Loading core/java/android/app/admin/DevicePolicyManager.java +7 −0 Original line number Diff line number Diff line Loading @@ -13725,6 +13725,13 @@ public class DevicePolicyManager { * {@link #EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT} in the provisioning parameters. * In that case the device owner's control will be limited to denying these permissions. * <p> * When sensor-related permissions aren't grantable due to the above cases, calling this method * to grant these permissions will silently fail, if device admins are built with * {@code targetSdkVersion} < {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}. If * they are built with {@code targetSdkVersion} >= * {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}, this method will throw a * {@link SecurityException}. * <p> * NOTE: On devices running {@link android.os.Build.VERSION_CODES#S} and above, control over * the following permissions are restricted for managed profile owners: * <ul> services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +17 −3 Original line number Diff line number Diff line Loading @@ -804,11 +804,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { public static final long EXPLICIT_WIPE_BEHAVIOUR = 242193913L; /** * Apps targetting U+ should now expect that attempts to grant sensor permissions without * Apps targeting V+ should now expect that attempts to grant sensor permissions without * authorisation will result in a security exception. */ @ChangeId @EnabledSince(targetSdkVersion = Build.VERSION_CODES.UPSIDE_DOWN_CAKE) @EnabledSince(targetSdkVersion = Build.VERSION_CODES.VANILLA_ICE_CREAM) public static final long THROW_SECURITY_EXCEPTION_FOR_SENSOR_PERMISSIONS = 277035314L; /** Loading Loading @@ -16736,7 +16736,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { caller.getUserId()); if (SENSOR_PERMISSIONS.contains(permission) && grantState == PERMISSION_GRANT_STATE_GRANTED && (!canAdminGrantSensorsPermissions() || isCallerDelegate(caller))) { && !canAdminGrantSensorsPermissions()) { if (mInjector.isChangeEnabled(THROW_SECURITY_EXCEPTION_FOR_SENSOR_PERMISSIONS, caller.getPackageName(), caller.getUserId())) { throw new SecurityException( Loading @@ -16759,6 +16759,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || isFinancedDeviceOwner(caller))) || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_PERMISSION_GRANT))); if (SENSOR_PERMISSIONS.contains(permission) && grantState == PERMISSION_GRANT_STATE_GRANTED && !canAdminGrantSensorsPermissions()) { if (mInjector.isChangeEnabled(THROW_SECURITY_EXCEPTION_FOR_SENSOR_PERMISSIONS, caller.getPackageName(), caller.getUserId())) { throw new SecurityException( "Caller not permitted to grant sensor permissions."); } else { Slogf.e(LOG_TAG, "Caller attempted to grant sensor permissions but denied"); // This is to match the legacy behaviour. callback.sendResult(Bundle.EMPTY); return; } } synchronized (getLockObject()) { long ident = mInjector.binderClearCallingIdentity(); try { Loading
core/java/android/app/admin/DevicePolicyManager.java +7 −0 Original line number Diff line number Diff line Loading @@ -13725,6 +13725,13 @@ public class DevicePolicyManager { * {@link #EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT} in the provisioning parameters. * In that case the device owner's control will be limited to denying these permissions. * <p> * When sensor-related permissions aren't grantable due to the above cases, calling this method * to grant these permissions will silently fail, if device admins are built with * {@code targetSdkVersion} < {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}. If * they are built with {@code targetSdkVersion} >= * {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}, this method will throw a * {@link SecurityException}. * <p> * NOTE: On devices running {@link android.os.Build.VERSION_CODES#S} and above, control over * the following permissions are restricted for managed profile owners: * <ul>
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +17 −3 Original line number Diff line number Diff line Loading @@ -804,11 +804,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { public static final long EXPLICIT_WIPE_BEHAVIOUR = 242193913L; /** * Apps targetting U+ should now expect that attempts to grant sensor permissions without * Apps targeting V+ should now expect that attempts to grant sensor permissions without * authorisation will result in a security exception. */ @ChangeId @EnabledSince(targetSdkVersion = Build.VERSION_CODES.UPSIDE_DOWN_CAKE) @EnabledSince(targetSdkVersion = Build.VERSION_CODES.VANILLA_ICE_CREAM) public static final long THROW_SECURITY_EXCEPTION_FOR_SENSOR_PERMISSIONS = 277035314L; /** Loading Loading @@ -16736,7 +16736,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { caller.getUserId()); if (SENSOR_PERMISSIONS.contains(permission) && grantState == PERMISSION_GRANT_STATE_GRANTED && (!canAdminGrantSensorsPermissions() || isCallerDelegate(caller))) { && !canAdminGrantSensorsPermissions()) { if (mInjector.isChangeEnabled(THROW_SECURITY_EXCEPTION_FOR_SENSOR_PERMISSIONS, caller.getPackageName(), caller.getUserId())) { throw new SecurityException( Loading @@ -16759,6 +16759,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || isFinancedDeviceOwner(caller))) || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_PERMISSION_GRANT))); if (SENSOR_PERMISSIONS.contains(permission) && grantState == PERMISSION_GRANT_STATE_GRANTED && !canAdminGrantSensorsPermissions()) { if (mInjector.isChangeEnabled(THROW_SECURITY_EXCEPTION_FOR_SENSOR_PERMISSIONS, caller.getPackageName(), caller.getUserId())) { throw new SecurityException( "Caller not permitted to grant sensor permissions."); } else { Slogf.e(LOG_TAG, "Caller attempted to grant sensor permissions but denied"); // This is to match the legacy behaviour. callback.sendResult(Bundle.EMPTY); return; } } synchronized (getLockObject()) { long ident = mInjector.binderClearCallingIdentity(); try {
