diff options
| -rw-r--r-- | core/api/current.txt | 2 | ||||
| -rw-r--r-- | core/java/android/app/admin/DevicePolicyManager.java | 6 | ||||
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 16 |
3 files changed, 23 insertions, 1 deletions
diff --git a/core/api/current.txt b/core/api/current.txt index b9ade0b442ba..825ae967e4d7 100644 --- a/core/api/current.txt +++ b/core/api/current.txt @@ -7289,7 +7289,7 @@ package android.app.admin { method public boolean isCommonCriteriaModeEnabled(@Nullable android.content.ComponentName); method public boolean isComplianceAcknowledgementRequired(); method public boolean isDeviceIdAttestationSupported(); - method public boolean isDeviceOwnerApp(String); + method @RequiresPermission(value=android.Manifest.permission.QUERY_ALL_PACKAGES, conditional=true) public boolean isDeviceOwnerApp(String); method public boolean isEphemeralUser(@NonNull android.content.ComponentName); method public boolean isKeyPairGrantedToWifiAuth(@NonNull String); method public boolean isLockTaskPermitted(String); diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 311a60d63b8e..f3ee6837fea5 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -7818,10 +7818,16 @@ public class DevicePolicyManager { * admin apps that want to check whether they are also registered as the device owner app. The * exact mechanism by which a device admin app is registered as a device owner app is defined by * the setup process. + * Starting from {@link android.os.Build.VERSION_CODES#S_V2}, if the caller application's target + * SDK version is {@link android.os.Build.VERSION_CODES#S_V2} or newer, the caller should have + * {@link android.Manifest.permission#QUERY_ALL_PACKAGES} permission otherwise + * {@link SecurityException} will be thrown. + * * @param packageName the package name of the app, to compare with the registered device owner * app, if any. * @return whether or not the package is registered as the device owner app. */ + @RequiresPermission(value = permission.QUERY_ALL_PACKAGES, conditional = true) public boolean isDeviceOwnerApp(String packageName) { throwIfParentInstance("isDeviceOwnerApp"); return isDeviceOwnerAppOnCallingUser(packageName); diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 727f26573fac..b0f0088b33bb 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -18,6 +18,7 @@ package com.android.server.devicepolicy; import static android.Manifest.permission.BIND_DEVICE_ADMIN; import static android.Manifest.permission.MANAGE_CA_CERTIFICATES; +import static android.Manifest.permission.QUERY_ALL_PACKAGES; import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY; import static android.accessibilityservice.AccessibilityServiceInfo.FEEDBACK_ALL_MASK; import static android.app.ActivityManager.LOCK_TASK_MODE_NONE; @@ -628,6 +629,15 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @EnabledSince(targetSdkVersion = Build.VERSION_CODES.S) private static final long PREVENT_SETTING_PASSWORD_QUALITY_ON_PARENT = 165573442L; + /** + * Apps targeting Android S_V2+ need to have + * {@link android.Manifest.permission#QUERY_ALL_PACKAGES} permission to call + * getDeviceOwnerComponent API. + */ + @ChangeId + @EnabledSince(targetSdkVersion = Build.VERSION_CODES.S_V2) + private static final long ENFORCE_QUERY_ALL_PACKAGES_GET_DEVICE_OWNER_COMPONENT = 185896465L; + private static final String CREDENTIAL_MANAGEMENT_APP_INVALID_ALIAS_MSG = "The alias provided must be contained in the aliases specified in the credential " + "management app's authentication policy"; @@ -8599,6 +8609,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { if (!mHasFeature) { return null; } + + if (CompatChanges.isChangeEnabled(ENFORCE_QUERY_ALL_PACKAGES_GET_DEVICE_OWNER_COMPONENT, + Binder.getCallingUid())) { + Preconditions.checkCallAuthorization(hasCallingOrSelfPermission(QUERY_ALL_PACKAGES)); + } + if (!callingUserOnly) { Preconditions.checkCallAuthorization(canManageUsers(getCallerIdentity()) || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS)); |