| -rw-r--r-- | core/java/android/app/admin/DevicePolicyManager.java | 4 | ||||
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 19 |
2 files changed, 14 insertions, 9 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 4dc044208a9f..c93a88f9f312 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -6432,7 +6432,7 @@ public class DevicePolicyManager {
 * broadcast when access to a key is granted.
 *
 * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
- * {@code null} if calling from a delegated certificate installer.
+ * {@code null} if calling from a delegated certificate chooser.
 * @param alias The alias of the key to grant access to.
 * @param packageName The name of the (already installed) package to grant access to.
 * @return {@code true} if the grant was set successfully, {@code false} otherwise.
@@ -6498,7 +6498,7 @@ public class DevicePolicyManager {
 * broadcast when access to a key is revoked.
 *
 * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
- * {@code null} if calling from a delegated certificate installer.
+ * {@code null} if calling from a delegated certificate chooser.
 * @param alias The alias of the key to revoke access from.
 * @param packageName The name of the (already installed) package to revoke access from.
 * @return {@code true} if the grant was revoked successfully, {@code false} otherwise.
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 9a996795622c..e5323cdcc06f 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -5560,7 +5560,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { public boolean hasKeyPair(String callerPackage, String alias) { final CallerIdentity caller = getCallerIdentity(callerPackage); final boolean isCredentialManagementApp = isCredentialManagementApp(caller); - Preconditions.checkCallAuthorization(canManageCertificates(caller) + Preconditions.checkCallAuthorization(canInstallCertificates(caller) || isCredentialManagementApp); if (isCredentialManagementApp) { Preconditions.checkCallAuthorization( @@ -5582,17 +5582,22 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { }); } - private boolean canManageCertificates(CallerIdentity caller) { + private boolean canInstallCertificates(CallerIdentity caller) { return isProfileOwner(caller) || isDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_INSTALL); } + private boolean canChooseCertificates(CallerIdentity caller) { + return isProfileOwner(caller) || isDeviceOwner(caller) + || isCallerDelegate(caller, DELEGATION_CERT_SELECTION); + } + @Override public boolean setKeyGrantToWifiAuth(String callerPackage, String alias, boolean hasGrant) { Preconditions.checkStringNotEmpty(alias, "Alias to grant cannot be empty"); final CallerIdentity caller = getCallerIdentity(callerPackage); - Preconditions.checkCallAuthorization(canManageCertificates(caller)); + Preconditions.checkCallAuthorization(canChooseCertificates(caller)); return setKeyChainGrantInternal(alias, hasGrant, Process.WIFI_UID, caller.getUserHandle()); } 
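Review bot: `canInstallCertificates` and `canChooseCertificates` in the hunk at 5582 differ only in the delegation scope they accept, and neither has a comment saying which APIs it is meant to guard, so a later call site can pick the wrong helper and quietly widen what a delegate may do. I would add a one-line Javadoc to each, for example `/** True for the profile/device owner or a DELEGATION_CERT_INSTALL delegate; does not cover the key-grant APIs. */` and `/** True for the profile/device owner or a DELEGATION_CERT_SELECTION delegate; guards granting, revoking and listing key-pair grants. */`. The diffstat lists only these two files, so no test appears to accompany the authorization change; a case asserting that a caller holding only DELEGATION_CERT_INSTALL is now rejected by `setKeyGrantToWifiAuth` (and by the checks changed in the hunks at 5602, 5632 and 5673) would pin the new boundary.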
@@ -5602,7 +5607,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { Preconditions.checkStringNotEmpty(alias, "Alias to check cannot be empty"); final CallerIdentity caller = getCallerIdentity(callerPackage); - Preconditions.checkCallAuthorization(canManageCertificates(caller)); + Preconditions.checkCallAuthorization(canChooseCertificates(caller)); return mInjector.binderWithCleanCallingIdentity(() -> { try (KeyChainConnection keyChainConnection = @@ -5632,7 +5637,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final CallerIdentity caller = getCallerIdentity(who, callerPackage); Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDeviceOwner(caller))) - || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_CERT_INSTALL))); + || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_CERT_SELECTION))); final int granteeUid; try { @@ -5673,7 +5678,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @Override public ParcelableGranteeMap getKeyPairGrants(String callerPackage, String alias) { final CallerIdentity caller = getCallerIdentity(callerPackage); - Preconditions.checkCallAuthorization(canManageCertificates(caller)); + Preconditions.checkCallAuthorization(canChooseCertificates(caller)); final ArrayMap<Integer, Set<String>> result = new ArrayMap<>(); mInjector.binderWithCleanCallingIdentity(() -> { 
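Review bot: The check in the hunk at 5632 spells out the owner-or-delegate rule inline instead of going through `canChooseCertificates(caller)`, so the DELEGATION_CERT_SELECTION scope for key grants is now stated in two places. It is also stricter than the helper (owners must satisfy `caller.hasAdminComponent()`, delegates `caller.hasPackage()`), which looks deliberate because this method builds its identity from `who` as well, but nothing on the page says so. A comment above the check such as `// Same scope as canChooseCertificates(); additionally requires an admin component for owners and a package name for delegates.` would keep the two from drifting apart. The enclosing method starts and ends outside the hunk.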
@@ -5733,7 +5738,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
 */
 if (hasProfileOwner(caller.getUserId())) {
 // Make sure that the caller is the profile owner or delegate.
- Preconditions.checkCallAuthorization(canManageCertificates(caller));
+ Preconditions.checkCallAuthorization(canInstallCertificates(caller));
 // Verify that the managed profile is on an organization-owned device and as such
 // the profile owner can access Device IDs.
 if (isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())) { |
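Review bot: The context comment `// Make sure that the caller is the profile owner or delegate.` no longer says which delegate is meant, now that the commit distinguishes two certificate delegation scopes and this call site was moved to `canInstallCertificates`. Since the following lines decide whether the caller can access Device IDs, the scope is worth naming: `// Make sure that the caller is the profile owner or a DELEGATION_CERT_INSTALL delegate.` The enclosing method starts and ends outside the hunk, so whether a DELEGATION_CERT_SELECTION delegate is handled elsewhere in it cannot be confirmed from here.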