Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a418cf21 authored by Amith Yamasani's avatar Amith Yamasani
Browse files

New permission to manage device admins 

The previously used permission was doing double duty as the permission
that device admins to check for to ensure that calls are coming from valid
system components.

MANAGE_DEVICE_ADMINS is system|signature and is now required to add/remove
device admins.

Required for:
Bug: 9856348

Change-Id: I64385d2ec734c3957af21b5a5d9cffd8a3bcd299
parent 5846f7c9

api/current.txt

+1 −0
Original line number Diff line number Diff line
@@ -72,6 +72,7 @@ package android { 
    field public static final java.lang.String LOCATION_HARDWARE = "android.permission.LOCATION_HARDWARE";

    field public static final java.lang.String MANAGE_ACCOUNTS = "android.permission.MANAGE_ACCOUNTS";

    field public static final java.lang.String MANAGE_APP_TOKENS = "android.permission.MANAGE_APP_TOKENS";

    field public static final java.lang.String MANAGE_DEVICE_ADMINS = "android.permission.MANAGE_DEVICE_ADMINS";

    field public static final java.lang.String MANAGE_DOCUMENTS = "android.permission.MANAGE_DOCUMENTS";

    field public static final java.lang.String MASTER_CLEAR = "android.permission.MASTER_CLEAR";

    field public static final java.lang.String MODIFY_AUDIO_SETTINGS = "android.permission.MODIFY_AUDIO_SETTINGS";

core/res/AndroidManifest.xml

+7 −0
Original line number Diff line number Diff line
@@ -1901,6 +1901,13 @@ 
        android:description="@string/permdesc_bindDeviceAdmin"

        android:protectionLevel="signature" />



    <!-- Required to add or remove another application as a device admin.

         <p/>Not for use by third-party apps. -->

    <permission android:name="android.permission.MANAGE_DEVICE_ADMINS"

        android:label="@string/permlab_manageDeviceAdmins"

        android:description="@string/permdesc_manageDeviceAdmins"

        android:protectionLevel="signature|system" />



    <!-- Allows low-level access to setting the orientation (actually

         rotation) of the screen.

         <p>Not for use by third-party applications. -->

core/res/res/values/strings.xml

+6 −0
Original line number Diff line number Diff line
@@ -1020,6 +1020,12 @@ 
    <string name="permdesc_bindDeviceAdmin">Allows the holder to send intents to

        a device administrator. Should never be needed for normal apps.</string>



    <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->

    <string name="permlab_manageDeviceAdmins">add or remove a device admin</string>

    <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->

    <string name="permdesc_manageDeviceAdmins">Allows the holder to add or remove active device

        administrators. Should never be needed for normal apps.</string>



    <!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->

    <string name="permlab_setOrientation">change screen orientation</string>

    <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->

packages/Keyguard/AndroidManifest.xml

+1 −0
Original line number Diff line number Diff line
@@ -35,6 +35,7 @@ 
    <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />

    <uses-permission android:name="android.permission.BIND_APPWIDGET" />

    <uses-permission android:name="android.permission.INTERNAL_SYSTEM_WINDOW" />

    <uses-permission android:name="android.permission.MANAGE_DEVICE_ADMINS" />

    <uses-permission android:name="android.permission.BIND_DEVICE_ADMIN" />

    <uses-permission android:name="android.permission.CHANGE_COMPONENT_ENABLED_STATE" />

services/java/com/android/server/DevicePolicyManagerService.java

+2 −2
Original line number Diff line number Diff line
@@ -1043,7 +1043,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
     */

    public void setActiveAdmin(ComponentName adminReceiver, boolean refreshing, int userHandle) {

        mContext.enforceCallingOrSelfPermission(

                android.Manifest.permission.BIND_DEVICE_ADMIN, null);

                android.Manifest.permission.MANAGE_DEVICE_ADMINS, null);

        enforceCrossUserPermission(userHandle);



        DevicePolicyData policy = getUserData(userHandle);
@@ -1146,7 +1146,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
                    return;

                }

                mContext.enforceCallingOrSelfPermission(

                        android.Manifest.permission.BIND_DEVICE_ADMIN, null);

                        android.Manifest.permission.MANAGE_DEVICE_ADMINS, null);

            }

            long ident = Binder.clearCallingIdentity();

            try {