Change SystemUID check to QUERY_ADMIN_POLICY check

For getting SSID restriction, use the QUERY_ADMIN_POLICY permission check instead of SystemUID check for SystemUI and SUW Bug: 217268655 Test: atest DevicePolicyManagerTest Change-Id: Ib3a6fbd54bca96b930c7f2481eda03c10f149347
author: Stephanie Bak <dasol@google.com> 2022-02-01 01:02:54 +0000
committer: Stephanie Bak <dasol@google.com> 2022-02-01 01:16:37 +0000
commit: e1a640e2f26a455c0eb99172a3a4f08e77f81a54 (patch)
tree: 24bac8bd9ee3a1a419b698f26c8402824b29dfb3
parent: 6bcc18f7ed49ffd702c72d208abecaf3c25a3e46 (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 79d993268359..1249ed14aa51 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -18459,9 +18459,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
         final CallerIdentity caller = getCallerIdentity();
         Preconditions.checkCallAuthorization(
                 isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller)
-                        || isSystemUid(caller),
+                        || canQueryAdminPolicy(caller),
                 "SSID allowlist can only be retrieved by a device owner or "
-                        + "a profile owner on an organization-owned device or a system app.");
+                        + "a profile owner on an organization-owned device or "
+                        + "an app with the QUERY_ADMIN_POLICY permission.");
         synchronized (getLockObject()) {
             final ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(
                     UserHandle.USER_SYSTEM);
@@ -18497,9 +18498,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
         final CallerIdentity caller = getCallerIdentity();
         Preconditions.checkCallAuthorization(
                 isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller)
-                        || isSystemUid(caller),
+                        || canQueryAdminPolicy(caller),
                 "SSID denylist can only be retrieved by a device owner or "
-                        + "a profile owner on an organization-owned device or a system app.");
+                        + "a profile owner on an organization-owned device or "
+                        + "an app with the QUERY_ADMIN_POLICY permission.");
         synchronized (getLockObject()) {
             final ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(
                     UserHandle.USER_SYSTEM);
author	Stephanie Bak <dasol@google.com>	2022-02-01 01:02:54 +0000
committer	Stephanie Bak <dasol@google.com>	2022-02-01 01:16:37 +0000
commit	e1a640e2f26a455c0eb99172a3a4f08e77f81a54 (patch)
tree	24bac8bd9ee3a1a419b698f26c8402824b29dfb3
parent	6bcc18f7ed49ffd702c72d208abecaf3c25a3e46 (diff)