Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +15 −30 Original line number Diff line number Diff line Loading @@ -5786,29 +5786,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @VisibleForTesting public void enforceCallerCanRequestDeviceIdAttestation(CallerIdentity caller) throws SecurityException { /** * First check if there's a profile owner because the device could be in COMP mode (where * there's a device owner and profile owner on the same device). * If the caller is from the work profile, then it must be the PO or the delegate, and * it must have the right permission to access device identifiers. */ int callerUserId = caller.getUserId(); if (hasProfileOwner(callerUserId)) { // Make sure that the caller is the profile owner or delegate. Preconditions.checkCallAuthorization(canInstallCertificates(caller)); // Verify that the managed profile is on an organization-owned device (or is affiliated // with the device owner user) and as such the profile owner can access Device IDs. if (isProfileOwnerOfOrganizationOwnedDevice(callerUserId) || isUserAffiliatedWithDevice(callerUserId)) { return; } throw new SecurityException( "Profile Owner is not allowed to access Device IDs."); } // If not, fall back to the device owner check. Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_INSTALL)); Preconditions.checkCallAuthorization(hasDeviceIdAccessUnchecked(caller.getPackageName(), caller.getUid())); } @VisibleForTesting Loading Loading @@ -5856,7 +5835,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final boolean deviceIdAttestationRequired = attestationUtilsFlags != null; KeyGenParameterSpec keySpec = parcelableKeySpec.getSpec(); final String alias = keySpec.getKeystoreAlias(); Preconditions.checkStringNotEmpty(alias, "Empty alias provided"); Preconditions.checkArgument( !deviceIdAttestationRequired || keySpec.getAttestationChallenge() != null, Loading Loading @@ -9393,17 +9371,25 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { if (!hasPermission(permission.READ_PHONE_STATE, pid, uid)) { return false; } return hasDeviceIdAccessUnchecked(packageName, uid); } // Allow access to the device owner or delegate cert installer or profile owner of an // affiliated user /** * Check if caller is device owner, delegate cert installer or profile owner of * affiliated user. Or if caller is profile owner for a specified user or delegate cert * installer on an organization-owned device. */ private boolean hasDeviceIdAccessUnchecked(String packageName, int uid) { // Is the caller a device owner, delegate cert installer or profile owner of an // affiliated user. ComponentName deviceOwner = getDeviceOwnerComponent(true); if (deviceOwner != null && (deviceOwner.getPackageName().equals(packageName) || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) { return true; } final int userId = UserHandle.getUserId(uid); // Allow access to the profile owner for the specified user, or delegate cert installer // But only if this is an organization-owned device. // Is the caller the profile owner for the specified user, or delegate cert installer on an // organization-owned device. ComponentName profileOwner = getProfileOwnerAsUser(userId); final boolean isCallerProfileOwnerOrDelegate = profileOwner != null && (profileOwner.getPackageName().equals(packageName) Loading @@ -9412,7 +9398,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { || isUserAffiliatedWithDevice(userId))) { return true; } return false; } Loading Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +15 −30 Original line number Diff line number Diff line Loading @@ -5786,29 +5786,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @VisibleForTesting public void enforceCallerCanRequestDeviceIdAttestation(CallerIdentity caller) throws SecurityException { /** * First check if there's a profile owner because the device could be in COMP mode (where * there's a device owner and profile owner on the same device). * If the caller is from the work profile, then it must be the PO or the delegate, and * it must have the right permission to access device identifiers. */ int callerUserId = caller.getUserId(); if (hasProfileOwner(callerUserId)) { // Make sure that the caller is the profile owner or delegate. Preconditions.checkCallAuthorization(canInstallCertificates(caller)); // Verify that the managed profile is on an organization-owned device (or is affiliated // with the device owner user) and as such the profile owner can access Device IDs. if (isProfileOwnerOfOrganizationOwnedDevice(callerUserId) || isUserAffiliatedWithDevice(callerUserId)) { return; } throw new SecurityException( "Profile Owner is not allowed to access Device IDs."); } // If not, fall back to the device owner check. Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_INSTALL)); Preconditions.checkCallAuthorization(hasDeviceIdAccessUnchecked(caller.getPackageName(), caller.getUid())); } @VisibleForTesting Loading Loading @@ -5856,7 +5835,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final boolean deviceIdAttestationRequired = attestationUtilsFlags != null; KeyGenParameterSpec keySpec = parcelableKeySpec.getSpec(); final String alias = keySpec.getKeystoreAlias(); Preconditions.checkStringNotEmpty(alias, "Empty alias provided"); Preconditions.checkArgument( !deviceIdAttestationRequired || keySpec.getAttestationChallenge() != null, Loading Loading @@ -9393,17 +9371,25 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { if (!hasPermission(permission.READ_PHONE_STATE, pid, uid)) { return false; } return hasDeviceIdAccessUnchecked(packageName, uid); } // Allow access to the device owner or delegate cert installer or profile owner of an // affiliated user /** * Check if caller is device owner, delegate cert installer or profile owner of * affiliated user. Or if caller is profile owner for a specified user or delegate cert * installer on an organization-owned device. */ private boolean hasDeviceIdAccessUnchecked(String packageName, int uid) { // Is the caller a device owner, delegate cert installer or profile owner of an // affiliated user. ComponentName deviceOwner = getDeviceOwnerComponent(true); if (deviceOwner != null && (deviceOwner.getPackageName().equals(packageName) || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) { return true; } final int userId = UserHandle.getUserId(uid); // Allow access to the profile owner for the specified user, or delegate cert installer // But only if this is an organization-owned device. // Is the caller the profile owner for the specified user, or delegate cert installer on an // organization-owned device. ComponentName profileOwner = getProfileOwnerAsUser(userId); final boolean isCallerProfileOwnerOrDelegate = profileOwner != null && (profileOwner.getPackageName().equals(packageName) Loading @@ -9412,7 +9398,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { || isUserAffiliatedWithDevice(userId))) { return true; } return false; } Loading
