
Commit 07a7d871 authored by Alex Johnston's avatar Alex Johnston

Give the PO the MANAGE_DEVICE_POLICY_CERTIFICATES permission

Also, do not allow a BYOD PO to have device ID access even if it
has the MANAGE_DEVICE_POLICY_CERTIFICATES permission

Bug: 272588294
Test: android.devicepolicy.cts.KeyManagementTest
Change-Id: I2658ccbe112940f096986d2dcbd24ba5bd81637a
parent 0f74f7d7
+4 −2
@@ -10737,7 +10737,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @VisibleForTesting
    boolean hasDeviceIdAccessUnchecked(String packageName, int uid) {
        final int userId = UserHandle.getUserId(uid);
        if (isPermissionCheckFlagEnabled()) {
        // TODO(b/280048070): Introduce a permission to handle device ID access
        if (isPermissionCheckFlagEnabled()
                && !(isUidProfileOwnerLocked(uid) || isUidDeviceOwnerLocked(uid))) {
            return hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, packageName, userId);
        } else {
            ComponentName deviceOwner = getDeviceOwnerComponent(true);
@@ -22836,6 +22838,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    MANAGE_DEVICE_POLICY_LOCATION,
                    MANAGE_DEVICE_POLICY_LOCK,
                    MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS,
                    MANAGE_DEVICE_POLICY_CERTIFICATES,
                    MANAGE_DEVICE_POLICY_NEARBY_COMMUNICATION,
                    MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY,
                    MANAGE_DEVICE_POLICY_PACKAGE_STATE,
@@ -22862,7 +22865,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    MANAGE_DEVICE_POLICY_ACROSS_USERS,
                    MANAGE_DEVICE_POLICY_AIRPLANE_MODE,
                    MANAGE_DEVICE_POLICY_APPS_CONTROL,
                    MANAGE_DEVICE_POLICY_CERTIFICATES,
                    MANAGE_DEVICE_POLICY_COMMON_CRITERIA_MODE,
                    MANAGE_DEVICE_POLICY_DEFAULT_SMS,
                    MANAGE_DEVICE_POLICY_LOCALE,
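Review bot: The new condition in hasDeviceIdAccessUnchecked carries a security invariant that only the commit message states: device and profile owners are kept out of the permission branch so that a BYOD profile owner, which per the commit title now holds MANAGE_DEVICE_POLICY_CERTIFICATES, cannot obtain device ID access through that permission. The TODO above the `if` does not say this, so I would add a comment such as `// DO/PO always take the owner checks in the else branch: a BYOD PO holds MANAGE_DEVICE_POLICY_CERTIFICATES but must not gain device ID access from it.` The `Locked` suffix on `isUidProfileOwnerLocked` and `isUidDeviceOwnerLocked` suggests the caller is expected to hold the service lock, and no lock acquisition is visible in this hunk; that is worth confirming, since the method body continues outside it. A negative case next to the listed KeyManagementTest, asserting that a profile owner on a personally owned device is still denied with the flag enabled, would keep the restriction from regressing.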