
Commit 78bcc2f3 authored by Elis Elliott's avatar Elis Elliott

Fix APIs which use admin policies in permission check

Fixes: 278635943

Test: atest com.android.cts.devicepolicy.ManagedProfileTest
Change-Id: I563550c2d5c36151c0c0f94f330fac2334779c10
parent 16e51ba1
+24 −18
@@ -259,7 +259,6 @@ import android.Manifest.permission;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerFuture;
import android.accounts.AuthenticatorException;
import android.accounts.OperationCanceledException;
import android.annotation.IntDef;
@@ -447,7 +446,6 @@ import android.util.AtomicFile;
import android.util.DebugUtils;
import android.util.IndentingPrintWriter;
import android.util.IntArray;
import android.util.Log;
import android.util.Pair;
import android.util.Slog;
import android.util.SparseArray;
@@ -5562,7 +5560,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            if (isPermissionCheckFlagEnabled()) {
                CallerIdentity caller = getCallerIdentity(who, callerPackageName);
                ap = enforcePermissionAndGetEnforcingAdmin(
                        who, MANAGE_DEVICE_POLICY_WIPE_DATA,
                        who,
                        /*permission=*/ MANAGE_DEVICE_POLICY_WIPE_DATA,
                        /* adminPolicy=*/ DeviceAdminInfo.USES_POLICY_WIPE_DATA,
                        caller.getPackageName(), affectedUserId).getActiveAdmin();
            } else {
                // This API can only be called by an active device admin,
@@ -5844,9 +5844,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            ActiveAdmin ap;
            if (isPermissionCheckFlagEnabled()) {
                CallerIdentity caller = getCallerIdentity(who, callerPackageName);
                // TODO: Allow use of USES_POLICY_FORCE_LOCK
                ap = enforcePermissionAndGetEnforcingAdmin(
                        who, MANAGE_DEVICE_POLICY_LOCK, caller.getPackageName(),
                        who,
                        /*permission=*/ MANAGE_DEVICE_POLICY_LOCK,
                        /*AdminPolicy=*/DeviceAdminInfo.USES_POLICY_FORCE_LOCK,
                        caller.getPackageName(),
                        affectedUserId).getActiveAdmin();
            } else {
                ap = getActiveAdminForCallerLocked(
@@ -11803,9 +11805,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            if (isPermissionCheckFlagEnabled()) {
                CallerIdentity caller = getCallerIdentity(admin, callerPackageName);
                int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
                // TODO: Support USES_POLICY_DISABLE_KEYGUARD_FEATURES
                ap = enforcePermissionAndGetEnforcingAdmin(
                        admin, MANAGE_DEVICE_POLICY_KEYGUARD,
                        admin,
                        /*permission=*/MANAGE_DEVICE_POLICY_KEYGUARD,
                        /*adminPolicy=*/DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES,
                        caller.getPackageName(), affectedUserId).getActiveAdmin();
            } else {
                ap = getActiveAdminForCallerLocked(admin,
@@ -13346,23 +13349,23 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            caller = getCallerIdentity(who);
        }
        int userId = caller.getUserId();
        int affectedUserId = parent ? getProfileParentId(userId) : userId;
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_USER_RESTRICTION);
        if (isPolicyEngineForFinanceFlagEnabled()) {
            if (!isDeviceOwner(caller) && !isProfileOwner(caller)) {
                EnforcingAdmin admin = enforcePermissionForUserRestriction(
                        who,
                        key,
                        caller.getPackageName(),
                        affectedUserId);
                if (!mInjector.isChangeEnabled(ENABLE_COEXISTENCE_CHANGE, callerPackage, userId)) {
                    throw new IllegalStateException("Calling package is not targeting Android U.");
                }
                if (!UserRestrictionsUtils.isValidRestriction(key)) {
                    throw new IllegalArgumentException("Invalid restriction key: " + key);
                }
                int affectedUserId = parent ? getProfileParentId(userId) : userId;
                EnforcingAdmin admin = enforcePermissionForUserRestriction(
                        who,
                        key,
                        caller.getPackageName(),
                        affectedUserId);
                PolicyDefinition<Boolean> policyDefinition =
                        PolicyDefinition.getPolicyDefinitionForUserRestriction(key);
                if (enabledFromThisOwner) {
@@ -22979,6 +22982,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            MANAGE_DEVICE_POLICY_FACTORY_RESET,
            MANAGE_DEVICE_POLICY_INSTALL_UNKNOWN_SOURCES,
            MANAGE_DEVICE_POLICY_KEYGUARD,
            MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS,
            MANAGE_DEVICE_POLICY_LOCK_TASK,
            MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY,
            MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
@@ -22986,7 +22990,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            MANAGE_DEVICE_POLICY_SUPPORT_MESSAGE,
            MANAGE_DEVICE_POLICY_TIME,
            MANAGE_DEVICE_POLICY_USERS,
            MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS
            MANAGE_DEVICE_POLICY_WIPE_DATA
    );
    /**
@@ -23506,14 +23510,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
     *
     * @param callerPackageName The package name  of the calling application.
     * @param adminPolicy The admin policy that should grant holders permission.
     * @param permission The name of the permission being checked.
     * @param permissions The names of the permissions being checked.
     * @param targetUserId The userId of the user which the caller needs permission to act on.
     * @throws SecurityException if the caller has not been granted the given permission,
     * the associated cross-user permission if the caller's user is different to the target user.
     */
    private void enforcePermissions(String[] permissions, int adminPolicy,
            String callerPackageName, int targetUserId) throws SecurityException {
        if (hasAdminPolicy(adminPolicy, callerPackageName)) {
        if (hasAdminPolicy(adminPolicy, callerPackageName)
                && mInjector.userHandleGetCallingUserId() == targetUserId) {
            return;
        }
        enforcePermissions(permissions, callerPackageName, targetUserId);
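Review bot: The Javadoc above `enforcePermissions(String[] permissions, int adminPolicy, ...)` still describes only the permission path, while the new body returns early for an active admin holding `adminPolicy` only when `mInjector.userHandleGetCallingUserId() == targetUserId`; that same-user condition is the security-relevant part of this fix and belongs in the method's contract. Suggest adding before `@throws`: ` * An active admin that uses {@code adminPolicy} is exempt from the permission check only when acting on its own user; cross-user requests always fall through to {@link #enforcePermissions(String[], String, int)}.` and extending the `@throws` sentence to say the admin-policy exemption does not apply across users. In the following hunk, `hasAdminPolicy` now calls `getActiveAdminWithPolicyForUidLocked` from a method that shows no synchronization of its own; if that helper expects the service lock to be held, as the `Locked` suffix suggests, the callers of `hasAdminPolicy` should be checked for it — that hunk runs past the end of the page, so this is inferred from the visible lines only.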
@@ -23542,8 +23547,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    private boolean hasAdminPolicy(int adminPolicy, String callerPackageName) {
        CallerIdentity caller = getCallerIdentity(callerPackageName);
        ActiveAdmin deviceAdmin = getActiveAdminForCaller(null, caller);
        return deviceAdmin != null && deviceAdmin.info.usesPolicy(adminPolicy);
        ActiveAdmin deviceAdmin = getActiveAdminWithPolicyForUidLocked(
                null, adminPolicy, caller.getUid());
        return deviceAdmin != null;
    }
    /**