
Commit 804e73f6 authored by Salud Lemus's avatar Salud Lemus

Permit access to certain get APIs for financed device owner

Permitting access will be useful when writing the CTS tests.

Bug: 216852998
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest

Change-Id: I8113fcbc0eadb8af783b2dfe5aad96b194f5c014
parent acdb2f28
+19 −1
@@ -463,7 +463,9 @@ public class DevicePolicyManager {
     * <li>{@link #setUserControlDisabledPackages(ComponentName, List)}</li>
     * <li>{@link #getUserControlDisabledPackages(ComponentName)}</li>
     * <li>{@link #setOrganizationName(ComponentName, CharSequence)}</li>
     * <li>{@link #getOrganizationName(ComponentName)} </li>
     * <li>{@link #setShortSupportMessage(ComponentName, CharSequence)}</li>
     * <li>{@link #getShortSupportMessage(ComponentName)}</li>
     * <li>{@link #isBackupServiceEnabled(ComponentName)}</li>
     * <li>{@link #setBackupServiceEnabled(ComponentName, boolean)}</li>
     * <li>{@link #isLockTaskPermitted(String)}</li>
@@ -476,7 +478,9 @@ public class DevicePolicyManager {
     *     <li>{@link #LOCK_TASK_FEATURE_GLOBAL_ACTIONS}</li>
     *     <li>{@link #LOCK_TASK_FEATURE_NOTIFICATIONS}</li>
     * </ul>
     * <li>{@link #getLockTaskFeatures(ComponentName)}</li>
     * <li>{@link #setLockTaskPackages(ComponentName, String[])}</li>
     * <li>{@link #getLockTaskPackages(ComponentName)}</li>
     * <li>{@link #addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName)}</li>
     * <li>{@link #clearPackagePersistentPreferredActivities(ComponentName, String)} </li>
     * <li>{@link #wipeData(int)}</li>
@@ -487,6 +491,10 @@ public class DevicePolicyManager {
     * {@link #PERMISSION_GRANT_STATE_GRANTED}, {@link #PERMISSION_GRANT_STATE_DENIED}, or
     * {@link #PERMISSION_GRANT_STATE_DEFAULT} and can <b>only</b> be applied to the device admin
     * app (otherwise a {@link SecurityException} will be thrown)</li>
     * <li>{@link #getPermissionGrantState(ComponentName, String, String)}, where
     * {@link permission#READ_PHONE_STATE} is the <b>only</b> permission that can be
     * used and device admin app is the only package that can be used to retrieve the permission
     * permission grant state for (otherwise a {@link SecurityException} will be thrown)</li>
     * <li>{@link #addUserRestriction(ComponentName, String)}, where the following user restrictions
     * are permitted (otherwise a {@link SecurityException} will be thrown):</li>
     * <ul>
@@ -497,7 +505,17 @@ public class DevicePolicyManager {
     *     <li>{@link UserManager#DISALLOW_CONFIG_DATE_TIME}</li>
     *     <li>{@link UserManager#DISALLOW_OUTGOING_CALLS}</li>
     * </ul>
     * <li>{@link #clearUserRestriction(ComponentName, String)}</li>
     * <li>{@link #getUserRestrictions(ComponentName)}</li>
     * <li>{@link #clearUserRestriction(ComponentName, String)}, where the following user
     * restrictions are permitted (otherwise a {@link SecurityException} will be thrown):</li>
     * <ul>
     *     <li>{@link UserManager#DISALLOW_ADD_USER}</li>
     *     <li>{@link UserManager#DISALLOW_DEBUGGING_FEATURES}</li>
     *     <li>{@link UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES}</li>
     *     <li>{@link UserManager#DISALLOW_SAFE_BOOT}</li>
     *     <li>{@link UserManager#DISALLOW_CONFIG_DATE_TIME}</li>
     *     <li>{@link UserManager#DISALLOW_OUTGOING_CALLS}</li>
     * </ul>
     * </ul>
     *
     * @hide
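Review bot: The new `getPermissionGrantState` entry in the financed-device-owner list ends with "retrieve the permission permission grant state for", with "permission" doubled across the line break. I would reword the clause as `used and the device admin app is the only package whose permission grant state can be retrieved (otherwise a {@link SecurityException} will be thrown)</li>`. The list also now documents `clearUserRestriction` as limited to six named restrictions. The service-side check for that limit is not in the hunks shown on this page, so it is worth confirming the Javadoc matches what is actually enforced. The Javadoc block itself starts above the first hunk.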
+12 −7
@@ -11600,6 +11600,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller)
                || isFinancedDeviceOwner(caller)
                || isProfileOwner(caller)
                || (parent && isProfileOwnerOfOrganizationOwnedDevice(caller)));
@@ -13975,7 +13976,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        synchronized (getLockObject()) {
            if (isFinancedDeviceOwner(caller)) {
                enforceCanSetPermissionGrantOnFinancedDevice(packageName, permission);
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            long ident = mInjector.binderClearCallingIdentity();
            try {
@@ -14036,14 +14037,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
    }
    private void enforceCanSetPermissionGrantOnFinancedDevice(
    private void enforcePermissionGrantStateOnFinancedDevice(
            String packageName, String permission) {
        if (!Manifest.permission.READ_PHONE_STATE.equals(permission)) {
            throw new SecurityException("Cannot grant " + permission
                    + " when managing a financed device");
            throw new SecurityException(permission + " cannot be used when managing a financed"
                    + " device for permission grant state");
        } else if (!mOwners.getDeviceOwnerPackageName().equals(packageName)) {
            throw new SecurityException("Cannot grant permission to a package that is not"
                    + " the device owner");
            throw new SecurityException("Device owner package is the only package that can be used"
                    + " for permission grant state when managing a financed device");
        }
    }
@@ -14052,10 +14053,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            String packageName, String permission) throws RemoteException {
        final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
        Preconditions.checkCallAuthorization(isSystemUid(caller) || (caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)))
                && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)
                || isFinancedDeviceOwner(caller)))
                || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_PERMISSION_GRANT)));
        synchronized (getLockObject()) {
            if (isFinancedDeviceOwner(caller)) {
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            return mInjector.binderWithCleanCallingIdentity(() -> {
                int granted;
                if (getTargetSdk(caller.getPackageName(), caller.getUserId())
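Review bot: The `READ_PHONE_STATE` and device-owner-package restriction in `getPermissionGrantState` runs only when `isFinancedDeviceOwner(caller)` is true, while the authorization above it also admits a `DELEGATION_PERMISSION_GRANT` delegate. If a financed device owner can appoint such a delegate (not visible on this page), the delegate's calls would skip `enforcePermissionGrantStateOnFinancedDevice`; the same shape appears in the set path in the hunk at -13975. Either key the check on the device being financed rather than on the caller, or record the assumption next to the check, e.g. `// Delegates are not subject to this check; relies on financed DOs being unable to set delegated scopes.` The method body continues below the hunk.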
+26 −0
@@ -7789,6 +7789,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {

                verify(getServices().userManagerInternal, never())
                        .setDevicePolicyUserRestrictions(anyInt(), any(), any(), anyBoolean());
                DpmTestUtils.assertRestrictions(new Bundle(), dpm.getUserRestrictions(admin1));
            }
        }
    }
@@ -7820,6 +7821,9 @@ public class DevicePolicyManagerTest extends DpmTestBase {
                                eq(true));
                reset(getServices().userManagerInternal);

                DpmTestUtils.assertRestrictions(DpmTestUtils.newRestrictions(restriction),
                        dpm.getUserRestrictions(admin1));

                dpm.clearUserRestriction(admin1, restriction);
                reset(getServices().userManagerInternal);
            }
@@ -8065,6 +8069,28 @@ public class DevicePolicyManagerTest extends DpmTestBase {
                        DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED));
    }

    @Test
    public void testGetPermissionGrantState_financeDo_notReadPhoneStatePermission_throwsException()
            throws Exception {
        setDeviceOwner();
        dpm.setDeviceOwnerType(admin1, DEVICE_OWNER_TYPE_FINANCED);

        assertExpectException(SecurityException.class, /* messageRegex= */ null,
                () -> dpm.getPermissionGrantState(admin1, admin1.getPackageName(),
                        permission.READ_CALENDAR));
    }

    @Test
    public void testGetPermissionGrantState_financeDo_notDeviceOwnerPackage_throwsException()
            throws Exception {
        setDeviceOwner();
        dpm.setDeviceOwnerType(admin1, DEVICE_OWNER_TYPE_FINANCED);

        assertExpectException(SecurityException.class, /* messageRegex= */ null,
                () -> dpm.getPermissionGrantState(admin1, "com.android.foo.package",
                        permission.READ_PHONE_STATE));
    }

    @Test
    public void testSetUsbDataSignalingEnabled_noDeviceOwnerOrPoOfOrgOwnedDevice() {
        assertThrows(SecurityException.class,
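Review bot: Both new `testGetPermissionGrantState_financeDo_*` tests pass `/* messageRegex= */ null`, so they succeed on any `SecurityException`, including one thrown by `checkCallAuthorization` rejecting the financed owner outright. They would therefore still pass if the `isFinancedDeviceOwner(caller)` clause were missing from the authorization check. Passing a regex tied to the new messages, for example `".*cannot be used when managing a financed device.*"` for the first test and `"Device owner package is the only package.*"` for the second, would pin the failure to `enforcePermissionGrantStateOnFinancedDevice`. A positive case (financed owner, its own package, `READ_PHONE_STATE`, no exception) would cover the access this commit actually opens.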