
Commit cc5d2c82 authored by Momoko Hattori

Reject profiles, guest users and restricted profiles in setUserAdmin()

These users should not be allowed to become admin.

Bug: 411194997
Test: atest FrameworksServicesTests
          --test-filter=".UserManagerTest#testSetUserAdmin.*"
Test: Manually test with CL:33082444 as follows:
  $ adb shell pm create-user --profileOf cur --managed "User11"
  Success: created user id 11
  $ adb shell cmd user set-user-admin 11
  $ adb shell cmd user list -v | grep id=11
  2: id=11, ... flags=MANAGED_PROFILE|PROFILE (parentId=10)
  $ adb shell pm create-user --guest "User12"
  $ adb shell cmd user set-user-admin 12
  $ adb shell cmd user list -v | grep id=12
  3: id=12, ... flags=EPHEMERAL|EPHEMERAL_ON_CREATE|FULL|GUEST
  $ adb shell pm create-user --profileOf cur --restricted "User13"
  $ adb shell cmd user set-user-admin 13
  $ adb shell cmd user list -v | grep id=13
  4: id=13, ... flag=FULL|RESTRICTED
Flag: EXEMPT bug fix

Change-Id: Icd65f536a71c7e18dae6bacebaae09aa09a3794f
parent 6c97f898
+3 −1
@@ -68,6 +68,7 @@ public class UserJourneyLogger {
    public static final int ERROR_CODE_NULL_USER_INFO = 4;
    public static final int ERROR_CODE_NULL_USER_INFO = 4;
    public static final int ERROR_CODE_USER_ALREADY_AN_ADMIN = 5;
    public static final int ERROR_CODE_USER_ALREADY_AN_ADMIN = 5;
    public static final int ERROR_CODE_USER_IS_NOT_AN_ADMIN = 6;
    public static final int ERROR_CODE_USER_IS_NOT_AN_ADMIN = 6;
    public static final int ERROR_CODE_INVALID_USER_TYPE = 7;


    @IntDef(prefix = {"ERROR_CODE"}, value = {
    @IntDef(prefix = {"ERROR_CODE"}, value = {
            ERROR_CODE_UNSPECIFIED,
            ERROR_CODE_UNSPECIFIED,
@@ -76,7 +77,8 @@ public class UserJourneyLogger {
            ERROR_CODE_NULL_USER_INFO,
            ERROR_CODE_NULL_USER_INFO,
            ERROR_CODE_USER_ALREADY_AN_ADMIN,
            ERROR_CODE_USER_ALREADY_AN_ADMIN,
            ERROR_CODE_USER_IS_NOT_AN_ADMIN,
            ERROR_CODE_USER_IS_NOT_AN_ADMIN,
            ERROR_CODE_INVALID_SESSION_ID
            ERROR_CODE_INVALID_SESSION_ID,
            ERROR_CODE_INVALID_USER_TYPE
    })
    })
    public @interface UserJourneyErrorCode {
    public @interface UserJourneyErrorCode {
    }
    }
+11 −3
@@ -42,6 +42,7 @@ import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_ABORTED;
import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_UNSPECIFIED;
import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_UNSPECIFIED;
import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_USER_ALREADY_AN_ADMIN;
import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_USER_ALREADY_AN_ADMIN;
import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_USER_IS_NOT_AN_ADMIN;
import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_USER_IS_NOT_AN_ADMIN;
import static com.android.server.pm.UserJourneyLogger.ERROR_CODE_INVALID_USER_TYPE;
import static com.android.server.pm.UserJourneyLogger.USER_JOURNEY_GRANT_ADMIN;
import static com.android.server.pm.UserJourneyLogger.USER_JOURNEY_GRANT_ADMIN;
import static com.android.server.pm.UserJourneyLogger.USER_JOURNEY_REVOKE_ADMIN;
import static com.android.server.pm.UserJourneyLogger.USER_JOURNEY_REVOKE_ADMIN;
import static com.android.server.pm.UserJourneyLogger.USER_JOURNEY_USER_CREATE;
import static com.android.server.pm.UserJourneyLogger.USER_JOURNEY_USER_CREATE;
@@ -2311,26 +2312,33 @@ public class UserManagerService extends IUserManager.Stub {


        mUserJourneyLogger.logUserJourneyBegin(userId, USER_JOURNEY_GRANT_ADMIN);
        mUserJourneyLogger.logUserJourneyBegin(userId, USER_JOURNEY_GRANT_ADMIN);
        UserData user;
        UserData user;
        int currentUserId = getCurrentUserId();
        synchronized (mPackagesLock) {
        synchronized (mPackagesLock) {
            synchronized (mUsersLock) {
            synchronized (mUsersLock) {
                user = getUserDataLU(userId);
                user = getUserDataLU(userId);
                if (user == null) {
                if (user == null) {
                    // Exit if no user found with that id,
                    // Exit if no user found with that id,
                    mUserJourneyLogger.logNullUserJourneyError(USER_JOURNEY_GRANT_ADMIN,
                    mUserJourneyLogger.logNullUserJourneyError(USER_JOURNEY_GRANT_ADMIN,
                        getCurrentUserId(), userId, /* userType */ "", /* userFlags */ -1);
                            currentUserId, userId, /* userType */ "", /* userFlags */ -1);
                    return;
                    return;
                } else if (user.info.isAdmin()) {
                } else if (user.info.isAdmin()) {
                    // Exit if the user is already an Admin.
                    // Exit if the user is already an Admin.
                    mUserJourneyLogger.logUserJourneyFinishWithError(getCurrentUserId(),
                    mUserJourneyLogger.logUserJourneyFinishWithError(currentUserId,
                        user.info, USER_JOURNEY_GRANT_ADMIN,
                        user.info, USER_JOURNEY_GRANT_ADMIN,
                        ERROR_CODE_USER_ALREADY_AN_ADMIN);
                        ERROR_CODE_USER_ALREADY_AN_ADMIN);
                    return;
                    return;
                } else if (user.info.isProfile() || user.info.isGuest()
                        || user.info.isRestricted()) {
                    // Profiles, guest users or restricted profiles cannot become an Admin.
                    mUserJourneyLogger.logUserJourneyFinishWithError(currentUserId,
                            user.info, USER_JOURNEY_GRANT_ADMIN, ERROR_CODE_INVALID_USER_TYPE);
                    return;
                }
                }
                user.info.flags ^= UserInfo.FLAG_ADMIN;
                user.info.flags ^= UserInfo.FLAG_ADMIN;
                writeUserLP(user);
                writeUserLP(user);
            }
            }
        }
        }
        mUserJourneyLogger.logUserJourneyFinishWithError(getCurrentUserId(), user.info,
        mUserJourneyLogger.logUserJourneyFinishWithError(currentUserId, user.info,
                USER_JOURNEY_GRANT_ADMIN, ERROR_CODE_UNSPECIFIED);
                USER_JOURNEY_GRANT_ADMIN, ERROR_CODE_UNSPECIFIED);
    }
    }
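Review bot: The new `else if (user.info.isProfile() || user.info.isGuest() || user.info.isRestricted())` branch is evaluated after the `user.info.isAdmin()` branch, so a profile, guest or restricted user that already carries FLAG_ADMIN (for example one granted before this fix) is logged as ERROR_CODE_USER_ALREADY_AN_ADMIN and keeps the flag. If that state can exist on upgraded devices, checking the user type first would at least record ERROR_CODE_INVALID_USER_TYPE for it, and clearing the flag would need separate handling. The check is also a deny-list of three predicates, so any user type added later is eligible by default; a comment such as `// Deny-list: revisit when a new user type is introduced.` above the branch would make that explicit. The rejection is only visible through the journey logger, since the method returns bare with no exception or result, so callers have to re-read UserInfo to notice it. The enclosing method starts before the hunk.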


+36 −0
@@ -1137,6 +1137,42 @@ public final class UserManagerTest {
        }
        }
    }
    }


    @MediumTest
    @Test
    public void testSetUserAdminFailsForGuest() throws Exception {
        UserInfo userInfo = createUser("GuestUser", UserInfo.FLAG_GUEST);
        assertThat(userInfo).isNotNull();

        mUserManager.setUserAdmin(userInfo.id);
        userInfo = mUserManager.getUserInfo(userInfo.id);
        assertThat(userInfo.isAdmin()).isFalse();
    }

    @MediumTest
    @Test
    public void testSetUserAdminFailsForProfile() throws Exception {
        UserHandle mainUser = mUserManager.getMainUser();
        assertThat(mainUser).isNotNull();
        UserInfo userInfo = createProfileForUser("Profile",
                UserManager.USER_TYPE_PROFILE_MANAGED, mainUser.getIdentifier());
        assertThat(userInfo).isNotNull();

        mUserManager.setUserAdmin(userInfo.id);
        userInfo = mUserManager.getUserInfo(userInfo.id);
        assertThat(userInfo.isAdmin()).isFalse();
    }

    @MediumTest
    @Test
    public void testSetUserAdminFailsForRestrictedProfile() throws Exception {
        UserInfo userInfo = createRestrictedProfile("Profile");
        assertThat(userInfo).isNotNull();

        mUserManager.setUserAdmin(userInfo.id);
        userInfo = mUserManager.getUserInfo(userInfo.id);
        assertThat(userInfo.isAdmin()).isFalse();
    }

    @MediumTest
    @MediumTest
    @Test
    @Test
    public void testRevokeUserAdmin() throws Exception {
    public void testRevokeUserAdmin() throws Exception {
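Review bot: The three new tests assert only that `isAdmin()` is false after `setUserAdmin()`, which would also pass if the call changed other bits of the user's flags. Capturing the flags before the call and comparing afterwards pins the rejection more tightly, e.g. `int before = userInfo.flags;` followed by `assertThat(mUserManager.getUserInfo(userInfo.id).flags).isEqualTo(before);`. The precondition `assertThat(userInfo).isNotNull()` also turns "this device cannot create a guest, managed profile or restricted profile" into a failure rather than a skip; if the test class has a feature-support assumption helper (not visible in this hunk), using it here, or `Assume.assumeTrue(userInfo != null)`, would avoid false failures on such devices.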