
Commit 95d9d9fb authored by Eran Messeri's avatar Eran Messeri

Fix checking of admins in resetPassword

Ensure resetPassword throws the right exception or returns the right
value when called by Device Owner, Profile Owner or Device Admin.

The methods for getting the ActiveAdmin associated with the DO/PO
did not work with a CallerIdentity object that had a null componentName.
Now they can cope with that.

Bug: 171407703
Bug: 171408165
Test: atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest com.android.cts.devicepolicy.MixedDeviceOwnerTest com.android.cts.devicepolicy.MixedProfileOwnerTest
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: atest  com.android.cts.devicepolicy.DeviceAdminHostSideTestApi23#testResetPasswordDeprecated com.android.cts.devicepolicy.MixedDeviceOwnerTestApi25#testResetPasswordDeprecated
Change-Id: Ibe5c8587f07f1416ffa72dd6f4a8c20a9ec06115
parent 617a0256
+13 −10
@@ -2215,7 +2215,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                            caller.getUid(), doAdmin.getUid());
        Preconditions.checkCallAuthorization(
                doAdmin.info.getComponent().equals(caller.getComponentName()),
                !caller.hasAdminComponent()
                || doAdmin.info.getComponent().equals(caller.getComponentName()),
                "Caller component %s is not device owner",
                        caller.getComponentName());
@@ -2238,7 +2239,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                            caller.getUid());
        Preconditions.checkCallAuthorization(
                poAdmin.info.getComponent().equals(caller.getComponentName()),
                !caller.hasAdminComponent()
                || poAdmin.info.getComponent().equals(caller.getComponentName()),
                "Caller component %s is not profile owner",
                        caller.getComponentName());
@@ -4423,23 +4425,24 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        // If caller has PO (or DO) throw or fail silently depending on its target SDK level.
        Preconditions.checkCallAuthorization(
                isDeviceOwner(caller) || isProfileOwner(caller),
                String.format("UID %d is not a device or profile owner", caller.getUid()));
        if (isDeviceOwner(caller) || isProfileOwner(caller)) {
            synchronized (getLockObject()) {
            ActiveAdmin admin = getDeviceOrProfileOwnerAdminLocked(userHandle);
            if (admin != null) {
                ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller);
                if (getTargetSdk(admin.info.getPackageName(), userHandle) < Build.VERSION_CODES.O) {
                    Slog.e(LOG_TAG, "DPC can no longer call resetPassword()");
                    return false;
                }
                throw new SecurityException("Device admin can no longer call resetPassword()");
            }
        }
        // Caller is not DO or PO, could either be unauthorized or Device Admin.
        synchronized (getLockObject()) {
            // Legacy device admin cannot call resetPassword either
            admin = getActiveAdminForCallerLocked(
            ActiveAdmin admin = getActiveAdminForCallerLocked(
                    null, DeviceAdminInfo.USES_POLICY_RESET_PASSWORD, false);
            Preconditions.checkCallAuthorization(admin != null,
                    "Unauthorized caller cannot call resetPassword.");
            if (getTargetSdk(admin.info.getPackageName(),
                    userHandle) <= android.os.Build.VERSION_CODES.M) {
                Slog.e(LOG_TAG, "Device admin can no longer call resetPassword()");