Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3d5d962a authored by Pavel Grafov's avatar Pavel Grafov
Browse files

Block uninstall if DMRH in a managed user 

Previous change introduced a bug - on a personal device with a work
profile the user could uninstall updates from the personal side, thus
downgrading DMRH in the work profile, breaking it. With this change if a
package is DMRH on any managed user, uninstall will be blocked

Bug: 360807442
Test: btest a.d.c.DevicePolicyManagementRoleHolderTest
Flag: EXEMPT bugfix
Change-Id: I9fd8bed4a8203f3dbfa8dc4ea1388e7c8d136d9a
parent 350d40e9

services/core/java/com/android/server/pm/PackageManagerService.java

+20 −7
Original line number Diff line number Diff line
@@ -3389,18 +3389,31 @@ public class PackageManagerService implements PackageSender, TestUtilityService 
                    return true;

                }

                // Does it contain a device admin for any user?

                int[] users;

                int[] allUsers = mUserManager.getUserIds();

                int[] targetUsers;

                if (userId == UserHandle.USER_ALL) {

                    users = mUserManager.getUserIds();

                    targetUsers = allUsers;

                } else {

                    users = new int[]{userId};

                    targetUsers = new int[]{userId};

                }

                for (int i = 0; i < users.length; ++i) {

                    if (dpm.packageHasActiveAdmins(packageName, users[i])) {



                for (int i = 0; i < targetUsers.length; ++i) {

                    if (dpm.packageHasActiveAdmins(packageName, targetUsers[i])) {

                        return true;

                    }

                    if (isDeviceManagementRoleHolder(packageName, users[i])

                            && dpmi.isUserOrganizationManaged(users[i])) {

                }



                // If a package is DMRH on a managed user, it should also be treated as an admin on

                // that user. If that package is also a system package, it should also be protected

                // on other users otherwise "uninstall updates" on an unmanaged user may break

                // management on other users because apk version is shared between all users.

                var packageState = snapshotComputer().getPackageStateInternal(packageName);

                if (packageState == null) {

                    return false;

                }

                for (int user : packageState.isSystem() ? allUsers : targetUsers) {

                    if (isDeviceManagementRoleHolder(packageName, user)

                            && dpmi.isUserOrganizationManaged(user)) {

                        return true;

                    }

                }