Add DISALLOW_DEBUGGING_FEATURES check
This change adds a check for the DISALLOW_DEBUGGING_FEATURES restriction
wherever a developer options or admin-privileges check exists.
Test: Apply this change to the relevant branches and verify that Traceur
cannot be opened through the researcher-provided APK.
Bug: 270050064
Bug: 270050191
Ignore-AOSP-First: Internal-first security fix.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:44480ce656dfa33a63bda978b4067bb4e67ee312)
Merged-In: I95d308f6e73a19e489f5eb09558275ca6fb3c4aa
Change-Id: I95d308f6e73a19e489f5eb09558275ca6fb3c4aa
(cherry picked from commit 5ee8f3111b73b5b6ddf2bb1a67590d24bb14045a)
diff --git a/src/com/android/traceur/MainActivity.java b/src/com/android/traceur/MainActivity.java
index 72e6aba..074c466 100644
--- a/src/com/android/traceur/MainActivity.java
+++ b/src/com/android/traceur/MainActivity.java
@@ -33,10 +33,14 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getApplicationContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getApplicationContext()
- .getSystemService(UserManager.class).isAdminUser();
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ UserManager userManager = getApplicationContext()
+ .getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
finish();
}
}
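Review bot: The admin-user plus DISALLOW_DEBUGGING_FEATURES gate is written out by hand in this hunk and repeated in MainTvActivity, both Receiver hunks, SearchProvider, StorageProvider, StopTraceService and TraceService. Any future policy condition therefore has to be added at eight call sites, and a single missed site leaves that entry point open. A single package-private helper would keep the policy in one place, with each site reduced to one call. The helper name and its host class below are only a suggestion, and the enclosing method here starts outside the hunk.
```java
// Proposed shared helper; which class hosts it is left to the author.
static boolean isUserAllowedToTrace(Context context) {
    UserManager userManager = context.getSystemService(UserManager.class);
    return userManager.isAdminUser()
            && !userManager.hasUserRestriction(UserManager.DISALLOW_DEBUGGING_FEATURES);
}

// … unchanged: developerOptionsIsEnabled lookup …
if (!developerOptionsIsEnabled || !isUserAllowedToTrace(getApplicationContext())) {
```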
diff --git a/src/com/android/traceur/MainTvActivity.java b/src/com/android/traceur/MainTvActivity.java
index d8cccde..decda76 100644
--- a/src/com/android/traceur/MainTvActivity.java
+++ b/src/com/android/traceur/MainTvActivity.java
@@ -33,10 +33,13 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getApplicationContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getApplicationContext()
- .getSystemService(UserManager.class).isAdminUser();
+ UserManager userManager = getApplicationContext()
+ .getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
finish();
}
diff --git a/src/com/android/traceur/Receiver.java b/src/com/android/traceur/Receiver.java
index 0533aa6..0aa4ac5 100644
--- a/src/com/android/traceur/Receiver.java
+++ b/src/com/android/traceur/Receiver.java
@@ -85,8 +85,12 @@
boolean developerOptionsEnabled = (1 ==
Settings.Global.getInt(context.getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED , 0));
- boolean isAdminUser = context.getSystemService(UserManager.class).isAdminUser();
- updateStorageProvider(context, developerOptionsEnabled && isAdminUser);
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ updateStorageProvider(context,
+ developerOptionsEnabled && isAdminUser && !debuggingDisallowed);
} else if (STOP_ACTION.equals(intent.getAction())) {
prefs.edit().putBoolean(context.getString(R.string.pref_key_tracing_on), false).commit();
updateTracing(context);
@@ -202,9 +206,12 @@
boolean developerOptionsEnabled = (1 ==
Settings.Global.getInt(context.getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED , 0));
- boolean isAdminUser = context.getSystemService(UserManager.class)
- .isAdminUser();
- updateStorageProvider(context, developerOptionsEnabled && isAdminUser);
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ updateStorageProvider(context,
+ developerOptionsEnabled && isAdminUser && !debuggingDisallowed);
if (!developerOptionsEnabled) {
SharedPreferences prefs =
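Review bot: The `if (!developerOptionsEnabled) {` branch right after the changed `updateStorageProvider` call still tests only the developer-options flag, so the new restriction hides the storage provider but does not reach whatever cleanup that branch performs. Its body lies outside the hunk; if it is what clears tracing preferences or stops an active trace, a trace that was already running when DISALLOW_DEBUGGING_FEATURES is applied would presumably keep running. Consider keying the branch on the combined condition, e.g. `if (!developerOptionsEnabled || !isAdminUser || debuggingDisallowed) {`. It is also worth confirming that something re-runs this code when the user restriction changes, not only when the developer-options setting does.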
diff --git a/src/com/android/traceur/SearchProvider.java b/src/com/android/traceur/SearchProvider.java
index 9098e89..8e96dc6 100644
--- a/src/com/android/traceur/SearchProvider.java
+++ b/src/com/android/traceur/SearchProvider.java
@@ -70,11 +70,14 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getContext().getSystemService(UserManager.class).isAdminUser();
+ UserManager userManager = getContext().getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
// System Tracing shouldn't be searchable if developer options are not enabled or if the
// user is not an admin.
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
MatrixCursor cursor = new MatrixCursor(NON_INDEXABLES_KEYS_COLUMNS);
Object[] row = new Object[] {getContext().getString(R.string.system_tracing)};
cursor.addRow(row);
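Review bot: The comment above the condition still lists only two reasons for hiding System Tracing from search, while the condition now has three. I would update it to `// System Tracing shouldn't be searchable if developer options are not enabled, if the user` / `// is not an admin, or if DISALLOW_DEBUGGING_FEATURES is set for the user.` so that the policy a reader sees matches the one that is enforced. The comment in the StorageProvider hunk has the same omission. The body of the `if` continues outside this hunk.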
diff --git a/src/com/android/traceur/StopTraceService.java b/src/com/android/traceur/StopTraceService.java
index ed20906..ad48c54 100644
--- a/src/com/android/traceur/StopTraceService.java
+++ b/src/com/android/traceur/StopTraceService.java
@@ -50,8 +50,11 @@
EventLog.writeEvent(0x534e4554, "204992293", -1, "");
return;
}
- boolean isAdminUser = context.getSystemService(UserManager.class).isAdminUser();
- if (!isAdminUser) {
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ if (!isAdminUser || debuggingDisallowed) {
return;
}
SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
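Review bot: The new `if (!isAdminUser || debuggingDisallowed)` path returns without logging anything, whereas the developer-options branch just above it writes an event-log entry. A start/stop request rejected because of the restriction therefore leaves no trace for someone investigating a device. I would add one warning line before the `return`, for example `Log.w(TAG, "Ignoring request: user is not admin or DISALLOW_DEBUGGING_FEATURES is set");`, assuming the class already has a `TAG` constant, which this hunk does not show. The same silent return is added in the TraceService hunk.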
diff --git a/src/com/android/traceur/StorageProvider.java b/src/com/android/traceur/StorageProvider.java
index cec0c31..c766209 100644
--- a/src/com/android/traceur/StorageProvider.java
+++ b/src/com/android/traceur/StorageProvider.java
@@ -79,11 +79,14 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getContext().getSystemService(UserManager.class).isAdminUser();
+ UserManager userManager = getContext().getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
// If developer options is not enabled or the user is not an admin, return an empty root
// cursor. This removes the provider from the list entirely.
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
return null;
}
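Review bot: The comment over this condition says the method returns "an empty root cursor", but the guarded statement is `return null;`, and the comment also does not mention the new restriction. I would reword it to `// If developer options is not enabled, the user is not an admin, or debugging features are` / `// disallowed for the user, return null so the provider exposes no roots.` Whether callers of this method tolerate a null cursor is not visible from the hunk, so it is worth confirming that before documenting it as the intended contract.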
diff --git a/src/com/android/traceur/TraceService.java b/src/com/android/traceur/TraceService.java
index 407b77c..d561122 100644
--- a/src/com/android/traceur/TraceService.java
+++ b/src/com/android/traceur/TraceService.java
@@ -111,8 +111,11 @@
EventLog.writeEvent(0x534e4554, "204992293", -1, "");
return;
}
- boolean isAdminUser = context.getSystemService(UserManager.class).isAdminUser();
- if (!isAdminUser) {
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ if (!isAdminUser || debuggingDisallowed) {
return;
}