Check DISALLOW_APPS_CONTROL before performing reset app preferences
When DISALLOW_APPS_CONTROL restriction is enabled, users should not be
able to enable/disable apps, clear app caches and clear app data.
The function of reset app preferences will re-enable the disabled apps,
it can let users bypass DISALLOW_APPS_CONTROL to enable an app disabled
by IT admin to see sensitive information.
To fix this vulnerability, we add a check for DISALLOW_APPS_CONTROL
restriction before users reset app preferences. Once the restriction is
enabled, it will show dialog “Blocked by your IT admin” instead.
Bug: 238745070
Test: Verify change by turning on/off DISALLOW_APPS_CONTROL with TestDPC.
Change-Id: Iffee73cf4952b686a78b4c7aaa54747971337d03
(cherry picked from commit 4356c9c65361481db16c393906bf46d8a0d44ef7)
diff --git a/src/com/android/settings/applications/manageapplications/ManageApplications.java b/src/com/android/settings/applications/manageapplications/ManageApplications.java
index e12bc1c..30d4a71 100644
--- a/src/com/android/settings/applications/manageapplications/ManageApplications.java
+++ b/src/com/android/settings/applications/manageapplications/ManageApplications.java
@@ -126,6 +126,8 @@
import com.android.settings.widget.LoadingViewController;
import com.android.settings.wifi.AppStateChangeWifiStateBridge;
import com.android.settings.wifi.ChangeWifiStateDetails;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedLockUtilsInternal;
import com.android.settingslib.applications.AppIconCacheManager;
import com.android.settingslib.applications.AppUtils;
import com.android.settingslib.applications.ApplicationsState;
@@ -776,7 +778,18 @@
mShowSystem = !mShowSystem;
mApplications.rebuild();
} else if (i == R.id.reset_app_preferences) {
- mResetAppsHelper.buildResetDialog();
+ final boolean appsControlDisallowedBySystem =
+ RestrictedLockUtilsInternal.hasBaseUserRestriction(getActivity(),
+ UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+ final RestrictedLockUtils.EnforcedAdmin appsControlDisallowedAdmin =
+ RestrictedLockUtilsInternal.checkIfRestrictionEnforced(getActivity(),
+ UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+ if (appsControlDisallowedAdmin != null && !appsControlDisallowedBySystem) {
+ RestrictedLockUtils.sendShowAdminSupportDetailsIntent(
+ getActivity(), appsControlDisallowedAdmin);
+ } else {
+ mResetAppsHelper.buildResetDialog();
+ }
return true;
} else if (i == R.id.advanced) {
if (mListType == LIST_TYPE_NOTIFICATION) {