
Commit 09e32e89 authored by Alex Johnston's avatar Alex Johnston

Replace profile owner and device owner access checks DPMS

Remove enforce methods
* enforceDeviceOwnerOrManageUsers
* enforceProfileOwnerOrSystemUser
* enforceProfileOwnerOrFullCrossUsersPermission

* Use precondition checks instead

Bug: 167960209
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
      atest com.android.cts.devicepolicy.MixedDeviceOwnerTest
      atest com.android.cts.devicepolicy.ProfileOwnerTest
      atest com.android.cts.devicepolicy.ManagedProfileTest
Change-Id: Ic9b55063e11cf5ba365c485a97c77f98260d3b81
parent 4b36182c
+25 −40
@@ -4255,18 +4255,18 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                        mInjector.getPackageManager().getPackagesForUid(
                                mInjector.binderGetCallingUid()))
                .write();
        final int callingUserId = mInjector.userHandleGetCallingUserId();
        final CallerIdentity caller = getCallerIdentity();
        if (parent) {
            enforceProfileOwnerOrSystemUser();
        }
        enforceUserUnlocked(callingUserId);
        Preconditions.checkCallAuthorization(!parent || (isDeviceOwner(caller)
                        || isProfileOwner(caller) || isSystemUid(caller)),
                "Only profile owner, device owner and system may call this method.");
        enforceUserUnlocked(caller.getUserId());
        mContext.enforceCallingOrSelfPermission(
                REQUEST_PASSWORD_COMPLEXITY,
                "Must have " + REQUEST_PASSWORD_COMPLEXITY + " permission.");
        synchronized (getLockObject()) {
            final int credentialOwner = getCredentialOwner(callingUserId, parent);
            final int credentialOwner = getCredentialOwner(caller.getUserId(), parent);
            PasswordMetrics metrics = mLockSettingsInternal.getUserPasswordMetrics(credentialOwner);
            return metrics == null ? PASSWORD_COMPLEXITY_NONE : metrics.determineComplexity();
        }
@@ -7299,7 +7299,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public boolean hasDeviceOwner() {
        enforceDeviceOwnerOrManageUsers();
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || canManageUsers(caller));
        return mOwners.hasDeviceOwner();
    }
@@ -8355,32 +8356,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                || hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS);
    }
    private void enforceDeviceOwnerOrManageUsers() {
        final CallerIdentity caller = getCallerIdentity();
        if (isDeviceOwner(caller)) {
            return;
        }
        Preconditions.checkCallAuthorization(canManageUsers(caller));
    }
    private void enforceProfileOwnerOrSystemUser() {
        final CallerIdentity caller = getCallerIdentity();
        if (isDeviceOwner(caller) || isProfileOwner(caller)) {
            return;
        }
        Preconditions.checkState(isSystemUid(caller),
                "Only profile owner, device owner and system may call this method.");
    }
    private void enforceProfileOwnerOrFullCrossUsersPermission(CallerIdentity caller,
            int userId) {
        if ((userId == caller.getUserId()) && (isProfileOwner(caller) || isDeviceOwner(caller))) {
            // Device Owner/Profile Owner may access the user it runs on.
            return;
        }
        Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userId));
    }
    private boolean canUserUseLockTaskLocked(int userId) {
        if (isUserAffiliatedWithDeviceLocked(userId)) {
            return true;
@@ -12457,7 +12432,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        if (!mHasFeature) {
            return null;
        }
        enforceDeviceOwnerOrManageUsers();
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || canManageUsers(caller));
        synchronized (getLockObject()) {
            final ActiveAdmin deviceOwnerAdmin = getDeviceOwnerAdminLocked();
            return deviceOwnerAdmin == null ? null : deviceOwnerAdmin.organizationName;
@@ -13604,19 +13580,22 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public long getLastSecurityLogRetrievalTime() {
        enforceDeviceOwnerOrManageUsers();
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || canManageUsers(caller));
        return getUserData(UserHandle.USER_SYSTEM).mLastSecurityLogRetrievalTime;
     }
    @Override
    public long getLastBugReportRequestTime() {
        enforceDeviceOwnerOrManageUsers();
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || canManageUsers(caller));
        return getUserData(UserHandle.USER_SYSTEM).mLastBugReportRequestTime;
     }
    @Override
    public long getLastNetworkLogRetrievalTime() {
        enforceDeviceOwnerOrManageUsers();
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || canManageUsers(caller));
        return getUserData(UserHandle.USER_SYSTEM).mLastNetworkLogsRetrievalTime;
    }
@@ -13720,15 +13699,21 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public boolean isCurrentInputMethodSetByOwner() {
        enforceProfileOwnerOrSystemUser();
        return getUserData(mInjector.userHandleGetCallingUserId()).mCurrentInputMethodSet;
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(isDeviceOwner(caller)
                || isProfileOwner(caller) || isSystemUid(caller),
                "Only profile owner, device owner and system may call this method.");
        return getUserData(caller.getUserId()).mCurrentInputMethodSet;
    }
    @Override
    public StringParceledListSlice getOwnerInstalledCaCerts(@NonNull UserHandle user) {
        final int userId = user.getIdentifier();
        final CallerIdentity caller = getCallerIdentity();
        enforceProfileOwnerOrFullCrossUsersPermission(caller, userId);
        Preconditions.checkCallAuthorization((userId == caller.getUserId())
                || isProfileOwner(caller) || isDeviceOwner(caller)
                || hasFullCrossUsersPermission(caller, userId));
        synchronized (getLockObject()) {
            return new StringParceledListSlice(
                    new ArrayList<>(getUserData(userId).mOwnerInstalledCaCerts));
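Review bot: The replacement check at the top of getOwnerInstalledCaCerts is weaker than the helper it removes: enforceProfileOwnerOrFullCrossUsersPermission only admitted a profile or device owner when `userId == caller.getUserId()`, whereas the new condition ORs the user-id equality, the two owner predicates and the cross-users permission together, so a caller with no owner role passes whenever it asks about its own user, and any profile or device owner can read the owner-installed CA certs of every other user. The original grouping should be kept, e.g. `Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userId) || (userId == caller.getUserId() && (isProfileOwner(caller) || isDeviceOwner(caller))));`. The remainder of this method and of the hunk lies outside the visible portion; a CTS case with a non-owner app querying its own user and a profile owner querying a different user would pin the intended behaviour.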