Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d5b03601 authored by Nicolas Prevot's avatar Nicolas Prevot
Browse files

Use affiliation ids when checking bind target users. 

BUG:32764274
Test: adb shell am instrument -e class
com.android.server.devicepolicy.DevicePolicyManagerTest -w
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner

Change-Id: Ic79b58dcb583b1d9eb9e7af0d1501cf8cfd0ee86
parent 235117ac

core/java/android/app/admin/DevicePolicyManager.java

+1 −1
Original line number Diff line number Diff line
@@ -7040,7 +7040,7 @@ public class DevicePolicyManager { 
     * <li>The managed profile is a profile of the user where the device owner is set.

     *     See {@link UserManager#getUserProfiles()}

     * <li>Both users are affiliated.

     *         STOPSHIP(b/32326223) Add reference to setAffiliationIds here once public.

     *     See {@link #setAffiliationIds}.

     * </ul>

     */

    public @NonNull List<UserHandle> getBindDeviceAdminTargetUsers(@NonNull ComponentName admin) {

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+3 −5
Original line number Diff line number Diff line
@@ -9702,9 +9702,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
            final int callingUserId = mInjector.userHandleGetCallingUserId();

            final boolean isCallerDeviceOwner = isDeviceOwner(callingOwner);

            final boolean isCallerManagedProfile = isManagedProfile(callingUserId);

            if (!isCallerDeviceOwner && !isCallerManagedProfile

                    /* STOPSHIP(b/32326223) Reinstate when setAffiliationIds is public

                    ||   !isAffiliatedUser(callingUserId) */) {

            if ((!isCallerDeviceOwner && !isCallerManagedProfile)

                    || !isUserAffiliatedWithDevice(callingUserId)) {

                return targetUsers;

            }
@@ -9724,8 +9723,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 


                        // Both must be the same package and be affiliated in order to bind.

                        if (callingOwnerPackage.equals(targetOwnerPackage)

                            /* STOPSHIP(b/32326223) Reinstate when setAffiliationIds is public

                               && isAffiliatedUser(userId)*/) {

                               && isUserAffiliatedWithDevice(userId)) {

                            targetUsers.add(UserHandle.of(userId));

                        }

                    }

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

+38 −0
Original line number Diff line number Diff line
@@ -2664,8 +2664,26 @@ public class DevicePolicyManagerTest extends DpmTestBase { 
        final int ANOTHER_USER_ID = 36;

        mContext.addUser(ANOTHER_USER_ID, 0);



        // Since the managed profile is not affiliated, they should not be allowed to talk to each

        // other.

        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);

        MoreAsserts.assertEmpty(targetUsers);



        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;

        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);

        MoreAsserts.assertEmpty(targetUsers);



        // Setting affiliation ids

        final List<String> userAffiliationIds = Arrays.asList("some.affiliation-id");

        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;

        dpm.setAffiliationIds(admin1, userAffiliationIds);



        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;

        dpm.setAffiliationIds(admin1, userAffiliationIds);



        // Calling from device owner admin, the result list should just contain the managed

        // profile user id.

        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;

        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);

        MoreAsserts.assertContentsInAnyOrder(targetUsers, UserHandle.of(MANAGED_PROFILE_USER_ID));
@@ -2674,6 +2692,18 @@ public class DevicePolicyManagerTest extends DpmTestBase { 
        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;

        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);

        MoreAsserts.assertContentsInAnyOrder(targetUsers, UserHandle.SYSTEM);



        // Changing affiliation ids in one

        dpm.setAffiliationIds(admin1, Arrays.asList("some-different-affiliation-id"));



        // Since the managed profile is not affiliated any more, they should not be allowed to talk

        // to each other.

        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);

        MoreAsserts.assertEmpty(targetUsers);



        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;

        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);

        MoreAsserts.assertEmpty(targetUsers);

    }



    public void testGetBindDeviceAdminTargetUsers_differentPackage() throws Exception {
@@ -2688,8 +2718,16 @@ public class DevicePolicyManagerTest extends DpmTestBase { 
                new ComponentName("another.package", "whatever.class");

        addManagedProfile(adminDifferentPackage, MANAGED_PROFILE_ADMIN_UID, admin2);



        // Setting affiliation ids

        final List<String> userAffiliationIds = Arrays.asList("some-affiliation-id");

        dpm.setAffiliationIds(admin1, userAffiliationIds);



        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;

        dpm.setAffiliationIds(adminDifferentPackage, userAffiliationIds);



        // Calling from device owner admin, we should get zero bind device admin target users as

        // their packages are different.

        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;

        List<UserHandle> targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);

        MoreAsserts.assertEmpty(targetUsers);