From 07a7d871e68dafbc37e100d7080be451047dc29d Mon Sep 17 00:00:00 2001 From: Alex Johnston Date: Thu, 20 Apr 2023 10:18:21 +0000 Subject: Give the PO the MANAGE_DEVICE_POLICY_CERTIFICATES permission Also, do not allow a BYOD PO have device ID access even if it has the MANAGE_DEVICE_POLICY_CERTIFICATES permission Bug: 272588294 Test: android.devicepolicy.cts.KeyManagementTest Change-Id: I2658ccbe112940f096986d2dcbd24ba5bd81637a --- .../com/android/server/devicepolicy/DevicePolicyManagerService.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 40024f1f0be3..af4030ad2e19 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -10737,7 +10737,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @VisibleForTesting boolean hasDeviceIdAccessUnchecked(String packageName, int uid) { final int userId = UserHandle.getUserId(uid); - if (isPermissionCheckFlagEnabled()) { + // TODO(b/280048070): Introduce a permission to handle device ID access + if (isPermissionCheckFlagEnabled() + && !(isUidProfileOwnerLocked(uid) || isUidDeviceOwnerLocked(uid))) { return hasPermission(MANAGE_DEVICE_POLICY_CERTIFICATES, packageName, userId); } else { ComponentName deviceOwner = getDeviceOwnerComponent(true); @@ -22836,6 +22838,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { MANAGE_DEVICE_POLICY_LOCATION, MANAGE_DEVICE_POLICY_LOCK, MANAGE_DEVICE_POLICY_LOCK_CREDENTIALS, + MANAGE_DEVICE_POLICY_CERTIFICATES, MANAGE_DEVICE_POLICY_NEARBY_COMMUNICATION, MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY, MANAGE_DEVICE_POLICY_PACKAGE_STATE, @@ -22862,7 +22865,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { MANAGE_DEVICE_POLICY_ACROSS_USERS, MANAGE_DEVICE_POLICY_AIRPLANE_MODE, MANAGE_DEVICE_POLICY_APPS_CONTROL, - MANAGE_DEVICE_POLICY_CERTIFICATES, MANAGE_DEVICE_POLICY_COMMON_CRITERIA_MODE, MANAGE_DEVICE_POLICY_DEFAULT_SMS, MANAGE_DEVICE_POLICY_LOCALE, -- cgit v1.2.3-59-g8ed1b