Google Git
Sign in
android / platform / frameworks / base / 2e606d7^! / .
commit2e606d7be5275f2bff4c5755351bc3191ecb1bf1[log] [tgz]
authorJeff Sharkey <jsharkey@android.com>Mon Jul 27 14:19:54 2015 -0700
committerJeff Sharkey <jsharkey@android.com>Mon Jul 27 14:25:11 2015 -0700
tree4450408e46b454987f6d98107ab33e15529abda7
parent71bfb27013f983bc4a54f1924af61c07732f994e [diff]
Enforce DISALLOW_MOUNT_PHYSICAL_MEDIA.

Bug: 22697024
Change-Id: Ib7277e8850a49909e5d8d5ad5502cd9315cddf0b

diff --git a/services/core/java/com/android/server/MountService.java b/services/core/java/com/android/server/MountService.java
index ed136e9..857394f 100644
--- a/services/core/java/com/android/server/MountService.java
+++ b/services/core/java/com/android/server/MountService.java

@@ -146,8 +146,6 @@
 class MountService extends IMountService.Stub
         implements INativeDaemonConnectorCallbacks, Watchdog.Monitor {
 
-    // TODO: finish enforcing UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA
-
     // Static direct instance pointer for the tightly-coupled idle service to use
     static MountService sSelf = null;
 
@@ -631,6 +629,10 @@
                 }
                 case H_VOLUME_MOUNT: {
                     final VolumeInfo vol = (VolumeInfo) msg.obj;
+                    if (isMountDisallowed(vol)) {
+                        Slog.i(TAG, "Ignoring mount " + vol.getId() + " due to policy");
+                        break;
+                    }
                     try {
                         mConnector.execute("volume", "mount", vol.id, vol.mountFlags,
                                 vol.mountUserId);
@@ -1305,10 +1307,16 @@
         mContext.enforceCallingOrSelfPermission(perm, perm);
     }
 
-    private void enforceUserRestriction(String restriction) {
-        UserManager um = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
-        if (um.hasUserRestriction(restriction, Binder.getCallingUserHandle())) {
-            throw new SecurityException("User has restriction " + restriction);
+    /**
+     * Decide if volume is mountable per device policies.
+     */
+    private boolean isMountDisallowed(VolumeInfo vol) {
+        if (vol.type == VolumeInfo.TYPE_PUBLIC || vol.type == VolumeInfo.TYPE_PRIVATE) {
+            final UserManager userManager = mContext.getSystemService(UserManager.class);
+            return userManager.hasUserRestriction(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
+                    Binder.getCallingUserHandle());
+        } else {
+            return false;
         }
     }
 
@@ -1586,8 +1594,8 @@
         waitForReady();
 
         final VolumeInfo vol = findVolumeByIdOrThrow(volId);
-        if (vol.type == VolumeInfo.TYPE_PUBLIC || vol.type == VolumeInfo.TYPE_PRIVATE) {
-            enforceUserRestriction(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA);
+        if (isMountDisallowed(vol)) {
+            throw new SecurityException("Mounting " + volId + " restricted by policy");
         }
         try {
             mConnector.execute("volume", "mount", vol.id, vol.mountFlags, vol.mountUserId);