Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7672301b authored by Eran Messeri's avatar Eran Messeri
Browse files

DPMS: Fix access control check for password sufficiency 

Fix access control check for isActivePasswordSufficient, such that the
DPC can call it on the parent profile DPM instance.

In Change-Id: I97ca0d40a01673939e64c23f357fc38ca5427a8f an additional access
control check was imposed as a result of a refactoring.

That check required the caller to hold the cross-user permission (which
is a system-privileged permission) to check password sufficiency.

This is fixed by introducing an uchecked internal variant of the
method for getting password metrics, since caller authorization is
checked prior to calling it.

Bug: 173484959
Bug: 173483046
Test: atest com.android.cts.devicepolicy.ManagedProfileTest#testDevicePolicyManagerParentSupport
Test: Manual, created a work profile with a google.com account.
Change-Id: Id23a8d9e70c1b438fc12cb3ea408273964dde97b
parent 6cdbca61

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+8 −4
Original line number Diff line number Diff line
@@ -4152,14 +4152,18 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { 
    public PasswordMetrics getPasswordMinimumMetrics(@UserIdInt int userHandle) {

        final CallerIdentity caller = getCallerIdentity();

        Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));

        return getPasswordMinimumMetricsUnchecked(userHandle);

    }













    private PasswordMetrics getPasswordMinimumMetricsUnchecked(@UserIdInt int userId) {















        if (!mHasFeature) {















            new PasswordMetrics(CREDENTIAL_TYPE_NONE);















        }













        Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");













        Preconditions.checkArgumentNonnegative(userId, "Invalid userId");





























        ArrayList<PasswordMetrics> adminMetrics = new ArrayList<>();















        synchronized (getLockObject()) {













            List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userHandle);













            List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userId);















            for (ActiveAdmin admin : admins) {















                adminMetrics.add(admin.mPasswordPolicy.getMinMetrics());















            }










@@ -4293,7 +4297,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {













    private boolean isPasswordSufficientForUserWithoutCheckpointLocked(















            @NonNull PasswordMetrics metrics, @UserIdInt int userId) {















        final int complexity = getEffectivePasswordComplexityRequirementLocked(userId);













        PasswordMetrics minMetrics = getPasswordMinimumMetrics(userId);













        PasswordMetrics minMetrics = getPasswordMinimumMetricsUnchecked(userId);















        final List<PasswordValidationError> passwordValidationErrors =















                PasswordMetrics.validatePasswordMetrics(















                        minMetrics, complexity, false, metrics);










@@ -4583,7 +4587,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {













        final int callingUid = caller.getUid();















        final int userHandle = UserHandle.getUserId(callingUid);















        synchronized (getLockObject()) {













            final PasswordMetrics minMetrics = getPasswordMinimumMetrics(userHandle);













            final PasswordMetrics minMetrics = getPasswordMinimumMetricsUnchecked(userHandle);















            final List<PasswordValidationError> validationErrors;















            final int complexity = getEffectivePasswordComplexityRequirementLocked(userHandle);















            // TODO: Consider changing validation API to take LockscreenCredential.