Check DISALLOW_APPS_CONTROL before performing reset app preferences

When DISALLOW_APPS_CONTROL restriction is enabled, users should not be able to enable/disable apps, clear app caches and clear app data. The function of reset app preferences will re-enable the disabled apps, it can let users bypass DISALLOW_APPS_CONTROL to enable an app disabled by IT admin to see sensitive information. To fix this vulnerability, we add a check for DISALLOW_APPS_CONTROL restriction before users reset app preferences. Once the restriction is enabled, it will show dialog “Blocked by your IT admin” instead. Fixes: 238745070 Test: Verify change by turning on/off DISALLOW_APPS_CONTROL with TestDPC. Change-Id: Iffee73cf4952b686a78b4c7aaa54747971337d03
2022-08-03 02:02:10 +08:00
parent 5e49a1ab34
commit 4356c9c653
1 changed files with 14 additions and 1 deletions
--- a/src/com/android/settings/applications/manageapplications/ManageApplications.java
+++ b/src/com/android/settings/applications/manageapplications/ManageApplications.java
@@ -133,6 +133,8 @@ import com.android.settings.notification.app.AppNotificationSettings;
 import com.android.settings.widget.LoadingViewController;
 import com.android.settings.wifi.AppStateChangeWifiStateBridge;
 import com.android.settings.wifi.ChangeWifiStateDetails;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedLockUtilsInternal;
 import com.android.settingslib.applications.AppIconCacheManager;
 import com.android.settingslib.applications.AppUtils;
 import com.android.settingslib.applications.ApplicationsState;
@@ -798,7 +800,18 @@ public class ManageApplications extends InstrumentedFragment
            mShowSystem = !mShowSystem;
            mApplications.rebuild();
        } else if (i == R.id.reset_app_preferences) {
-            mResetAppsHelper.buildResetDialog();
+            final boolean appsControlDisallowedBySystem =
+                    RestrictedLockUtilsInternal.hasBaseUserRestriction(getActivity(),
+                            UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+            final RestrictedLockUtils.EnforcedAdmin appsControlDisallowedAdmin =
+                    RestrictedLockUtilsInternal.checkIfRestrictionEnforced(getActivity(),
+                            UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+            if (appsControlDisallowedAdmin != null && !appsControlDisallowedBySystem) {
+                RestrictedLockUtils.sendShowAdminSupportDetailsIntent(
+                        getActivity(), appsControlDisallowedAdmin);
+            } else {
+                mResetAppsHelper.buildResetDialog();
+            }
            return true;
        } else if (i == R.id.advanced) {
            if (mListType == LIST_TYPE_NOTIFICATION) {