
Commit 54dc06ab authored by kholoud mohamed's avatar kholoud mohamed

Fix security vulnerability in DPMS

Changed DPMS#getCrossProfileCalendarPackagesForUser to always require
INTERACT_ACROSS_USERS or INTERACT_ACROSS_USERS_FULL.

Bug: 187043444
Test: N/A
Change-Id: I53300bfe2e0481df0d473cc73a85857b5603a45e
parent 4e10425f
+4 −0
@@ -13112,6 +13112,10 @@ public class DevicePolicyManager {
     * @see #getCrossProfileCalendarPackages(ComponentName)
     * @hide
     */
    @RequiresPermission(anyOf = {
            permission.INTERACT_ACROSS_USERS_FULL,
            permission.INTERACT_ACROSS_USERS
    })
    public @Nullable Set<String> getCrossProfileCalendarPackages() {
        throwIfParentInstance("getCrossProfileCalendarPackages");
        if (mService != null) {
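Review bot: The `@RequiresPermission(anyOf = {...})` annotation on `getCrossProfileCalendarPackages()` is the only place on the client side where the new requirement is stated, and it is a lint-time hint rather than an enforcement point. The Javadoc that closes just above it starts outside this hunk, so it may already cover this, but if it does not I would add `@throws SecurityException if the caller holds neither INTERACT_ACROSS_USERS nor INTERACT_ACROSS_USERS_FULL` (assuming the service-side rejection surfaces to the caller as a SecurityException). Because the commit message says the service now always requires one of these permissions, callers that previously queried their own user without holding either will start failing and should be audited before this ships. The method body continues past the end of the hunk.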
+3 −3
@@ -16016,9 +16016,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            return Collections.emptyList();
        }
        Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(hasCrossUsersPermission(caller, userHandle));
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS)
                        || hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS_FULL));
        synchronized (getLockObject()) {
            final ActiveAdmin admin = getProfileOwnerAdminLocked(userHandle);
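Review bot: The authorization check built from `hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS) || hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS_FULL)` does not look at `userHandle` at all. A caller holding only INTERACT_ACROSS_USERS can therefore pass any non-negative user id and reach `getProfileOwnerAdminLocked(userHandle)`, and nothing visible in this hunk limits that to the caller's own profile group. If that is intended, a comment above the check would stop it being "simplified" back to the per-user form, for example `// Required even for the caller's own user; do not relax to hasCrossUsersPermission(caller, userHandle).`; if not, the non-FULL permission should be accepted only when `userHandle` is in the caller's profile group. The commit lists `Test: N/A`, so a regression test that calls this method without either permission and expects the call to be rejected would pin the fix. The method signature and the remainder of the body lie outside the hunk.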