Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fe739701 authored by Makoto Onuki's avatar Makoto Onuki
Browse files

DeviceAdminService must be protected with BIND_DEVICE_ADMIN. 

Bug: 37625902
Bug: 36226832

Test: cts-tradefed run cts-dev --skip-device-info --skip-preconditions --skip-system-status-check com.android.compatibility.common.tradefed.targetprep.NetworkConnectivityChecker -a armeabi-v7a -l DEBUG -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceAdminServiceDeviceOwnerTest
Test: cts-tradefed run cts-dev --skip-device-info --skip-preconditions --skip-system-status-check com.android.compatibility.common.tradefed.targetprep.NetworkConnectivityChecker -a armeabi-v7a -l DEBUG -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceAdminServiceProfileOwnerTest
Change-Id: I0bee75d758b565c6587d0e9cabf63bec351a0669
parent 011e07d7

core/java/android/app/admin/DevicePolicyManager.java

+2 −1
Original line number Original line Diff line number Diff line
@@ -1518,7 +1518,8 @@ public class DevicePolicyManager { 
     * Service action: Action for a service that device owner and profile owner can optionally

     * Service action: Action for a service that device owner and profile owner can optionally

     * own.  If a device owner or a profile owner has such a service, the system tries to keep

     * own.  If a device owner or a profile owner has such a service, the system tries to keep

     * a bound connection to it, in order to keep their process always running.

     * a bound connection to it, in order to keep their process always running.

     * The service must not be exported.

     * The service must be protected with the {@link android.Manifest.permission#BIND_DEVICE_ADMIN}

     * permission.

     */

     */

    @SdkConstant(SdkConstantType.SERVICE_ACTION)

    @SdkConstant(SdkConstantType.SERVICE_ACTION)

    public static final String ACTION_DEVICE_ADMIN_SERVICE

    public static final String ACTION_DEVICE_ADMIN_SERVICE

services/devicepolicy/java/com/android/server/devicepolicy/DeviceAdminServiceController.java

+6 −3
Original line number Original line Diff line number Diff line
@@ -15,6 +15,7 @@ 
 */

 */

package com.android.server.devicepolicy;

package com.android.server.devicepolicy;





import android.Manifest.permission;

import android.annotation.NonNull;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.annotation.Nullable;

import android.app.admin.DevicePolicyManager;

import android.app.admin.DevicePolicyManager;
@@ -115,10 +116,12 @@ public class DeviceAdminServiceController { 
                return null;

                return null;

            }

            }

            final ServiceInfo si = list.get(0).serviceInfo;

            final ServiceInfo si = list.get(0).serviceInfo;

            if (si.exported) {



                Log.e(TAG, "DeviceAdminService must not be exported: '"

            if (!permission.BIND_DEVICE_ADMIN.equals(si.permission)) {

                Log.e(TAG, "DeviceAdminService "

                        + si.getComponentName().flattenToShortString()

                        + si.getComponentName().flattenToShortString()

                        + "' will be ignored.");

                        + " must be protected with " + permission.BIND_DEVICE_ADMIN

                        + ".");

                return null;

                return null;

            }

            }

            return si;

            return si;