
Commit bf385d15 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "Correct which type of PO has the _LOCK_TASK permission." into udc-dev...

Merge "Correct which type of PO has the _LOCK_TASK permission." into udc-dev am: 89bb4db1 am: 41b9099f

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/22619636



Change-Id: I18ba89c90dfce128c662cd02eb4fa6c456391df9
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 77eb8260 41b9099f
+103 −31
@@ -11051,17 +11051,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        return true;
        return true;
    }
    }
    private void enforceCanCallLockTaskLocked(CallerIdentity caller) {
        Preconditions.checkCallAuthorization(isProfileOwner(caller)
                || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller));
        final int userId =  caller.getUserId();
        if (!canUserUseLockTaskLocked(userId)) {
            throw new SecurityException("User " + userId + " is not allowed to use lock task");
        }
    }
    private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) {
    private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) {
        CallerIdentity caller = getCallerIdentity(who, callerPackageName);
        CallerIdentity caller = getCallerIdentity(who, callerPackageName);
        final int userId = caller.getUserId();
        final int userId = caller.getUserId();
@@ -11089,6 +11078,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        return enforcingAdmin;
        return enforcingAdmin;
    }
    }
    private void enforceCanCallLockTaskLocked(CallerIdentity caller) {
        Preconditions.checkCallAuthorization(isProfileOwner(caller)
                || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller));
        final int userId =  caller.getUserId();
        if (!canUserUseLockTaskLocked(userId)) {
            throw new SecurityException("User " + userId + " is not allowed to use lock task");
        }
    }
    private boolean isSystemUid(CallerIdentity caller) {
    private boolean isSystemUid(CallerIdentity caller) {
        return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID);
        return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID);
    }
    }
@@ -14679,7 +14678,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        if (isPolicyEngineForFinanceFlagEnabled()) {
        if (isPolicyEngineForFinanceFlagEnabled()) {
            EnforcingAdmin enforcingAdmin;
            EnforcingAdmin enforcingAdmin;
            synchronized (getLockObject()) {
            synchronized (getLockObject()) {
                enforcingAdmin = enforceCanCallLockTaskLocked(who, callerPackageName);
                enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName());
            }
            }
            if (packages.length == 0) {
            if (packages.length == 0) {
                mDevicePolicyEngine.removeLocalPolicy(
                mDevicePolicyEngine.removeLocalPolicy(
@@ -14806,8 +14805,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        if (isPolicyEngineForFinanceFlagEnabled()) {
        if (isPolicyEngineForFinanceFlagEnabled()) {
            EnforcingAdmin enforcingAdmin;
            EnforcingAdmin enforcingAdmin;
            synchronized (getLockObject()) {
            synchronized (getLockObject()) {
                enforcingAdmin = enforceCanCallLockTaskLocked(who,
                enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName());
                        callerPackageName);
                enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags);
                enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags);
            }
            }
            LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin(
            LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin(
@@ -22513,11 +22511,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            "manage_device_policy_microphone_toggle";
            "manage_device_policy_microphone_toggle";
    // DPC types
    // DPC types
    private static final int NOT_A_DPC = -1;
    private static final int DEFAULT_DEVICE_OWNER = 0;
    private static final int DEFAULT_DEVICE_OWNER = 0;
    private static final int FINANCED_DEVICE_OWNER = 1;
    private static final int FINANCED_DEVICE_OWNER = 1;
    private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2;
    private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2;
    private static final int PROFILE_OWNER_ON_USER_0 = 3;
    private static final int PROFILE_OWNER_ON_USER_0 = 3;
    private static final int PROFILE_OWNER = 4;
    private static final int PROFILE_OWNER = 4;
    private static final int PROFILE_OWNER_ON_USER = 5;
    private static final int AFFILIATED_PROFILE_OWNER_ON_USER = 6;
    // DPC types
    @IntDef(value = {
            NOT_A_DPC,
            DEFAULT_DEVICE_OWNER,
            FINANCED_DEVICE_OWNER,
            PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE,
            PROFILE_OWNER_ON_USER_0,
            PROFILE_OWNER,
            PROFILE_OWNER_ON_USER,
            AFFILIATED_PROFILE_OWNER_ON_USER
    })
    private @interface DpcType {}
    // Permissions of existing DPC types.
    // Permissions of existing DPC types.
    private static final List<String> DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of(
    private static final List<String> DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of(
@@ -22671,7 +22684,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    SET_TIME_ZONE
                    SET_TIME_ZONE
            );
            );
    /**
     * All the additional permissions granted to a Profile Owner on user 0.
     */
    private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS =
    private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS =
            List.of(
            List.of(
                    MANAGE_DEVICE_POLICY_AIRPLANE_MODE,
                    MANAGE_DEVICE_POLICY_AIRPLANE_MODE,
@@ -22695,6 +22710,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    SET_TIME_ZONE
                    SET_TIME_ZONE
            );
            );
    /**
     * All the additional permissions granted to a Profile Owner on an unaffiliated user.
     */
    private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS =
            List.of(
                    MANAGE_DEVICE_POLICY_LOCK_TASK
            );
    /**
     * All the additional permissions granted to a Profile Owner on an affiliated user.
     */
    private static final List<String> ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS =
            List.of();
    /**
    /**
     * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
     * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
     * {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}.
     * {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}.
@@ -22709,6 +22738,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    private static final List<String> PROFILE_OWNER_ON_USER_0_PERMISSIONS  =
    private static final List<String> PROFILE_OWNER_ON_USER_0_PERMISSIONS  =
            new ArrayList();
            new ArrayList();
    /**
     * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
     * {@link ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS}.
     */
    private static final List<String> AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS =
            new ArrayList();
    /**
     * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
     * {@link ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS}.
     */
    private static final List<String> PROFILE_OWNER_ON_USER_PERMISSIONS =
            new ArrayList();
    private static final HashMap<Integer, List<String>> DPC_PERMISSIONS = new HashMap<>();
    private static final HashMap<Integer, List<String>> DPC_PERMISSIONS = new HashMap<>();
    {
    {
@@ -22721,6 +22764,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        // some extra permissions.
        // some extra permissions.
        PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS);
        PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS);
        PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS);
        PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS);
        // Profile owners on users have all the permission of a profile owner plus
        // some extra permissions.
        PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS);
        PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(
                ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS);
        // Profile owners on affiliated users have all the permission of a profile owner on a user
        // plus some extra permissions.
        AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_ON_USER_PERMISSIONS);
        AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(
                ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS);
        DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS);
        DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS);
        DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS);
        DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS);
@@ -22728,6 +22781,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS);
                PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS);
        DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS);
        DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS);
        DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS);
        DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS);
        DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER, PROFILE_OWNER_ON_USER_PERMISSIONS);
        DPC_PERMISSIONS.put(AFFILIATED_PROFILE_OWNER_ON_USER,
                AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS);
    }
    }
    //Map of Permission to Delegate Scope.
    //Map of Permission to Delegate Scope.
    private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>();
    private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>();
@@ -23105,22 +23161,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) {
        if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) {
            return true;
            return true;
        }
        }
        // Check the permissions of DPCs
        int dpcType = getDpcType(caller);
        if (isDefaultDeviceOwner(caller)) {
        if (dpcType != NOT_A_DPC) {
            return DPC_PERMISSIONS.get(DEFAULT_DEVICE_OWNER).contains(permission);
            return DPC_PERMISSIONS.get(dpcType).contains(permission);
        }
        if (isFinancedDeviceOwner(caller)) {
            return DPC_PERMISSIONS.get(FINANCED_DEVICE_OWNER).contains(permission);
        }
        if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
            return DPC_PERMISSIONS.get(PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE).contains(
                    permission);
        }
        if (isProfileOwnerOnUser0(caller)) {
            return DPC_PERMISSIONS.get(PROFILE_OWNER_ON_USER_0).contains(permission);
        }
        if (isProfileOwner(caller)) {
            return DPC_PERMISSIONS.get(PROFILE_OWNER).contains(permission);
        }
        }
        // Check the permission for the role-holder
        // Check the permission for the role-holder
        if (isCallerDevicePolicyManagementRoleHolder(caller)) {
        if (isCallerDevicePolicyManagementRoleHolder(caller)) {
@@ -23190,6 +23233,35 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        return calledOnParent ? getProfileParentId(callingUserId) : callingUserId;
        return calledOnParent ? getProfileParentId(callingUserId) : callingUserId;
    }
    }
    /**
     * Return the DPC type of the given caller.
     */
    private @DpcType int getDpcType(CallerIdentity caller) {
        // Check the permissions of DPCs
        if (isDefaultDeviceOwner(caller)) {
            return DEFAULT_DEVICE_OWNER;
        }
        if (isFinancedDeviceOwner(caller)) {
            return FINANCED_DEVICE_OWNER;
        }
        if (isProfileOwner(caller)) {
            if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
                return PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE;
            }
            if (isManagedProfile(caller.getUserId())) {
                return PROFILE_OWNER;
            }
            if (isProfileOwnerOnUser0(caller)) {
                return PROFILE_OWNER_ON_USER_0;
            }
            if (isUserAffiliatedWithDevice(caller.getUserId())) {
                return AFFILIATED_PROFILE_OWNER_ON_USER;
            }
            return PROFILE_OWNER_ON_USER;
        }
        return NOT_A_DPC;
    }
    private boolean isPermissionCheckFlagEnabled() {
    private boolean isPermissionCheckFlagEnabled() {
        return DeviceConfig.getBoolean(
        return DeviceConfig.getBoolean(
                NAMESPACE_DEVICE_POLICY_MANAGER,
                NAMESPACE_DEVICE_POLICY_MANAGER,
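Review bot: The Javadoc on AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS links a constant that does not exist — `{@link ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS}` should read `{@link ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS}`, matching the field declared in the preceding hunk. In getDpcType the order of the isProfileOwnerOfOrganizationOwnedDevice, isManagedProfile, isProfileOwnerOnUser0 and isUserAffiliatedWithDevice checks is load-bearing (a caller matching both isProfileOwnerOnUser0 and isUserAffiliatedWithDevice is classified as PROFILE_OWNER_ON_USER_0, whose permission list is built from a different additional-permission list than the AFFILIATED_PROFILE_OWNER_ON_USER chain), yet the method's Javadoc `Return the DPC type of the given caller.` records no precedence; a sentence such as `Checks are ordered from most to least specific; a PO on user 0 is classified as PROFILE_OWNER_ON_USER_0 even when that user is affiliated.` would make the classification auditable. The relocated enforceCanCallLockTaskLocked(CallerIdentity) still gates on canUserUseLockTaskLocked, but whether the permission-based path that hasPermission now reaches through `DPC_PERMISSIONS.get(dpcType).contains(permission)` applies the same per-user lock-task gate cannot be seen from these hunks (hasPermission starts and ends outside the hunk) and is worth confirming, since PROFILE_OWNER_ON_USER now carries MANAGE_DEVICE_POLICY_LOCK_TASK unconditionally. The new addAll lines for PROFILE_OWNER_ON_USER_PERMISSIONS and AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS run in the existing initializer block whose opening line shows no `static` keyword here; if it is an instance initializer, every service instance re-appends to these static lists, as the pre-existing lines already do.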