Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 54dc06ab authored by kholoud mohamed's avatar kholoud mohamed
Browse files

Fix security vulnerability in DPMS 

Changed DPMS#getCrossProfileCalendarPackagesForUser to always require
INTERACT_ACROSS_USERS or INTERACT_ACROSS_USERS_FULL.

Bug: 187043444
Test: N/A
Change-Id: I53300bfe2e0481df0d473cc73a85857b5603a45e
parent 4e10425f

core/java/android/app/admin/DevicePolicyManager.java

+4 −0
Original line number Diff line number Diff line
@@ -13112,6 +13112,10 @@ public class DevicePolicyManager { 
     * @see #getCrossProfileCalendarPackages(ComponentName)

     * @hide

     */

    @RequiresPermission(anyOf = {

            permission.INTERACT_ACROSS_USERS_FULL,

            permission.INTERACT_ACROSS_USERS

    })

    public @Nullable Set<String> getCrossProfileCalendarPackages() {

        throwIfParentInstance("getCrossProfileCalendarPackages");

        if (mService != null) {

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+3 −3
Original line number Diff line number Diff line
@@ -16016,9 +16016,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { 
            return Collections.emptyList();

        }

        Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");













        final CallerIdentity caller = getCallerIdentity();













        Preconditions.checkCallAuthorization(hasCrossUsersPermission(caller, userHandle));













        Preconditions.checkCallAuthorization(













                hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS)













                        || hasCallingOrSelfPermission(permission.INTERACT_ACROSS_USERS_FULL));





























        synchronized (getLockObject()) {















            final ActiveAdmin admin = getProfileOwnerAdminLocked(userHandle);