From 2ce5539045437b44a464a8c633af379c7eef21e1 Mon Sep 17 00:00:00 2001 From: Tony Mak Date: Tue, 15 Aug 2017 19:56:39 +0100 Subject: DPC should not be allowed to grant development permission Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPermissionGrant_developmentPermission Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedProfileOwnerTest#testPermissionGrant_developmentPermission Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPermissionGrant Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedProfileOwnerTest#testPermissionGrant Test: Run "Permissions lockdown" test in CtsVerifier Merged-In: If83d8edd0eea99145421e967ae47fdc264a5cf7c Merged-In: I129bfe850981cf0b3646b7c1cf19c8a3ec69f512 Bug: 62623498 Change-Id: Ief96a23fa49f1ea923574840f8ff590a5ea2456e --- .../server/devicepolicy/DevicePolicyManagerService.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 479f5e774bce..60a207f946a6 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -55,6 +55,7 @@ import android.content.pm.ApplicationInfo; import android.content.pm.IPackageManager; import android.content.pm.PackageManager; import android.content.pm.PackageManager.NameNotFoundException; +import android.content.pm.PermissionInfo; import android.content.pm.ResolveInfo; import android.content.pm.ServiceInfo; import android.content.pm.UserInfo; @@ -95,6 +96,7 @@ import android.security.KeyChain; import android.security.KeyChain.KeyChainConnection; import android.service.persistentdata.PersistentDataBlockManager; import android.text.TextUtils; +import android.util.EventLog; import android.util.Log; import android.util.PrintWriterPrinter; import android.util.Printer; @@ -6444,6 +6446,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (targetSdkVersion < android.os.Build.VERSION_CODES.M) { return false; } + if (!isRuntimePermission(permission)) { + EventLog.writeEvent(0x534e4554, "62623498", user.getIdentifier(), ""); + return false; + } final PackageManager packageManager = mContext.getPackageManager(); switch (grantState) { case DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED: { @@ -6469,12 +6475,21 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return true; } catch (SecurityException se) { return false; + } catch (NameNotFoundException e) { + return false; } finally { Binder.restoreCallingIdentity(ident); } } } + public boolean isRuntimePermission(String permissionName) throws NameNotFoundException { + final PackageManager packageManager = mContext.getPackageManager(); + PermissionInfo permissionInfo = packageManager.getPermissionInfo(permissionName, 0); + return (permissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE) + == PermissionInfo.PROTECTION_DANGEROUS; + } + @Override public int getPermissionGrantState(ComponentName admin, String packageName, String permission) throws RemoteException { -- cgit v1.2.3-59-g8ed1b