
Commit 11d2fb77 authored by Ayush Sharma's avatar Ayush Sharma

Refactor permission checks removeActiveAdmin

Reorder the permission checks so that they do not leak whether a
package is an admin.

Bug: 192369136
Test: atest DevicePolicyManagerTest#testRemoveActiveAdmin_SecurityException
      atest DevicePolicyManagerTest#testRemoveActiveAdmin_userNotRunningOrLocked
      atest DevicePolicyManagerTest#testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL
      atest DevicePolicyManagerTest#testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS
      atest DevicePolicyManagerTest#testRemoveActiveAdmin_multipleAdminsInUser
      atest DevicePolicyManagerTest#testSetDeviceOwner
      atest DevicePolicyManagerTest#testSetDeviceOwner_headlessSystemUserMode
      atest DevicePolicyManagerTest#testSetProfileOwner
Change-Id: I132e09f680c06fb5068bdbe140c08cafcc13f102
parent 575c989c
+3 −3
@@ -3786,7 +3786,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");
        final CallerIdentity caller = getCallerIdentity();
        final CallerIdentity caller = hasCallingOrSelfPermission(permission.MANAGE_DEVICE_ADMINS)
                ? getCallerIdentity() : getCallerIdentity(adminReceiver);
        Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN);
        enforceUserUnlocked(userHandle);
@@ -3803,8 +3804,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                        + adminReceiver);
                return;
            }
            Preconditions.checkCallAuthorization(admin.getUid() == caller.getUid()
                    || hasCallingOrSelfPermission(permission.MANAGE_DEVICE_ADMINS));
            mInjector.binderWithCleanCallingIdentity(() ->
                    removeActiveAdminLocked(adminReceiver, userHandle));
        }
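Review bot: The ternary that picks `getCallerIdentity()` or `getCallerIdentity(adminReceiver)` now carries the whole authorization decision, yet nothing at that line says so; with the explicit `admin.getUid() == caller.getUid()` check gone from the second hunk, a reader cannot tell that a caller without MANAGE_DEVICE_ADMINS is still rejected. This presumably relies on `getCallerIdentity(adminReceiver)` throwing a SecurityException when the calling uid does not own the component's package, but that method's body is not visible here. I would add a comment above the assignment such as `// Without MANAGE_DEVICE_ADMINS the caller must own adminReceiver; checked before the admin lookup so the outcome does not reveal whether the package is an active admin.` It is also worth confirming that the ownership check is at least as strict as the removed uid comparison when `userHandle` differs from the caller's user, since the old check compared against the admin's uid in the target user. The method body starts and ends outside the hunks shown.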