diff options
| -rw-r--r-- | core/java/android/app/admin/flags/flags.aconfig | 7 | ||||
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 36 |
2 files changed, 33 insertions, 10 deletions
diff --git a/core/java/android/app/admin/flags/flags.aconfig b/core/java/android/app/admin/flags/flags.aconfig index fd7569527493..08649bfd480f 100644 --- a/core/java/android/app/admin/flags/flags.aconfig +++ b/core/java/android/app/admin/flags/flags.aconfig @@ -68,6 +68,13 @@ flag { } flag { + name: "permission_migration_for_zero_trust_impl_enabled" + namespace: "enterprise" + description: "(Implementation) Migrate existing APIs to permission based, and enable DMRH to call them to collect Zero Trust signals." + bug: "289520697" +} + +flag { name: "device_theft_api_enabled" is_exported: true namespace: "enterprise" diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index bf67ce3b713e..a20e1c0bf6fc 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -16765,11 +16765,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { mContext.sendBroadcastAsUser(intent, UserHandle.of(userId)); } - final UserHandle user = UserHandle.of(userId); - final String roleHolderPackage = getRoleHolderPackageNameOnUser( - RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId); - if (roleHolderPackage != null) { - broadcastExplicitIntentToPackage(intent, roleHolderPackage, user); + if (Flags.permissionMigrationForZeroTrustImplEnabled()) { + final UserHandle user = UserHandle.of(userId); + final String roleHolderPackage = getRoleHolderPackageNameOnUser( + RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId); + if (roleHolderPackage != null) { + broadcastExplicitIntentToPackage(intent, roleHolderPackage, user); + } } } }); @@ -16777,10 +16779,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public SystemUpdateInfo getPendingSystemUpdate(ComponentName admin, String callerPackage) { - CallerIdentity caller = getCallerIdentity(admin, callerPackage); - enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE, - MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(), - caller.getUserId()); + if (Flags.permissionMigrationForZeroTrustImplEnabled()) { + CallerIdentity caller = getCallerIdentity(admin, callerPackage); + enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE, + MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(), + caller.getUserId()); + } else { + Objects.requireNonNull(admin, "ComponentName is null"); + + final CallerIdentity caller = getCallerIdentity(admin); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwner(caller)); + } return mOwners.getSystemUpdateInfo(); } @@ -21362,7 +21372,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final CallerIdentity caller = getCallerIdentity(callerPackage); - enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName()); + if (Flags.permissionMigrationForZeroTrustImplEnabled()) { + enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName()); + } else { + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwner(caller) + || isCallerDelegate(caller, DELEGATION_CERT_INSTALL)); + } synchronized (getLockObject()) { final ActiveAdmin requiredAdmin = getDeviceOrProfileOwnerAdminLocked( caller.getUserId()); |