Merge "Check caller owns admin for per-admin getters." (fe8e6b1b) · Commits · e / os / android_frameworks_base

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+29 −11

Original line number	Diff line number	Diff line
		@@ -3998,6 +3998,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {

		final CallerIdentity caller = getCallerIdentity();
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
		// System caller can query policy for a particular admin.
		Preconditions.checkCallAuthorization(
		who == null \|\| isCallingFromPackage(who.getPackageName(), caller.getUid())
		\|\| canQueryAdminPolicy(caller));

		synchronized (getLockObject()) {
		int mode = PASSWORD_QUALITY_UNSPECIFIED;
		@@ -4213,7 +4217,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}
		Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");

		final CallerIdentity caller = getCallerIdentity();
		final CallerIdentity caller = getCallerIdentity(who);
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));

		synchronized (getLockObject()) {
		@@ -4363,7 +4367,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}
		Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");

		final CallerIdentity caller = getCallerIdentity();
		final CallerIdentity caller = getCallerIdentity(who);
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));

		synchronized (getLockObject()) {
		@@ -4576,7 +4580,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}
		Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");

		final CallerIdentity caller = getCallerIdentity();
		final CallerIdentity caller = getCallerIdentity(who);
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));

		synchronized (getLockObject()) {
		@@ -4996,6 +5000,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {

		final CallerIdentity caller = getCallerIdentity();
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
		// System caller can query policy for a particular admin.
		Preconditions.checkCallAuthorization(
		who == null \|\| isCallingFromPackage(who.getPackageName(), caller.getUid())
		\|\| canQueryAdminPolicy(caller));

		synchronized (getLockObject()) {
		ActiveAdmin admin = (who != null)
		@@ -5307,6 +5315,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {

		final CallerIdentity caller = getCallerIdentity();
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
		// System caller can query policy for a particular admin.
		Preconditions.checkCallAuthorization(
		who == null \|\| isCallingFromPackage(who.getPackageName(), caller.getUid())
		\|\| canQueryAdminPolicy(caller));

		synchronized (getLockObject()) {
		if (who != null) {
		@@ -5384,7 +5396,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}
		Preconditions.checkArgumentNonnegative(userId, "Invalid userId");

		final CallerIdentity caller = getCallerIdentity();
		final CallerIdentity caller = getCallerIdentity(who);
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userId));

		if (!mLockPatternUtils.hasSecureLockScreen()) {
		@@ -7727,6 +7739,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		if (!mHasFeature) {
		return false;
		}

		final CallerIdentity caller = getCallerIdentity(who);
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));

		if (parent) {
		Preconditions.checkCallAuthorization(
		isProfileOwnerOfOrganizationOwnedDevice(getCallerIdentity().getUserId()));
		@@ -9509,8 +9525,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}

		private boolean canManageUsers(CallerIdentity caller) {
		return isSystemUid(caller) \|\| isRootUid(caller)
		\|\| hasCallingOrSelfPermission(permission.MANAGE_USERS);
		return hasCallingOrSelfPermission(permission.MANAGE_USERS);
		}

		private boolean canQueryAdminPolicy(CallerIdentity caller) {
		return hasCallingOrSelfPermission(permission.QUERY_ADMIN_POLICY);
		}

		private boolean hasPermission(String permission, int pid, int uid) {
		@@ -9958,7 +9977,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		Objects.requireNonNull(agent, "agent null");
		Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");

		final CallerIdentity caller = getCallerIdentity();
		final CallerIdentity caller = getCallerIdentity(admin);
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));

		synchronized (getLockObject()) {
		@@ -10238,8 +10257,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		if (!mHasFeature) {
		return null;
		}
		Preconditions.checkCallAuthorization(canManageUsers(getCallerIdentity())
		\|\| hasCallingOrSelfPermission(permission.QUERY_ADMIN_POLICY));
		final CallerIdentity caller = getCallerIdentity();
		Preconditions.checkCallAuthorization(canManageUsers(caller) \|\| canQueryAdminPolicy(caller));

		synchronized (getLockObject()) {
		List<String> result = null;
		@@ -10410,8 +10429,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		public @Nullable List<String> getPermittedInputMethodsAsUser(@UserIdInt int userId) {
		final CallerIdentity caller = getCallerIdentity();
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userId));
		Preconditions.checkCallAuthorization(canManageUsers(caller)
		\|\| hasCallingOrSelfPermission(permission.QUERY_ADMIN_POLICY));
		Preconditions.checkCallAuthorization(canManageUsers(caller) \|\| canQueryAdminPolicy(caller));
		final long callingIdentity = Binder.clearCallingIdentity();
		try {
		return getPermittedInputMethodsUnchecked(userId);