Merge "Revert "Revert "A few permission fixes.""" into udc-dev am: a57f466e57 (066b7ca5) · Commits · e / os / android_frameworks_base

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+20 −14

Original line number	Diff line number	Diff line
		@@ -39,6 +39,7 @@ import static android.Manifest.permission.MANAGE_DEVICE_POLICY_DEFAULT_SMS;
		import static android.Manifest.permission.MANAGE_DEVICE_POLICY_DISPLAY;
		import static android.Manifest.permission.MANAGE_DEVICE_POLICY_FACTORY_RESET;
		import static android.Manifest.permission.MANAGE_DEVICE_POLICY_FUN;
		import static android.Manifest.permission.MANAGE_DEVICE_POLICY_INPUT_METHODS;
		import static android.Manifest.permission.MANAGE_DEVICE_POLICY_INSTALL_UNKNOWN_SOURCES;
		import static android.Manifest.permission.MANAGE_DEVICE_POLICY_KEYGUARD;
		import static android.Manifest.permission.MANAGE_DEVICE_POLICY_LOCALE;
		@@ -12195,7 +12196,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		@@ -12205,7 +12206,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		int userId = getProfileParentUserIfRequested(
		caller.getUserId(), calledOnParentInstance);
		if (calledOnParentInstance) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(
		isProfileOwnerOfOrganizationOwnedDevice(caller));
		}
		@@ -12213,7 +12214,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		"Permitted input methods must allow all input methods or only "
		+ "system input methods when called on the parent instance of an "
		+ "organization-owned device");
		} else if (!isPermissionCheckFlagEnabled()) {
		} else if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(
		isDefaultDeviceOwner(caller) \|\| isProfileOwner(caller));
		}
		@@ -12241,7 +12242,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		synchronized (getLockObject()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin admin = getEnforcingAdminForCaller(who, callerPackageName);
		EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(
		who, MANAGE_DEVICE_POLICY_INPUT_METHODS,
		caller.getPackageName(), userId);
		mDevicePolicyEngine.setLocalPolicy(
		PolicyDefinition.PERMITTED_INPUT_METHODS,
		admin,
		@@ -13436,6 +13439,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		public void setUserRestrictionGlobally(String callerPackage, String key) {
		final CallerIdentity caller = getCallerIdentity(callerPackage);

		EnforcingAdmin admin = enforcePermissionForUserRestriction(
		/* who= */ null,
		key,
		caller.getPackageName(),
		UserHandle.USER_ALL
		);

		checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_USER_RESTRICTION);

		if (!isPolicyEngineForFinanceFlagEnabled()) {
		@@ -13452,13 +13462,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		throw new IllegalArgumentException("Invalid restriction key: " + key);
		}

		EnforcingAdmin admin = enforcePermissionForUserRestriction(
		/* who= */ null,
		key,
		caller.getPackageName(),
		UserHandle.USER_ALL
		);

		setGlobalUserRestrictionInternal(admin, key, /* enabled= */ true);

		logUserRestrictionCall(key, /* enabled= / true, / parent= */ false, caller);
		@@ -22839,6 +22842,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		MANAGE_DEVICE_POLICY_DISPLAY,
		MANAGE_DEVICE_POLICY_FACTORY_RESET,
		MANAGE_DEVICE_POLICY_FUN,
		MANAGE_DEVICE_POLICY_INPUT_METHODS,
		MANAGE_DEVICE_POLICY_INSTALL_UNKNOWN_SOURCES,
		MANAGE_DEVICE_POLICY_KEYGUARD,
		MANAGE_DEVICE_POLICY_LOCALE,
		@@ -22914,9 +22918,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		MANAGE_DEVICE_POLICY_BLUETOOTH,
		MANAGE_DEVICE_POLICY_CALLS,
		MANAGE_DEVICE_POLICY_CAMERA,
		MANAGE_DEVICE_POLICY_CERTIFICATES,
		MANAGE_DEVICE_POLICY_DEBUGGING_FEATURES,
		MANAGE_DEVICE_POLICY_DISPLAY,
		MANAGE_DEVICE_POLICY_FACTORY_RESET,
		MANAGE_DEVICE_POLICY_INPUT_METHODS,
		MANAGE_DEVICE_POLICY_INSTALL_UNKNOWN_SOURCES,
		MANAGE_DEVICE_POLICY_KEYGUARD,
		MANAGE_DEVICE_POLICY_LOCALE,
		@@ -22949,7 +22955,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		MANAGE_DEVICE_POLICY_ACROSS_USERS,
		MANAGE_DEVICE_POLICY_AIRPLANE_MODE,
		MANAGE_DEVICE_POLICY_APPS_CONTROL,
		MANAGE_DEVICE_POLICY_CERTIFICATES,
		MANAGE_DEVICE_POLICY_COMMON_CRITERIA_MODE,
		MANAGE_DEVICE_POLICY_DEFAULT_SMS,
		MANAGE_DEVICE_POLICY_LOCALE,
		@@ -23074,11 +23079,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		//Map of Permission to Delegate Scope.
		private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>();
		{
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, DELEGATION_PERMISSION_GRANT);
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_APP_RESTRICTIONS, DELEGATION_APP_RESTRICTIONS);
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_BLOCK_UNINSTALL, DELEGATION_BLOCK_UNINSTALL);
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_SECURITY_LOGGING, DELEGATION_SECURITY_LOGGING);
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_CERTIFICATES, DELEGATION_CERT_INSTALL);
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_PACKAGE_STATE, DELEGATION_PACKAGE_ACCESS);
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, DELEGATION_PERMISSION_GRANT);
		DELEGATE_SCOPES.put(MANAGE_DEVICE_POLICY_SECURITY_LOGGING, DELEGATION_SECURITY_LOGGING);
		}

		private static final HashMap<String, String> CROSS_USER_PERMISSIONS =