diff options
| author | Jeff Sharkey <jsharkey@android.com> | 2015-07-27 14:19:54 -0700 |
|---|---|---|
| committer | Jeff Sharkey <jsharkey@android.com> | 2015-07-27 14:25:11 -0700 |
| commit | 2e606d7be5275f2bff4c5755351bc3191ecb1bf1 (patch) | |
| tree | 4450408e46b454987f6d98107ab33e15529abda7 /services | |
| parent | 71bfb27013f983bc4a54f1924af61c07732f994e (diff) | |
| download | frameworks_base-2e606d7be5275f2bff4c5755351bc3191ecb1bf1.zip frameworks_base-2e606d7be5275f2bff4c5755351bc3191ecb1bf1.tar.gz frameworks_base-2e606d7be5275f2bff4c5755351bc3191ecb1bf1.tar.bz2 | |
Enforce DISALLOW_MOUNT_PHYSICAL_MEDIA.
Bug: 22697024
Change-Id: Ib7277e8850a49909e5d8d5ad5502cd9315cddf0b
Diffstat (limited to 'services')
| -rw-r--r-- | services/core/java/com/android/server/MountService.java | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/services/core/java/com/android/server/MountService.java b/services/core/java/com/android/server/MountService.java index ed136e9..857394f 100644 --- a/services/core/java/com/android/server/MountService.java +++ b/services/core/java/com/android/server/MountService.java @@ -146,8 +146,6 @@ import javax.crypto.spec.PBEKeySpec; class MountService extends IMountService.Stub implements INativeDaemonConnectorCallbacks, Watchdog.Monitor { - // TODO: finish enforcing UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA - // Static direct instance pointer for the tightly-coupled idle service to use static MountService sSelf = null; @@ -631,6 +629,10 @@ class MountService extends IMountService.Stub } case H_VOLUME_MOUNT: { final VolumeInfo vol = (VolumeInfo) msg.obj; + if (isMountDisallowed(vol)) { + Slog.i(TAG, "Ignoring mount " + vol.getId() + " due to policy"); + break; + } try { mConnector.execute("volume", "mount", vol.id, vol.mountFlags, vol.mountUserId); @@ -1305,10 +1307,16 @@ class MountService extends IMountService.Stub mContext.enforceCallingOrSelfPermission(perm, perm); } - private void enforceUserRestriction(String restriction) { - UserManager um = (UserManager) mContext.getSystemService(Context.USER_SERVICE); - if (um.hasUserRestriction(restriction, Binder.getCallingUserHandle())) { - throw new SecurityException("User has restriction " + restriction); + /** + * Decide if volume is mountable per device policies. + */ + private boolean isMountDisallowed(VolumeInfo vol) { + if (vol.type == VolumeInfo.TYPE_PUBLIC || vol.type == VolumeInfo.TYPE_PRIVATE) { + final UserManager userManager = mContext.getSystemService(UserManager.class); + return userManager.hasUserRestriction(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, + Binder.getCallingUserHandle()); + } else { + return false; } } @@ -1586,8 +1594,8 @@ class MountService extends IMountService.Stub waitForReady(); final VolumeInfo vol = findVolumeByIdOrThrow(volId); - if (vol.type == VolumeInfo.TYPE_PUBLIC || vol.type == VolumeInfo.TYPE_PRIVATE) { - enforceUserRestriction(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA); + if (isMountDisallowed(vol)) { + throw new SecurityException("Mounting " + volId + " restricted by policy"); } try { mConnector.execute("volume", "mount", vol.id, vol.mountFlags, vol.mountUserId); |