| -rw-r--r-- | core/java/android/app/supervision/SupervisionManager.java | 23 | ||||
| -rw-r--r-- | services/supervision/java/com/android/server/supervision/SupervisionService.java | 18 |
2 files changed, 36 insertions, 5 deletions
diff --git a/core/java/android/app/supervision/SupervisionManager.java b/core/java/android/app/supervision/SupervisionManager.java index aee1cd9b4760..a5b58f968c27 100644 --- a/core/java/android/app/supervision/SupervisionManager.java +++ b/core/java/android/app/supervision/SupervisionManager.java @@ -16,8 +16,10 @@ package android.app.supervision; +import android.annotation.RequiresPermission; import android.annotation.SystemService; import android.annotation.UserHandleAware; +import android.annotation.UserIdInt; import android.compat.annotation.UnsupportedAppUsage; import android.content.Context; import android.os.RemoteException; @@ -32,9 +34,7 @@ public class SupervisionManager { private final Context mContext; private final ISupervisionManager mService; - /** - * @hide - */ + /** @hide */ @UnsupportedAppUsage public SupervisionManager(Context context, ISupervisionManager service) { mContext = context; @@ -48,8 +48,23 @@ public class SupervisionManager { */ @UserHandleAware public boolean isSupervisionEnabled() { + return isSupervisionEnabledForUser(mContext.getUserId()); + } + + /** + * Returns whether the device is supervised. + * + * <p>The caller must be from the same user as the target or hold the {@link + * android.Manifest.permission#INTERACT_ACROSS_USERS} permission. + * + * @hide + */ + @RequiresPermission( + value = android.Manifest.permission.INTERACT_ACROSS_USERS, + conditional = true) + public boolean isSupervisionEnabledForUser(@UserIdInt int userId) { try { - return mService.isSupervisionEnabledForUser(mContext.getUserId()); + return mService.isSupervisionEnabledForUser(userId); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } diff --git a/services/supervision/java/com/android/server/supervision/SupervisionService.java b/services/supervision/java/com/android/server/supervision/SupervisionService.java index 0ccaa6043f5f..073ee31ddd60 100644 --- a/services/supervision/java/com/android/server/supervision/SupervisionService.java 
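Review bot: The Javadoc on the new `isSupervisionEnabledForUser(@UserIdInt int userId)` says "Returns whether the device is supervised", but the method answers for a single user and has no `@param`; I would write `Returns whether supervision is enabled for the given user.` and add `@param userId the user to query`. Because `isSupervisionEnabled()` is `@UserHandleAware` and now forwards `mContext.getUserId()`, a Context created for another user reaches the same cross-user check in the service. Its Javadoc starts outside this hunk, but it should carry the same `INTERACT_ACROSS_USERS` sentence and a `@throws SecurityException` line. The conditional `@RequiresPermission` is only a lint hint; the actual enforcement is the service-side check in SupervisionService.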
+++ b/services/supervision/java/com/android/server/supervision/SupervisionService.java @@ -16,6 +16,11 @@ package com.android.server.supervision; +import static android.Manifest.permission.INTERACT_ACROSS_USERS; +import static android.content.pm.PackageManager.PERMISSION_GRANTED; + +import static com.android.internal.util.Preconditions.checkCallAuthorization; + import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.UserIdInt; @@ -31,6 +36,7 @@ import android.content.Intent; import android.content.IntentFilter; import android.content.pm.PackageManager; import android.content.pm.UserInfo; +import android.os.Binder; import android.os.PersistableBundle; import android.os.RemoteException; import android.os.ResultReceiver; @@ -78,6 +84,9 @@ public class SupervisionService extends ISupervisionManager.Stub { @Override public boolean isSupervisionEnabledForUser(@UserIdInt int userId) { + if (UserHandle.getUserId(Binder.getCallingUid()) != userId) { + enforcePermission(INTERACT_ACROSS_USERS); + } synchronized (getLockObject()) { return getUserDataLocked(userId).supervisionEnabled; } @@ -151,7 +160,8 @@ public class SupervisionService extends ISupervisionManager.Stub { /** Returns whether the supervision app has profile owner status. */ private boolean isProfileOwner(@UserIdInt int userId) { - ComponentName profileOwner = mDpmInternal.getProfileOwnerAsUser(userId); + ComponentName profileOwner = + mDpmInternal != null ? mDpmInternal.getProfileOwnerAsUser(userId) : null; return profileOwner != null && isSupervisionAppPackage(profileOwner.getPackageName()); } 
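Review bot: In `isSupervisionEnabledForUser`, the new guard compares the caller's user with `userId` but never validates `userId` itself. A caller holding `INTERACT_ACROSS_USERS` can therefore pass a pseudo id such as `UserHandle.USER_CURRENT` or `UserHandle.USER_ALL`, or the id of a user that does not exist, straight into `getUserDataLocked(userId)`. That helper is outside the hunk, so it cannot be seen here whether it rejects such ids or creates state for them; if it does not, reject them before taking the lock, e.g. `if (userId < 0) throw new IllegalArgumentException("Invalid userId: " + userId);`. The other Binder-exposed methods of this Stub that take a user id are also outside the hunk and are worth checking for the same cross-user guard.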
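Review bot: The null guard in `isProfileOwner` makes a missing `mDpmInternal` indistinguishable from "this user has no profile owner", and nothing in the hunk says when the field can be null. Add a comment above the assignment stating that condition and that the method deliberately returns false in that case, so a reader can judge whether callers that rely on the result for supervision decisions fail in the intended direction. If a null field is not expected on a real device, a log line at that point would make the situation visible instead of silent.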
@@ -161,6 +171,12 @@ public class SupervisionService extends ISupervisionManager.Stub { mContext.getResources().getString(R.string.config_systemSupervision)); } + /** Enforces that the caller has the given permission. */ + private void enforcePermission(String permission) { + checkCallAuthorization( + mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED); + } + public static class Lifecycle extends SystemService { private final SupervisionService mSupervisionService; |
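Review bot: `enforcePermission` throws through `checkCallAuthorization(boolean)`, so the resulting SecurityException does not name the permission that was missing, which makes denied cross-user calls harder to diagnose from logs. `mContext.enforceCallingOrSelfPermission(permission, null)` performs the same check and puts the permission name in the exception message. The Javadoc should also say that the method throws SecurityException, and that the `OrSelf` variant is evaluated against the current calling identity, so it has to run before any `Binder.clearCallingIdentity()` in the calling method.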