
Commit 342fd834 authored by kholoud mohamed's avatar kholoud mohamed Committed by Kholoud Mohamed

Fix security vulnerability in DPMS

Changed DPMS#isPackageAllowedToAccessCalendarForUser to always require
INTERACT_ACROSS_USERS/_FULL permission if called for a different uid
than the calling uid.

Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
Bug: 187043716
Change-Id: I230bbffbdf97c251c8a40add097b3b4254d39452
parent 271c6006
+4 −0
@@ -13084,6 +13084,10 @@ public class DevicePolicyManager {
     * @see #getCrossProfileCalendarPackages(ComponentName)
     * @hide
     */
    @RequiresPermission(anyOf = {
            permission.INTERACT_ACROSS_USERS_FULL,
            permission.INTERACT_ACROSS_USERS
    }, conditional = true)
    public boolean isPackageAllowedToAccessCalendar(@NonNull  String packageName) {
        throwIfParentInstance("isPackageAllowedToAccessCalendar");
        if (mService != null) {
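Review bot: The Javadoc above `isPackageAllowedToAccessCalendar` (only its tail is visible in this hunk) does not say when the new `@RequiresPermission(..., conditional = true)` applies, and `conditional = true` only marks the requirement as not holding in every case, so the condition has to come from the doc. Going by the commit message, the permission is needed when the queried package's uid differs from the calling uid. I would add a sentence to the Javadoc along the lines of `Requires {@link permission#INTERACT_ACROSS_USERS} or {@link permission#INTERACT_ACROSS_USERS_FULL} unless {@code packageName} resolves to the calling uid; otherwise a {@link SecurityException} is thrown.` The method body continues outside the hunk.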
+14 −1
@@ -15992,7 +15992,20 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(hasCrossUsersPermission(caller, userHandle));
        final int packageUid = mInjector.binderWithCleanCallingIdentity(() -> {
            try {
                return mInjector.getPackageManager().getPackageUidAsUser(packageName, userHandle);
            } catch (NameNotFoundException e) {
                Slogf.w(LOG_TAG, e,
                        "Couldn't find package %s in user %d", packageName, userHandle);
                return -1;
            }
        });
        if (caller.getUid() != packageUid) {
            Preconditions.checkCallAuthorization(
                    hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS)
                            || hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS_FULL));
        }
        synchronized (getLockObject()) {
            if (mInjector.settingsSecureGetIntForUser(
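Review bot: The `return -1` in the `NameNotFoundException` branch is what keeps this check fail-closed, since an unknown package can never equal `caller.getUid()` and the cross-user permission is therefore always demanded, but nothing in the code says the sentinel is load-bearing. I would add a comment on that line, e.g. `// -1 never matches a real uid, so an unknown package always falls through to the permission check`. The lookup and its `Slogf.w` also run before the uid/permission check, with the caller-supplied `packageName` in the log line. If the `checkCallAuthorization(hasCrossUsersPermission(caller, userHandle))` line shown above the lookup is the one this change removes (the +/- markers are lost on this page), any caller can trigger that warning, so it may be worth logging only after the check or at a lower level. The method starts and ends outside the hunk.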
+31 −0
@@ -6521,6 +6521,8 @@ public class DevicePolicyManagerTest extends DpmTestBase {
        when(getServices().settings.settingsSecureGetIntForUser(
                Settings.Secure.CROSS_PROFILE_CALENDAR_ENABLED,
                0, CALLER_USER_HANDLE)).thenReturn(1);
        mContext.permissions.add(permission.INTERACT_ACROSS_USERS);

        assertThat(dpm.isPackageAllowedToAccessCalendar("TEST_PACKAGE")).isFalse();
    }

@@ -6532,6 +6534,8 @@ public class DevicePolicyManagerTest extends DpmTestBase {
        when(getServices().settings.settingsSecureGetIntForUser(
                Settings.Secure.CROSS_PROFILE_CALENDAR_ENABLED,
                0, CALLER_USER_HANDLE)).thenReturn(0);
        mContext.permissions.add(permission.INTERACT_ACROSS_USERS);

        assertThat(dpm.isPackageAllowedToAccessCalendar(testPackage)).isFalse();
    }

@@ -6543,6 +6547,33 @@ public class DevicePolicyManagerTest extends DpmTestBase {
        when(getServices().settings.settingsSecureGetIntForUser(
                Settings.Secure.CROSS_PROFILE_CALENDAR_ENABLED,
                0, CALLER_USER_HANDLE)).thenReturn(1);
        mContext.permissions.add(permission.INTERACT_ACROSS_USERS);

        assertThat(dpm.isPackageAllowedToAccessCalendar(testPackage)).isTrue();
    }

    @Test
    public void testIsPackageAllowedToAccessCalendar_requiresPermission() {
        final String testPackage = "TEST_PACKAGE";

        assertExpectException(SecurityException.class, /* messageRegex= */ null,
                () -> dpm.isPackageAllowedToAccessCalendar(testPackage));
    }

    @Test
    public void testIsPackageAllowedToAccessCalendar_samePackageAndSameUser_noPermissionRequired()
            throws Exception {
        final String testPackage = "TEST_PACKAGE";
        setAsProfileOwner(admin1);
        dpm.setCrossProfileCalendarPackages(admin1, null);
        when(getServices().settings.settingsSecureGetIntForUser(
                Settings.Secure.CROSS_PROFILE_CALENDAR_ENABLED,
                0, CALLER_USER_HANDLE)).thenReturn(1);
        doReturn(mContext.binder.callingUid)
                .when(getServices().packageManager).getPackageUidAsUser(
                eq(testPackage),
                anyInt());

        assertThat(dpm.isPackageAllowedToAccessCalendar(testPackage)).isTrue();
    }
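Review bot: `testIsPackageAllowedToAccessCalendar_requiresPermission` never stubs `getPackageUidAsUser`, so it presumably passes only because the mock package manager's default return value differs from the calling uid (the test base is not visible here). Stubbing it explicitly makes the "different uid, no permission" intent visible: `doReturn(mContext.binder.callingUid + 1).when(getServices().packageManager).getPackageUidAsUser(eq(testPackage), anyInt());`. The three existing tests now add `INTERACT_ACROSS_USERS`, so nothing covers `INTERACT_ACROSS_USERS_FULL` on its own or the package-not-found path that yields `-1`, both of which the service change branches on. A case for each would pin the fail-closed behaviour.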