author Alex Johnston <acjohnston@google.com> 2021-02-10 18:51:06 +0000
committer Alex Johnston <acjohnston@google.com> 2021-02-16 15:51:34 +0000
commitc1e9454a9451af37dbc9e5bb0a1fe58bf10aa4e5 (patch)
treeb5f5afda72ed9ec4a4a4df9244a68a1ba751d815
parent66e3908e391f2da9304ed3048e25ace89c6d99cb (diff)
Allow PO to set network logging delegate
Changes * The profile owner on the managed profile can set the network logging delegate. * If delegated by a profile owner, network logs will only be collected on the work profile. Bug: 170460270 Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testNetworkLogging atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testNetworkLoggingDelegate atest com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testNetworkLogging atest com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testNetworkLoggingDelegate atest com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testDelegate atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testDelegate atest com.android.cts.devicepolicy.MixedProfileOwnerTest#testDelegate Change-Id: I95009ff67716ba259b5e0a8f61d8908cb1c6da4a Merged-In: I95009ff67716ba259b5e0a8f61d8908cb1c6da4a
-rw-r--r--core/java/android/app/admin/DevicePolicyManager.java6
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java16
2 files changed, 12 insertions, 10 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 37fb298d31b2..15ba39c76f07 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -1869,13 +1869,13 @@ public class DevicePolicyManager {
/**
* Grants access to {@link #setNetworkLoggingEnabled}, {@link #isNetworkLoggingEnabled} and
* {@link #retrieveNetworkLogs}. Once granted the delegated app will start receiving
- * DelegatedAdminReceiver.onNetworkLogsAvailable() callback, and Device owner will no longer
- * receive the DeviceAdminReceiver.onNetworkLogsAvailable() callback.
+ * DelegatedAdminReceiver.onNetworkLogsAvailable() callback, and Device owner or Profile Owner
+ * will no longer receive the DeviceAdminReceiver.onNetworkLogsAvailable() callback.
* There can be at most one app that has this delegation.
* If another app already had delegated network logging access,
* it will lose the delegation when a new app is delegated.
*
- * <p> Can only be granted by Device Owner.
+ * <p> Can only be granted by Device Owner or Profile Owner of a managed profile.
*/
public static final String DELEGATION_NETWORK_LOGGING = "delegation-network-logging";
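Review bot: The updated Javadoc says a Profile Owner of a managed profile can grant this delegation, but it does not tell the delegate which traffic the logs will cover. The commit description states that logs are collected only on the work profile in that case, so the API contract should say so, for example `<p> If granted by a Profile Owner of a managed profile, network logs are only collected for the work profile.` Without that sentence, a delegated app has no documented way to tell whether it holds device-wide or profile-scoped logs.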
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 498ee38d442a..9d1590f7b0fc 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -421,10 +421,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
DELEGATION_CERT_SELECTION,
};
- // Subset of delegations that can only be delegated by Device Owner.
- private static final List<String> DEVICE_OWNER_DELEGATIONS = Arrays.asList(new String[] {
- DELEGATION_NETWORK_LOGGING,
- });
+ // Subset of delegations that can only be delegated by Device Owner or Profile Owner of a
+ // managed profile.
+ private static final List<String> DEVICE_OWNER_OR_MANAGED_PROFILE_OWNER_DELEGATIONS =
+ Arrays.asList(new String[]{
+ DELEGATION_NETWORK_LOGGING,
+ });
// Subset of delegations that only one single package within a given user can hold
private static final List<String> EXCLUSIVE_DELEGATIONS = Arrays.asList(new String[] {
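Review bot: `DEVICE_OWNER_OR_MANAGED_PROFILE_OWNER_DELEGATIONS` decides which scopes get the stricter caller check, yet `Arrays.asList` returns a list whose elements can still be replaced through `set()`. Wrapping it as `Collections.unmodifiableList(Arrays.asList(...))` would make this policy table read-only. The neighbouring lists use the same pattern, so this may be better done for all of them together. As a style point, the new line writes `new String[]{` where the context line below uses `new String[] {`.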
@@ -5878,10 +5880,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
}
// Retrieve the user ID of the calling process.
final int userId = caller.getUserId();
- final boolean hasDoDelegation = !Collections.disjoint(scopes, DEVICE_OWNER_DELEGATIONS);
// Ensure calling process is device/profile owner.
- if (hasDoDelegation) {
- Preconditions.checkCallAuthorization(isDeviceOwner(caller));
+ if (!Collections.disjoint(scopes, DEVICE_OWNER_OR_MANAGED_PROFILE_OWNER_DELEGATIONS)) {
+ Preconditions.checkCallAuthorization(isDeviceOwner(caller)
+ || (isProfileOwner(caller) && isManagedProfile(caller.getUserId())));
} else {
Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller));
}
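Review bot: This hunk only widens who may grant the network-logging scope, and no hunk in this commit touches the code that enables or retrieves the logs. The description's claim that a profile-owner delegation collects logs only on the work profile therefore rests on code outside this diff, so it is worth confirming that a delegate granted by a profile owner cannot enable or read device-wide logs. The new condition also calls `caller.getUserId()` again although `userId` was assigned just above; `isManagedProfile(userId)` keeps the check on the same value the rest of the method uses. The comment `// Ensure calling process is device/profile owner.` could note that this scope additionally requires a managed profile. The enclosing method starts and ends outside the hunk.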