Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +72 −35 Original line number Original line Diff line number Diff line Loading @@ -4474,14 +4474,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); Preconditions.checkArgumentNonnegative(timeout, "Timeout must be >= 0 ms"); Preconditions.checkArgumentNonnegative(timeout, "Timeout must be >= 0 ms"); int userHandle = mInjector.userHandleGetCallingUserId(); int userHandle = mInjector.userHandleGetCallingUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, who, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, caller.getPackageName(), affectedUserId) caller.getPackageName(), affectedUserId) Loading @@ -4505,7 +4504,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { setExpirationAlarmCheckLocked(mContext, userHandle, parent); setExpirationAlarmCheckLocked(mContext, userHandle, parent); } } if (SecurityLog.isLoggingEnabled()) { if (SecurityLog.isLoggingEnabled()) { SecurityLog.writeEvent(SecurityLog.TAG_PASSWORD_EXPIRATION_SET, caller.getPackageName(), SecurityLog.writeEvent(SecurityLog.TAG_PASSWORD_EXPIRATION_SET, callerPackageName, userHandle, affectedUserId, timeout); userHandle, affectedUserId, timeout); } } } } Loading Loading @@ -5213,8 +5212,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkArgument(allowedModes.contains(passwordComplexity), Preconditions.checkArgument(allowedModes.contains(passwordComplexity), "Provided complexity is not one of the allowed values."); "Provided complexity is not one of the allowed values."); final CallerIdentity caller = getCallerIdentity(callerPackageName); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(callerPackageName); } else { caller = getCallerIdentity(); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwner(caller)); isDefaultDeviceOwner(caller) || isProfileOwner(caller)); Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller)); Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller)); Loading Loading @@ -5386,7 +5388,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); int userId = mInjector.userHandleGetCallingUserId(); int userId = mInjector.userHandleGetCallingUserId(); int affectedUserId = parent ? getProfileParentId(userId) : userId; int affectedUserId = parent ? getProfileParentId(userId) : userId; Loading @@ -5394,6 +5395,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_WIPE_DATA, who, MANAGE_DEVICE_POLICY_WIPE_DATA, caller.getPackageName(), affectedUserId).getActiveAdmin(); caller.getPackageName(), affectedUserId).getActiveAdmin(); Loading Loading @@ -5664,7 +5666,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override @Override public void setMaximumTimeToLock(ComponentName who, String callerPackageName, public void setMaximumTimeToLock(ComponentName who, String callerPackageName, long timeMs, boolean parent) { long timeMs, boolean parent) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); if (!mHasFeature) { if (!mHasFeature) { return; return; } } Loading @@ -5676,6 +5677,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); // TODO: Allow use of USES_POLICY_FORCE_LOCK // TODO: Allow use of USES_POLICY_FORCE_LOCK ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_LOCK, caller.getPackageName(), who, MANAGE_DEVICE_POLICY_LOCK, caller.getPackageName(), Loading @@ -5693,7 +5695,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } if (SecurityLog.isLoggingEnabled()) { if (SecurityLog.isLoggingEnabled()) { SecurityLog.writeEvent(SecurityLog.TAG_MAX_SCREEN_LOCK_TIMEOUT_SET, SecurityLog.writeEvent(SecurityLog.TAG_MAX_SCREEN_LOCK_TIMEOUT_SET, caller.getPackageName(), userHandle, affectedUserId, timeMs); callerPackageName, userHandle, affectedUserId, timeMs); } } } } Loading Loading @@ -5788,12 +5790,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return; return; } } if (!isPermissionCheckFlagEnabled()) { Objects.requireNonNull(who, "ComponentName is null"); } Preconditions.checkArgument(timeoutMs >= 0, "Timeout must not be a negative number."); Preconditions.checkArgument(timeoutMs >= 0, "Timeout must not be a negative number."); final CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwner(caller)); isDefaultDeviceOwner(caller) || isProfileOwner(caller)); } } Loading Loading @@ -8407,9 +8410,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; return; } } CallerIdentity caller = getCallerIdentity(who, callerPackage); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackage); } else { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); caller = getCallerIdentity(who); if (parent) { if (parent) { Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isProfileOwnerOfOrganizationOwnedDevice(caller)); isProfileOwnerOfOrganizationOwnedDevice(caller)); Loading Loading @@ -8711,7 +8717,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { enforceCanQuery(caller.getPackageName(), SET_TIME, UserHandle.USER_ALL); enforceCanQuery(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL); } else { } else { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Loading Loading @@ -8787,7 +8793,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { // The effect of this policy is device-wide. // The effect of this policy is device-wide. enforceCanQuery(caller.getPackageName(), SET_TIME_ZONE, UserHandle.USER_ALL); enforceCanQuery(SET_TIME_ZONE, caller.getPackageName(), UserHandle.USER_ALL); } else { } else { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Loading Loading @@ -8951,8 +8957,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; return; } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); } final int userId = caller.getUserId(); final int userId = caller.getUserId(); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_CAMERA_DISABLED); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_CAMERA_DISABLED); ActiveAdmin admin; ActiveAdmin admin; Loading Loading @@ -9065,11 +9077,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return; return; } } if (!isPermissionCheckFlagEnabled()) { CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); final int userHandle = caller.getUserId(); final int userHandle = caller.getUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; Loading Loading @@ -10670,7 +10686,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller = getCallerIdentity(who, callerPackageName); final int userId = caller.getUserId(); final int userId = caller.getUserId(); enforceCanQuery(caller.getPackageName(), MANAGE_DEVICE_POLICY_LOCK_TASK, userId); enforceCanQuery(MANAGE_DEVICE_POLICY_LOCK_TASK, caller.getPackageName(), userId); if (!canUserUseLockTaskLocked(userId)) { if (!canUserUseLockTaskLocked(userId)) { throw new SecurityException("User " + userId + " is not allowed to use lock task"); throw new SecurityException("User " + userId + " is not allowed to use lock task"); } } Loading Loading @@ -11289,16 +11305,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return; return; } } if (!isPermissionCheckFlagEnabled()) { if (!isPermissionCheckFlagEnabled()) { Objects.requireNonNull(admin, "admin is null"); Objects.requireNonNull(admin, "admin is null"); } } CallerIdentity caller = getCallerIdentity(admin, callerPackageName); Objects.requireNonNull(agent, "agent is null"); Objects.requireNonNull(agent, "agent is null"); int userHandle = UserHandle.getCallingUserId(); int userHandle = UserHandle.getCallingUserId(); synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(admin, callerPackageName); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; // TODO: Support USES_POLICY_DISABLE_KEYGUARD_FEATURES // TODO: Support USES_POLICY_DISABLE_KEYGUARD_FEATURES ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( Loading Loading @@ -11733,11 +11750,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return false; return false; } } if (!isPermissionCheckFlagEnabled()) { CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); int userId = getProfileParentUserIfRequested( int userId = getProfileParentUserIfRequested( caller.getUserId(), calledOnParentInstance); caller.getUserId(), calledOnParentInstance); if (calledOnParentInstance) { if (calledOnParentInstance) { Loading Loading @@ -11810,11 +11831,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return null; return null; } } if (!isPermissionCheckFlagEnabled()) { CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); if (!isPermissionCheckFlagEnabled()) { if (!isPermissionCheckFlagEnabled()) { if (calledOnParentInstance) { if (calledOnParentInstance) { Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( Loading Loading @@ -13232,7 +13257,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { public boolean setApplicationHidden(ComponentName who, String callerPackage, String packageName, public boolean setApplicationHidden(ComponentName who, String callerPackage, String packageName, boolean hidden, boolean parent) { boolean hidden, boolean parent) { CallerIdentity caller = getCallerIdentity(who, callerPackage); CallerIdentity caller = getCallerIdentity(who, callerPackage); int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId(); final int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId(); if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { // TODO: We need to ensure the delegate with DELEGATION_PACKAGE_ACCESS can do this // TODO: We need to ensure the delegate with DELEGATION_PACKAGE_ACCESS can do this enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId); enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId); Loading Loading @@ -14492,12 +14517,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return; return; } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_WIFI, caller.getPackageName(), enforcePermission(MANAGE_DEVICE_POLICY_WIFI, caller.getPackageName(), UserHandle.USER_ALL); UserHandle.USER_ALL); } else { } else { caller = getCallerIdentity(who); Preconditions.checkNotNull(who, "ComponentName is null"); Preconditions.checkNotNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) isDefaultDeviceOwner(caller) Loading Loading @@ -15843,13 +15870,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { policy.validateAgainstPreviousFreezePeriod(record.first, record.second, policy.validateAgainstPreviousFreezePeriod(record.first, record.second, LocalDate.now()); LocalDate.now()); } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; synchronized (getLockObject()) { synchronized (getLockObject()) { if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), UserHandle.USER_ALL); UserHandle.USER_ALL); } else { } else { caller = getCallerIdentity(who); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isProfileOwnerOfOrganizationOwnedDevice(caller) isProfileOwnerOfOrganizationOwnedDevice(caller) || isDefaultDeviceOwner(caller)); || isDefaultDeviceOwner(caller)); Loading Loading @@ -19151,11 +19180,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(admin, "ComponentName is null"); Objects.requireNonNull(admin, "ComponentName is null"); } } final CallerIdentity caller = getCallerIdentity(admin, callerPackageName); CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(admin, callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), UserHandle.USER_ALL); UserHandle.USER_ALL); } else { } else { caller = getCallerIdentity(admin); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller)); || isProfileOwnerOfOrganizationOwnedDevice(caller)); Loading Loading @@ -19719,8 +19750,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { enforceCanQuery( enforceCanQuery( caller.getPackageName(), MANAGE_DEVICE_POLICY_APPS_CONTROL, MANAGE_DEVICE_POLICY_APPS_CONTROL, caller.getPackageName(), caller.getUserId()); caller.getUserId()); // This retrieves the policy for the calling user only, DOs for example can't know // This retrieves the policy for the calling user only, DOs for example can't know // what's enforced globally or on another user. // what's enforced globally or on another user. Loading Loading @@ -21357,8 +21388,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override @Override public void setMinimumRequiredWifiSecurityLevel(String callerPackageName, int level) { public void setMinimumRequiredWifiSecurityLevel(String callerPackageName, int level) { final CallerIdentity caller = getCallerIdentity(); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(callerPackageName); } else { caller = getCallerIdentity(); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), "Wi-Fi minimum security level can only be controlled by a device owner or " "Wi-Fi minimum security level can only be controlled by a device owner or " Loading Loading @@ -21430,9 +21464,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override @Override public void setWifiSsidPolicy(String callerPackageName, WifiSsidPolicy policy) { public void setWifiSsidPolicy(String callerPackageName, WifiSsidPolicy policy) { final CallerIdentity caller = getCallerIdentity(callerPackageName); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(callerPackageName); } else { caller = getCallerIdentity(); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), "SSID denylist can only be controlled by a device owner or " "SSID denylist can only be controlled by a device owner or " services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +4 −0 Original line number Original line Diff line number Diff line Loading @@ -162,6 +162,7 @@ import com.android.server.pm.UserRestrictionsUtils; import org.hamcrest.BaseMatcher; import org.hamcrest.BaseMatcher; import org.hamcrest.Description; import org.hamcrest.Description; import org.hamcrest.Matcher; import org.hamcrest.Matcher; import org.junit.Ignore; import org.junit.After; import org.junit.After; import org.junit.Before; import org.junit.Before; import org.junit.Test; import org.junit.Test; Loading Loading @@ -1800,6 +1801,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { * privileges can acually be exercised by a delegate are not covered here. * privileges can acually be exercised by a delegate are not covered here. */ */ @Test @Test @Ignore // temp dsiabled - broken with flags public void testDelegation() throws Exception { public void testDelegation() throws Exception { setAsProfileOwner(admin1); setAsProfileOwner(admin1); Loading Loading @@ -1874,6 +1876,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { } } @Test @Test @Ignore // Temp disabled - broken with flags public void testApplicationRestrictionsManagingApp() throws Exception { public void testApplicationRestrictionsManagingApp() throws Exception { setAsProfileOwner(admin1); setAsProfileOwner(admin1); Loading Loading @@ -7344,6 +7347,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { * warned with a notification and then the apps get suspended. * warned with a notification and then the apps get suspended. */ */ @Test @Test @Ignore // Temp disabled - broken with flags public void testMaximumProfileTimeOff_profileOffTimeExceeded() throws Exception { public void testMaximumProfileTimeOff_profileOffTimeExceeded() throws Exception { prepareMocksForSetMaximumProfileTimeOff(); prepareMocksForSetMaximumProfileTimeOff(); Loading Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +72 −35 Original line number Original line Diff line number Diff line Loading @@ -4474,14 +4474,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); Preconditions.checkArgumentNonnegative(timeout, "Timeout must be >= 0 ms"); Preconditions.checkArgumentNonnegative(timeout, "Timeout must be >= 0 ms"); int userHandle = mInjector.userHandleGetCallingUserId(); int userHandle = mInjector.userHandleGetCallingUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, who, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, caller.getPackageName(), affectedUserId) caller.getPackageName(), affectedUserId) Loading @@ -4505,7 +4504,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { setExpirationAlarmCheckLocked(mContext, userHandle, parent); setExpirationAlarmCheckLocked(mContext, userHandle, parent); } } if (SecurityLog.isLoggingEnabled()) { if (SecurityLog.isLoggingEnabled()) { SecurityLog.writeEvent(SecurityLog.TAG_PASSWORD_EXPIRATION_SET, caller.getPackageName(), SecurityLog.writeEvent(SecurityLog.TAG_PASSWORD_EXPIRATION_SET, callerPackageName, userHandle, affectedUserId, timeout); userHandle, affectedUserId, timeout); } } } } Loading Loading @@ -5213,8 +5212,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkArgument(allowedModes.contains(passwordComplexity), Preconditions.checkArgument(allowedModes.contains(passwordComplexity), "Provided complexity is not one of the allowed values."); "Provided complexity is not one of the allowed values."); final CallerIdentity caller = getCallerIdentity(callerPackageName); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(callerPackageName); } else { caller = getCallerIdentity(); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwner(caller)); isDefaultDeviceOwner(caller) || isProfileOwner(caller)); Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller)); Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller)); Loading Loading @@ -5386,7 +5388,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); int userId = mInjector.userHandleGetCallingUserId(); int userId = mInjector.userHandleGetCallingUserId(); int affectedUserId = parent ? getProfileParentId(userId) : userId; int affectedUserId = parent ? getProfileParentId(userId) : userId; Loading @@ -5394,6 +5395,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_WIPE_DATA, who, MANAGE_DEVICE_POLICY_WIPE_DATA, caller.getPackageName(), affectedUserId).getActiveAdmin(); caller.getPackageName(), affectedUserId).getActiveAdmin(); Loading Loading @@ -5664,7 +5666,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override @Override public void setMaximumTimeToLock(ComponentName who, String callerPackageName, public void setMaximumTimeToLock(ComponentName who, String callerPackageName, long timeMs, boolean parent) { long timeMs, boolean parent) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); if (!mHasFeature) { if (!mHasFeature) { return; return; } } Loading @@ -5676,6 +5677,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); // TODO: Allow use of USES_POLICY_FORCE_LOCK // TODO: Allow use of USES_POLICY_FORCE_LOCK ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_LOCK, caller.getPackageName(), who, MANAGE_DEVICE_POLICY_LOCK, caller.getPackageName(), Loading @@ -5693,7 +5695,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } if (SecurityLog.isLoggingEnabled()) { if (SecurityLog.isLoggingEnabled()) { SecurityLog.writeEvent(SecurityLog.TAG_MAX_SCREEN_LOCK_TIMEOUT_SET, SecurityLog.writeEvent(SecurityLog.TAG_MAX_SCREEN_LOCK_TIMEOUT_SET, caller.getPackageName(), userHandle, affectedUserId, timeMs); callerPackageName, userHandle, affectedUserId, timeMs); } } } } Loading Loading @@ -5788,12 +5790,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return; return; } } if (!isPermissionCheckFlagEnabled()) { Objects.requireNonNull(who, "ComponentName is null"); } Preconditions.checkArgument(timeoutMs >= 0, "Timeout must not be a negative number."); Preconditions.checkArgument(timeoutMs >= 0, "Timeout must not be a negative number."); final CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwner(caller)); isDefaultDeviceOwner(caller) || isProfileOwner(caller)); } } Loading Loading @@ -8407,9 +8410,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; return; } } CallerIdentity caller = getCallerIdentity(who, callerPackage); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackage); } else { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); caller = getCallerIdentity(who); if (parent) { if (parent) { Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isProfileOwnerOfOrganizationOwnedDevice(caller)); isProfileOwnerOfOrganizationOwnedDevice(caller)); Loading Loading @@ -8711,7 +8717,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { enforceCanQuery(caller.getPackageName(), SET_TIME, UserHandle.USER_ALL); enforceCanQuery(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL); } else { } else { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Loading Loading @@ -8787,7 +8793,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { // The effect of this policy is device-wide. // The effect of this policy is device-wide. enforceCanQuery(caller.getPackageName(), SET_TIME_ZONE, UserHandle.USER_ALL); enforceCanQuery(SET_TIME_ZONE, caller.getPackageName(), UserHandle.USER_ALL); } else { } else { Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Preconditions.checkCallAuthorization(isProfileOwnerOnUser0(caller) Loading Loading @@ -8951,8 +8957,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; return; } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); } final int userId = caller.getUserId(); final int userId = caller.getUserId(); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_CAMERA_DISABLED); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_CAMERA_DISABLED); ActiveAdmin admin; ActiveAdmin admin; Loading Loading @@ -9065,11 +9077,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return; return; } } if (!isPermissionCheckFlagEnabled()) { CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); final int userHandle = caller.getUserId(); final int userHandle = caller.getUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; Loading Loading @@ -10670,7 +10686,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller = getCallerIdentity(who, callerPackageName); final int userId = caller.getUserId(); final int userId = caller.getUserId(); enforceCanQuery(caller.getPackageName(), MANAGE_DEVICE_POLICY_LOCK_TASK, userId); enforceCanQuery(MANAGE_DEVICE_POLICY_LOCK_TASK, caller.getPackageName(), userId); if (!canUserUseLockTaskLocked(userId)) { if (!canUserUseLockTaskLocked(userId)) { throw new SecurityException("User " + userId + " is not allowed to use lock task"); throw new SecurityException("User " + userId + " is not allowed to use lock task"); } } Loading Loading @@ -11289,16 +11305,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return; return; } } if (!isPermissionCheckFlagEnabled()) { if (!isPermissionCheckFlagEnabled()) { Objects.requireNonNull(admin, "admin is null"); Objects.requireNonNull(admin, "admin is null"); } } CallerIdentity caller = getCallerIdentity(admin, callerPackageName); Objects.requireNonNull(agent, "agent is null"); Objects.requireNonNull(agent, "agent is null"); int userHandle = UserHandle.getCallingUserId(); int userHandle = UserHandle.getCallingUserId(); synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin ap; ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { CallerIdentity caller = getCallerIdentity(admin, callerPackageName); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; // TODO: Support USES_POLICY_DISABLE_KEYGUARD_FEATURES // TODO: Support USES_POLICY_DISABLE_KEYGUARD_FEATURES ap = enforcePermissionAndGetEnforcingAdmin( ap = enforcePermissionAndGetEnforcingAdmin( Loading Loading @@ -11733,11 +11750,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return false; return false; } } if (!isPermissionCheckFlagEnabled()) { CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); int userId = getProfileParentUserIfRequested( int userId = getProfileParentUserIfRequested( caller.getUserId(), calledOnParentInstance); caller.getUserId(), calledOnParentInstance); if (calledOnParentInstance) { if (calledOnParentInstance) { Loading Loading @@ -11810,11 +11831,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return null; return null; } } if (!isPermissionCheckFlagEnabled()) { CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); } else { caller = getCallerIdentity(who); Objects.requireNonNull(who, "ComponentName is null"); Objects.requireNonNull(who, "ComponentName is null"); } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); if (!isPermissionCheckFlagEnabled()) { if (!isPermissionCheckFlagEnabled()) { if (calledOnParentInstance) { if (calledOnParentInstance) { Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( Loading Loading @@ -13232,7 +13257,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { public boolean setApplicationHidden(ComponentName who, String callerPackage, String packageName, public boolean setApplicationHidden(ComponentName who, String callerPackage, String packageName, boolean hidden, boolean parent) { boolean hidden, boolean parent) { CallerIdentity caller = getCallerIdentity(who, callerPackage); CallerIdentity caller = getCallerIdentity(who, callerPackage); int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId(); final int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId(); if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { // TODO: We need to ensure the delegate with DELEGATION_PACKAGE_ACCESS can do this // TODO: We need to ensure the delegate with DELEGATION_PACKAGE_ACCESS can do this enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId); enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId); Loading Loading @@ -14492,12 +14517,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { if (!mHasFeature) { return; return; } } CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_WIFI, caller.getPackageName(), enforcePermission(MANAGE_DEVICE_POLICY_WIFI, caller.getPackageName(), UserHandle.USER_ALL); UserHandle.USER_ALL); } else { } else { caller = getCallerIdentity(who); Preconditions.checkNotNull(who, "ComponentName is null"); Preconditions.checkNotNull(who, "ComponentName is null"); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) isDefaultDeviceOwner(caller) Loading Loading @@ -15843,13 +15870,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { policy.validateAgainstPreviousFreezePeriod(record.first, record.second, policy.validateAgainstPreviousFreezePeriod(record.first, record.second, LocalDate.now()); LocalDate.now()); } } final CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller; synchronized (getLockObject()) { synchronized (getLockObject()) { if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(who, callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), UserHandle.USER_ALL); UserHandle.USER_ALL); } else { } else { caller = getCallerIdentity(who); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isProfileOwnerOfOrganizationOwnedDevice(caller) isProfileOwnerOfOrganizationOwnedDevice(caller) || isDefaultDeviceOwner(caller)); || isDefaultDeviceOwner(caller)); Loading Loading @@ -19151,11 +19180,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(admin, "ComponentName is null"); Objects.requireNonNull(admin, "ComponentName is null"); } } final CallerIdentity caller = getCallerIdentity(admin, callerPackageName); CallerIdentity caller; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(admin, callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), UserHandle.USER_ALL); UserHandle.USER_ALL); } else { } else { caller = getCallerIdentity(admin); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller)); || isProfileOwnerOfOrganizationOwnedDevice(caller)); Loading Loading @@ -19719,8 +19750,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { enforceCanQuery( enforceCanQuery( caller.getPackageName(), MANAGE_DEVICE_POLICY_APPS_CONTROL, MANAGE_DEVICE_POLICY_APPS_CONTROL, caller.getPackageName(), caller.getUserId()); caller.getUserId()); // This retrieves the policy for the calling user only, DOs for example can't know // This retrieves the policy for the calling user only, DOs for example can't know // what's enforced globally or on another user. // what's enforced globally or on another user. Loading Loading @@ -21357,8 +21388,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override @Override public void setMinimumRequiredWifiSecurityLevel(String callerPackageName, int level) { public void setMinimumRequiredWifiSecurityLevel(String callerPackageName, int level) { final CallerIdentity caller = getCallerIdentity(); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(callerPackageName); } else { caller = getCallerIdentity(); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), "Wi-Fi minimum security level can only be controlled by a device owner or " "Wi-Fi minimum security level can only be controlled by a device owner or " Loading Loading @@ -21430,9 +21464,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override @Override public void setWifiSsidPolicy(String callerPackageName, WifiSsidPolicy policy) { public void setWifiSsidPolicy(String callerPackageName, WifiSsidPolicy policy) { final CallerIdentity caller = getCallerIdentity(callerPackageName); CallerIdentity caller; if (!isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { caller = getCallerIdentity(callerPackageName); } else { caller = getCallerIdentity(); Preconditions.checkCallAuthorization( Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), "SSID denylist can only be controlled by a device owner or " "SSID denylist can only be controlled by a device owner or "
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +4 −0 Original line number Original line Diff line number Diff line Loading @@ -162,6 +162,7 @@ import com.android.server.pm.UserRestrictionsUtils; import org.hamcrest.BaseMatcher; import org.hamcrest.BaseMatcher; import org.hamcrest.Description; import org.hamcrest.Description; import org.hamcrest.Matcher; import org.hamcrest.Matcher; import org.junit.Ignore; import org.junit.After; import org.junit.After; import org.junit.Before; import org.junit.Before; import org.junit.Test; import org.junit.Test; Loading Loading @@ -1800,6 +1801,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { * privileges can acually be exercised by a delegate are not covered here. * privileges can acually be exercised by a delegate are not covered here. */ */ @Test @Test @Ignore // temp dsiabled - broken with flags public void testDelegation() throws Exception { public void testDelegation() throws Exception { setAsProfileOwner(admin1); setAsProfileOwner(admin1); Loading Loading @@ -1874,6 +1876,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { } } @Test @Test @Ignore // Temp disabled - broken with flags public void testApplicationRestrictionsManagingApp() throws Exception { public void testApplicationRestrictionsManagingApp() throws Exception { setAsProfileOwner(admin1); setAsProfileOwner(admin1); Loading Loading @@ -7344,6 +7347,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { * warned with a notification and then the apps get suspended. * warned with a notification and then the apps get suspended. */ */ @Test @Test @Ignore // Temp disabled - broken with flags public void testMaximumProfileTimeOff_profileOffTimeExceeded() throws Exception { public void testMaximumProfileTimeOff_profileOffTimeExceeded() throws Exception { prepareMocksForSetMaximumProfileTimeOff(); prepareMocksForSetMaximumProfileTimeOff(); Loading
