
Commit 396ad2e2 authored by Alex Johnston, committed by Android (Google) Code Review

Merge "Use precondition isSystemUid DPMS" into sc-dev

parents 7e4a0145 818deac8
+34 −28
@@ -629,6 +629,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    private static final String CREDENTIAL_MANAGEMENT_APP_INVALID_ALIAS_MSG =
            "The alias provided must be contained in the aliases specified in the credential "
                    + "management app's authentication policy";
    private static final String NOT_SYSTEM_CALLER_MSG = "Only the system can %s";
    final Context mContext;
    final Injector mInjector;
@@ -3631,7 +3632,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public boolean isSeparateProfileChallengeAllowed(int userHandle) {
        enforceSystemCaller("query separate challenge support");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "query separate challenge support"));
        ComponentName profileOwner = getProfileOwnerAsUser(userHandle);
        // Profile challenge is supported on N or newer release.
@@ -5987,7 +5989,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    public void choosePrivateKeyAlias(final int uid, final Uri uri, final String alias,
            final IBinder response) {
        final CallerIdentity caller = getCallerIdentity();
        enforceSystemCaller("choose private key alias");
        Preconditions.checkCallAuthorization(isSystemUid(caller),
                String.format(NOT_SYSTEM_CALLER_MSG, "choose private key alias"));
        // If there is a profile owner, redirect to that; otherwise query the device owner.
        ComponentName aliasChooser = getProfileOwnerAsUser(caller.getUserId());
@@ -6535,7 +6538,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public String getAlwaysOnVpnPackageForUser(int userHandle) {
        enforceSystemCaller("getAlwaysOnVpnPackageForUser");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "call getAlwaysOnVpnPackageForUser"));
        synchronized (getLockObject()) {
            ActiveAdmin admin = getDeviceOrProfileOwnerAdminLocked(userHandle);
            return admin != null ? admin.mAlwaysOnVpnPackage : null;
@@ -6561,7 +6565,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public boolean isAlwaysOnVpnLockdownEnabledForUser(int userHandle) {
        enforceSystemCaller("isAlwaysOnVpnLockdownEnabledForUser");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "call isAlwaysOnVpnLockdownEnabledForUser"));
        synchronized (getLockObject()) {
            ActiveAdmin admin = getDeviceOrProfileOwnerAdminLocked(userHandle);
            return admin != null ? admin.mAlwaysOnVpnLockdown : null;
@@ -9160,10 +9165,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
        if ((mIsWatch || hasUserSetupCompleted(userHandle))) {
            if (!isCallerWithSystemUid()) {
                throw new IllegalStateException("Cannot set the profile owner on a user which is "
                        + "already set-up");
            }
            Preconditions.checkState(isSystemUid(caller),
                    "Cannot set the profile owner on a user which is already set-up");
            if (!mIsWatch) {
                // Only the default supervision profile owner can be set as profile owner after SUW
@@ -9318,10 +9321,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
    }
    private boolean isCallerWithSystemUid() {
        return UserHandle.isSameApp(mInjector.binderGetCallingUid(), Process.SYSTEM_UID);
    }
    private boolean isSystemUid(CallerIdentity caller) {
        return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID);
    }
@@ -9752,7 +9751,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public ComponentName getRestrictionsProvider(int userHandle) {
        enforceSystemCaller("query the permission provider");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "query the permission provider"));
        synchronized (getLockObject()) {
            DevicePolicyData userData = getUserData(userHandle);
            return userData != null ? userData.mRestrictionsProvider : null;
@@ -10022,7 +10022,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        Objects.requireNonNull(who, "ComponentName is null");
        Preconditions.checkStringNotEmpty(packageName, "packageName is null");
        enforceSystemCaller("query if an accessibility service is disabled by admin");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG,
                        "query if an accessibility service is disabled by admin"));
        synchronized (getLockObject()) {
            ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
@@ -10168,7 +10170,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        Objects.requireNonNull(who, "ComponentName is null");
        Preconditions.checkStringNotEmpty(packageName, "packageName is null");
        enforceSystemCaller("query if an input method is disabled by admin");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG,
                        "query if an input method is disabled by admin"));
        synchronized (getLockObject()) {
            ActiveAdmin admin = getParentOfAdminIfRequired(
@@ -10228,7 +10232,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        Preconditions.checkStringNotEmpty(packageName, "packageName is null or empty");
        enforceSystemCaller("query if a notification listener service is permitted");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG,
                        "query if a notification listener service is permitted"));
        synchronized (getLockObject()) {
            ActiveAdmin profileOwner = getProfileOwnerAdminLocked(userId);
@@ -10241,12 +10247,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
    }
    private void enforceSystemCaller(String action) {
        if (!isCallerWithSystemUid()) {
            throw new SecurityException("Only the system can " + action);
        }
    }
    private void maybeSendAdminEnabledBroadcastLocked(int userHandle) {
        DevicePolicyData policyData = getUserData(userHandle);
        if (policyData.mAdminBroadcastPending) {
@@ -11790,7 +11790,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public void notifyLockTaskModeChanged(boolean isEnabled, String pkg, int userHandle) {
        enforceSystemCaller("call notifyLockTaskModeChanged");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "call notifyLockTaskModeChanged"));
        synchronized (getLockObject()) {
            final DevicePolicyData policy = getUserData(userHandle);
@@ -13693,7 +13694,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            return null;
        }
        Objects.requireNonNull(who, "ComponentName is null");
        enforceSystemCaller("query support message for user");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "query support message for user"));
        synchronized (getLockObject()) {
            ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
@@ -13710,7 +13712,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            return null;
        }
        Objects.requireNonNull(who, "ComponentName is null");
        enforceSystemCaller("query support message for user");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "query support message for user"));
        synchronized (getLockObject()) {
            ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
@@ -13940,7 +13943,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        if (!mHasFeature) {
            return false;
        }
        enforceSystemCaller("query restricted pkgs for a specific user");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG, "query restricted pkgs for a specific user"));
        synchronized (getLockObject()) {
            final ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userId);
@@ -14205,7 +14209,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        synchronized (getLockObject()) {
            if (!isCallerWithSystemUid()) {
            if (!isSystemUid(getCallerIdentity())) {
                final CallerIdentity caller = getCallerIdentity(admin, packageName);
                if (admin != null) {
                    Preconditions.checkCallAuthorization(
@@ -16603,7 +16607,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @Override
    public boolean canProfileOwnerResetPasswordWhenLocked(int userId) {
        enforceSystemCaller("call canProfileOwnerResetPasswordWhenLocked");
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                String.format(NOT_SYSTEM_CALLER_MSG,
                        "call canProfileOwnerResetPasswordWhenLocked"));
        synchronized (getLockObject()) {
            final ActiveAdmin poAdmin = getProfileOwnerAdminLocked(userId);
            if (poAdmin == null
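Review bot: In the `@@ -9160` hunk a rejected non-system caller still gets an `IllegalStateException` from `Preconditions.checkState(isSystemUid(caller), ...)`, while every other site this commit touches now rejects non-system callers with the `SecurityException` that `checkCallAuthorization` throws; preserving the old exception type is presumably deliberate because existing callers may catch it, but nothing in the code says so, and the next cleanup pass is likely to "fix" it. A one-line comment above that check, `// Deliberately IllegalStateException rather than SecurityException: callers may depend on the existing type.`, would record the intent. Separately, `String.format(NOT_SYSTEM_CALLER_MSG, ...)` is now evaluated on every call even when the caller is authorized, including on the lookups in the `@@ -6535` and `@@ -6561` hunks; if this branch's `Preconditions` has the `checkCallAuthorization(boolean, String, Object...)` template overload, passing the template and the action name separately avoids formatting a message that is almost never thrown. The method containing the `@@ -9160` hunk begins before the hunk, so whether `caller` there is captured before any `clearCallingIdentity()` cannot be confirmed from this view.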