
Commit f03d0a6b authored by Rubin Xu's avatar Rubin Xu

Require delegated cert installer and app restriction manager to exist

Require apps that are to receive delegated powers to exist on the device
before empowering them. This is consistent with DevicePolicyManagerService's
internal logic to clear the delegation power once the package is removed.
For delegated cert installer, only enforce this new restriction on
device admins targeting N or later.

Bug: 26233778
Change-Id: Ia8f45dfd5290958cebb36991c4b6baa03e8c28ae
parent ff25528a
+8 −0
@@ -2570,6 +2570,11 @@ public class DevicePolicyManager {
     * Delegated certificate installer is a per-user state. The delegated access is persistent until
     * it is later cleared by calling this method with a null value or uninstallling the certificate
     * installer.
     *<p>
     * <b>Note:</b>Starting from {@link android.os.Build.VERSION_CODES#N}, if the caller
     * application's target SDK version is {@link android.os.Build.VERSION_CODES#N} or newer, the
     * supplied certificate installer package must be installed when calling this API,
     * otherwise an {@link IllegalArgumentException} will be thrown.
     *
     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
     * @param installerPackage The package name of the certificate installer which will be given
@@ -3650,6 +3655,9 @@ public class DevicePolicyManager {
     * <p>
     * This permission is persistent until it is later cleared by calling this method with a
     * {@code null} value or uninstalling the managing package.
     * <p>
     * The supplied application restriction managing package must be installed when calling this
     * API, otherwise an {@link IllegalArgumentException} will be thrown.
     *
     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
     * @param packageName The package name which will be given access to application restrictions
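Review bot: Both added Javadoc paragraphs say the package "must be installed" without saying for which user, while the service-side checks in this commit call `isPackageInstalledForUser(..., userHandle)` with the calling user's id and report "is not installed on the current user". On a multi-user or managed-profile device that difference decides whether the call succeeds, so I would word both as `must be installed on the calling user` and add a matching `@throws IllegalArgumentException` line to each tag list, unless the part of the Javadoc outside these hunks already has one. The first paragraph also needs a space after `<b>Note:</b>`. Both Javadoc blocks start and end outside the hunks shown.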
+22 −7
@@ -32,6 +32,7 @@ import android.Manifest.permission;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.accounts.AccountManager;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.Activity;
import android.app.ActivityManager;
import android.app.ActivityManagerNative;
@@ -2841,16 +2842,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
    }

    private boolean isAdminApiLevelMOrBelow(@NonNull ComponentName who, int userHandle) {
        DeviceAdminInfo adminInfo = findAdmin(who, userHandle, false);
        return adminInfo.getActivityInfo().applicationInfo.targetSdkVersion
                <= Build.VERSION_CODES.M;
    }

    @Override
    public boolean isSeparateProfileChallengeAllowed(int userHandle) {
        ComponentName profileOwner = getProfileOwner(userHandle);
        return profileOwner != null && !isAdminApiLevelMOrBelow(profileOwner, userHandle);
        try {
            // Profile challenge is supported on N or newer release.
            return profileOwner != null &&
                    getTargetSdk(profileOwner.getPackageName(), userHandle) > Build.VERSION_CODES.M;
        } catch (RemoteException e) {
            return false;
        }
    }

    @Override
@@ -4195,6 +4196,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        int userHandle = UserHandle.getCallingUserId();
        synchronized (this) {
            getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
            try {
                if (getTargetSdk(who.getPackageName(), userHandle) >= Build.VERSION_CODES.N) {
                    if (installerPackage != null &&
                            !isPackageInstalledForUser(installerPackage, userHandle)) {
                        throw new IllegalArgumentException("Package " + installerPackage
                                + " is not installed on the current user");
                    }
                }
            } catch (RemoteException e) {
            }
            DevicePolicyData policy = getUserData(userHandle);
            policy.mDelegatedCertInstallerPackage = installerPackage;
            saveSettingsLocked(userHandle);
@@ -6096,6 +6107,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final int userHandle = mInjector.userHandleGetCallingUserId();
        synchronized (this) {
            getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
            if (packageName != null && !isPackageInstalledForUser(packageName, userHandle)) {
                throw new IllegalArgumentException("Package " + packageName + " is not installed "
                        + "on the current user");
            }
            DevicePolicyData policy = getUserData(userHandle);
            policy.mApplicationRestrictionsManagingPackage = packageName;
            saveSettingsLocked(userHandle);
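Review bot: The empty `catch (RemoteException e) { }` added around the certificate-installer check fails open: if `getTargetSdk` throws, the existence check is skipped and `policy.mDelegatedCertInstallerPackage = installerPackage` still runs, so the delegation is recorded for a package name that was never verified. The same commit returns `false` on that exception in `isSeparateProfileChallengeAllowed`, which is the fail-closed choice. I would do the equivalent here, e.g. `} catch (RemoteException e) { throw new IllegalStateException("Could not verify package " + installerPackage, e); }`, or at least log the exception and add a comment saying why continuing is safe. Whether the exception can actually occur depends on `getTargetSdk`, which is outside the hunks shown, as are the start and end of this method.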