
Commit efae78ed authored by Rubin Xu's avatar Rubin Xu

Lockdown DPMS.getOrganizationNameForUser()

Only allow system components to call this hidden API.

Bug: 192368508
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Change-Id: I740943195f016b30607d4103a54ca0fe04d31f8a
parent 4dd98007
+1 −0
@@ -14060,6 +14060,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
        Preconditions.checkCallAuthorization(canManageUsers(caller));
        Preconditions.checkCallAuthorization(isManagedProfile(userHandle),
                "You can not get organization name outside a managed profile, userId = %d",
                userHandle);
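Review bot: Nothing in this hunk records why a second caller check follows `hasFullCrossUsersPermission(caller, userHandle)`. The rendering has lost the `+` marker, so the one added line is presumably the `canManageUsers(caller)` check, going by the commit message. If the cross-user helper accepts a caller acting on its own user (its body is not shown here), the new check is the only thing keeping an ordinary app from reading the organization name, and a later cleanup could drop it as redundant. A one-line comment above it would make the intent durable, for example `// Hidden API: only callers that may manage users, even when caller and userHandle are the same user.` The method's signature and the rest of its body lie outside the hunk.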
+6 −0
@@ -7753,6 +7753,12 @@ public class DevicePolicyManagerTest extends DpmTestBase {
                DpmMockContext.CALLER_SYSTEM_USER_UID, admin1.getPackageName(), MODE_DEFAULT);
    }

    @Test
    public void testGetOrganizationNameForUser_calledByNonPrivilegedApp_throwsException() {
        assertExpectException(SecurityException.class, "Calling identity is not authorized",
                () -> dpm.getOrganizationNameForUser(UserHandle.USER_SYSTEM));
    }

    private void setupVpnAuthorization(String userVpnPackage, int userVpnUid) {
        final AppOpsManager.PackageOps vpnOp = new AppOpsManager.PackageOps(userVpnPackage,
                userVpnUid, List.of(new AppOpsManager.OpEntry(
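Review bot: The new test covers only the rejection path and leaves the caller identity implicit, so it does not show which authorization check produces the SecurityException. The expected text "Calling identity is not authorized" appears to be the generic message shared by every `checkCallAuthorization` call without a custom message, so the test would still pass if the fixture's default caller were rejected by the cross-user check rather than the one this commit adds. Pinning the caller at the top of the test, for instance `mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;` (assuming that is a non-privileged UID in the system user), would tie the assertion to the new check. A companion case in which a system caller queries a managed profile and still gets the name would guard against the lockdown breaking legitimate callers.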