
Commit 4459afb8 authored by Felipe Leme's avatar Felipe Leme Committed by Android (Google) Code Review

Merge "Allows DPM.generateKeyPair() to be called from PO of affiliated user." into sc-v2-dev

parents 009e56f3 e8caa07e
+4 −4
@@ -6388,10 +6388,10 @@ public class DevicePolicyManager {
     * management app can use {@link #ID_TYPE_BASE_INFO} to request inclusion of the general device
     * information including manufacturer, model, brand, device and product in the attestation
     * record.
     * Only device owner, profile owner on an organization-owned device and their delegated
     * certificate installers can use {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI} and
     * {@link #ID_TYPE_MEID} to request unique device identifiers to be attested (the serial number,
     * IMEI and MEID correspondingly), if supported by the device
     * Only device owner, profile owner on an organization-owned device or affiliated user, and
     * their delegated certificate installers can use {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI}
     * and {@link #ID_TYPE_MEID} to request unique device identifiers to be attested (the serial
     * number, IMEI and MEID correspondingly), if supported by the device
     * (see {@link #isDeviceIdAttestationSupported()}).
     * Additionally, device owner, profile owner on an organization-owned device and their delegated
     * certificate installers can also request the attestation record to be signed using an
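Review bot: The reworded sentence is ambiguous about who may request attestation of the serial number, IMEI and MEID: "profile owner on an organization-owned device or affiliated user" can be read as the profile owner of an affiliated user or as any affiliated user. Since this Javadoc is the public statement of the authorization rule, I would spell it out as `Only device owner, profile owner of an organization-owned device, profile owner of an affiliated user, and` and point at `{@link #isAffiliatedUser()}` so that "affiliated" is defined for the reader. The following sentence ("Additionally, device owner, profile owner on an organization-owned device and their delegated certificate installers can also request …") still lists the old caller set; if that request is gated by the same service-side check, which this section does not show, it needs the same update, and if it is deliberately narrower a short remark saying so would prevent misreading. The Javadoc comment begins and ends outside the hunk.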
+19 −8
@@ -5894,6 +5894,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
     *   (1.1) The caller is the Device Owner
     *   (1.2) The caller is another app in the same user as the device owner, AND
     *         The caller is the delegated certificate installer.
     *   (1.3) The caller is a Profile Owner and the calling user is affiliated.
     * (2) The user has a profile owner, AND:
     *   (2.1) The profile owner has been granted access to Device IDs and one of the following
     *         holds:
@@ -5919,12 +5920,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
         *  If the caller is from the work profile, then it must be the PO or the delegate, and
         *  it must have the right permission to access device identifiers.
         */
        if (hasProfileOwner(caller.getUserId())) {
        int callerUserId = caller.getUserId();
        if (hasProfileOwner(callerUserId)) {
            // Make sure that the caller is the profile owner or delegate.
            Preconditions.checkCallAuthorization(canInstallCertificates(caller));
            // Verify that the managed profile is on an organization-owned device and as such
            // the profile owner can access Device IDs.
            if (isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())) {
            // Verify that the managed profile is on an organization-owned device (or is affiliated
            // with the device owner user) and as such the profile owner can access Device IDs.
            if (isProfileOwnerOfOrganizationOwnedDevice(callerUserId)
                    || isUserAffiliatedWithDevice(callerUserId)) {
                return;
            }
            throw new SecurityException(
@@ -9305,7 +9308,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            return false;
        }
        // Allow access to the device owner or delegate cert installer.
        // Allow access to the device owner or delegate cert installer or profile owner of an
        // affiliated user
        ComponentName deviceOwner = getDeviceOwnerComponent(true);
        if (deviceOwner != null && (deviceOwner.getPackageName().equals(packageName)
                || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) {
@@ -9318,7 +9322,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final boolean isCallerProfileOwnerOrDelegate = profileOwner != null
                && (profileOwner.getPackageName().equals(packageName)
                        || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL));
        if (isCallerProfileOwnerOrDelegate && isProfileOwnerOfOrganizationOwnedDevice(userId)) {
        if (isCallerProfileOwnerOrDelegate && (isProfileOwnerOfOrganizationOwnedDevice(userId)
                || isUserAffiliatedWithDevice(userId))) {
            return true;
        }
@@ -14602,8 +14607,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(hasCrossUsersPermission(caller, userId));
        return isUserAffiliatedWithDevice(userId);
    }
    private boolean isUserAffiliatedWithDevice(@UserIdInt int userId) {
        synchronized (getLockObject()) {
            return isUserAffiliatedWithDeviceLocked(userId);
        }
    }
    private boolean isUserAffiliatedWithDeviceLocked(@UserIdInt int userId) {
        if (!mOwners.hasDeviceOwner()) {