Add DISALLOW_DEBUGGING_FEATURES check
This change adds a check for the DISALLOW_DEBUGGING_FEATURES restriction
wherever a developer options or admin-privileges check exists.
Test: Apply this change to the relevant branches and verify that Traceur
cannot be opened through the researcher-provided APK.
Bug: 270050064
Bug: 270050191
Ignore-AOSP-First: Internal-first security fix.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:44480ce656dfa33a63bda978b4067bb4e67ee312)
Merged-In: I95d308f6e73a19e489f5eb09558275ca6fb3c4aa
Change-Id: I95d308f6e73a19e489f5eb09558275ca6fb3c4aa
diff --git a/src/com/android/traceur/MainActivity.java b/src/com/android/traceur/MainActivity.java
index 3342652..2d48923 100644
--- a/src/com/android/traceur/MainActivity.java
+++ b/src/com/android/traceur/MainActivity.java
@@ -35,10 +35,14 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getApplicationContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getApplicationContext()
- .getSystemService(UserManager.class).isAdminUser();
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ UserManager userManager = getApplicationContext()
+ .getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
finish();
}
}
diff --git a/src/com/android/traceur/MainTvActivity.java b/src/com/android/traceur/MainTvActivity.java
index 7459b7a..de8c2bd 100644
--- a/src/com/android/traceur/MainTvActivity.java
+++ b/src/com/android/traceur/MainTvActivity.java
@@ -33,10 +33,14 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getApplicationContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getApplicationContext()
- .getSystemService(UserManager.class).isAdminUser();
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ UserManager userManager = getApplicationContext()
+ .getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
finish();
}
}
diff --git a/src/com/android/traceur/Receiver.java b/src/com/android/traceur/Receiver.java
index 9a0e1c2..b720f8a 100644
--- a/src/com/android/traceur/Receiver.java
+++ b/src/com/android/traceur/Receiver.java
@@ -90,8 +90,12 @@
boolean developerOptionsEnabled = (1 ==
Settings.Global.getInt(context.getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED , 0));
- boolean isAdminUser = context.getSystemService(UserManager.class).isAdminUser();
- updateStorageProvider(context, developerOptionsEnabled && isAdminUser);
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ updateStorageProvider(context,
+ developerOptionsEnabled && isAdminUser && !debuggingDisallowed);
} else if (STOP_ACTION.equals(intent.getAction())) {
prefs.edit().putBoolean(
context.getString(R.string.pref_key_tracing_on), false).commit();
@@ -220,9 +224,12 @@
boolean developerOptionsEnabled = (1 ==
Settings.Global.getInt(context.getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED , 0));
- boolean isAdminUser = context.getSystemService(UserManager.class)
- .isAdminUser();
- updateStorageProvider(context, developerOptionsEnabled && isAdminUser);
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ updateStorageProvider(context,
+ developerOptionsEnabled && isAdminUser && !debuggingDisallowed);
if (!developerOptionsEnabled) {
SharedPreferences prefs =
diff --git a/src/com/android/traceur/SearchProvider.java b/src/com/android/traceur/SearchProvider.java
index 0d76e9f..8a20331 100644
--- a/src/com/android/traceur/SearchProvider.java
+++ b/src/com/android/traceur/SearchProvider.java
@@ -69,11 +69,14 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getContext().getSystemService(UserManager.class).isAdminUser();
+ UserManager userManager = getContext().getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
// System Tracing shouldn't be searchable if developer options are not enabled or if the
// user is not an admin.
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
MatrixCursor cursor = new MatrixCursor(NON_INDEXABLES_KEYS_COLUMNS);
Object[] row = new Object[] {getContext().getString(R.string.system_tracing)};
cursor.addRow(row);
diff --git a/src/com/android/traceur/StopTraceService.java b/src/com/android/traceur/StopTraceService.java
index b0c941b..0e754ac 100644
--- a/src/com/android/traceur/StopTraceService.java
+++ b/src/com/android/traceur/StopTraceService.java
@@ -50,8 +50,11 @@
EventLog.writeEvent(0x534e4554, "204992293", -1, "");
return;
}
- boolean isAdminUser = context.getSystemService(UserManager.class).isAdminUser();
- if (!isAdminUser) {
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ if (!isAdminUser || debuggingDisallowed) {
return;
}
// Ensures that only intents that pertain to stopping a trace and need to be accessed from
diff --git a/src/com/android/traceur/StorageProvider.java b/src/com/android/traceur/StorageProvider.java
index a2a6c3a..0044a81 100644
--- a/src/com/android/traceur/StorageProvider.java
+++ b/src/com/android/traceur/StorageProvider.java
@@ -76,11 +76,14 @@
boolean developerOptionsIsEnabled =
Settings.Global.getInt(getContext().getContentResolver(),
Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
- boolean isAdminUser = getContext().getSystemService(UserManager.class).isAdminUser();
+ UserManager userManager = getContext().getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
// If developer options is not enabled or the user is not an admin, return an empty root
// cursor. This removes the provider from the list entirely.
- if (!developerOptionsIsEnabled || !isAdminUser) {
+ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) {
return null;
}
diff --git a/src/com/android/traceur/TraceService.java b/src/com/android/traceur/TraceService.java
index 0039f6f..9b6f69d 100644
--- a/src/com/android/traceur/TraceService.java
+++ b/src/com/android/traceur/TraceService.java
@@ -118,8 +118,11 @@
EventLog.writeEvent(0x534e4554, "204992293", -1, "");
return;
}
- boolean isAdminUser = context.getSystemService(UserManager.class).isAdminUser();
- if (!isAdminUser) {
+ UserManager userManager = context.getSystemService(UserManager.class);
+ boolean isAdminUser = userManager.isAdminUser();
+ boolean debuggingDisallowed = userManager.hasUserRestriction(
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ if (!isAdminUser || debuggingDisallowed) {
return;
}
