Ensure access to mobile network configs is restricted.
This CL checks whether access to mobile network configurations is restricted before initializing and enabling CallFeaturesSetting, PhoneAccountSettingsActivity, and VoicemailSettingsActivity. This resolves a security vulnerability where users were able to configure the various mobile network settings (Call, voicemail, phone accounts, FDN, etc.) even after the device owner had applied the no_config_mobile_networks restriction.
Fixes: 277589443
Test: Manual using the POC apks
Flag: com.android.internal.telephony.flags.ensure_access_to_call_settings_is_restricted
Change-Id: Id288879bfe9384472e3701e455c5ed607430a967
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 97f5858..09258a4 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -271,7 +271,7 @@
<activity android:name="GsmUmtsCallOptions"
android:label="@string/gsm_umts_options"
- android:exported="true"
+ android:exported="false"
android:theme="@style/DialerSettingsLight">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
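Review bot: Setting `android:exported="false"` on GsmUmtsCallOptions only blocks launches from other apps, and nothing visible in this change adds a DISALLOW_CONFIG_MOBILE_NETWORKS check inside the activity. The same holds for CdmaCallOptions and FdnSetting in the next two hunks (the part of FdnSetting.java shown gains only the `Flags` import). If these screens can still be opened from inside the phone process while the restriction is set, they presumably need the same `hasUserRestriction` guard in `onCreate`. Unlike the Java checks, the manifest change is not behind `ensure_access_to_call_settings_is_restricted`, so it takes effect with the flag off; a comment such as `<!-- Not exported: only launched from in-app call settings (bug 277589443) -->` would record why. The `<activity>` element continues outside the hunk.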
@@ -280,7 +280,7 @@
<activity android:name="CdmaCallOptions"
android:label="@string/cdma_options"
- android:exported="true"
+ android:exported="false"
android:theme="@style/DialerSettingsLight">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
@@ -330,7 +330,7 @@
<!-- fdn setting -->
<activity android:name="com.android.phone.settings.fdn.FdnSetting"
android:label="@string/fdn"
- android:exported="true"
+ android:exported="false"
android:theme="@style/CallSettingsWithoutDividerTheme">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 05bcbc1..f2511d1 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -291,6 +291,8 @@
<string name="call_settings_admin_user_only">Call settings can only be changed by the admin user.</string>
<!-- Toast in Phone Account settings when asked to launch settings for a secondary/guest user -->
<string name="phone_account_settings_user_restriction">Phone account settings can only be changed by the admin or work user.</string>
+ <!-- Toast in Phone Account settings when asked to launch settings when DISALLOW_CONFIG_MOBILE_NETWORKS is true -->
+ <string name="phone_account_no_config_mobile_networks">The device owner has restricted the ability to change mobile network settings.</string>
<!-- Title of the "Call settings" settings screen, with a text label identifying which SIM the settings are for. -->
<string name="call_settings_with_label">Settings (<xliff:g id="subscriptionlabel" example="Mock Carrier">%s</xliff:g>)</string>
<!-- Title of the alert dialog displayed if an error occurs while updating Call settings -->
diff --git a/src/com/android/phone/CallFeaturesSetting.java b/src/com/android/phone/CallFeaturesSetting.java
index 145df41..1dfcde7 100644
--- a/src/com/android/phone/CallFeaturesSetting.java
+++ b/src/com/android/phone/CallFeaturesSetting.java
@@ -58,6 +58,7 @@
import com.android.ims.ImsManager;
import com.android.internal.telephony.Phone;
import com.android.internal.telephony.PhoneConstants;
+import com.android.internal.telephony.flags.Flags;
import com.android.phone.settings.PhoneAccountSettingsFragment;
import com.android.phone.settings.SuppServicesUiUtil;
import com.android.phone.settings.VoicemailSettingsActivity;
@@ -113,6 +114,7 @@
private PreferenceScreen mVoicemailSettingsScreen;
private SwitchPreference mEnableVideoCalling;
private Preference mButtonWifiCalling;
+ private boolean mDisallowedConfig = false;
/*
* Click Listeners, handle click based on objects attached to UI.
@@ -263,6 +265,14 @@
return;
}
+ // Check if mobile network configs are restricted.
+ if (Flags.ensureAccessToCallSettingsIsRestricted() &&
+ userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) {
+ mDisallowedConfig = true;
+ Log.i(LOG_TAG, "Mobile network configs are restricted, disabling mobile network "
+ + "settings");
+ }
+
mSubscriptionInfoHelper = new SubscriptionInfoHelper(this, getIntent());
mPhone = mSubscriptionInfoHelper.getPhone();
mSubscriptionInfoHelper.setActionBarTitle(
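Review bot: The restriction is sampled once here and cached in `mDisallowedConfig`, and the activity keeps initializing instead of finishing. The value consulted later (the video-calling condition in the next hunk) is therefore the policy as it stood when the activity was created. If the device owner applies DISALLOW_CONFIG_MOBILE_NETWORKS while this screen is already alive, the cached `false` would presumably still be used; re-reading the restriction in `onResume`, or where it is consumed, would avoid that. VoicemailSettingsActivity caches the value the same way, and since all three activities repeat the same two-part condition, a single shared helper would keep them from drifting apart. The enclosing method starts and ends outside the hunk.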
@@ -467,7 +477,7 @@
if (mImsMgr.isVtEnabledByPlatform() && mImsMgr.isVtProvisionedOnDevice()
&& (carrierConfig.getBoolean(
CarrierConfigManager.KEY_IGNORE_DATA_ENABLED_CHANGED_FOR_VIDEO_CALLS)
- || isDataEnabled)) {
+ || isDataEnabled) && !mDisallowedConfig) {
boolean currentValue =
mImsMgr.isEnhanced4gLteModeSettingEnabledByUser()
? mImsMgr.isVtEnabledByUser() : false;
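Review bot: Appending `&& !mDisallowedConfig` to the end of the capability condition sends a restricted device down the same else branch (not visible here) as a device without video-calling support, and nothing in the code marks this as a policy decision. A comment above the `if`, e.g. `// Video calling toggle is unavailable while DISALLOW_CONFIG_MOBILE_NETWORKS is set.`, would make that explicit, and testing `!mDisallowedConfig` first would presumably skip the IMS queries when the answer is already known. Among the visible hunks this is the only preference in CallFeaturesSetting that consults the flag, so it is worth confirming that the other entries on this screen, such as `mButtonWifiCalling` declared next to it, are meant to stay reachable. The `if` body continues outside the hunk.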
diff --git a/src/com/android/phone/settings/PhoneAccountSettingsActivity.java b/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
index 12cc667..5617a0b 100644
--- a/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
+++ b/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
@@ -20,12 +20,15 @@
import android.os.Bundle;
import android.os.UserManager;
import android.preference.PreferenceActivity;
+import android.util.Log;
import android.view.MenuItem;
import android.widget.Toast;
+import com.android.internal.telephony.flags.Flags;
import com.android.phone.R;
public class PhoneAccountSettingsActivity extends PreferenceActivity {
+ private static final String LOG_TAG = "PhoneAccountSettingsActivity";
@Override
protected void onCreate(Bundle icicle) {
@@ -40,6 +43,17 @@
return;
}
+ // Make sure mobile network configs are not restricted.
+ if (Flags.ensureAccessToCallSettingsIsRestricted() &&
+ userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) {
+ Log.i(LOG_TAG, "Mobile network configs are restricted, disabling phone account "
+ + "settings");
+ Toast.makeText(this, R.string.phone_account_no_config_mobile_networks,
+ Toast.LENGTH_SHORT).show();
+ finish();
+ return;
+ }
+
getWindow().addSystemFlags(
android.view.WindowManager.LayoutParams
.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
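Review bot: This activity refuses to start under the restriction (toast plus `finish()`), while CallFeaturesSetting and VoicemailSettingsActivity in the same change only set `mDisallowedConfig` and carry on. Those two give the user no explanation of why controls are missing or disabled. If the difference is intentional, a comment on this block would document it, e.g. `// No setting on this screen may be changed under the restriction, so exit instead of disabling individual preferences.`; otherwise the other two activities could show the same `phone_account_no_config_mobile_networks` style of message. `onCreate` starts and ends outside the hunk.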
diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
index c940748..817ca4c 100644
--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
@@ -50,6 +50,7 @@
import com.android.internal.telephony.CommandsInterface;
import com.android.internal.telephony.Phone;
import com.android.internal.telephony.PhoneConstants;
+import com.android.internal.telephony.flags.Flags;
import com.android.internal.telephony.util.NotificationChannelController;
import com.android.phone.EditPhoneNumberPreference;
import com.android.phone.PhoneGlobals;
@@ -200,6 +201,7 @@
private boolean mShowVoicemailPreference = false;
private boolean mForeground;
+ private boolean mDisallowedConfig = false;
private Phone mPhone;
private SubscriptionInfoHelper mSubscriptionInfoHelper;
@@ -221,11 +223,20 @@
// Make sure we are running as the primary user only
UserManager userManager = getApplicationContext().getSystemService(UserManager.class);
if (!userManager.isPrimaryUser()) {
- Toast.makeText(this, R.string.voice_number_setting_primary_user_only,
- Toast.LENGTH_SHORT).show();
- finish();
- return;
+ Toast.makeText(this, R.string.voice_number_setting_primary_user_only,
+ Toast.LENGTH_SHORT).show();
+ finish();
+ return;
}
+
+ // Check if mobile network configs are restricted.
+ if (Flags.ensureAccessToCallSettingsIsRestricted() &&
+ userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) {
+ mDisallowedConfig = true;
+ Log.i(LOG_TAG, "Mobile network configs are restricted, disabling voicemail "
+ + "settings");
+ }
+
// Show the voicemail preference in onResume if the calling intent specifies the
// ACTION_ADD_VOICEMAIL action.
mShowVoicemailPreference = (icicle == null) &&
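Review bot: `mShowVoicemailPreference` is computed right after the new check without consulting `mDisallowedConfig`, and its comment says the preference is shown from `onResume` when the intent carries ACTION_ADD_VOICEMAIL. The later hunk only calls `setEnabled(false)` on `mSubMenuVoicemailSettings`, and whether a disabled preference can still have its dialog opened programmatically is not visible here. It would be safer to gate the flag as well, e.g. `mShowVoicemailPreference = !mDisallowedConfig && (icicle == null) && ...`. The assignment and `onCreate` continue outside the hunk.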
@@ -266,7 +277,8 @@
mSubMenuVoicemailSettings.setDialogOnClosedListener(this);
mSubMenuVoicemailSettings.setDialogTitle(R.string.voicemail_settings_number_label);
if (!getBooleanCarrierConfig(
- CarrierConfigManager.KEY_EDITABLE_VOICEMAIL_NUMBER_SETTING_BOOL)) {
+ CarrierConfigManager.KEY_EDITABLE_VOICEMAIL_NUMBER_SETTING_BOOL) ||
+ mDisallowedConfig) {
mSubMenuVoicemailSettings.setEnabled(false);
}
}
diff --git a/src/com/android/phone/settings/fdn/FdnSetting.java b/src/com/android/phone/settings/fdn/FdnSetting.java
index e347dec..ddbcc99 100644
--- a/src/com/android/phone/settings/fdn/FdnSetting.java
+++ b/src/com/android/phone/settings/fdn/FdnSetting.java
@@ -33,6 +33,7 @@
import com.android.internal.telephony.CommandException;
import com.android.internal.telephony.Phone;
+import com.android.internal.telephony.flags.Flags;
import com.android.phone.CallFeaturesSetting;
import com.android.phone.PhoneGlobals;
import com.android.phone.R;