Introduce a new method in SupervisionManager to check if supervision is enabled for a specific user.

I also fixed a NPE caused by accessing DPM internal when null. Bug: 382038943 Test: atest SupervisionServiceTest Flag: android.app.supervision.flags.deprecate_dpm_supervision_apis Change-Id: I0a3df58851de0f06176d3b59f9be4d621a0d51b7
author: Vitor Carvalho <vtrmc@google.com> 2024-12-07 16:35:15 +0000
committer: Vitor Carvalho <vtrmc@google.com> 2024-12-11 16:12:57 +0000
commit: 0964308e7e4d044c7661d99d94e0f298678e25a5 (patch)
tree: 7e4e65c4ee8310ecc2b3c6493b486cfe463e9472
parent: bd203e0ea1afe7275913ed59f3567bbf7e036504 (diff)
2 files changed, 36 insertions, 5 deletions
diff --git a/core/java/android/app/supervision/SupervisionManager.java b/core/java/android/app/supervision/SupervisionManager.java
index aee1cd9b4760..a5b58f968c27 100644
--- a/core/java/android/app/supervision/SupervisionManager.java
+++ b/core/java/android/app/supervision/SupervisionManager.java
@@ -16,8 +16,10 @@
 
 package android.app.supervision;
 
+import android.annotation.RequiresPermission;
 import android.annotation.SystemService;
 import android.annotation.UserHandleAware;
+import android.annotation.UserIdInt;
 import android.compat.annotation.UnsupportedAppUsage;
 import android.content.Context;
 import android.os.RemoteException;
@@ -32,9 +34,7 @@ public class SupervisionManager {
     private final Context mContext;
     private final ISupervisionManager mService;
 
-    /**
-     * @hide
-     */
+    /** @hide */
     @UnsupportedAppUsage
     public SupervisionManager(Context context, ISupervisionManager service) {
         mContext = context;
@@ -48,8 +48,23 @@ public class SupervisionManager {
      */
     @UserHandleAware
     public boolean isSupervisionEnabled() {
+        return isSupervisionEnabledForUser(mContext.getUserId());
+    }
+
+    /**
+     * Returns whether the device is supervised.
+     *
+     * <p>The caller must be from the same user as the target or hold the {@link
+     * android.Manifest.permission#INTERACT_ACROSS_USERS} permission.
+     *
+     * @hide
+     */
+    @RequiresPermission(
+            value = android.Manifest.permission.INTERACT_ACROSS_USERS,
+            conditional = true)
+    public boolean isSupervisionEnabledForUser(@UserIdInt int userId) {
         try {
-            return mService.isSupervisionEnabledForUser(mContext.getUserId());
+            return mService.isSupervisionEnabledForUser(userId);
         } catch (RemoteException e) {
             throw e.rethrowFromSystemServer();
         }
diff --git a/services/supervision/java/com/android/server/supervision/SupervisionService.java b/services/supervision/java/com/android/server/supervision/SupervisionService.java
index 0ccaa6043f5f..073ee31ddd60 100644
--- a/services/supervision/java/com/android/server/supervision/SupervisionService.java
+++ b/services/supervision/java/com/android/server/supervision/SupervisionService.java
@@ -16,6 +16,11 @@
 
 package com.android.server.supervision;
 
+import static android.Manifest.permission.INTERACT_ACROSS_USERS;
+import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+
+import static com.android.internal.util.Preconditions.checkCallAuthorization;
+
 import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.annotation.UserIdInt;
@@ -31,6 +36,7 @@ import android.content.Intent;
 import android.content.IntentFilter;
 import android.content.pm.PackageManager;
 import android.content.pm.UserInfo;
+import android.os.Binder;
 import android.os.PersistableBundle;
 import android.os.RemoteException;
 import android.os.ResultReceiver;
@@ -78,6 +84,9 @@ public class SupervisionService extends ISupervisionManager.Stub {
 
     @Override
     public boolean isSupervisionEnabledForUser(@UserIdInt int userId) {
+        if (UserHandle.getUserId(Binder.getCallingUid()) != userId) {
+            enforcePermission(INTERACT_ACROSS_USERS);
+        }
         synchronized (getLockObject()) {
             return getUserDataLocked(userId).supervisionEnabled;
         }
@@ -151,7 +160,8 @@ public class SupervisionService extends ISupervisionManager.Stub {
 
     /** Returns whether the supervision app has profile owner status. */
     private boolean isProfileOwner(@UserIdInt int userId) {
-        ComponentName profileOwner = mDpmInternal.getProfileOwnerAsUser(userId);
+        ComponentName profileOwner =
+                mDpmInternal != null ? mDpmInternal.getProfileOwnerAsUser(userId) : null;
         return profileOwner != null && isSupervisionAppPackage(profileOwner.getPackageName());
     }
 
@@ -161,6 +171,12 @@ public class SupervisionService extends ISupervisionManager.Stub {
                 mContext.getResources().getString(R.string.config_systemSupervision));
     }
 
+    /** Enforces that the caller has the given permission. */
+    private void enforcePermission(String permission) {
+        checkCallAuthorization(
+                mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED);
+    }
+
     public static class Lifecycle extends SystemService {
         private final SupervisionService mSupervisionService;
author	Vitor Carvalho <vtrmc@google.com>	2024-12-07 16:35:15 +0000
committer	Vitor Carvalho <vtrmc@google.com>	2024-12-11 16:12:57 +0000
commit	0964308e7e4d044c7661d99d94e0f298678e25a5 (patch)
tree	7e4e65c4ee8310ecc2b3c6493b486cfe463e9472
parent	bd203e0ea1afe7275913ed59f3567bbf7e036504 (diff)