authorJeff Sharkey <jsharkey@android.com>2018-01-04 15:07:38 -0700
committerJeff Sharkey <jsharkey@android.com>2018-01-04 15:07:41 -0700
commitb78b754dc01cf7114b859ad7ab4494699edae6cb (patch)
tree0670dd2046fbe8e66034495b52cf3c7fc21bbd00 /packages/ExternalStorageProvider/src
parent60de82d1991a4ef810e44ea6f27a182c2a101e0c (diff)
Enforce file transfer restrictions for shell.
If we have a policy that says DISALLOW_USB_FILE_TRANSFER, then block file transfers for that user through common ContentProviders. Test: builds, boots Bug: 64672411 Change-Id: I502b10c2c229727bc6b421f9db6d2d9e2e03845c
Diffstat (limited to 'packages/ExternalStorageProvider/src')
-rw-r--r--packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java29
1 files changed, 27 insertions, 2 deletions
diff --git a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
index f844cc163bbe..2a82fc9b28df 100644
--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
@@ -19,7 +19,6 @@ package com.android.externalstorage;
import android.annotation.Nullable;
import android.app.usage.StorageStatsManager;
import android.content.ContentResolver;
-import android.content.Context;
import android.content.UriPermission;
import android.database.Cursor;
import android.database.MatrixCursor;
@@ -28,7 +27,9 @@ import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
import android.os.Environment;
+import android.os.IBinder;
import android.os.UserHandle;
+import android.os.UserManager;
import android.os.storage.DiskInfo;
import android.os.storage.StorageManager;
import android.os.storage.VolumeInfo;
@@ -95,6 +96,7 @@ public class ExternalStorageProvider extends FileSystemProvider {
private static final String ROOT_ID_HOME = "home";
private StorageManager mStorageManager;
+ private UserManager mUserManager;
private final Object mRootsLock = new Object();
@@ -105,12 +107,35 @@ public class ExternalStorageProvider extends FileSystemProvider {
public boolean onCreate() {
super.onCreate(DEFAULT_DOCUMENT_PROJECTION);
- mStorageManager = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
+ mStorageManager = getContext().getSystemService(StorageManager.class);
+ mUserManager = getContext().getSystemService(UserManager.class);
updateVolumes();
return true;
}
+ private void enforceShellRestrictions() {
+ if (UserHandle.getCallingAppId() == android.os.Process.SHELL_UID
+ && mUserManager.hasUserRestriction(UserManager.DISALLOW_USB_FILE_TRANSFER)) {
+ throw new SecurityException(
+ "Shell user cannot access files for user " + UserHandle.myUserId());
+ }
+ }
+
+ @Override
+ protected int enforceReadPermissionInner(Uri uri, String callingPkg, IBinder callerToken)
+ throws SecurityException {
+ enforceShellRestrictions();
+ return super.enforceReadPermissionInner(uri, callingPkg, callerToken);
+ }
+
+ @Override
+ protected int enforceWritePermissionInner(Uri uri, String callingPkg, IBinder callerToken)
+ throws SecurityException {
+ enforceShellRestrictions();
+ return super.enforceWritePermissionInner(uri, callingPkg, callerToken);
+ }
+
public void updateVolumes() {
synchronized (mRootsLock) {
updateVolumesLocked();
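Review bot: `enforceShellRestrictions()` decides from `UserHandle.getCallingAppId()`, so it only gives the intended answer while the Binder calling identity is still the remote caller's, and nothing in the method says so. A short Javadoc would keep a later caller from invoking it after the identity has been cleared, where the check would see the provider's own uid and pass, e.g. `/** Throws if the Binder caller is the shell and this user has DISALLOW_USB_FILE_TRANSFER; must run before the calling identity is cleared. */`. The new code guards only the two `enforce*PermissionInner` hooks, and the rest of the class is outside this hunk, so it is worth confirming that no entry point reaches file data without passing through one of them. The commit's test line is "builds, boots", so a test asserting the `SecurityException` for a shell caller under the restriction would pin the deny path.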