From f679f55bf555d684976963753d9c9d43d59c0bf8 Mon Sep 17 00:00:00 2001
From: Elis Elliott
Date: Thu, 13 Apr 2023 13:28:43 +0000
Subject: Correct which type of PO has the _LOCK_TASK permission.
Bug: n/a
Test: a.d.c.LockTaskTest -c yes
Change-Id: I7d1c4563bee6187263594ac32cddb728387edfc7
---
 .../devicepolicy/DevicePolicyManagerService.java | 134 ++++++++++++++++-----
 1 file changed, 103 insertions(+), 31 deletions(-)
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 5cad4e208b3f..e1d3668fccd8 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -11009,17 +11009,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         return true;
     }
-
-    private void enforceCanCallLockTaskLocked(CallerIdentity caller) {
-        Preconditions.checkCallAuthorization(isProfileOwner(caller)
-                || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller));
-        final int userId = caller.getUserId();
-        if (!canUserUseLockTaskLocked(userId)) {
-            throw new SecurityException("User " + userId + " is not allowed to use lock task");
-        }
-    }
-
     private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) {
         CallerIdentity caller = getCallerIdentity(who, callerPackageName);
         final int userId = caller.getUserId();
@@ -11047,6 +11036,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         return enforcingAdmin;
     }
+    private void enforceCanCallLockTaskLocked(CallerIdentity caller) {
+        Preconditions.checkCallAuthorization(isProfileOwner(caller)
+                || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller));
+
+        final int userId = caller.getUserId();
+        if (!canUserUseLockTaskLocked(userId)) {
+            throw new SecurityException("User " + userId + " is not allowed to use lock task");
+        }
+    }
+
     private boolean isSystemUid(CallerIdentity caller) {
         return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID);
     }
@@ -14637,7 +14636,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         if (isPolicyEngineForFinanceFlagEnabled()) {
             EnforcingAdmin enforcingAdmin;
             synchronized (getLockObject()) {
-                enforcingAdmin = enforceCanCallLockTaskLocked(who, callerPackageName);
+                enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName());
             }
             if (packages.length == 0) {
                 mDevicePolicyEngine.removeLocalPolicy(
@@ -14764,8 +14763,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         if (isPolicyEngineForFinanceFlagEnabled()) {
             EnforcingAdmin enforcingAdmin;
             synchronized (getLockObject()) {
-                enforcingAdmin = enforceCanCallLockTaskLocked(who,
-                        callerPackageName);
+                enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName());
                 enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags);
             }
             LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin(
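Review bot: The argument to `enforceCanCallLockTaskLocked` changes from the `callerPackageName` parameter to `caller.getPackageName()` on the `+` line of the hunk at `@@ -14637` and again in the hunk at `@@ -14764`, and nothing in either hunk records why the two values can differ. Because this value selects the admin whose lock-task policy is then enforced, a one-line comment at the call site would make the authorization input explicit, e.g. `// Resolve the admin from the package carried by the caller identity, not the raw argument.`. If `caller` was built earlier in the method via `getCallerIdentity(who, callerPackageName)`, as the query path in the first hunk of this patch does, the comment can say the two agree; if not, the old value was caller-supplied and the switch is itself the fix and deserves saying so. Both enclosing methods start and end outside the hunks.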
@@ -22474,11 +22472,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             "manage_device_policy_microphone_toggle";
     // DPC types
+    private static final int NOT_A_DPC = -1;
     private static final int DEFAULT_DEVICE_OWNER = 0;
     private static final int FINANCED_DEVICE_OWNER = 1;
     private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2;
     private static final int PROFILE_OWNER_ON_USER_0 = 3;
     private static final int PROFILE_OWNER = 4;
+    private static final int PROFILE_OWNER_ON_USER = 5;
+    private static final int AFFILIATED_PROFILE_OWNER_ON_USER = 6;
+    // DPC types
+    @IntDef(value = {
+            NOT_A_DPC,
+            DEFAULT_DEVICE_OWNER,
+            FINANCED_DEVICE_OWNER,
+            PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE,
+            PROFILE_OWNER_ON_USER_0,
+            PROFILE_OWNER,
+            PROFILE_OWNER_ON_USER,
+            AFFILIATED_PROFILE_OWNER_ON_USER
+    })
+    private @interface DpcType {}
     // Permissions of existing DPC types.
     private static final List DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of(
@@ -22632,7 +22645,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             SET_TIME_ZONE
     );
-
+    /**
+     * All the additional permissions granted to a Profile Owner on user 0.
+     */
     private static final List ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS =
             List.of(
                     MANAGE_DEVICE_POLICY_AIRPLANE_MODE,
@@ -22656,6 +22671,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             SET_TIME_ZONE
     );
+    /**
+     * All the additional permissions granted to a Profile Owner on an unaffiliated user.
+     */
+    private static final List ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS =
+            List.of(
+                    MANAGE_DEVICE_POLICY_LOCK_TASK
+            );
+
+    /**
+     * All the additional permissions granted to a Profile Owner on an affiliated user.
+     */
+    private static final List ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS =
+            List.of();
+
     /**
      * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
      * {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}.
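Review bot: The new `@DpcType` annotation in the hunk at `@@ -22474` has no documentation, and the `// DPC types` comment placed directly above it repeats the one already above the constants, so a reader cannot tell that `NOT_A_DPC` is the one value that is deliberately absent from `DPC_PERMISSIONS` and must be filtered before any lookup. Replace the duplicated comment with a Javadoc on the annotation such as `/** Classification of a DPC caller; {@link #NOT_A_DPC} is never a key of {@link #DPC_PERMISSIONS} and must be checked before lookup. */`. IntDefs in this codebase conventionally also carry `@Retention(RetentionPolicy.SOURCE)`; if that line is genuinely missing rather than sitting outside the hunk, it is worth adding alongside the Javadoc.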
@@ -22670,6 +22699,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
     private static final List PROFILE_OWNER_ON_USER_0_PERMISSIONS =
             new ArrayList();
+    /**
+     * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
+     * {@link ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS}.
+     */
+    private static final List AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS =
+            new ArrayList();
+
+    /**
+     * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
+     * {@link ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS}.
+     */
+    private static final List PROFILE_OWNER_ON_USER_PERMISSIONS =
+            new ArrayList();
+
     private static final HashMap> DPC_PERMISSIONS = new HashMap<>();
     {
@@ -22682,6 +22725,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         // some extra permissions.
         PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS);
         PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS);
+        // Profile owners on users have all the permission of a profile owner plus
+        // some extra permissions.
+        PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS);
+        PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(
+                ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS);
+        // Profile owners on affiliated users have all the permission of a profile owner on a user
+        // plus some extra permissions.
+        AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_ON_USER_PERMISSIONS);
+        AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(
+                ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS);
         DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS);
         DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS);
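Review bot: The Javadoc added for `AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS` in the hunk at `@@ -22670` links to `ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS`, which misspells the constant (missing `E`) so the `{@link}` cannot resolve, and it describes the list as a combination of `PROFILE_OWNER_PERMISSIONS` although the initializer in the following hunk builds it from `PROFILE_OWNER_ON_USER_PERMISSIONS`. Suggested wording: `* Combination of {@link PROFILE_OWNER_ON_USER_PERMISSIONS} and` / `* {@link ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS}.`. Accurate links matter more than usual here because these Javadocs are the only place a reviewer can read off which permission set a given admin type receives.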
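Review bot: The comment `// Profile owners on affiliated users have all the permission of a profile owner on a user` / `// plus some extra permissions.` in the hunk at `@@ -22682` promises extras that the patch does not grant, since `ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS` is `List.of()`, which misleads anyone auditing who holds `MANAGE_DEVICE_POLICY_LOCK_TASK`. Say what is true: `// Profile owners on affiliated users currently have exactly the permissions of a profile owner on a user; the affiliated list exists for future additions.`. Separately, the block these lines join is opened by a bare `{` after the `DPC_PERMISSIONS` field in the previous hunk, which reads as an instance initializer; if it is, every construction of the service appends these entries again to the shared static lists — harmless for `contains`, but worth converting to `static {` or confirming in a comment that the service is constructed once. The initializer starts and ends outside this hunk.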
@@ -22689,6 +22742,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                 PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS);
         DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS);
         DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS);
+        DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER, PROFILE_OWNER_ON_USER_PERMISSIONS);
+        DPC_PERMISSIONS.put(AFFILIATED_PROFILE_OWNER_ON_USER,
+                AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS);
     }
     //Map of Permission to Delegate Scope.
     private static final HashMap DELEGATE_SCOPES = new HashMap<>();
@@ -23066,22 +23122,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) {
             return true;
         }
-        // Check the permissions of DPCs
-        if (isDefaultDeviceOwner(caller)) {
-            return DPC_PERMISSIONS.get(DEFAULT_DEVICE_OWNER).contains(permission);
-        }
-        if (isFinancedDeviceOwner(caller)) {
-            return DPC_PERMISSIONS.get(FINANCED_DEVICE_OWNER).contains(permission);
-        }
-        if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
-            return DPC_PERMISSIONS.get(PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE).contains(
-                    permission);
-        }
-        if (isProfileOwnerOnUser0(caller)) {
-            return DPC_PERMISSIONS.get(PROFILE_OWNER_ON_USER_0).contains(permission);
-        }
-        if (isProfileOwner(caller)) {
-            return DPC_PERMISSIONS.get(PROFILE_OWNER).contains(permission);
+        int dpcType = getDpcType(caller);
+        if (dpcType != NOT_A_DPC) {
+            return DPC_PERMISSIONS.get(dpcType).contains(permission);
         }
         // Check the permission for the role-holder
         if (isCallerDevicePolicyManagementRoleHolder(caller)) {
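Review bot: The local `int dpcType` on the first `+` line of the hunk at `@@ -23066` drops the `@DpcType` annotation that `getDpcType` declares, so lint no longer tracks the value between the call and the `DPC_PERMISSIONS.get(dpcType)` lookup; write `@DpcType int dpcType = getDpcType(caller);`. The lookup also assumes that every type other than `NOT_A_DPC` was registered in the initializer, and a missing entry would surface as a `NullPointerException` inside a permission check rather than as a denial, so the invariant deserves a line such as `// Every DpcType except NOT_A_DPC has an entry; see the DPC_PERMISSIONS initializer.`. The enclosing permission-check method starts and ends outside the hunk.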
@@ -23151,6 +23194,35 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         return calledOnParent ? getProfileParentId(callingUserId) : callingUserId;
     }
+    /**
+     * Return the DPC type of the given caller.
+     */
+    private @DpcType int getDpcType(CallerIdentity caller) {
+        // Check the permissions of DPCs
+        if (isDefaultDeviceOwner(caller)) {
+            return DEFAULT_DEVICE_OWNER;
+        }
+        if (isFinancedDeviceOwner(caller)) {
+            return FINANCED_DEVICE_OWNER;
+        }
+        if (isProfileOwner(caller)) {
+            if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
+                return PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE;
+            }
+            if (isManagedProfile(caller.getUserId())) {
+                return PROFILE_OWNER;
+            }
+            if (isProfileOwnerOnUser0(caller)) {
+                return PROFILE_OWNER_ON_USER_0;
+            }
+            if (isUserAffiliatedWithDevice(caller.getUserId())) {
+                return AFFILIATED_PROFILE_OWNER_ON_USER;
+            }
+            return PROFILE_OWNER_ON_USER;
+        }
+        return NOT_A_DPC;
+    }
+
     private boolean isPermissionCheckFlagEnabled() {
         return DeviceConfig.getBoolean(
                 NAMESPACE_DEVICE_POLICY_MANAGER,
-- 
cgit v1.2.3-59-g8ed1b
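Review bot: The comment `// Check the permissions of DPCs` at the top of `getDpcType` was carried over from the removed branch chain, but this method only classifies the caller and performs no permission check, so it now misleads. Replace it with a note on ordering, which is what a reader actually needs here: `// Order matters: the checks below overlap (e.g. an organization-owned-device PO may also pass isManagedProfile), so the first match wins.`. The Javadoc should also state that the result indexes the permission table and that non-DPC callers get the sentinel, e.g. `Returns the {@link DpcType} of the caller, or {@link #NOT_A_DPC} when the caller is no DPC; the value indexes {@link #DPC_PERMISSIONS}.`. Whether `isProfileOwnerOnUser0` can ever be true for a caller that `isManagedProfile` also matches is not visible from the hunk; if it cannot, one sentence saying so would settle why the user-0 check sits third rather than second.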