Apply user restrictions to SettingsProvider.

Change-Id: If68c715bc688bf0df63591e0b8f8bf8a2b6dd118
author: Julia Reynolds <juliacr@google.com> 2014-07-07 16:07:01 -0400
committer: Julia Reynolds <juliacr@google.com> 2014-07-07 20:09:23 +0000
commit: 5e458dd6b4b92c369865e59c81a02c8ce8c342f6 (patch)
tree: 6fa2571130ecc1691025d267d2dd93854b0afffc /packages/SettingsProvider/src/com/android/providers/settings
parent: f9499b36e689dee5cec2cb7bb0b7d21f7c302d84 (diff)
download: frameworks_base-5e458dd6b4b92c369865e59c81a02c8ce8c342f6.zip
frameworks_base-5e458dd6b4b92c369865e59c81a02c8ce8c342f6.tar.gz
frameworks_base-5e458dd6b4b92c369865e59c81a02c8ce8c342f6.tar.bz2
1 files changed, 30 insertions, 0 deletions
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 158227f..e6c6f9f 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -18,7 +18,9 @@ package com.android.providers.settings;
 
 import java.io.FileNotFoundException;
 import java.security.SecureRandom;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicInteger;
 
@@ -112,6 +114,9 @@ public class SettingsProvider extends ContentProvider {
     static final HashSet<String> sSecureGlobalKeys;
     static final HashSet<String> sSystemGlobalKeys;
 
+    // Settings that cannot be modified if associated user restrictions are enabled.
+    static final Map<String, String> sRestrictedKeys;
+
     private static final String DROPBOX_TAG_USERLOG = "restricted_profile_ssaid";
 
     static {
@@ -125,6 +130,18 @@ public class SettingsProvider extends ContentProvider {
         // These must match Settings.System.MOVED_TO_GLOBAL
         sSystemGlobalKeys = new HashSet<String>();
         Settings.System.getNonLegacyMovedKeys(sSystemGlobalKeys);
+
+        sRestrictedKeys = new HashMap<String, String>();
+        sRestrictedKeys.put(Settings.Secure.LOCATION_MODE, UserManager.DISALLOW_SHARE_LOCATION);
+        sRestrictedKeys.put(Settings.Secure.LOCATION_PROVIDERS_ALLOWED,
+                UserManager.DISALLOW_SHARE_LOCATION);
+        sRestrictedKeys.put(Settings.Global.INSTALL_NON_MARKET_APPS,
+                UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
+        sRestrictedKeys.put(Settings.Global.ADB_ENABLED, UserManager.DISALLOW_DEBUGGING_FEATURES);
+        sRestrictedKeys.put(Settings.Global.PACKAGE_VERIFIER_ENABLE,
+                UserManager.ENSURE_VERIFY_APPS);
+        sRestrictedKeys.put(Settings.Global.PREFERRED_NETWORK_MODE,
+                UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS);
     }
 
     private boolean settingMovedToGlobal(final String name) {
@@ -285,6 +302,15 @@ public class SettingsProvider extends ContentProvider {
         }
     }
 
+    private void checkUserRestrictions(String setting) {
+        String userRestriction = sRestrictedKeys.get(setting);
+        if (!TextUtils.isEmpty(userRestriction)
+            && mUserManager.hasUserRestriction(userRestriction)) {
+            throw new SecurityException(
+                    "Permission denial: user is restricted from changing this setting.");
+        }
+    }
+
     // FileObserver for external modifications to the database file.
     // Note that this is for platform developers only with
     // userdebug/eng builds who should be able to tinker with the
@@ -783,6 +809,7 @@ public class SettingsProvider extends ContentProvider {
         try {
             int numValues = values.length;
             for (int i = 0; i < numValues; i++) {
+                checkUserRestrictions(values[i].getAsString(Settings.Secure.NAME));
                 if (db.insert(args.table, null, values[i]) < 0) return 0;
                 SettingsCache.populate(cache, values[i]);
                 if (LOCAL_LOGV) Log.v(TAG, args.table + " <- " + values[i]);
@@ -913,6 +940,8 @@ public class SettingsProvider extends ContentProvider {
         // Check write permissions only after determining which table the insert will touch
         checkWritePermissions(args);
 
+        checkUserRestrictions(name);
+
         // The global table is stored under the owner, always
         if (TABLE_GLOBAL.equals(args.table)) {
             desiredUserHandle = UserHandle.USER_OWNER;
@@ -987,6 +1016,7 @@ public class SettingsProvider extends ContentProvider {
             callingUser = UserHandle.USER_OWNER;
         }
         checkWritePermissions(args);
+        checkUserRestrictions(initialValues.getAsString(Settings.Secure.NAME));
 
         final AtomicInteger mutationCount = sKnownMutationsInFlight.get(callingUser);
         mutationCount.incrementAndGet();
author	Julia Reynolds <juliacr@google.com>	2014-07-07 16:07:01 -0400
committer	Julia Reynolds <juliacr@google.com>	2014-07-07 20:09:23 +0000
commit	5e458dd6b4b92c369865e59c81a02c8ce8c342f6 (patch)
tree	6fa2571130ecc1691025d267d2dd93854b0afffc /packages/SettingsProvider/src/com/android/providers/settings
parent	f9499b36e689dee5cec2cb7bb0b7d21f7c302d84 (diff)
download	frameworks_base-5e458dd6b4b92c369865e59c81a02c8ce8c342f6.zip frameworks_base-5e458dd6b4b92c369865e59c81a02c8ce8c342f6.tar.gz frameworks_base-5e458dd6b4b92c369865e59c81a02c8ce8c342f6.tar.bz2