Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +14 −18 Original line number Diff line number Diff line Loading @@ -1995,13 +1995,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final DevicePolicyData policy = getUserData(UserHandle.getUserId(callerUid)); ActiveAdmin admin = policy.mAdminMap.get(adminComponent); if (admin == null) { throw new SecurityException(String.format( "No active admin for %s", adminComponent)); } if (admin.getUid() != callerUid) { // Throwing combined exception message for both the cases here, because from different // security exceptions it could be deduced if particular package is admin package. if (admin == null || admin.getUid() != callerUid) { throw new SecurityException(String.format( "Admin %s is not owned by uid %d", adminComponent, callerUid)); "Admin %s does not exist or is not owned by uid %d", adminComponent, callerUid)); } if (callerPackage != null) { Preconditions.checkArgument(callerPackage.equals(adminComponent.getPackageName())); Loading Loading @@ -8181,17 +8180,16 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { */ @Override public boolean getCameraDisabled(ComponentName who, int userHandle, boolean parent) { return getCameraDisabled(who, userHandle, /* mergeDeviceOwnerRestriction= */ true, parent); } private boolean getCameraDisabled(ComponentName who, int userHandle, boolean mergeDeviceOwnerRestriction, boolean parent) { if (!mHasFeature) { return false; } final CallerIdentity caller = getCallerIdentity(who); Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle)); if (parent) { Preconditions.checkCallAuthorization( isProfileOwnerOfOrganizationOwnedDevice(getCallerIdentity().getUserId())); isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())); } synchronized (getLockObject()) { Loading @@ -8200,12 +8198,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return (admin != null) && admin.disableCamera; } // First, see if DO has set it. If so, it's device-wide. if (mergeDeviceOwnerRestriction) { final ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked(); if (deviceOwner != null && deviceOwner.disableCamera) { return true; } } final int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; // Return the strictest policy across all participating admins. List<ActiveAdmin> admins = getActiveAdminsForAffectedUserLocked(affectedUserId); Loading services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +7 −3 Original line number Diff line number Diff line Loading @@ -102,6 +102,7 @@ import android.graphics.Color; import android.hardware.usb.UsbManager; import android.net.ConnectivityManager; import android.net.Uri; import android.os.Build; import android.os.Build.VERSION_CODES; import android.os.Bundle; import android.os.Process; Loading Loading @@ -2102,9 +2103,12 @@ public class DevicePolicyManagerTest extends DpmTestBase { mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS); mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL); setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID); setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID, null, Build.VERSION_CODES.Q); dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM); mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; boolean originalCameraDisabled = dpm.getCameraDisabled(admin1); assertExpectException(SecurityException.class, /* messageRegex= */ null, () -> dpm.setCameraDisabled(admin1, true)); Loading Loading @@ -2674,8 +2678,8 @@ public class DevicePolicyManagerTest extends DpmTestBase { setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID); // Test 1. Caller doesn't have DO or DA. assertExpectException(SecurityException.class, /* messageRegex= */ "No active admin", () -> dpm.getWifiMacAddress(admin1)); assertExpectException(SecurityException.class, /* messageRegex= */ "does not exist or is not owned by uid", () -> dpm.getWifiMacAddress(admin1)); // DO needs to be an DA. dpm.setActiveAdmin(admin1, /* replace =*/ false); Loading Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +14 −18 Original line number Diff line number Diff line Loading @@ -1995,13 +1995,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final DevicePolicyData policy = getUserData(UserHandle.getUserId(callerUid)); ActiveAdmin admin = policy.mAdminMap.get(adminComponent); if (admin == null) { throw new SecurityException(String.format( "No active admin for %s", adminComponent)); } if (admin.getUid() != callerUid) { // Throwing combined exception message for both the cases here, because from different // security exceptions it could be deduced if particular package is admin package. if (admin == null || admin.getUid() != callerUid) { throw new SecurityException(String.format( "Admin %s is not owned by uid %d", adminComponent, callerUid)); "Admin %s does not exist or is not owned by uid %d", adminComponent, callerUid)); } if (callerPackage != null) { Preconditions.checkArgument(callerPackage.equals(adminComponent.getPackageName())); Loading Loading @@ -8181,17 +8180,16 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { */ @Override public boolean getCameraDisabled(ComponentName who, int userHandle, boolean parent) { return getCameraDisabled(who, userHandle, /* mergeDeviceOwnerRestriction= */ true, parent); } private boolean getCameraDisabled(ComponentName who, int userHandle, boolean mergeDeviceOwnerRestriction, boolean parent) { if (!mHasFeature) { return false; } final CallerIdentity caller = getCallerIdentity(who); Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle)); if (parent) { Preconditions.checkCallAuthorization( isProfileOwnerOfOrganizationOwnedDevice(getCallerIdentity().getUserId())); isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())); } synchronized (getLockObject()) { Loading @@ -8200,12 +8198,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return (admin != null) && admin.disableCamera; } // First, see if DO has set it. If so, it's device-wide. if (mergeDeviceOwnerRestriction) { final ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked(); if (deviceOwner != null && deviceOwner.disableCamera) { return true; } } final int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; // Return the strictest policy across all participating admins. List<ActiveAdmin> admins = getActiveAdminsForAffectedUserLocked(affectedUserId); Loading
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +7 −3 Original line number Diff line number Diff line Loading @@ -102,6 +102,7 @@ import android.graphics.Color; import android.hardware.usb.UsbManager; import android.net.ConnectivityManager; import android.net.Uri; import android.os.Build; import android.os.Build.VERSION_CODES; import android.os.Bundle; import android.os.Process; Loading Loading @@ -2102,9 +2103,12 @@ public class DevicePolicyManagerTest extends DpmTestBase { mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS); mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL); setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID); setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID, null, Build.VERSION_CODES.Q); dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM); mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; boolean originalCameraDisabled = dpm.getCameraDisabled(admin1); assertExpectException(SecurityException.class, /* messageRegex= */ null, () -> dpm.setCameraDisabled(admin1, true)); Loading Loading @@ -2674,8 +2678,8 @@ public class DevicePolicyManagerTest extends DpmTestBase { setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID); // Test 1. Caller doesn't have DO or DA. assertExpectException(SecurityException.class, /* messageRegex= */ "No active admin", () -> dpm.getWifiMacAddress(admin1)); assertExpectException(SecurityException.class, /* messageRegex= */ "does not exist or is not owned by uid", () -> dpm.getWifiMacAddress(admin1)); // DO needs to be an DA. dpm.setActiveAdmin(admin1, /* replace =*/ false); Loading
