author Alex Johnston <acjohnston@google.com> 2023-04-20 10:18:21 +0000
committer Alex Johnston <acjohnston@google.com> 2023-04-28 13:16:58 +0000
commit07a7d871e68dafbc37e100d7080be451047dc29d (patch)
treeb72ffe81a5dd2bddbe5157848889d83dcb2a0220
parent0f74f7d7d23bd67485e1be0499ea94e7bf890d7b (diff)
Give the PO the MANAGE_DEVICE_POLICY_CERTIFICATES permission
Also, do not allow a BYOD PO to have device ID access even if it has the MANAGE_DEVICE_POLICY_CERTIFICATES permission. Bug: 272588294 Test: android.devicepolicy.cts.KeyManagementTest Change-Id: I2658ccbe112940f096986d2dcbd24ba5bd81637a
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java6
1 files changed, 4 insertions, 2 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 40024f1f0be3..af4030ad2e19 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -10737,7 +10737,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@VisibleForTesting
boolean hasDeviceIdAccessUnchecked(String packageName, int uid) {
final int userId = UserHandle.getUserId(uid);
- if (isPermissionCheckFlagEnabled()) {
+ // TODO(b/280048070): Introduce a permission to handle device ID access
+ if (isPermissionCheckFlagEnabled()
+ && !(isUidProfileOwnerLocked(uid) || isUidDeviceOwnerLocked(uid))) {
return hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, packageName, userId);
} else {
ComponentName deviceOwner = getDeviceOwnerComponent(true);
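Review bot: The security reason for excluding owners in the new `if` of hasDeviceIdAccessUnchecked is not recorded next to the check; the only comment is the TODO, so a later cleanup could drop the `!(isUidProfileOwnerLocked(uid) || isUidDeviceOwnerLocked(uid))` clause without noticing it is an access restriction. I would add a comment such as `// POs/DOs are granted MANAGE_DEVICE_POLICY_CERTIFICATES; keep them on the legacy owner check so a BYOD PO does not gain device ID access through it.` The two `...Locked` helpers presumably expect the service lock to be held, and no lock acquisition is visible in this hunk, so it is worth confirming that every caller holds it. The else branch continues outside the hunk, so the BYOD denial itself cannot be confirmed from the lines shown.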
@@ -22836,6 +22838,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
MANAGE_DEVICE_POLICY_LOCATION,
MANAGE_DEVICE_POLICY_LOCK,
MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS,
+ MANAGE_DEVICE_POLICY_CERTIFICATES,
MANAGE_DEVICE_POLICY_NEARBY_COMMUNICATION,
MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY,
MANAGE_DEVICE_POLICY_PACKAGE_STATE,
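Review bot: `MANAGE_DEVICE_POLICY_CERTIFICATES` is inserted between `MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS` and `MANAGE_DEVICE_POLICY_NEARBY_COMMUNICATION`, while the visible neighbours in this list are in alphabetical order, as was its old position in the list it is removed from. Since these arrays define which permissions each admin type is granted, keeping them sorted makes it easier to audit a grant and to spot a duplicate or misplaced entry; I would move the line to its alphabetical slot. The array initializer starts and ends outside the hunk, so which role's list this is can only be inferred from the commit title.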
@@ -22862,7 +22865,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
MANAGE_DEVICE_POLICY_ACROSS_USERS,
MANAGE_DEVICE_POLICY_AIRPLANE_MODE,
MANAGE_DEVICE_POLICY_APPS_CONTROL,
- MANAGE_DEVICE_POLICY_CERTIFICATES,
MANAGE_DEVICE_POLICY_COMMON_CRITERIA_MODE,
MANAGE_DEVICE_POLICY_DEFAULT_SMS,
MANAGE_DEVICE_POLICY_LOCALE,