Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +103 −31 Original line number Original line Diff line number Diff line Loading @@ -11051,17 +11051,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return true; return true; } } private void enforceCanCallLockTaskLocked(CallerIdentity caller) { Preconditions.checkCallAuthorization(isProfileOwner(caller) || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller)); final int userId = caller.getUserId(); if (!canUserUseLockTaskLocked(userId)) { throw new SecurityException("User " + userId + " is not allowed to use lock task"); } } private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) { private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller = getCallerIdentity(who, callerPackageName); final int userId = caller.getUserId(); final int userId = caller.getUserId(); Loading Loading @@ -11089,6 +11078,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return enforcingAdmin; return enforcingAdmin; } } private void enforceCanCallLockTaskLocked(CallerIdentity caller) { Preconditions.checkCallAuthorization(isProfileOwner(caller) || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller)); final int userId = caller.getUserId(); if (!canUserUseLockTaskLocked(userId)) { throw new SecurityException("User " + userId + " is not allowed to use lock task"); } } private boolean isSystemUid(CallerIdentity caller) { private boolean isSystemUid(CallerIdentity caller) { return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID); return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID); } } Loading Loading 
@@ -14679,7 +14678,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isPolicyEngineForFinanceFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled()) { EnforcingAdmin enforcingAdmin; EnforcingAdmin enforcingAdmin; synchronized (getLockObject()) { synchronized (getLockObject()) { enforcingAdmin = enforceCanCallLockTaskLocked(who, callerPackageName); enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName()); } } if (packages.length == 0) { if (packages.length == 0) { mDevicePolicyEngine.removeLocalPolicy( mDevicePolicyEngine.removeLocalPolicy( Loading Loading @@ -14806,8 +14805,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isPolicyEngineForFinanceFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled()) { EnforcingAdmin enforcingAdmin; EnforcingAdmin enforcingAdmin; synchronized (getLockObject()) { synchronized (getLockObject()) { enforcingAdmin = enforceCanCallLockTaskLocked(who, enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName()); callerPackageName); enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags); enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags); } } LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin( LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin( Loading Loading 
@@ -22516,11 +22514,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { "manage_device_policy_microphone_toggle"; "manage_device_policy_microphone_toggle"; // DPC types // DPC types private static final int NOT_A_DPC = -1; private static final int DEFAULT_DEVICE_OWNER = 0; private static final int DEFAULT_DEVICE_OWNER = 0; private static final int FINANCED_DEVICE_OWNER = 1; private static final int FINANCED_DEVICE_OWNER = 1; private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2; private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2; private static final int PROFILE_OWNER_ON_USER_0 = 3; private static final int PROFILE_OWNER_ON_USER_0 = 3; private static final int PROFILE_OWNER = 4; private static final int PROFILE_OWNER = 4; private static final int PROFILE_OWNER_ON_USER = 5; private static final int AFFILIATED_PROFILE_OWNER_ON_USER = 6; // DPC types @IntDef(value = { NOT_A_DPC, DEFAULT_DEVICE_OWNER, FINANCED_DEVICE_OWNER, PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, PROFILE_OWNER_ON_USER_0, PROFILE_OWNER, PROFILE_OWNER_ON_USER, AFFILIATED_PROFILE_OWNER_ON_USER }) private @interface DpcType {} // Permissions of existing DPC types. // Permissions of existing DPC types. private static final List<String> DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of( private static final List<String> DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of( Loading Loading @@ -22674,7 +22687,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { SET_TIME_ZONE SET_TIME_ZONE ); ); /** * All the additional permissions granted to a Profile Owner on user 0. */ private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS = private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS = List.of( List.of( MANAGE_DEVICE_POLICY_AIRPLANE_MODE, MANAGE_DEVICE_POLICY_AIRPLANE_MODE, Loading 
@@ -22698,6 +22713,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { SET_TIME_ZONE SET_TIME_ZONE ); ); /** * All the additional permissions granted to a Profile Owner on an unaffiliated user. */ private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS = List.of( MANAGE_DEVICE_POLICY_LOCK_TASK ); /** * All the additional permissions granted to a Profile Owner on an affiliated user. */ private static final List<String> ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS = List.of(); /** /** * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}. * {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}. Loading @@ -22712,6 +22741,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { private static final List<String> PROFILE_OWNER_ON_USER_0_PERMISSIONS = private static final List<String> PROFILE_OWNER_ON_USER_0_PERMISSIONS = new ArrayList(); new ArrayList(); /** * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * {@link ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS}. */ private static final List<String> AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS = new ArrayList(); /** * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * {@link ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS}. */ private static final List<String> PROFILE_OWNER_ON_USER_PERMISSIONS = new ArrayList(); private static final HashMap<Integer, List<String>> DPC_PERMISSIONS = new HashMap<>(); private static final HashMap<Integer, List<String>> DPC_PERMISSIONS = new HashMap<>(); { { Loading 
@@ -22724,6 +22767,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // some extra permissions. // some extra permissions. PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS); PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS); PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS); PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS); // Profile owners on users have all the permission of a profile owner plus // some extra permissions. PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS); PROFILE_OWNER_ON_USER_PERMISSIONS.addAll( ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS); // Profile owners on affiliated users have all the permission of a profile owner on a user // plus some extra permissions. AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_ON_USER_PERMISSIONS); AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll( ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS); DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS); Loading 
@@ -22731,6 +22784,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS); PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER, PROFILE_OWNER_ON_USER_PERMISSIONS); DPC_PERMISSIONS.put(AFFILIATED_PROFILE_OWNER_ON_USER, AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS); } } //Map of Permission to Delegate Scope. //Map of Permission to Delegate Scope. private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>(); private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>(); Loading Loading 
@@ -23108,22 +23164,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) { if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) { return true; return true; } } // Check the permissions of DPCs int dpcType = getDpcType(caller); if (isDefaultDeviceOwner(caller)) { if (dpcType != NOT_A_DPC) { return DPC_PERMISSIONS.get(DEFAULT_DEVICE_OWNER).contains(permission); return DPC_PERMISSIONS.get(dpcType).contains(permission); } if (isFinancedDeviceOwner(caller)) { return DPC_PERMISSIONS.get(FINANCED_DEVICE_OWNER).contains(permission); } if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { return DPC_PERMISSIONS.get(PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE).contains( permission); } if (isProfileOwnerOnUser0(caller)) { return DPC_PERMISSIONS.get(PROFILE_OWNER_ON_USER_0).contains(permission); } if (isProfileOwner(caller)) { return DPC_PERMISSIONS.get(PROFILE_OWNER).contains(permission); } } // Check the permission for the role-holder // Check the permission for the role-holder if (isCallerDevicePolicyManagementRoleHolder(caller)) { if (isCallerDevicePolicyManagementRoleHolder(caller)) { Loading Loading 
@@ -23193,6 +23236,35 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return calledOnParent ? getProfileParentId(callingUserId) : callingUserId; return calledOnParent ? getProfileParentId(callingUserId) : callingUserId; } } /** * Return the DPC type of the given caller. */ private @DpcType int getDpcType(CallerIdentity caller) { // Check the permissions of DPCs if (isDefaultDeviceOwner(caller)) { return DEFAULT_DEVICE_OWNER; } if (isFinancedDeviceOwner(caller)) { return FINANCED_DEVICE_OWNER; } if (isProfileOwner(caller)) { if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { return PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE; } if (isManagedProfile(caller.getUserId())) { return PROFILE_OWNER; } if (isProfileOwnerOnUser0(caller)) { return PROFILE_OWNER_ON_USER_0; } if (isUserAffiliatedWithDevice(caller.getUserId())) { return AFFILIATED_PROFILE_OWNER_ON_USER; } return PROFILE_OWNER_ON_USER; } return NOT_A_DPC; } private boolean isPermissionCheckFlagEnabled() { private boolean isPermissionCheckFlagEnabled() { return DeviceConfig.getBoolean( return DeviceConfig.getBoolean( NAMESPACE_DEVICE_POLICY_MANAGER, NAMESPACE_DEVICE_POLICY_MANAGER, Loading
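Review bot: `ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS` gives `MANAGE_DEVICE_POLICY_LOCK_TASK` to what its Javadoc calls a profile owner on an unaffiliated user, and `getDpcType` returns `PROFILE_OWNER_ON_USER` as the fall-through for every profile owner that matches no earlier branch, so the least-constrained DPC type gains lock-task permission from the table alone. The single-argument `enforceCanCallLockTaskLocked(CallerIdentity)` also requires `canUserUseLockTaskLocked(userId)`, but the body of the two-argument overload called under `isPolicyEngineForFinanceFlagEnabled()` lies outside these hunks, so please confirm it keeps that per-user check. I would record the dependency on the constant, e.g. `// Not sufficient on its own: lock task callers must still pass canUserUseLockTaskLocked().` The Javadoc on `AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS` also needs fixing: the link target is misspelled (`ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS`), and the initializer builds the list from `PROFILE_OWNER_ON_USER_PERMISSIONS`, not `PROFILE_OWNER_PERMISSIONS` as documented. In `getDpcType`, the copied comment `// Check the permissions of DPCs` no longer describes the method and could become `// Most specific DPC type first; order decides which permission set applies.`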
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +103 −31 Original line number Original line Diff line number Diff line Loading @@ -11051,17 +11051,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return true; return true; } } private void enforceCanCallLockTaskLocked(CallerIdentity caller) { Preconditions.checkCallAuthorization(isProfileOwner(caller) || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller)); final int userId = caller.getUserId(); if (!canUserUseLockTaskLocked(userId)) { throw new SecurityException("User " + userId + " is not allowed to use lock task"); } } private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) { private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) { CallerIdentity caller = getCallerIdentity(who, callerPackageName); CallerIdentity caller = getCallerIdentity(who, callerPackageName); final int userId = caller.getUserId(); final int userId = caller.getUserId(); Loading Loading @@ -11089,6 +11078,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return enforcingAdmin; return enforcingAdmin; } } private void enforceCanCallLockTaskLocked(CallerIdentity caller) { Preconditions.checkCallAuthorization(isProfileOwner(caller) || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller)); final int userId = caller.getUserId(); if (!canUserUseLockTaskLocked(userId)) { throw new SecurityException("User " + userId + " is not allowed to use lock task"); } } private boolean isSystemUid(CallerIdentity caller) { private boolean isSystemUid(CallerIdentity caller) { return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID); return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID); } } Loading Loading 
@@ -14679,7 +14678,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isPolicyEngineForFinanceFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled()) { EnforcingAdmin enforcingAdmin; EnforcingAdmin enforcingAdmin; synchronized (getLockObject()) { synchronized (getLockObject()) { enforcingAdmin = enforceCanCallLockTaskLocked(who, callerPackageName); enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName()); } } if (packages.length == 0) { if (packages.length == 0) { mDevicePolicyEngine.removeLocalPolicy( mDevicePolicyEngine.removeLocalPolicy( Loading Loading @@ -14806,8 +14805,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isPolicyEngineForFinanceFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled()) { EnforcingAdmin enforcingAdmin; EnforcingAdmin enforcingAdmin; synchronized (getLockObject()) { synchronized (getLockObject()) { enforcingAdmin = enforceCanCallLockTaskLocked(who, enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName()); callerPackageName); enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags); enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags); } } LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin( LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin( Loading Loading 
@@ -22516,11 +22514,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { "manage_device_policy_microphone_toggle"; "manage_device_policy_microphone_toggle"; // DPC types // DPC types private static final int NOT_A_DPC = -1; private static final int DEFAULT_DEVICE_OWNER = 0; private static final int DEFAULT_DEVICE_OWNER = 0; private static final int FINANCED_DEVICE_OWNER = 1; private static final int FINANCED_DEVICE_OWNER = 1; private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2; private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2; private static final int PROFILE_OWNER_ON_USER_0 = 3; private static final int PROFILE_OWNER_ON_USER_0 = 3; private static final int PROFILE_OWNER = 4; private static final int PROFILE_OWNER = 4; private static final int PROFILE_OWNER_ON_USER = 5; private static final int AFFILIATED_PROFILE_OWNER_ON_USER = 6; // DPC types @IntDef(value = { NOT_A_DPC, DEFAULT_DEVICE_OWNER, FINANCED_DEVICE_OWNER, PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, PROFILE_OWNER_ON_USER_0, PROFILE_OWNER, PROFILE_OWNER_ON_USER, AFFILIATED_PROFILE_OWNER_ON_USER }) private @interface DpcType {} // Permissions of existing DPC types. // Permissions of existing DPC types. private static final List<String> DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of( private static final List<String> DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of( Loading Loading @@ -22674,7 +22687,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { SET_TIME_ZONE SET_TIME_ZONE ); ); /** * All the additional permissions granted to a Profile Owner on user 0. */ private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS = private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS = List.of( List.of( MANAGE_DEVICE_POLICY_AIRPLANE_MODE, MANAGE_DEVICE_POLICY_AIRPLANE_MODE, Loading 
@@ -22698,6 +22713,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { SET_TIME_ZONE SET_TIME_ZONE ); ); /** * All the additional permissions granted to a Profile Owner on an unaffiliated user. */ private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS = List.of( MANAGE_DEVICE_POLICY_LOCK_TASK ); /** * All the additional permissions granted to a Profile Owner on an affiliated user. */ private static final List<String> ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS = List.of(); /** /** * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}. * {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}. Loading @@ -22712,6 +22741,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { private static final List<String> PROFILE_OWNER_ON_USER_0_PERMISSIONS = private static final List<String> PROFILE_OWNER_ON_USER_0_PERMISSIONS = new ArrayList(); new ArrayList(); /** * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * {@link ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS}. */ private static final List<String> AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS = new ArrayList(); /** * Combination of {@link PROFILE_OWNER_PERMISSIONS} and * {@link ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS}. */ private static final List<String> PROFILE_OWNER_ON_USER_PERMISSIONS = new ArrayList(); private static final HashMap<Integer, List<String>> DPC_PERMISSIONS = new HashMap<>(); private static final HashMap<Integer, List<String>> DPC_PERMISSIONS = new HashMap<>(); { { Loading 
@@ -22724,6 +22767,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // some extra permissions. // some extra permissions. PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS); PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS); PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS); PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS); // Profile owners on users have all the permission of a profile owner plus // some extra permissions. PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS); PROFILE_OWNER_ON_USER_PERMISSIONS.addAll( ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS); // Profile owners on affiliated users have all the permission of a profile owner on a user // plus some extra permissions. AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_ON_USER_PERMISSIONS); AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll( ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS); DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS); Loading 
@@ -22731,6 +22784,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS); PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS); DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER, PROFILE_OWNER_ON_USER_PERMISSIONS); DPC_PERMISSIONS.put(AFFILIATED_PROFILE_OWNER_ON_USER, AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS); } } //Map of Permission to Delegate Scope. //Map of Permission to Delegate Scope. private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>(); private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>(); Loading Loading 
@@ -23108,22 +23164,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) { if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) { return true; return true; } } // Check the permissions of DPCs int dpcType = getDpcType(caller); if (isDefaultDeviceOwner(caller)) { if (dpcType != NOT_A_DPC) { return DPC_PERMISSIONS.get(DEFAULT_DEVICE_OWNER).contains(permission); return DPC_PERMISSIONS.get(dpcType).contains(permission); } if (isFinancedDeviceOwner(caller)) { return DPC_PERMISSIONS.get(FINANCED_DEVICE_OWNER).contains(permission); } if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { return DPC_PERMISSIONS.get(PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE).contains( permission); } if (isProfileOwnerOnUser0(caller)) { return DPC_PERMISSIONS.get(PROFILE_OWNER_ON_USER_0).contains(permission); } if (isProfileOwner(caller)) { return DPC_PERMISSIONS.get(PROFILE_OWNER).contains(permission); } } // Check the permission for the role-holder // Check the permission for the role-holder if (isCallerDevicePolicyManagementRoleHolder(caller)) { if (isCallerDevicePolicyManagementRoleHolder(caller)) { Loading Loading 
@@ -23193,6 +23236,35 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return calledOnParent ? getProfileParentId(callingUserId) : callingUserId; return calledOnParent ? getProfileParentId(callingUserId) : callingUserId; } } /** * Return the DPC type of the given caller. */ private @DpcType int getDpcType(CallerIdentity caller) { // Check the permissions of DPCs if (isDefaultDeviceOwner(caller)) { return DEFAULT_DEVICE_OWNER; } if (isFinancedDeviceOwner(caller)) { return FINANCED_DEVICE_OWNER; } if (isProfileOwner(caller)) { if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { return PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE; } if (isManagedProfile(caller.getUserId())) { return PROFILE_OWNER; } if (isProfileOwnerOnUser0(caller)) { return PROFILE_OWNER_ON_USER_0; } if (isUserAffiliatedWithDevice(caller.getUserId())) { return AFFILIATED_PROFILE_OWNER_ON_USER; } return PROFILE_OWNER_ON_USER; } return NOT_A_DPC; } private boolean isPermissionCheckFlagEnabled() { private boolean isPermissionCheckFlagEnabled() { return DeviceConfig.getBoolean( return DeviceConfig.getBoolean( NAMESPACE_DEVICE_POLICY_MANAGER, NAMESPACE_DEVICE_POLICY_MANAGER,