diff options
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 52 |
1 files changed, 37 insertions, 15 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 852e7733d9f0..bfcb4c7b6bc0 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -22466,7 +22466,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } else { // If the permission maps to no policy (null) this means that any active admin // has permission. - return getActiveAdminForUidLocked(null, caller.getUid()) != null; + return isCallerActiveAdminOrDelegate(caller, null); } } catch (SecurityException e) { // A security exception means there is not an active admin with permission and @@ -22505,23 +22505,25 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { private EnforcingAdmin getEnforcingAdminForCaller(@Nullable ComponentName who, String callerPackageName) { - CallerIdentity caller = getCallerIdentity(callerPackageName); + CallerIdentity caller = getCallerIdentity(who, callerPackageName); int userId = caller.getUserId(); ActiveAdmin admin; - synchronized (getLockObject()) { - admin = getActiveAdminUncheckedLocked(who, userId); - } - if (isDeviceOwner(caller) || isProfileOwner(caller)) { - return EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userId, admin); - } - if (isCallerDelegate(caller)) { - ComponentName profileOwner = mOwners.getProfileOwnerComponent(caller.getUserId()); - ComponentName dpc = profileOwner != null ? profileOwner : - mOwners.getDeviceOwnerComponent(); - ActiveAdmin dpcAdmin = getDeviceOrProfileOwnerAdminLocked(caller.getUserId()); - return EnforcingAdmin.createEnterpriseEnforcingAdmin(dpc, userId, dpcAdmin); + if (isDeviceOwner(caller) || isProfileOwner(caller) || isCallerDelegate(caller)) { + ComponentName component; + synchronized (getLockObject()) { + if (who != null) { + admin = getActiveAdminUncheckedLocked(who, userId); + component = who; + } else { + admin = getDeviceOrProfileOwnerAdminLocked(userId); + component = admin.info.getComponent(); + } + } + return EnforcingAdmin.createEnterpriseEnforcingAdmin(component, userId, admin); } - if (getActiveAdminUncheckedLocked(who, userId) != null) { + // Check for non-DPC active admins. + admin = getActiveAdminForCaller(who, caller); + if (admin != null) { return EnforcingAdmin.createDeviceAdminEnforcingAdmin(who, userId, admin); } if (admin == null) { @@ -23136,6 +23138,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { }); } + private ActiveAdmin getActiveAdminForCaller(@Nullable ComponentName who, + CallerIdentity caller) { + synchronized (getLockObject()) { + if (who != null) { + return getActiveAdminUncheckedLocked(who, caller.getUserId()); + } + return mInjector.binderWithCleanCallingIdentity(() -> { + List<ComponentName> activeAdmins = getActiveAdmins(caller.getUserId()); + if (activeAdmins != null) { + for (ComponentName admin : activeAdmins) { + if (admin.getPackageName().equals(caller.getPackageName())) { + return getActiveAdminUncheckedLocked(admin, caller.getUserId()); + } + } + } + return null; + }); + } + } + // TODO(b/266808047): This will return false for DeviceAdmins not targetting U, which is // inconsistent with the migration logic that allows migration with old DeviceAdmins. private boolean canAddActiveAdminIfPolicyEngineEnabled(String packageName, int userId) { |