commit f014ae2f2a58a7fc890956bbbec76afad0d2be11
author Junyu Lai <junyulai@google.com> Mon Oct 28 16:58:22 2024 +0800
committer Junyu Lai <junyulai@google.com> Mon Oct 28 17:31:22 2024 +0800
tree 6eb56c79575e0481c31182ba1b2dd7780095ecd3
parent 1193f08d69db3b3f1180aa892d098926cb973b60

Use MANAGE_USERS permission to check for admin user

The current implementation uses MANAGE_USERS, CREATE_USERS, or
QUERY_USERS to check if the user is an admin. However,
QUERY_USERS is not a privileged permission until Android U.
This can cause issues on devices running older Android versions
(e.g., T) where the tethering module requires this check but
doesn't have the necessary permission, leading to crashes.

This change updates the code to use MANAGE_USERS, a privileged
permission since 2015, to reliably determine if the user is
an admin across different Android versions.

Test: Manual on T device:
      1. Mock entitlement and enable hotspot
      2. Check granted permissions of android.uid.networkstack
Fix: 366816004
Change-Id: Iee060f0225d23c62d836f0211c63b649e539f77b

Tethering/AndroidManifest.xml

diff --git a/Tethering/AndroidManifest.xml b/Tethering/AndroidManifest.xml
index 2a6f6d5..32442f5 100644
--- a/Tethering/AndroidManifest.xml
+++ b/Tethering/AndroidManifest.xml
@@ -34,8 +34,10 @@
     <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
     <uses-permission android:name="android.permission.INTERACT_ACROSS_USERS"/>
     <uses-permission android:name="android.permission.MANAGE_USB" />
+    <!-- MANAGE_USERS is for accessing multi-user APIs, note that QUERY_USERS should
+         not be used since it is not a privileged permission until U. -->
+    <uses-permission android:name="android.permission.MANAGE_USERS"/>
     <uses-permission android:name="android.permission.MODIFY_PHONE_STATE" />
-    <uses-permission android:name="android.permission.QUERY_USERS"/>
     <uses-permission android:name="android.permission.READ_DEVICE_CONFIG" />
     <uses-permission android:name="android.permission.READ_NETWORK_USAGE_HISTORY" />
     <uses-permission android:name="android.permission.READ_PHONE_STATE"/>

Tethering/apex/permissions/permissions.xml

diff --git a/Tethering/apex/permissions/permissions.xml b/Tethering/apex/permissions/permissions.xml
index fcb287e..4051877 100644
--- a/Tethering/apex/permissions/permissions.xml
+++ b/Tethering/apex/permissions/permissions.xml
@@ -20,8 +20,8 @@
         <permission name="android.permission.BLUETOOTH_PRIVILEGED" />
         <permission name="android.permission.INTERACT_ACROSS_USERS"/>
         <permission name="android.permission.MANAGE_USB"/>
+        <permission name="android.permission.MANAGE_USERS"/>
         <permission name="android.permission.MODIFY_PHONE_STATE"/>
-        <permission name="android.permission.QUERY_USERS"/>
         <permission name="android.permission.READ_NETWORK_USAGE_HISTORY"/>
         <permission name="android.permission.TETHER_PRIVILEGED"/>
         <permission name="android.permission.UPDATE_APP_OPS_STATS"/>