| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 976 |
1 files changed, 231 insertions, 745 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index aca6f7235714..6cdab3f51f85 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -255,7 +255,6 @@ import static android.net.ConnectivityManager.PROFILE_NETWORK_PREFERENCE_ENTERPR import static android.net.ConnectivityManager.PROFILE_NETWORK_PREFERENCE_ENTERPRISE_BLOCKING; import static android.net.ConnectivityManager.PROFILE_NETWORK_PREFERENCE_ENTERPRISE_NO_FALLBACK; import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK; -import static android.provider.DeviceConfig.NAMESPACE_DEVICE_POLICY_MANAGER; import static android.provider.Settings.Global.PRIVATE_DNS_SPECIFIER; import static android.provider.Settings.Secure.MANAGED_PROVISIONING_DPC_DOWNLOADED; import static android.provider.Settings.Secure.USER_SETUP_COMPLETE; @@ -462,7 +461,6 @@ import android.permission.PermissionControllerManager; import android.provider.CalendarContract; import android.provider.ContactsContract.QuickContact; import android.provider.ContactsInternal; -import android.provider.DeviceConfig; import android.provider.Settings; import android.provider.Settings.Global; import android.provider.Telephony; @@ -908,10 +906,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + "management app's authentication policy"; private static final String NOT_SYSTEM_CALLER_MSG = "Only the system can %s"; - private static final String PERMISSION_BASED_ACCESS_EXPERIMENT_FLAG = - "enable_permission_based_access"; - private static final boolean DEFAULT_VALUE_PERMISSION_BASED_ACCESS_FLAG = false; - private static final int RETRY_COPY_ACCOUNT_ATTEMPTS = 3; /** 
@@ -4646,22 +4640,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @GuardedBy("getLockObject()") private List<ActiveAdmin> getActiveAdminsForLockscreenPoliciesLocked(int userHandle) { if (isSeparateProfileChallengeEnabled(userHandle)) { - - if (isPermissionCheckFlagEnabled()) { - return getActiveAdminsForAffectedUserInclPermissionBasedAdminLocked(userHandle); - } // If this user has a separate challenge, only return its restrictions. return getUserDataUnchecked(userHandle).mAdminList; } // If isSeparateProfileChallengeEnabled is false and userHandle points to a managed profile // we need to query the parent user who owns the credential. - if (isPermissionCheckFlagEnabled()) { - return getActiveAdminsForUserAndItsManagedProfilesInclPermissionBasedAdminLocked(getProfileParentId(userHandle), - (user) -> !mLockPatternUtils.isSeparateProfileChallengeEnabled(user.id)); - } else { - return getActiveAdminsForUserAndItsManagedProfilesLocked(getProfileParentId(userHandle), - (user) -> !mLockPatternUtils.isSeparateProfileChallengeEnabled(user.id)); - } + return getActiveAdminsForUserAndItsManagedProfilesLocked(getProfileParentId(userHandle), + (user) -> !mLockPatternUtils.isSeparateProfileChallengeEnabled(user.id)); } 
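Review bot: The separate-challenge branch returns the live `getUserDataUnchecked(userHandle).mAdminList` while the fall-through branch returns whatever `getActiveAdminsForUserAndItsManagedProfilesLocked` builds, so callers get a mutable internal list on one path and, if that helper allocates the way the deleted `...InclPermissionBasedAdminLocked` variant did, a fresh list on the other. A caller that adds to or removes from the result would corrupt admin state only in the first case, which is hard to spot from the call site. Either return `new ArrayList<>(getUserDataUnchecked(userHandle).mAdminList)` or add a Javadoc line on the method stating that the returned list must be treated as read-only.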
@@ -4684,33 +4669,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { (user) -> mLockPatternUtils.isProfileWithUnifiedChallenge(user.id)); } - /** - * Get the list of active admins for an affected user: - * <ul> - * <li>The active admins associated with the userHandle itself</li> - * <li>The parent active admins for each managed profile associated with the userHandle</li> - * <li>The permission based admin associated with the userHandle itself</li> - * </ul> - * - * @param userHandle the affected user for whom to get the active admins - * @return the list of active admins for the affected user - */ - @GuardedBy("getLockObject()") - private List<ActiveAdmin> getActiveAdminsForAffectedUserInclPermissionBasedAdminLocked( - int userHandle) { - List<ActiveAdmin> list; - - if (isManagedProfile(userHandle)) { - list = getUserDataUnchecked(userHandle).mAdminList; - } - list = getActiveAdminsForUserAndItsManagedProfilesInclPermissionBasedAdminLocked(userHandle, - /* shouldIncludeProfileAdmins */ (user) -> false); - - if (getUserData(userHandle).mPermissionBasedAdmin != null) { - list.add(getUserData(userHandle).mPermissionBasedAdmin); - } - return list; - } /** * Returns the list of admins on the given user, as well as parent admins for each managed 
@@ -4763,44 +4721,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return mDevicePolicyEngine.getResolvedPolicyAcrossUsers(policyDefinition, users); } - /** - * Returns the list of admins on the given user, as well as parent admins for each managed - * profile associated with the given user. Optionally also include the admin of each managed - * profile. - * <p> Should not be called on a profile user. - */ - @GuardedBy("getLockObject()") - private List<ActiveAdmin> getActiveAdminsForUserAndItsManagedProfilesInclPermissionBasedAdminLocked(int userHandle, - Predicate<UserInfo> shouldIncludeProfileAdmins) { - ArrayList<ActiveAdmin> admins = new ArrayList<>(); - mInjector.binderWithCleanCallingIdentity(() -> { - for (UserInfo userInfo : mUserManager.getProfiles(userHandle)) { - DevicePolicyData policy = getUserDataUnchecked(userInfo.id); - if (userInfo.id == userHandle) { - admins.addAll(policy.mAdminList); - if (policy.mPermissionBasedAdmin != null) { - admins.add(policy.mPermissionBasedAdmin); - } - } else if (userInfo.isManagedProfile()) { - for (int i = 0; i < policy.mAdminList.size(); i++) { - ActiveAdmin admin = policy.mAdminList.get(i); - if (admin.hasParentActiveAdmin()) { - admins.add(admin.getParentActiveAdmin()); - } - if (shouldIncludeProfileAdmins.test(userInfo)) { - admins.add(admin); - } - } - if (policy.mPermissionBasedAdmin != null - && shouldIncludeProfileAdmins.test(userInfo)) { - admins.add(policy.mPermissionBasedAdmin); - } - } - } - }); - return admins; - } - private boolean isSeparateProfileChallengeEnabled(int userHandle) { return mInjector.binderWithCleanCallingIdentity(() -> mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)); 
@@ -4893,25 +4813,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return; } - if (!isPermissionCheckFlagEnabled()) { - Objects.requireNonNull(who, "ComponentName is null"); - } + Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkArgumentNonnegative(timeout, "Timeout must be >= 0 ms"); int userHandle = mInjector.userHandleGetCallingUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; synchronized (getLockObject()) { ActiveAdmin ap; - if (isPermissionCheckFlagEnabled()) { - CallerIdentity caller = getCallerIdentity(who, callerPackageName); - ap = enforcePermissionAndGetEnforcingAdmin( - who, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, - caller.getPackageName(), affectedUserId) - .getActiveAdmin(); - } else { - ap = getActiveAdminForCallerLocked( - who, DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD, parent); - } + ap = getActiveAdminForCallerLocked( + who, DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD, parent); // Calling this API automatically bumps the expiration date final long expiration = timeout > 0L ? (timeout + System.currentTimeMillis()) : 0L; ap.passwordExpirationDate = expiration; 
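Review bot: `callerPackageName` is no longer read anywhere in this method: its only use was the `getCallerIdentity(who, callerPackageName)` call the commit removes, so the parameter (declared in the signature above the hunk) is now dead while still part of the Binder interface. The same is true of `addCrossProfileWidgetProvider`, `removeCrossProfileWidgetProvider`, `getCrossProfileWidgetProviders`, `setDefaultSmsApplication`, `addCrossProfileIntentFilter` and the other lock-screen setters in this change whose signatures are outside their hunks. Since the AIDL signature has to stay, make the intent explicit at the first statement of each, e.g. `// callerPackageName is unused: the caller is identified by its admin component.` so a reader does not assume a missing authorization step.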
@@ -4972,28 +4882,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public boolean addCrossProfileWidgetProvider(ComponentName admin, String callerPackageName, String packageName) { - CallerIdentity caller; + CallerIdentity caller = getCallerIdentity(admin); - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(admin, callerPackageName); - } else { - caller = getCallerIdentity(admin); - } - ActiveAdmin activeAdmin; + Objects.requireNonNull(admin, "ComponentName is null"); + Preconditions.checkCallAuthorization(isProfileOwner(caller)); - if (isPermissionCheckFlagEnabled()) { - EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( - admin, - MANAGE_DEVICE_POLICY_PROFILE_INTERACTION, - caller.getPackageName(), - caller.getUserId()); - activeAdmin = enforcingAdmin.getActiveAdmin(); - } else { - Objects.requireNonNull(admin, "ComponentName is null"); - Preconditions.checkCallAuthorization(isProfileOwner(caller)); - synchronized (getLockObject()) { - activeAdmin = getProfileOwnerLocked(caller.getUserId()); - } + ActiveAdmin activeAdmin; + synchronized (getLockObject()) { + activeAdmin = getProfileOwnerLocked(caller.getUserId()); } List<String> changedProviders = null; 
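Review bot: `CallerIdentity caller = getCallerIdentity(admin);` now runs before `Objects.requireNonNull(admin, "ComponentName is null");`, so if getCallerIdentity dereferences the component the descriptive message on the following line is never reached and the caller sees whatever getCallerIdentity throws. Make the null check the first statement: `Objects.requireNonNull(admin, "ComponentName is null");` followed by `CallerIdentity caller = getCallerIdentity(admin);`. The same ordering appears in `removeCrossProfileWidgetProvider`, `getCrossProfileWidgetProviders`, the strong-auth timeout setter, `setDefaultSmsApplication` and `addCrossProfileIntentFilter` in this change.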
@@ -5026,28 +4922,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public boolean removeCrossProfileWidgetProvider(ComponentName admin, String callerPackageName, String packageName) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(admin, callerPackageName); - } else { - caller = getCallerIdentity(admin); - } + CallerIdentity caller = getCallerIdentity(admin); - ActiveAdmin activeAdmin; + Objects.requireNonNull(admin, "ComponentName is null"); + Preconditions.checkCallAuthorization(isProfileOwner(caller)); - if (isPermissionCheckFlagEnabled()) { - EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( - admin, - MANAGE_DEVICE_POLICY_PROFILE_INTERACTION, - caller.getPackageName(), - caller.getUserId()); - activeAdmin = enforcingAdmin.getActiveAdmin(); - } else { - Objects.requireNonNull(admin, "ComponentName is null"); - Preconditions.checkCallAuthorization(isProfileOwner(caller)); - synchronized (getLockObject()) { - activeAdmin = getProfileOwnerLocked(caller.getUserId()); - } + ActiveAdmin activeAdmin; + synchronized (getLockObject()) { + activeAdmin = getProfileOwnerLocked(caller.getUserId()); } List<String> changedProviders = null; 
@@ -5080,27 +4962,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public List<String> getCrossProfileWidgetProviders(ComponentName admin, String callerPackageName) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(admin, callerPackageName); - } else { - caller = getCallerIdentity(admin); - } - ActiveAdmin activeAdmin; + CallerIdentity caller = getCallerIdentity(admin); - if (isPermissionCheckFlagEnabled()) { - EnforcingAdmin enforcingAdmin = enforceCanQueryAndGetEnforcingAdmin( - admin, - MANAGE_DEVICE_POLICY_PROFILE_INTERACTION, - caller.getPackageName(), - caller.getUserId()); - activeAdmin = enforcingAdmin.getActiveAdmin(); - } else { - Objects.requireNonNull(admin, "ComponentName is null"); - Preconditions.checkCallAuthorization(isProfileOwner(caller)); - synchronized (getLockObject()) { - activeAdmin = getProfileOwnerLocked(caller.getUserId()); - } + Objects.requireNonNull(admin, "ComponentName is null"); + Preconditions.checkCallAuthorization(isProfileOwner(caller)); + + ActiveAdmin activeAdmin; + synchronized (getLockObject()) { + activeAdmin = getProfileOwnerLocked(caller.getUserId()); } synchronized (getLockObject()) { 
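Review bot: The new `synchronized (getLockObject())` block that fetches `activeAdmin` is immediately followed by a second `synchronized (getLockObject())` block (the last context line of the hunk), so the lock is released and re-acquired between looking up the profile owner and reading its state. Fold the lookup into the existing block by moving `ActiveAdmin activeAdmin = getProfileOwnerLocked(caller.getUserId());` to its first line and deleting the separate block. The remainder of the method is outside the hunk, so I cannot tell whether the second block reads `activeAdmin`; if it does, the single-block form also removes the window in which the owner could change between the two reads.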
@@ -5449,24 +5318,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { enforceUserUnlocked(userHandle, parent); synchronized (getLockObject()) { - if (isPermissionCheckFlagEnabled()) { - int affectedUser = parent ? getProfileParentId(userHandle) : userHandle; - enforcePermission(MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, - callerPackageName, affectedUser); - } else { - // This API can only be called by an active device admin, - // so try to retrieve it to check that the caller is one. - getActiveAdminForCallerLocked( - null, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent); - } + // This API can only be called by an active device admin, + // so try to retrieve it to check that the caller is one. + getActiveAdminForCallerLocked( + null, DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, parent); int credentialOwner = getCredentialOwner(userHandle, parent); DevicePolicyData policy = getUserDataUnchecked(credentialOwner); PasswordMetrics metrics = mLockSettingsInternal.getUserPasswordMetrics(credentialOwner); final int userToCheck = getProfileParentUserIfRequested(userHandle, parent); - boolean activePasswordSufficientForUserLocked = isActivePasswordSufficientForUserLocked( + return isActivePasswordSufficientForUserLocked( policy.mPasswordValidAtLastCheckpoint, metrics, userToCheck); - return activePasswordSufficientForUserLocked; } } 
@@ -5622,21 +5484,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { isDefaultDeviceOwner(caller) || isProfileOwner(caller) || isSystemUid(caller), "Only profile owner, device owner and system may call this method on parent."); } else { - if (isPermissionCheckFlagEnabled()) { - Preconditions.checkCallAuthorization( - hasCallingOrSelfPermission(REQUEST_PASSWORD_COMPLEXITY) - || hasCallingOrSelfPermission(MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS) - || isDefaultDeviceOwner(caller) || isProfileOwner(caller), - "Must have " + REQUEST_PASSWORD_COMPLEXITY + " or " + - MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS - + " permissions, or be a profile owner or device owner."); - } else { - Preconditions.checkCallAuthorization( - hasCallingOrSelfPermission(REQUEST_PASSWORD_COMPLEXITY) - || isDefaultDeviceOwner(caller) || isProfileOwner(caller), - "Must have " + REQUEST_PASSWORD_COMPLEXITY - + " permission, or be a profile owner or device owner."); - } + Preconditions.checkCallAuthorization( + hasCallingOrSelfPermission(REQUEST_PASSWORD_COMPLEXITY) + || isDefaultDeviceOwner(caller) || isProfileOwner(caller), + "Must have " + REQUEST_PASSWORD_COMPLEXITY + + " permission, or be a profile owner or device owner."); } synchronized (getLockObject()) { 
@@ -5728,26 +5580,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { private void setRequiredPasswordComplexityPreCoexistence( String callerPackageName, int passwordComplexity, boolean calledOnParent) { CallerIdentity caller = getCallerIdentity(callerPackageName); - if (!isPermissionCheckFlagEnabled()) { - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwner(caller)); - Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller)); - } + + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwner(caller)); + Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller)); synchronized (getLockObject()) { ActiveAdmin admin; - if (isPermissionCheckFlagEnabled()) { - // TODO: Make sure this returns the parent of the fake admin - // TODO: Deal with null componentname - int affectedUser = calledOnParent - ? getProfileParentId(caller.getUserId()) : caller.getUserId(); - admin = enforcePermissionAndGetEnforcingAdmin( - null, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, - caller.getPackageName(), affectedUser).getActiveAdmin(); - } else { - admin = getParentOfAdminIfRequired( - getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()), calledOnParent); - } + admin = getParentOfAdminIfRequired( + getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()), calledOnParent); if (admin.mPasswordComplexity != passwordComplexity) { // We require the caller to explicitly clear any password quality requirements set 
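Review bot: `Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller));` turns a device owner calling on the parent profile into an IllegalArgumentException, while the preceding line and the parent branch of the complexity getter earlier in this change ("Only profile owner, device owner and system may call this method on parent.") report the equivalent condition through `checkCallAuthorization`. If the documented contract does not pin IllegalArgumentException, `Preconditions.checkCallAuthorization(!calledOnParent || isProfileOwner(caller), "Only a profile owner may call this method on parent");` keeps the failure type consistent. A short Javadoc stating that the caller must be the device owner or profile owner of the calling user and that `calledOnParent` is only valid for a profile owner would also help, since the method has none.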
@@ -5907,14 +5748,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!isSystemUid(caller)) { // This API can be called by an active device admin or by keyguard code. if (!hasCallingPermission(permission.ACCESS_KEYGUARD_SECURE_STORAGE)) { - if (isPermissionCheckFlagEnabled()) { - int affectedUser = parent ? getProfileParentId(userHandle) : userHandle; - enforcePermission(MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, - callerPackageName, affectedUser); - } else { - getActiveAdminForCallerLocked( - null, DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, parent); - } + getActiveAdminForCallerLocked( + null, DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, parent); } } 
@@ -5931,31 +5766,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; } - if (!isPermissionCheckFlagEnabled()) { - Objects.requireNonNull(who, "ComponentName is null"); - } - + Objects.requireNonNull(who, "ComponentName is null"); int userId = mInjector.userHandleGetCallingUserId(); int affectedUserId = parent ? getProfileParentId(userId) : userId; synchronized (getLockObject()) { - ActiveAdmin ap; - if (isPermissionCheckFlagEnabled()) { - CallerIdentity caller = getCallerIdentity(who, callerPackageName); - ap = enforcePermissionAndGetEnforcingAdmin( - who, - /*permission=*/ MANAGE_DEVICE_POLICY_WIPE_DATA, - /* adminPolicy=*/ DeviceAdminInfo.USES_POLICY_WIPE_DATA, - caller.getPackageName(), affectedUserId).getActiveAdmin(); - } else { - // This API can only be called by an active device admin, - // so try to retrieve it to check that the caller is one. - getActiveAdminForCallerLocked( - who, DeviceAdminInfo.USES_POLICY_WIPE_DATA, parent); - ap = getActiveAdminForCallerLocked( - who, DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, parent); - } + // This API can only be called by an active device admin, + // so try to retrieve it to check that the caller is one. + getActiveAdminForCallerLocked( + who, DeviceAdminInfo.USES_POLICY_WIPE_DATA, parent); + ActiveAdmin ap = getActiveAdminForCallerLocked( + who, DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, parent); if (ap.maximumFailedPasswordsForWipe != num) { ap.maximumFailedPasswordsForWipe = num; 
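Review bot: `getActiveAdminForCallerLocked` is called twice in succession, first for `USES_POLICY_WIPE_DATA` with the result discarded and then for `USES_POLICY_WATCH_LOGIN` to obtain `ap`, but the comment above only explains the first call. Document why both are required, along the lines of `// The caller must hold both policies; the failed-attempt count is stored on the WATCH_LOGIN admin.` — I am inferring the second half from `ap.maximumFailedPasswordsForWipe` being written on the WATCH_LOGIN result, so confirm it before committing the wording. The method's signature and the rest of its body lie outside the hunk.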
@@ -6210,25 +6032,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { return; } - if (!isPermissionCheckFlagEnabled()) { - Objects.requireNonNull(who, "ComponentName is null"); - } + + Objects.requireNonNull(who, "ComponentName is null"); + int userHandle = mInjector.userHandleGetCallingUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; synchronized (getLockObject()) { - ActiveAdmin ap; - if (isPermissionCheckFlagEnabled()) { - CallerIdentity caller = getCallerIdentity(who, callerPackageName); - ap = enforcePermissionAndGetEnforcingAdmin( - who, - /*permission=*/ MANAGE_DEVICE_POLICY_LOCK, - /*AdminPolicy=*/DeviceAdminInfo.USES_POLICY_FORCE_LOCK, - caller.getPackageName(), - affectedUserId).getActiveAdmin(); - } else { - ap = getActiveAdminForCallerLocked( - who, DeviceAdminInfo.USES_POLICY_FORCE_LOCK, parent); - } + ActiveAdmin ap = getActiveAdminForCallerLocked( + who, DeviceAdminInfo.USES_POLICY_FORCE_LOCK, parent); if (ap.maximumTimeToUnlock != timeMs) { ap.maximumTimeToUnlock = timeMs; 
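Review bot: `affectedUserId` (context line `int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;`) was consumed only by the removed `enforcePermissionAndGetEnforcingAdmin` call, so unless it is read further down the method, which continues outside the hunk, it is now a dead local that still pays for a `getProfileParentId` lookup. The same pattern appears in the password-expiration and failed-password-wipe setters earlier in this change. If it is unused, drop the declaration; if it is used below, a note here is unnecessary.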
@@ -6334,16 +6145,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return; } + Preconditions.checkArgument(timeoutMs >= 0, "Timeout must not be a negative number."); - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - } else { - caller = getCallerIdentity(who); - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwner(caller)); - } + CallerIdentity caller = getCallerIdentity(who); + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwner(caller)); + // timeoutMs with value 0 means that the admin doesn't participate // timeoutMs is clamped to the interval in case the internal constants change in the future final long minimumStrongAuthTimeout = getMinimumStrongAuthTimeoutMs(); @@ -6357,17 +6165,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final int userHandle = caller.getUserId(); boolean changed = false; synchronized (getLockObject()) { - ActiveAdmin ap; - if (isPermissionCheckFlagEnabled()) { - int affectedUser = parent - ? getProfileParentId(caller.getUserId()) : caller.getUserId(); - ap = enforcePermissionAndGetEnforcingAdmin( - who, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, - caller.getPackageName(), affectedUser).getActiveAdmin(); - } else { - ap = getParentOfAdminIfRequired( - getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()), parent); - } + ActiveAdmin ap = getParentOfAdminIfRequired( + getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()), parent); if (ap.strongAuthUnlockTimeout != timeoutMs) { ap.strongAuthUnlockTimeout = timeoutMs; saveSettingsLocked(userHandle); 
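Review bot: The new path has no guard against a device owner calling with `parent == true`: in the second hunk `getParentOfAdminIfRequired(getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()), parent)` is reached after only `isDefaultDeviceOwner(caller) || isProfileOwner(caller)`, whereas `setRequiredPasswordComplexityPreCoexistence` in this same change adds `Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller));`. If `getParentOfAdminIfRequired` does not itself reject that combination, add `Preconditions.checkArgument(!parent || isProfileOwner(caller));` right after the authorization check in the first hunk. The method's signature is outside the hunk, so I am assuming the parameter is named `parent` as the second hunk suggests.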
@@ -6664,16 +6463,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final CallerIdentity caller = getCallerIdentity(who, callerPackage); final boolean isCallerDelegate = isCallerDelegate(caller, DELEGATION_CERT_INSTALL); final boolean isCredentialManagementApp = isCredentialManagementApp(caller); - if (isPermissionCheckFlagEnabled()) { - Preconditions.checkCallAuthorization( - hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, - caller.getPackageName(), caller.getUserId()) - || isCredentialManagementApp); - } else { - Preconditions.checkCallAuthorization((caller.hasAdminComponent() - && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) - || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); - } + Preconditions.checkCallAuthorization((caller.hasAdminComponent() + && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) + || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); if (isCredentialManagementApp) { Preconditions.checkCallAuthorization(!isUserSelectable, "The credential " + "management app is not allowed to install a user selectable key pair"); 
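Review bot: The authorization expression `(caller.hasAdminComponent() && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))` is now written out verbatim in four places in this change (here and in the three later key-pair hunks), with formatting differences between the copies. Extract it once, e.g. `private boolean canManageKeyPairs(CallerIdentity caller, boolean isCallerDelegate, boolean isCredentialManagementApp)`, and call `Preconditions.checkCallAuthorization(canManageKeyPairs(caller, isCallerDelegate, isCredentialManagementApp));` at each site. As the gate for key-pair installation and use, a single copy keeps future changes to the rule auditable in one place.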
@@ -6733,16 +6525,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final CallerIdentity caller = getCallerIdentity(who, callerPackage); final boolean isCallerDelegate = isCallerDelegate(caller, DELEGATION_CERT_INSTALL); final boolean isCredentialManagementApp = isCredentialManagementApp(caller); - if (isPermissionCheckFlagEnabled()) { - Preconditions.checkCallAuthorization( - hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, - caller.getPackageName(), caller.getUserId()) - || isCredentialManagementApp); - } else { - Preconditions.checkCallAuthorization((caller.hasAdminComponent() - && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) - || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); - } + Preconditions.checkCallAuthorization((caller.hasAdminComponent() + && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) + || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); if (isCredentialManagementApp) { Preconditions.checkCallAuthorization( isAliasInCredentialManagementAppPolicy(caller, alias), @@ -6802,13 +6587,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private boolean canInstallCertificates(CallerIdentity caller) { - if (isPermissionCheckFlagEnabled()) { - return hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, - caller.getPackageName(), caller.getUserId()); - } else { - return isProfileOwner(caller) || isDefaultDeviceOwner(caller) - || isCallerDelegate(caller, DELEGATION_CERT_INSTALL); - } + return isProfileOwner(caller) || isDefaultDeviceOwner(caller) + || isCallerDelegate(caller, DELEGATION_CERT_INSTALL); } private boolean canChooseCertificates(CallerIdentity caller) { 
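Review bot: `canInstallCertificates` now grants access on `isProfileOwner(caller) || isDefaultDeviceOwner(caller) || isCallerDelegate(caller, DELEGATION_CERT_INSTALL)` without the `caller.hasAdminComponent()` / `caller.hasPackage()` gating that the inline checks in the key-pair methods apply to the same roles. If the difference is intentional (for instance because callers of this helper always arrive with a resolved component), a one-line comment such as `// No hasAdminComponent()/hasPackage() split here: callers resolve the identity before this check.` would stop the next reader from "fixing" it; if it is not intentional, the helper should mirror the inline form. `canChooseCertificates` below it is outside the hunk, so I cannot tell whether it follows the same shape.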
@@ -7001,16 +6781,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { caller.getPackageName(), caller.getUid())); enforceIndividualAttestationSupportedIfRequested(attestationUtilsFlags); } else { - if (isPermissionCheckFlagEnabled()) { - Preconditions.checkCallAuthorization( - hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, - caller.getPackageName(), caller.getUserId()) - || isCredentialManagementApp); - } else { - Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner( - caller) || isDefaultDeviceOwner(caller))) || (caller.hasPackage() && ( - isCallerDelegate || isCredentialManagementApp))); - } + Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner( + caller) || isDefaultDeviceOwner(caller))) || (caller.hasPackage() && ( + isCallerDelegate || isCredentialManagementApp))); if (isCredentialManagementApp) { Preconditions.checkCallAuthorization( isAliasInCredentialManagementAppPolicy(caller, alias), 
@@ -7143,16 +6916,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final CallerIdentity caller = getCallerIdentity(who, callerPackage); final boolean isCallerDelegate = isCallerDelegate(caller, DELEGATION_CERT_INSTALL); final boolean isCredentialManagementApp = isCredentialManagementApp(caller); - if (isPermissionCheckFlagEnabled()) { - Preconditions.checkCallAuthorization( - hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, - caller.getPackageName(), caller.getUserId()) - || isCredentialManagementApp); - } else { - Preconditions.checkCallAuthorization((caller.hasAdminComponent() - && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) - || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); - } + Preconditions.checkCallAuthorization((caller.hasAdminComponent() + && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) + || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); if (isCredentialManagementApp) { Preconditions.checkCallAuthorization( isAliasInCredentialManagementAppPolicy(caller, alias), 
@@ -8285,29 +8051,21 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { return; } - if (!isPermissionCheckFlagEnabled()) { - Preconditions.checkNotNull(who, "ComponentName is null"); - } + + Preconditions.checkNotNull(who, "ComponentName is null"); + CallerIdentity caller = getCallerIdentity(who, callerPackageName); - if (!isPermissionCheckFlagEnabled()) { - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); + checkCanExecuteOrThrowUnsafe(DevicePolicyManager .OPERATION_SET_FACTORY_RESET_PROTECTION_POLICY); final int frpManagementAgentUid = getFrpManagementAgentUidOrThrow(); synchronized (getLockObject()) { ActiveAdmin admin; - if (isPermissionCheckFlagEnabled()) { - admin = enforcePermissionAndGetEnforcingAdmin( - who, MANAGE_DEVICE_POLICY_FACTORY_RESET, caller.getPackageName(), - UserHandle.USER_ALL) - .getActiveAdmin(); - } else { - admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); - } + admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); admin.mFactoryResetProtectionPolicy = policy; saveSettingsLocked(caller.getUserId()); } @@ -8347,7 +8105,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || hasCallingPermission(permission.MASTER_CLEAR) || hasCallingPermission(MANAGE_DEVICE_POLICY_FACTORY_RESET), "Must be called by the FRP management agent on device"); - admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceOrSystemPermissionBasedAdminLocked(); + admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) 
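Review bot: The second hunk swaps in `getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked()`, and the deleted wrapper's `doOrPo == null` branch shows that this callee can return null when no device owner or organization-owned profile owner exists; the FRP-agent branch assigns that to `admin`, and the use of `admin` lies outside the hunk. Make sure that path handles a null admin (returning a null or default policy) rather than dereferencing it. Separately, the first hunk uses `Preconditions.checkNotNull(who, "ComponentName is null");` where the rest of this change uses `Objects.requireNonNull(who, "ComponentName is null");`; using the latter keeps the null checks uniform.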
@@ -10247,15 +10005,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return admin; } - ActiveAdmin getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceOrSystemPermissionBasedAdminLocked() { - ensureLocked(); - ActiveAdmin doOrPo = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); - if (isPermissionCheckFlagEnabled() && doOrPo == null) { - return getUserData(0).mPermissionBasedAdmin; - } - return doOrPo; - } - @Override public void clearDeviceOwner(String packageName) { Objects.requireNonNull(packageName, "packageName is null"); @@ -10998,8 +10747,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { * (2.1.1) The caller is the profile owner. * (2.1.2) The caller is from another app in the same user as the profile owner, AND * the caller is the delegated cert installer. - * (3) The caller holds the - * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES} permission. * * For the device owner case, simply check that the caller is the device owner or the * delegated certificate installer. 
@@ -11013,24 +10760,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @VisibleForTesting boolean hasDeviceIdAccessUnchecked(String packageName, int uid) { final int userId = UserHandle.getUserId(uid); - // TODO(b/280048070): Introduce a permission to handle device ID access - if (isPermissionCheckFlagEnabled() - && !(isUidProfileOwnerLocked(uid) || isUidDeviceOwnerLocked(uid))) { - return hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, packageName, userId); - } else { - ComponentName deviceOwner = getDeviceOwnerComponent(true); - if (deviceOwner != null && (deviceOwner.getPackageName().equals(packageName) - || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) { - return true; - } - ComponentName profileOwner = getProfileOwnerAsUser(userId); - final boolean isCallerProfileOwnerOrDelegate = profileOwner != null - && (profileOwner.getPackageName().equals(packageName) - || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL)); - if (isCallerProfileOwnerOrDelegate && (isProfileOwnerOfOrganizationOwnedDevice(userId) - || isUserAffiliatedWithDevice(userId))) { - return true; - } + ComponentName deviceOwner = getDeviceOwnerComponent(true); + if (deviceOwner != null && (deviceOwner.getPackageName().equals(packageName) + || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) { + return true; + } + ComponentName profileOwner = getProfileOwnerAsUser(userId); + final boolean isCallerProfileOwnerOrDelegate = profileOwner != null + && (profileOwner.getPackageName().equals(packageName) + || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL)); + if (isCallerProfileOwnerOrDelegate && (isProfileOwnerOfOrganizationOwnedDevice(userId) + || isUserAffiliatedWithDevice(userId))) { + return true; } return false; } 
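Review bot: `isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL)` is evaluated twice in `hasDeviceIdAccessUnchecked`, once in the device-owner condition and again in `isCallerProfileOwnerOrDelegate`, and short-circuiting only spares the second call when the package is the device owner itself. Hoist it: `final boolean isCertInstallDelegate = isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL);` before the `deviceOwner` lookup and reuse it in both conditions. The Javadoc above (partly visible in the previous hunk, with the permission case now deleted) should also say that a certificate-install delegate is accepted in both the device-owner and the profile-owner cases, since that is what the two conditions implement.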
@@ -11731,25 +11472,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void setDefaultSmsApplication(ComponentName admin, String callerPackageName, String packageName, boolean parent) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(admin, callerPackageName); - } else { - caller = getCallerIdentity(admin); - } + CallerIdentity caller = getCallerIdentity(admin); - final int userId; - if (isPermissionCheckFlagEnabled()) { - enforcePermission( - MANAGE_DEVICE_POLICY_DEFAULT_SMS, - caller.getPackageName(), - getAffectedUser(parent)); - } else { - Objects.requireNonNull(admin, "ComponentName is null"); - Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + Objects.requireNonNull(admin, "ComponentName is null"); + Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); if (!parent && isManagedProfile(caller.getUserId()) && getManagedSubscriptionsPolicy().getPolicyType() @@ -11759,6 +11487,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + "ManagedSubscriptions policy is set"); } + final int userId; if (parent) { userId = getProfileParentId(mInjector.userHandleGetCallingUserId()); mInjector.binderWithCleanCallingIdentity(() -> enforcePackageIsSystemPackage( @@ -11957,10 +11686,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; } - if (!isPermissionCheckFlagEnabled()) { - Objects.requireNonNull(admin, "admin is null"); - } - + Objects.requireNonNull(admin, "admin is null"); Objects.requireNonNull(agent, "agent is null"); PolicySizeVerifier.enforceMaxPackageNameLength(agent.getPackageName()); 
@@ -11972,19 +11698,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { int userHandle = mInjector.userHandleGetCallingUserId(); synchronized (getLockObject()) { - ActiveAdmin ap; - if (isPermissionCheckFlagEnabled()) { - CallerIdentity caller = getCallerIdentity(admin, callerPackageName); - int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; - ap = enforcePermissionAndGetEnforcingAdmin( - admin, - /*permission=*/MANAGE_DEVICE_POLICY_KEYGUARD, - /*adminPolicy=*/DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, - caller.getPackageName(), affectedUserId).getActiveAdmin(); - } else { - ap = getActiveAdminForCallerLocked(admin, - DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); - } + ActiveAdmin ap = getActiveAdminForCallerLocked(admin, + DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); checkCanExecuteOrThrowUnsafe( DevicePolicyManager.OPERATION_SET_TRUST_AGENT_CONFIGURATION); 
@@ -12080,27 +11795,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void addCrossProfileIntentFilter(ComponentName who, String callerPackageName, IntentFilter filter, int flags) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - } else { - caller = getCallerIdentity(who); - } - int callingUserId = caller.getUserId(); + CallerIdentity caller = getCallerIdentity(who); + + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isProfileOwner(caller) || isDefaultDeviceOwner(caller)); - if (isPermissionCheckFlagEnabled()) { - enforcePermission( - MANAGE_DEVICE_POLICY_PROFILE_INTERACTION, - caller.getPackageName(), - callingUserId); - } else { - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization( - isProfileOwner(caller) || isDefaultDeviceOwner(caller)); - } synchronized (getLockObject()) { long id = mInjector.binderClearCallingIdentity(); try { + int callingUserId = caller.getUserId(); UserInfo parent = mUserManager.getProfileParent(callingUserId); if (parent == null) { Slogf.e(LOG_TAG, "Cannot call addCrossProfileIntentFilter if there is no " 
@@ -12144,28 +11848,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void clearCrossProfileIntentFilters(ComponentName who, String callerPackageName) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - } else { - caller = getCallerIdentity(who); - } - int callingUserId = caller.getUserId(); + CallerIdentity caller = getCallerIdentity(who); - if (isPermissionCheckFlagEnabled()) { - enforcePermission( - MANAGE_DEVICE_POLICY_PROFILE_INTERACTION, - caller.getPackageName(), - callingUserId); - } else { - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization( - isProfileOwner(caller) || isDefaultDeviceOwner(caller)); - } + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isProfileOwner(caller) || isDefaultDeviceOwner(caller)); synchronized (getLockObject()) { long id = mInjector.binderClearCallingIdentity(); try { + int callingUserId = caller.getUserId(); UserInfo parent = mUserManager.getProfileParent(callingUserId); if (parent == null) { Slogf.e(LOG_TAG, "Cannot call clearCrossProfileIntentFilter if there is no " 
@@ -15166,19 +14858,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { return; } - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - enforcePermission(MANAGE_DEVICE_POLICY_WIFI, caller.getPackageName(), - UserHandle.USER_ALL); - } else { - caller = getCallerIdentity(who); - Preconditions.checkNotNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + CallerIdentity caller = getCallerIdentity(who); + Preconditions.checkNotNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); mInjector.binderWithCleanCallingIdentity(() -> mInjector.settingsGlobalPutInt(Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, @@ -15197,16 +14882,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return false; } CallerIdentity caller = getCallerIdentity(who); - if (isPermissionCheckFlagEnabled()) { - enforcePermission(MANAGE_DEVICE_POLICY_WIFI, who.getPackageName(), - UserHandle.USER_ALL); - } else { - Preconditions.checkNotNull(who, "ComponentName is null"); - - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + Preconditions.checkNotNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); return mInjector.binderWithCleanCallingIdentity(() -> mInjector.settingsGlobalGetInt(Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 0) > 0); 
@@ -15294,18 +14973,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public boolean setTime(@Nullable ComponentName who, String callerPackageName, long millis) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - // This is a global action. - enforcePermission(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL); - } else { - caller = getCallerIdentity(who); - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + CallerIdentity caller = getCallerIdentity(who); + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); // Don't allow set time when auto time is on. if (mInjector.settingsGlobalGetInt(Global.AUTO_TIME, 0) == 1) { 
@@ -15322,18 +14994,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public boolean setTimeZone(@Nullable ComponentName who, String callerPackageName, String timeZone) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - // This is a global action. - enforcePermission(SET_TIME_ZONE, caller.getPackageName(), UserHandle.USER_ALL); - } else { - caller = getCallerIdentity(who); - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + CallerIdentity caller = getCallerIdentity(who); + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); // Don't allow set timezone when auto timezone is on. if (mInjector.settingsGlobalGetInt(Global.AUTO_TIME_ZONE, 0) == 1) { 
@@ -16537,22 +16202,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { policy.validateAgainstPreviousFreezePeriod(record.first, record.second, LocalDate.now()); } - CallerIdentity caller; - synchronized (getLockObject()) { - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), - UserHandle.USER_ALL); - } else { - caller = getCallerIdentity(who); - Preconditions.checkCallAuthorization( - isProfileOwnerOfOrganizationOwnedDevice(caller) + CallerIdentity caller = getCallerIdentity(who); + Preconditions.checkCallAuthorization( + isProfileOwnerOfOrganizationOwnedDevice(caller) || isDefaultDeviceOwner(caller)); - } - checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_SYSTEM_UPDATE_POLICY); + checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_SYSTEM_UPDATE_POLICY); + synchronized (getLockObject()) { if (policy == null) { mOwners.clearSystemUpdatePolicy(); } else { @@ -16699,7 +16357,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mUserManager.getUserInfo(UserHandle.getCallingUserId()).isMain()) { Slogf.w(LOG_TAG, "Only the system update service in the main user can broadcast " + "update information."); - return; } }); @@ -16723,7 +16380,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } // Get running users. - final int runningUserIds[]; + final int[] runningUserIds; try { runningUserIds = mInjector.getIActivityManager().getRunningUserIds(); } catch (RemoteException e) { @@ -16966,10 +16623,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return false; } } - if (!isRuntimePermission(permission)) { - return false; - } - return true; + return isRuntimePermission(permission); } private void enforcePermissionGrantStateOnFinancedDevice( 
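Review bot: The authorization check in `setSystemUpdatePolicy` now runs before `synchronized (getLockObject())` is acquired, while the old code evaluated `getCallerIdentity(who)` and the owner predicates inside the same lock under which it then updates `mOwners`. If `isProfileOwnerOfOrganizationOwnedDevice` and `isDefaultDeviceOwner` read owner state without taking the lock themselves, the check and the `mOwners` update are no longer a single critical section; if they lock internally this is harmless, and the other restored methods in this diff already use the outside-the-lock pattern, so a short comment stating which case holds would settle it. Unlike those other entry points this one also has no `Objects.requireNonNull(who, "ComponentName is null")` next to the identity lookup; the start of the method is outside the hunk, so it may already be there, otherwise adding it keeps the null-handling uniform.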
@@ -17384,18 +17038,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public String getWifiMacAddress(ComponentName admin, String callerPackageName) { -// if (!isPermissionCheckFlagEnabled()) { - Objects.requireNonNull(admin, "ComponentName is null"); -// } + Objects.requireNonNull(admin, "ComponentName is null"); final CallerIdentity caller = getCallerIdentity(admin, callerPackageName); -// if (isPermissionCheckFlagEnabled()) { -// enforcePermission(MANAGE_DEVICE_POLICY_WIFI, UserHandle.USER_ALL); -// } else { - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); -// } + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); return mInjector.binderWithCleanCallingIdentity(() -> { String[] macAddresses = mInjector.getWifiManager().getFactoryMacAddresses(); @@ -17462,25 +17110,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { return; } - CallerIdentity caller; - ActiveAdmin admin; message = PolicySizeVerifier.truncateIfLonger(message, MAX_SHORT_SUPPORT_MESSAGE_LENGTH); - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( - who, - MANAGE_DEVICE_POLICY_SUPPORT_MESSAGE, - caller.getPackageName(), - caller.getUserId()); - admin = enforcingAdmin.getActiveAdmin(); - } else { - caller = getCallerIdentity(who); - Objects.requireNonNull(who, "ComponentName is null"); - synchronized (getLockObject()) { - admin = getActiveAdminForUidLocked(who, caller.getUid()); - } + CallerIdentity caller = getCallerIdentity(who); + Objects.requireNonNull(who, "ComponentName is null"); + + ActiveAdmin admin; + synchronized (getLockObject()) { + admin = getActiveAdminForUidLocked(who, caller.getUid()); } synchronized (getLockObject()) { 
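Review bot: `setShortSupportMessage` now takes `getLockObject()` twice in a row: the restored block that fetches `admin` with `getActiveAdminForUidLocked(who, caller.getUid())` releases the lock, and the unchanged `synchronized (getLockObject())` immediately after re-acquires it to use that admin. Folding the lookup into the second block, `synchronized (getLockObject()) { ActiveAdmin admin = getActiveAdminForUidLocked(who, caller.getUid()); ...`, removes the window between lookup and use in which the admin set could change and reads as one critical section; the body of the second block is outside the hunk, so I cannot confirm nothing else relies on the split. `getShortSupportMessage` at L35 has the same lookup but only a single block and needs no change.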
@@ -17501,23 +17139,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (!mHasFeature) { return null; } - CallerIdentity caller; - ActiveAdmin admin; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( - who, - MANAGE_DEVICE_POLICY_SUPPORT_MESSAGE, - caller.getPackageName(), - caller.getUserId()); - admin = enforcingAdmin.getActiveAdmin(); - } else { - caller = getCallerIdentity(who); - Objects.requireNonNull(who, "ComponentName is null"); - synchronized (getLockObject()) { - admin = getActiveAdminForUidLocked(who, caller.getUid()); - } + CallerIdentity caller = getCallerIdentity(who); + Objects.requireNonNull(who, "ComponentName is null"); + + ActiveAdmin admin; + synchronized (getLockObject()) { + admin = getActiveAdminForUidLocked(who, caller.getUid()); } return admin.shortSupportMessage; } 
@@ -17680,26 +17308,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; } CallerIdentity caller = getCallerIdentity(who); - ActiveAdmin admin = null; - if (isPermissionCheckFlagEnabled()) { - EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( - who, - MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY, - caller.getPackageName(), - caller.getUserId()); - admin = enforcingAdmin.getActiveAdmin(); - } else { - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)); - } + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)); text = PolicySizeVerifier.truncateIfLonger(text, MAX_ORG_NAME_LENGTH); synchronized (getLockObject()) { - if (!isPermissionCheckFlagEnabled()) { - admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); - } + ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); if (!TextUtils.equals(admin.organizationName, text)) { admin.organizationName = (text == null || text.length() == 0) ? null : text.toString(); 
@@ -17714,23 +17330,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return null; } CallerIdentity caller = getCallerIdentity(who); - ActiveAdmin admin; - if (isPermissionCheckFlagEnabled()) { - EnforcingAdmin enforcingAdmin = enforceCanQueryAndGetEnforcingAdmin( - who, - MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY, - caller.getPackageName(), - caller.getUserId()); - admin = enforcingAdmin.getActiveAdmin(); - } else { - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallingUser(isManagedProfile(caller.getUserId())); - Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)); + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallingUser(isManagedProfile(caller.getUserId())); + Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)); - synchronized (getLockObject()) { - admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); - } + ActiveAdmin admin; + synchronized (getLockObject()) { + admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); } return admin.organizationName; 
@@ -18214,28 +17821,19 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } final CallerIdentity caller = getCallerIdentity(admin, packageName); - if (isPermissionCheckFlagEnabled()) { - synchronized (getLockObject()) { - Preconditions.checkCallAuthorization(isOrganizationOwnedDeviceWithManagedProfile() - || areAllUsersAffiliatedWithDeviceLocked()); - enforcePermission(MANAGE_DEVICE_POLICY_SECURITY_LOGGING, caller.getPackageName(), - UserHandle.USER_ALL); - } + if (admin != null) { + Preconditions.checkCallAuthorization( + isProfileOwnerOfOrganizationOwnedDevice(caller) + || isDefaultDeviceOwner(caller)); } else { - if (admin != null) { - Preconditions.checkCallAuthorization( - isProfileOwnerOfOrganizationOwnedDevice(caller) - || isDefaultDeviceOwner(caller)); - } else { - // A delegate app passes a null admin component, which is expected - Preconditions.checkCallAuthorization( - isCallerDelegate(caller, DELEGATION_SECURITY_LOGGING)); - } + // A delegate app passes a null admin component, which is expected + Preconditions.checkCallAuthorization( + isCallerDelegate(caller, DELEGATION_SECURITY_LOGGING)); + } - synchronized (getLockObject()) { - Preconditions.checkCallAuthorization(isOrganizationOwnedDeviceWithManagedProfile() - || areAllUsersAffiliatedWithDeviceLocked()); - } + synchronized (getLockObject()) { + Preconditions.checkCallAuthorization(isOrganizationOwnedDeviceWithManagedProfile() + || areAllUsersAffiliatedWithDeviceLocked()); } DevicePolicyEventLogger @@ -18259,7 +17857,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return new ParceledListSlice<SecurityEvent>(output); } catch (IOException e) { Slogf.w(LOG_TAG, "Fail to read previous events" , e); - return new ParceledListSlice<SecurityEvent>(Collections.<SecurityEvent>emptyList()); + return new ParceledListSlice<SecurityEvent>(Collections.emptyList()); } } 
@@ -18752,8 +18350,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private boolean hasIncompatibleAccounts(int userId) { - return mHasIncompatibleAccounts == null ? true - : mHasIncompatibleAccounts.getOrDefault(userId, /* default= */ false); + return mHasIncompatibleAccounts == null || mHasIncompatibleAccounts.getOrDefault( + userId, /* default= */ false); } /** @@ -18870,7 +18468,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return false; } } - }; + } private boolean isAdb(CallerIdentity caller) { return isShellUid(caller) || isRootUid(caller); @@ -20168,21 +19766,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void installUpdateFromFile(ComponentName admin, String callerPackageName, ParcelFileDescriptor updateFileDescriptor, StartInstallingUpdateCallback callback) { - if (!isPermissionCheckFlagEnabled()) { - Objects.requireNonNull(admin, "ComponentName is null"); - } + Objects.requireNonNull(admin, "ComponentName is null"); - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(admin, callerPackageName); - enforcePermission(MANAGE_DEVICE_POLICY_SYSTEM_UPDATES, caller.getPackageName(), - UserHandle.USER_ALL); - } else { - caller = getCallerIdentity(admin); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + CallerIdentity caller = getCallerIdentity(admin); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_INSTALL_SYSTEM_UPDATE); DevicePolicyEventLogger 
@@ -20752,32 +20341,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void setCommonCriteriaModeEnabled(ComponentName who, String callerPackageName, boolean enabled) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(who, callerPackageName); - } else { - caller = getCallerIdentity(who); - } - final ActiveAdmin admin; + CallerIdentity caller = getCallerIdentity(who); - if (isPermissionCheckFlagEnabled()) { - EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( - who, - MANAGE_DEVICE_POLICY_COMMON_CRITERIA_MODE, - caller.getPackageName(), - caller.getUserId()); - admin = enforcingAdmin.getActiveAdmin(); - } else { - Objects.requireNonNull(who, "ComponentName is null"); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), - "Common Criteria mode can only be controlled by a device owner or " - + "a profile owner on an organization-owned device."); - synchronized (getLockObject()) { - admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); - } - } + Objects.requireNonNull(who, "ComponentName is null"); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), + "Common Criteria mode can only be controlled by a device owner or " + + "a profile owner on an organization-owned device."); synchronized (getLockObject()) { + final ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); admin.mCommonCriteriaMode = enabled; saveSettingsLocked(caller.getUserId()); } 
@@ -20809,7 +20381,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // their ActiveAdmin, instead of iterating through all admins. ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); - return admin != null ? admin.mCommonCriteriaMode : false; + return admin != null && admin.mCommonCriteriaMode; } } @@ -22209,7 +21781,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } else { owner = getDeviceOrProfileOwnerAdminLocked(userId); } - boolean canGrant = owner != null ? owner.mAdminCanGrantSensorsPermissions : false; + boolean canGrant = owner != null && owner.mAdminCanGrantSensorsPermissions; mPolicyCache.setAdminCanGrantSensorsPermissions(canGrant); } } 
@@ -22408,27 +21980,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void setMinimumRequiredWifiSecurityLevel(String callerPackageName, int level) { - CallerIdentity caller; - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(callerPackageName); - } else { - caller = getCallerIdentity(); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), - "Wi-Fi minimum security level can only be controlled by a device owner or " - + "a profile owner on an organization-owned device."); - } + CallerIdentity caller = getCallerIdentity(); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), + "Wi-Fi minimum security level can only be controlled by a device owner or " + + "a profile owner on an organization-owned device."); boolean valueChanged = false; synchronized (getLockObject()) { - ActiveAdmin admin; - if (isPermissionCheckFlagEnabled()) { - admin = enforcePermissionAndGetEnforcingAdmin(/* admin= */ null, - MANAGE_DEVICE_POLICY_WIFI, caller.getPackageName(), caller.getUserId()) - .getActiveAdmin(); - } else { - admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); - } + ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); if (admin.mWifiMinimumSecurityLevel != level) { admin.mWifiMinimumSecurityLevel = level; saveSettingsLocked(caller.getUserId()); 
@@ -22450,21 +22010,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public WifiSsidPolicy getWifiSsidPolicy(String callerPackageName) { final CallerIdentity caller = getCallerIdentity(); - if (isPermissionCheckFlagEnabled()) { - enforcePermission(MANAGE_DEVICE_POLICY_WIFI, callerPackageName, - caller.getUserId()); - } else { - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller) - || canQueryAdminPolicy(caller), - "SSID policy can only be retrieved by a device owner or " - + "a profile owner on an organization-owned device or " - + "an app with the QUERY_ADMIN_POLICY permission."); - } + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller) + || canQueryAdminPolicy(caller), + "SSID policy can only be retrieved by a device owner or " + + "a profile owner on an organization-owned device or " + + "an app with the QUERY_ADMIN_POLICY permission."); synchronized (getLockObject()) { ActiveAdmin admin; - admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceOrSystemPermissionBasedAdminLocked(); + admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); return admin != null ? admin.mWifiSsidPolicy : null; } } 
@@ -22485,29 +22040,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void setWifiSsidPolicy(String callerPackageName, WifiSsidPolicy policy) { - CallerIdentity caller; - - if (isPermissionCheckFlagEnabled()) { - caller = getCallerIdentity(callerPackageName); - } else { - caller = getCallerIdentity(); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), - "SSID denylist can only be controlled by a device owner or " - + "a profile owner on an organization-owned device."); - } + CallerIdentity caller = getCallerIdentity(); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), + "SSID denylist can only be controlled by a device owner or " + + "a profile owner on an organization-owned device."); boolean changed = false; synchronized (getLockObject()) { - ActiveAdmin admin; - if (isPermissionCheckFlagEnabled()) { - admin = enforcePermissionAndGetEnforcingAdmin( - /* admin= */ null, MANAGE_DEVICE_POLICY_WIFI, - caller.getPackageName(), - caller.getUserId()).getActiveAdmin(); - } else { - admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); - } + ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); if (!Objects.equals(policy, admin.mWifiSsidPolicy)) { admin.mWifiSsidPolicy = policy; changed = true; @@ -22715,7 +22256,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private final class DevicePolicyManagementRoleObserver implements OnRoleHoldersChangedListener { - private RoleManager mRm; + private final RoleManager mRm; private final Executor mExecutor; private final Context mContext; 
@@ -22732,13 +22273,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void onRoleHoldersChanged(@NonNull String roleName, @NonNull UserHandle user) { mDevicePolicyEngine.handleRoleChanged(roleName, user.getIdentifier()); - if (RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT.equals(roleName)) { - handleDevicePolicyManagementRoleChange(user); - return; - } - if (RoleManager.ROLE_FINANCED_DEVICE_KIOSK.equals(roleName)) { - handleFinancedDeviceKioskRoleChange(); - return; + switch (roleName) { + case RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT -> + handleDevicePolicyManagementRoleChange(user); + case RoleManager.ROLE_FINANCED_DEVICE_KIOSK -> + handleFinancedDeviceKioskRoleChange(); } } 
@@ -23390,26 +22929,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { /** * Checks if the calling process has been granted permission to apply a device policy on a - * specific user. - * The given permission will be checked along with its associated cross-user permission if it - * exists and the target user is different to the calling user. - * Returns an {@link EnforcingAdmin} for the caller. - * - * @param admin the component name of the admin. - * @param callerPackageName The package name of the calling application. - * @param permission The name of the permission being checked. - * @param deviceAdminPolicy The userId of the user which the caller needs permission to act on. - * @throws SecurityException if the caller has not been granted the given permission, - * the associated cross-user permission if the caller's user is different to the target user. - */ - private EnforcingAdmin enforcePermissionAndGetEnforcingAdmin(@Nullable ComponentName admin, - String permission, int deviceAdminPolicy, String callerPackageName, int targetUserId) { - enforcePermission(permission, deviceAdminPolicy, callerPackageName, targetUserId); - return getEnforcingAdminForCaller(admin, callerPackageName); - } - - /** - * Checks if the calling process has been granted permission to apply a device policy on a * specific user. Only one permission provided in the list needs to be granted to pass this * check. * The given permissions will be checked along with their associated cross-user permissions if 
@@ -23431,23 +22950,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } /** - * Checks whether the calling process has been granted permission to query a device policy on - * a specific user. - * The given permission will be checked along with its associated cross-user permission if it - * exists and the target user is different to the calling user. - * - * @param permission The name of the permission being checked. - * @param targetUserId The userId of the user which the caller needs permission to act on. - * @throws SecurityException if the caller has not been granted the given permission, - * the associated cross-user permission if the caller's user is different to the target user. - */ - private EnforcingAdmin enforceCanQueryAndGetEnforcingAdmin(@Nullable ComponentName admin, - String permission, String callerPackageName, int targetUserId) { - enforceCanQuery(permission, callerPackageName, targetUserId); - return getEnforcingAdminForCaller(admin, callerPackageName); - } - - /** * Checks if the calling process has been granted permission to apply a device policy. * * @param callerPackageName The package name of the calling application. @@ -23754,13 +23256,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return NOT_A_DPC; } - private boolean isPermissionCheckFlagEnabled() { - return DeviceConfig.getBoolean( - NAMESPACE_DEVICE_POLICY_MANAGER, - PERMISSION_BASED_ACCESS_EXPERIMENT_FLAG, - DEFAULT_VALUE_PERMISSION_BASED_ACCESS_FLAG); - } - private static boolean isSetStatusBarDisabledCoexistenceEnabled() { return false; } 
@@ -23837,14 +23332,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller)); } - if (isPermissionCheckFlagEnabled()) { - enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(), - UserHandle.USER_ALL); - } else { - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller)); - } + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller)); synchronized (getLockObject()) { ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); @@ -23874,15 +23364,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public int getMtePolicy(String callerPackageName) { final CallerIdentity caller = getCallerIdentity(callerPackageName); - if (isPermissionCheckFlagEnabled()) { - enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(), - UserHandle.USER_ALL); - } else { - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) - || isProfileOwnerOfOrganizationOwnedDevice(caller) - || isSystemUid(caller)); - } + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) + || isProfileOwnerOfOrganizationOwnedDevice(caller) + || isSystemUid(caller)); + synchronized (getLockObject()) { ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); @@ -24666,7 +24152,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || isCallerDevicePolicyManagementRoleHolder(caller) || isCallerSystemSupervisionRoleHolder(caller)); return getFinancedDeviceKioskRoleHolderOnAnyUser() != null; - }; + } @Override public String getFinancedDeviceKioskRoleHolder(String callerPackageName) { |