Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6d20d75e authored by Michael Groover's avatar Michael Groover
Browse files

Protect Device Identifiers behind priv permission and DO/PO checks 

Bug: 110099294
Test: cts-tradefed run cts -m CtsDevicePolicyManagerTestCases \
      -t com.android.cts.devicepolicy.DeviceOwnerTest.testDeviceOwnerCanGetDeviceIdentifiers
Test: cts-tradefed run cts -m CtsDevicePolicyManagerTestCases \
      -t com.android.cts.devicepolicy.ManagedProfileTest#testGetDeviceIdentifiers
Test: cts-tradefed run cts -m CtsTelephonyTestCases -t android.telephony.cts.TelephonyManagerTest
Test: cts-tradefed run cts -m CtsPermissionTestCases -t android.permission.cts.TelephonyManagerPermissionTest

Change-Id: I3c82c53ec89cd17b34a61166ccc9e9747388efac
parent 42f4e79d

core/java/android/app/admin/DevicePolicyManager.java

+31 −0
Original line number Diff line number Diff line
@@ -5702,6 +5702,37 @@ public class DevicePolicyManager { 
        return null;

    }



    /**

     * Returns whether the specified package can read the device identifiers.

     *

     * @param packageName The package name of the app to check for device identifier access.

     * @return whether the package can read the device identifiers.

     *

     * @hide

     */

    public boolean checkDeviceIdentifierAccess(String packageName) {

        return checkDeviceIdentifierAccessAsUser(packageName, myUserId());

    }



    /**

     * @hide

     */

    @RequiresPermission(value = android.Manifest.permission.MANAGE_USERS, conditional = true)

    public boolean checkDeviceIdentifierAccessAsUser(String packageName, int userId) {

        throwIfParentInstance("checkDeviceIdentifierAccessAsUser");

        if (packageName == null) {

            return false;

        }

        if (mService != null) {

            try {

                return mService.checkDeviceIdentifierAccess(packageName, userId);

            } catch (RemoteException re) {

                throw re.rethrowFromSystemServer();

            }

        }

        return false;

    }



    /**

     * Called by a profile owner or device owner to set a default activity that the system selects

     * to handle intents that match the given {@link IntentFilter}. This activity will remain the

core/java/android/app/admin/IDevicePolicyManager.aidl

+2 −0
Original line number Diff line number Diff line
@@ -153,6 +153,8 @@ interface IDevicePolicyManager { 
    void clearProfileOwner(in ComponentName who);

    boolean hasUserSetupCompleted();



    boolean checkDeviceIdentifierAccess(in String packageName, int userHandle);



    void setDeviceOwnerLockScreenInfo(in ComponentName who, CharSequence deviceOwnerInfo);

    CharSequence getDeviceOwnerLockScreenInfo();

core/java/android/os/Build.java

+11 −2
Original line number Diff line number Diff line
@@ -18,8 +18,10 @@ package android.os; 


import android.Manifest;

import android.annotation.RequiresPermission;

import android.annotation.SuppressAutoDoc;

import android.annotation.SystemApi;

import android.annotation.TestApi;

import android.app.ActivityThread;

import android.app.Application;

import android.content.Context;

import android.text.TextUtils;
@@ -127,14 +129,21 @@ public class Build { 
     * <a href="/training/articles/security-key-attestation.html">key attestation</a> to obtain

     * proof of the device's original identifiers.

     *

     * <p>Requires Permission: READ_PRIVILEGED_PHONE_STATE or for the calling package to be the

     * device or profile owner. Profile owner access is deprecated and will be removed in a future

     * release.

     *

     * @return The serial number if specified.

     */

    @RequiresPermission(Manifest.permission.READ_PHONE_STATE)

    @SuppressAutoDoc // No support for device / profile owner.

    @RequiresPermission(Manifest.permission.READ_PRIVILEGED_PHONE_STATE)

    public static String getSerial() {

        IDeviceIdentifiersPolicyService service = IDeviceIdentifiersPolicyService.Stub

                .asInterface(ServiceManager.getService(Context.DEVICE_IDENTIFIERS_SERVICE));

        try {

            return service.getSerial();

            Application application = ActivityThread.currentApplication();

            String callingPackage = application != null ? application.getPackageName() : null;

            return service.getSerialForPackage(callingPackage);

        } catch (RemoteException e) {

            e.rethrowFromSystemServer();

        }

core/java/android/os/IDeviceIdentifiersPolicyService.aidl

+1 −0
Original line number Diff line number Diff line
@@ -21,4 +21,5 @@ package android.os; 
 */

interface IDeviceIdentifiersPolicyService {

    String getSerial();

    String getSerialForPackage(in String callingPackage);

}
 
 No newline at end of file

core/tests/bandwidthtests/src/com/android/bandwidthtest/BandwidthTest.java

+8 −1
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package com.android.bandwidthtest;



import android.app.UiAutomation;

import android.content.Context;

import android.net.ConnectivityManager;

import android.net.NetworkInfo.State;
@@ -74,7 +75,13 @@ public class BandwidthTest extends InstrumentationTestCase { 
        Log.v(LOG_TAG, "Initialized mConnectionUtil");

        mUid = Process.myUid();

        mTManager = (TelephonyManager)mContext.getSystemService(Context.TELEPHONY_SERVICE);

        final UiAutomation uiAutomation = getInstrumentation().getUiAutomation();

        try {

            uiAutomation.adoptShellPermissionIdentity();

            mDeviceId = mTManager.getDeviceId();

        } finally {

            uiAutomation.dropShellPermissionIdentity();

        }

    }



    @Override