.
* @return the user name
*/
public String getUserName() {
- UserInfo user = getUserInfo(getUserHandle());
- return user == null ? "" : user.name;
+ try {
+ return mService.getUserName();
+ } catch (RemoteException re) {
+ throw re.rethrowFromSystemServer();
+ }
}
/**
@@ -2764,14 +2768,16 @@
/**
* Returns a Bitmap for the calling user's photo.
- * Requires {@link android.Manifest.permission#MANAGE_USERS} permission.
+ * Requires {@link android.Manifest.permission#MANAGE_USERS}
+ * or {@link android.Manifest.permission#GET_ACCOUNTS_PRIVILEGED} permissions.
*
* @return a {@link Bitmap} of the user's photo, or null if there's no photo.
* @see com.android.internal.util.UserIcons#getDefaultUserIcon for a default.
* @hide
*/
@SystemApi
- @RequiresPermission(android.Manifest.permission.MANAGE_USERS)
+ @RequiresPermission(anyOf = {android.Manifest.permission.MANAGE_USERS,
+ android.Manifest.permission.GET_ACCOUNTS_PRIVILEGED})
public @Nullable Bitmap getUserIcon() {
return getUserIcon(getUserHandle());
}
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 3744f68..e55703e 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -1144,6 +1144,19 @@
}
@Override
+ public String getUserName() {
+ if (!hasManageUsersOrPermission(android.Manifest.permission.GET_ACCOUNTS_PRIVILEGED)) {
+ throw new SecurityException("You need MANAGE_USERS or GET_ACCOUNTS_PRIVILEGED "
+ + "permissions to: get user name");
+ }
+ final int userId = UserHandle.getUserId(Binder.getCallingUid());
+ synchronized (mUsersLock) {
+ UserInfo userInfo = userWithName(getUserInfoLU(userId));
+ return userInfo == null ? "" : userInfo.name;
+ }
+ }
+
+ @Override
public long getUserStartRealtime() {
final int userId = UserHandle.getUserId(Binder.getCallingUid());
synchronized (mUsersLock) {
@@ -1324,7 +1337,10 @@
@Override
public ParcelFileDescriptor getUserIcon(int targetUserId) {
- checkManageUsersPermission("get user icon");
+ if (!hasManageUsersOrPermission(android.Manifest.permission.GET_ACCOUNTS_PRIVILEGED)) {
+ throw new SecurityException("You need MANAGE_USERS or GET_ACCOUNTS_PRIVILEGED "
+ + "permissions to: get user icon");
+ }
String iconPath;
synchronized (mPackagesLock) {
UserInfo targetUserInfo = getUserInfoNoChecks(targetUserId);
@@ -1941,15 +1957,23 @@
/**
* @return whether the calling UID is system UID or root's UID or the calling app has the
- * {@link android.Manifest.permission#MANAGE_USERS MANAGE_USERS} or
- * {@link android.Manifest.permission#CREATE_USERS CREATE_USERS}.
+ * {@link android.Manifest.permission#MANAGE_USERS MANAGE_USERS} or the provided permission.
*/
- private static final boolean hasManageOrCreateUsersPermission() {
+ private static final boolean hasManageUsersOrPermission(String alternativePermission) {
final int callingUid = Binder.getCallingUid();
return UserHandle.isSameApp(callingUid, Process.SYSTEM_UID)
|| callingUid == Process.ROOT_UID
|| hasPermissionGranted(android.Manifest.permission.MANAGE_USERS, callingUid)
- || hasPermissionGranted(android.Manifest.permission.CREATE_USERS, callingUid);
+ || hasPermissionGranted(alternativePermission, callingUid);
+ }
+
+ /**
+ * @return whether the calling UID is system UID or root's UID or the calling app has the
+ * {@link android.Manifest.permission#MANAGE_USERS MANAGE_USERS} or
+ * {@link android.Manifest.permission#CREATE_USERS CREATE_USERS}.
+ */
+ private static final boolean hasManageOrCreateUsersPermission() {
+ return hasManageUsersOrPermission(android.Manifest.permission.CREATE_USERS);
}
/**