
Commit 6cbad8cf authored by Felipe Leme's avatar Felipe Leme Committed by Android (Google) Code Review

Merge changes from topic "testDelegatedCertInstallerDeviceIdAttestation" into sc-v2-dev-plus-aosp

* changes:
  [automerge] Allows DPM.generateKeyPair() to be called from PO of affiliated user. 2p: e8caa07e
  Allows DPM.generateKeyPair() to be called from PO of affiliated user.
parents a6ef7643 bce5c8c9
+4 −4
@@ -6388,10 +6388,10 @@ public class DevicePolicyManager {
     * management app can use {@link #ID_TYPE_BASE_INFO} to request inclusion of the general device
     * information including manufacturer, model, brand, device and product in the attestation
     * record.
     * Only device owner, profile owner on an organization-owned device and their delegated
     * certificate installers can use {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI} and
     * {@link #ID_TYPE_MEID} to request unique device identifiers to be attested (the serial number,
     * IMEI and MEID correspondingly), if supported by the device
     * Only device owner, profile owner on an organization-owned device or affiliated user, and
     * their delegated certificate installers can use {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI}
     * and {@link #ID_TYPE_MEID} to request unique device identifiers to be attested (the serial
     * number, IMEI and MEID correspondingly), if supported by the device
     * (see {@link #isDeviceIdAttestationSupported()}).
     * Additionally, device owner, profile owner on an organization-owned device and their delegated
     * certificate installers can also request the attestation record to be signed using an
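Review bot: The reworded sentence "profile owner on an organization-owned device or affiliated user" can be read two ways: as a profile owner of an affiliated user, or as any affiliated user. Because this sentence defines who may have the serial number, IMEI or MEID attested, I would spell the third case out: `Only device owner, profile owner on an organization-owned device, profile owner of an affiliated user, and their delegated certificate installers can use ...`. The next sentence, on signing the attestation record ("Additionally, device owner, profile owner on an organization-owned device and their delegated certificate installers ..."), is unchanged and does not mention affiliated users. That Javadoc block continues outside the hunk, so it is worth stating there whether leaving affiliated users out is intended.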
+19 −8
@@ -5898,6 +5898,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
     *   (1.1) The caller is the Device Owner
     *   (1.2) The caller is another app in the same user as the device owner, AND
     *         The caller is the delegated certificate installer.
     *   (1.3) The caller is a Profile Owner and the calling user is affiliated.
     * (2) The user has a profile owner, AND:
     *   (2.1) The profile owner has been granted access to Device IDs and one of the following
     *         holds:
@@ -5923,12 +5924,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
         *  If the caller is from the work profile, then it must be the PO or the delegate, and
         *  it must have the right permission to access device identifiers.
         */
        if (hasProfileOwner(caller.getUserId())) {
        int callerUserId = caller.getUserId();
        if (hasProfileOwner(callerUserId)) {
            // Make sure that the caller is the profile owner or delegate.
            Preconditions.checkCallAuthorization(canInstallCertificates(caller));
            // Verify that the managed profile is on an organization-owned device and as such
            // the profile owner can access Device IDs.
            if (isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())) {
            // Verify that the managed profile is on an organization-owned device (or is affiliated
            // with the device owner user) and as such the profile owner can access Device IDs.
            if (isProfileOwnerOfOrganizationOwnedDevice(callerUserId)
                    || isUserAffiliatedWithDevice(callerUserId)) {
                return;
            }
            throw new SecurityException(
@@ -9309,7 +9312,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            return false;
        }
        // Allow access to the device owner or delegate cert installer.
        // Allow access to the device owner or delegate cert installer or profile owner of an
        // affiliated user
        ComponentName deviceOwner = getDeviceOwnerComponent(true);
        if (deviceOwner != null && (deviceOwner.getPackageName().equals(packageName)
                || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) {
@@ -9322,7 +9326,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final boolean isCallerProfileOwnerOrDelegate = profileOwner != null
                && (profileOwner.getPackageName().equals(packageName)
                        || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL));
        if (isCallerProfileOwnerOrDelegate && isProfileOwnerOfOrganizationOwnedDevice(userId)) {
        if (isCallerProfileOwnerOrDelegate && (isProfileOwnerOfOrganizationOwnedDevice(userId)
                || isUserAffiliatedWithDevice(userId))) {
            return true;
        }
@@ -14648,8 +14653,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(hasCrossUsersPermission(caller, userId));
        return isUserAffiliatedWithDevice(userId);
    }
    private boolean isUserAffiliatedWithDevice(@UserIdInt int userId) {
        synchronized (getLockObject()) {
            return isUserAffiliatedWithDeviceLocked(userId);
        }
    }
    private boolean isUserAffiliatedWithDeviceLocked(@UserIdInt int userId) {
        if (!mOwners.hasDeviceOwner()) {