Merge "Check calling user id against current user before setting navbar mode." into tm-qpr-dev am: 021e2eaee0
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/20290266
Change-Id: I009481205d26b38dc52dc29b6cfc9af2fecb46aa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/services/core/java/com/android/server/statusbar/StatusBarManagerService.java b/services/core/java/com/android/server/statusbar/StatusBarManagerService.java
index 3df8f58..16567d8 100644
--- a/services/core/java/com/android/server/statusbar/StatusBarManagerService.java
+++ b/services/core/java/com/android/server/statusbar/StatusBarManagerService.java
@@ -16,12 +16,15 @@
package com.android.server.statusbar;
+import static android.Manifest.permission.INTERACT_ACROSS_USERS;
+import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL;
import static android.app.StatusBarManager.DISABLE2_GLOBAL_ACTIONS;
import static android.app.StatusBarManager.DISABLE2_NOTIFICATION_SHADE;
import static android.app.StatusBarManager.NAV_BAR_MODE_DEFAULT;
import static android.app.StatusBarManager.NAV_BAR_MODE_KIDS;
import static android.app.StatusBarManager.NavBarMode;
import static android.app.StatusBarManager.SessionFlags;
+import static android.content.pm.PackageManager.PERMISSION_GRANTED;
import static android.view.Display.DEFAULT_DISPLAY;
import static android.view.WindowManagerPolicyConstants.NAV_BAR_MODE_3BUTTON_OVERLAY;
@@ -1285,6 +1288,11 @@
"StatusBarManagerService");
}
+ private boolean doesCallerHoldInteractAcrossUserPermission() {
+ return mContext.checkCallingPermission(INTERACT_ACROSS_USERS_FULL) == PERMISSION_GRANTED
+ || mContext.checkCallingPermission(INTERACT_ACROSS_USERS) == PERMISSION_GRANTED;
+ }
+
/**
* For targetSdk S+ we require STATUS_BAR. For targetSdk < S, we only require EXPAND_STATUS_BAR
* but also require that it falls into one of the allowed use-cases to lock down abuse vector.
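Review bot: doesCallerHoldInteractAcrossUserPermission() is added without a comment, and its result depends on the Binder calling identity, which is easy to miss at future call sites. `checkCallingPermission` evaluates the caller of the IPC currently being handled, so the helper has to run before `Binder.clearCallingIdentity()`; once the identity is cleared, the result no longer describes the original caller. I would add a short Javadoc such as `/** Returns true if the Binder caller holds INTERACT_ACROSS_USERS or INTERACT_ACROSS_USERS_FULL. Must be called before clearCallingIdentity(). */`. The enclosing class starts and ends outside the hunk.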
@@ -1296,7 +1304,7 @@
enforceStatusBar();
} else {
if (mContext.checkPermission(Manifest.permission.STATUS_BAR, pid, uid)
- != PackageManager.PERMISSION_GRANTED) {
+ != PERMISSION_GRANTED) {
enforceExpandStatusBar();
if (!mActivityTaskManager.canCloseSystemDialogs(pid, uid)) {
Slog.e(TAG, "Permission Denial: Method " + method + "() requires permission "
@@ -2002,6 +2010,11 @@
}
final int userId = mCurrentUserId;
+ final int callingUserId = UserHandle.getUserId(Binder.getCallingUid());
+ if (mCurrentUserId != callingUserId && !doesCallerHoldInteractAcrossUserPermission()) {
+ throw new SecurityException("Calling user id: " + callingUserId
+ + ", cannot call on behalf of current user id: " + mCurrentUserId + ".");
+ }
final long userIdentity = Binder.clearCallingIdentity();
try {
Settings.Secure.putIntForUser(mContext.getContentResolver(),
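Review bot: The new check reads `mCurrentUserId` again instead of using the local `userId` captured on the line above. The user that is authorised and the user the setting is then written for (presumably `userId`, though the remaining arguments of `putIntForUser` are outside the hunk) can therefore differ if the current user changes between the two reads. Whether the field is guarded by a lock is not visible here, but comparing against the snapshot removes the question: `if (userId != callingUserId && !doesCallerHoldInteractAcrossUserPermission()) {`, with `userId` used in the exception message as well. The placement of the check before `Binder.clearCallingIdentity()` is correct and should stay. The enclosing method starts and ends outside the hunk.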