commit ea6a06c8e862cabe589cd6f4e2cb5f9672049d61
author Yanting Yang <yantingyang@google.com> Wed Aug 03 02:02:10 2022 +0800
committer Yanting Yang <yantingyang@google.com> Fri Aug 12 12:25:48 2022 +0000
tree 4aee3f1b739e339210341c0560ff303c6135e9e2
parent 00771290940cf0468b06815d044c1a4f5dcec390

Check DISALLOW_APPS_CONTROL before performing reset app preferences

When DISALLOW_APPS_CONTROL restriction is enabled, users should not be
able to enable/disable apps, clear app caches and clear app data.

The function of reset app preferences will re-enable the disabled apps,
it can let users bypass DISALLOW_APPS_CONTROL to enable an app disabled
by IT admin to see sensitive information.

To fix this vulnerability, we add a check for DISALLOW_APPS_CONTROL
restriction before users reset app preferences. Once the restriction is
enabled, it will show dialog “Blocked by your IT admin” instead.

Bug: 238745070
Test: Verify change by turning on/off DISALLOW_APPS_CONTROL with TestDPC.
Change-Id: Iffee73cf4952b686a78b4c7aaa54747971337d03
(cherry picked from commit 4356c9c65361481db16c393906bf46d8a0d44ef7)

src/com/android/settings/applications/manageapplications/ManageApplications.java

diff --git a/src/com/android/settings/applications/manageapplications/ManageApplications.java b/src/com/android/settings/applications/manageapplications/ManageApplications.java
index e12bc1c..30d4a71 100644
--- a/src/com/android/settings/applications/manageapplications/ManageApplications.java
+++ b/src/com/android/settings/applications/manageapplications/ManageApplications.java
@@ -126,6 +126,8 @@
 import com.android.settings.widget.LoadingViewController;
 import com.android.settings.wifi.AppStateChangeWifiStateBridge;
 import com.android.settings.wifi.ChangeWifiStateDetails;
+import com.android.settingslib.RestrictedLockUtils;
+import com.android.settingslib.RestrictedLockUtilsInternal;
 import com.android.settingslib.applications.AppIconCacheManager;
 import com.android.settingslib.applications.AppUtils;
 import com.android.settingslib.applications.ApplicationsState;
@@ -776,7 +778,18 @@
             mShowSystem = !mShowSystem;
             mApplications.rebuild();
         } else if (i == R.id.reset_app_preferences) {
-            mResetAppsHelper.buildResetDialog();
+            final boolean appsControlDisallowedBySystem =
+                    RestrictedLockUtilsInternal.hasBaseUserRestriction(getActivity(),
+                            UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+            final RestrictedLockUtils.EnforcedAdmin appsControlDisallowedAdmin =
+                    RestrictedLockUtilsInternal.checkIfRestrictionEnforced(getActivity(),
+                            UserManager.DISALLOW_APPS_CONTROL, UserHandle.myUserId());
+            if (appsControlDisallowedAdmin != null && !appsControlDisallowedBySystem) {
+                RestrictedLockUtils.sendShowAdminSupportDetailsIntent(
+                        getActivity(), appsControlDisallowedAdmin);
+            } else {
+                mResetAppsHelper.buildResetDialog();
+            }
             return true;
         } else if (i == R.id.advanced) {
             if (mListType == LIST_TYPE_NOTIFICATION) {