
Commit 411c2f45 authored by Salud Lemus's avatar Salud Lemus Committed by Android (Google) Code Review

Merge "Permit access to certain get APIs for financed device owner"

parents 10935c1f 804e73f6
+19 −1
@@ -465,7 +465,9 @@ public class DevicePolicyManager {
     * <li>{@link #setUserControlDisabledPackages(ComponentName, List)}</li>
     * <li>{@link #getUserControlDisabledPackages(ComponentName)}</li>
     * <li>{@link #setOrganizationName(ComponentName, CharSequence)}</li>
     * <li>{@link #getOrganizationName(ComponentName)} </li>
     * <li>{@link #setShortSupportMessage(ComponentName, CharSequence)}</li>
     * <li>{@link #getShortSupportMessage(ComponentName)}</li>
     * <li>{@link #isBackupServiceEnabled(ComponentName)}</li>
     * <li>{@link #setBackupServiceEnabled(ComponentName, boolean)}</li>
     * <li>{@link #isLockTaskPermitted(String)}</li>
@@ -478,7 +480,9 @@ public class DevicePolicyManager {
     *     <li>{@link #LOCK_TASK_FEATURE_GLOBAL_ACTIONS}</li>
     *     <li>{@link #LOCK_TASK_FEATURE_NOTIFICATIONS}</li>
     * </ul>
     * <li>{@link #getLockTaskFeatures(ComponentName)}</li>
     * <li>{@link #setLockTaskPackages(ComponentName, String[])}</li>
     * <li>{@link #getLockTaskPackages(ComponentName)}</li>
     * <li>{@link #addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName)}</li>
     * <li>{@link #clearPackagePersistentPreferredActivities(ComponentName, String)} </li>
     * <li>{@link #wipeData(int)}</li>
@@ -489,6 +493,10 @@ public class DevicePolicyManager {
     * {@link #PERMISSION_GRANT_STATE_GRANTED}, {@link #PERMISSION_GRANT_STATE_DENIED}, or
     * {@link #PERMISSION_GRANT_STATE_DEFAULT} and can <b>only</b> be applied to the device admin
     * app (otherwise a {@link SecurityException} will be thrown)</li>
     * <li>{@link #getPermissionGrantState(ComponentName, String, String)}, where
     * {@link permission#READ_PHONE_STATE} is the <b>only</b> permission that can be
     * used and device admin app is the only package that can be used to retrieve the permission
     * permission grant state for (otherwise a {@link SecurityException} will be thrown)</li>
     * <li>{@link #addUserRestriction(ComponentName, String)}, where the following user restrictions
     * are permitted (otherwise a {@link SecurityException} will be thrown):</li>
     * <ul>
@@ -499,7 +507,17 @@ public class DevicePolicyManager {
     *     <li>{@link UserManager#DISALLOW_CONFIG_DATE_TIME}</li>
     *     <li>{@link UserManager#DISALLOW_OUTGOING_CALLS}</li>
     * </ul>
     * <li>{@link #clearUserRestriction(ComponentName, String)}</li>
     * <li>{@link #getUserRestrictions(ComponentName)}</li>
     * <li>{@link #clearUserRestriction(ComponentName, String)}, where the following user
     * restrictions are permitted (otherwise a {@link SecurityException} will be thrown):</li>
     * <ul>
     *     <li>{@link UserManager#DISALLOW_ADD_USER}</li>
     *     <li>{@link UserManager#DISALLOW_DEBUGGING_FEATURES}</li>
     *     <li>{@link UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES}</li>
     *     <li>{@link UserManager#DISALLOW_SAFE_BOOT}</li>
     *     <li>{@link UserManager#DISALLOW_CONFIG_DATE_TIME}</li>
     *     <li>{@link UserManager#DISALLOW_OUTGOING_CALLS}</li>
     * </ul>
     * </ul>
     *
     * @hide
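Review bot: The new `getPermissionGrantState` entry contains a doubled word across its line break, "retrieve the permission" followed by "permission grant state for"; the second line should start with `grant state for (otherwise a {@link SecurityException} will be thrown)</li>`. The expanded `clearUserRestriction` entry repeats the six-item restriction list already given for `addUserRestriction`, so the two copies can drift; a single sentence such as `the same user restrictions as {@link #addUserRestriction(ComponentName, String)}` would keep one source of truth. The service hunks shown for this commit do not touch `clearUserRestriction`, so it is worth confirming that the documented allow-list is already enforced there, since this Javadoc is what describes the financed device owner's privilege boundary.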
+12 −7
@@ -11615,6 +11615,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller)
                || isFinancedDeviceOwner(caller)
                || isProfileOwner(caller)
                || (parent && isProfileOwnerOfOrganizationOwnedDevice(caller)));
@@ -13990,7 +13991,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        synchronized (getLockObject()) {
            if (isFinancedDeviceOwner(caller)) {
                enforceCanSetPermissionGrantOnFinancedDevice(packageName, permission);
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            long ident = mInjector.binderClearCallingIdentity();
            try {
@@ -14051,14 +14052,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
    }
    private void enforceCanSetPermissionGrantOnFinancedDevice(
    private void enforcePermissionGrantStateOnFinancedDevice(
            String packageName, String permission) {
        if (!Manifest.permission.READ_PHONE_STATE.equals(permission)) {
            throw new SecurityException("Cannot grant " + permission
                    + " when managing a financed device");
            throw new SecurityException(permission + " cannot be used when managing a financed"
                    + " device for permission grant state");
        } else if (!mOwners.getDeviceOwnerPackageName().equals(packageName)) {
            throw new SecurityException("Cannot grant permission to a package that is not"
                    + " the device owner");
            throw new SecurityException("Device owner package is the only package that can be used"
                    + " for permission grant state when managing a financed device");
        }
    }
@@ -14067,10 +14068,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            String packageName, String permission) throws RemoteException {
        final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
        Preconditions.checkCallAuthorization(isSystemUid(caller) || (caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)))
                && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)
                || isFinancedDeviceOwner(caller)))
                || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_PERMISSION_GRANT)));
        synchronized (getLockObject()) {
            if (isFinancedDeviceOwner(caller)) {
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            return mInjector.binderWithCleanCallingIdentity(() -> {
                int granted;
                if (getTargetSdk(caller.getPackageName(), caller.getUserId())
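Review bot: In the last hunk the financed-device limit is applied only when `isFinancedDeviceOwner(caller)` is true, so a caller admitted through the `isCallerDelegate(caller, DELEGATION_PERMISSION_GRANT)` branch of the same authorization check is not subject to the READ_PHONE_STATE / own-package restriction. Whether a financed device owner can ever hold such a delegate is not visible here; if it cannot, say so next to the check, e.g. `// Delegates are not reachable on a financed device (delegation is not permitted for financed DO), so only the DO itself is restricted here.`, and if it can, the restriction should key on the device's owner type rather than on the caller. The renamed helper `enforcePermissionGrantStateOnFinancedDevice` now guards both the set and get paths and would benefit from a short Javadoc naming the two conditions it enforces and the `SecurityException` it throws. The method body continues past the end of this hunk.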
+26 −0
@@ -7781,6 +7781,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {

                verify(getServices().userManagerInternal, never())
                        .setDevicePolicyUserRestrictions(anyInt(), any(), any(), anyBoolean());
                DpmTestUtils.assertRestrictions(new Bundle(), dpm.getUserRestrictions(admin1));
            }
        }
    }
@@ -7812,6 +7813,9 @@ public class DevicePolicyManagerTest extends DpmTestBase {
                                eq(true));
                reset(getServices().userManagerInternal);

                DpmTestUtils.assertRestrictions(DpmTestUtils.newRestrictions(restriction),
                        dpm.getUserRestrictions(admin1));

                dpm.clearUserRestriction(admin1, restriction);
                reset(getServices().userManagerInternal);
            }
@@ -8057,6 +8061,28 @@ public class DevicePolicyManagerTest extends DpmTestBase {
                        DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED));
    }

    @Test
    public void testGetPermissionGrantState_financeDo_notReadPhoneStatePermission_throwsException()
            throws Exception {
        setDeviceOwner();
        dpm.setDeviceOwnerType(admin1, DEVICE_OWNER_TYPE_FINANCED);

        assertExpectException(SecurityException.class, /* messageRegex= */ null,
                () -> dpm.getPermissionGrantState(admin1, admin1.getPackageName(),
                        permission.READ_CALENDAR));
    }

    @Test
    public void testGetPermissionGrantState_financeDo_notDeviceOwnerPackage_throwsException()
            throws Exception {
        setDeviceOwner();
        dpm.setDeviceOwnerType(admin1, DEVICE_OWNER_TYPE_FINANCED);

        assertExpectException(SecurityException.class, /* messageRegex= */ null,
                () -> dpm.getPermissionGrantState(admin1, "com.android.foo.package",
                        permission.READ_PHONE_STATE));
    }

    @Test
    public void testSetUsbDataSignalingEnabled_noDeviceOwnerOrPoOfOrgOwnedDevice() {
        assertThrows(SecurityException.class,
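Review bot: Both new `testGetPermissionGrantState_financeDo_*` tests pass `/* messageRegex= */ null`, so they succeed on any `SecurityException`. That includes one thrown by the caller-authorization check, so they do not prove that the financed-device enforcement is what rejected the call, nor which of its two branches fired. Passing a pattern taken from the service messages would pin each branch, for example `".*cannot be used when managing a financed device.*"` for the wrong-permission case and `"Device owner package is the only package.*"` for the wrong-package case, adjusted to however `assertExpectException` matches the regex. The visible hunks also add no positive case showing that a financed device owner can read the grant state of `permission.READ_PHONE_STATE` for `admin1.getPackageName()`, which is the access this commit is meant to permit.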